Sunday, November 10, 2013

[Script] VirusTotal public and private API v2 with all features

A few days ago I finished improving the previous script and added private API support, so a very big thank you to the VirusTotal team for this :)

I will show a few options with examples; for all options see the usage output.

Important! Some functions, such as behaviour, have many options; if you want to activate all of them, just use -v/--verbose. Use verbose mode to get more details from a report.

You can use the --dump option to dump the JSON to a file and analyse it later. You can combine this, so you can see a report and dump it to a file, and afterwards pass that file as the parameter instead of the hash/scan-id/url/etc...

File scan:
Important: if the file has been scanned before, you will get the existing report and the file will not be uploaded.
Files bigger than 32 MB will be ignored and you will see a warning with the file name.

You can use name/path wildcards such as /home/user/malware*/*Zeus*, and pass several files: -f path_to_file -f path_to_file -v # with verbose mode you will also see the detections by each AV
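The file-scan behaviour described above (look the hash up first, only upload when VirusTotal has no report, and refuse files over 32 MB) as an added example written against the public VirusTotal API v2 endpoint /file/report. This is not the post's script; API_KEY is a placeholder, SAMPLE_REPORT is a constructed response built from the hashes shown later in the post, and the `opener` parameter is an assumed injectable transport so the code can run offline.

```python
# Added example (not the original script): hash-first file lookup against the
# VirusTotal API v2, returning an existing report instead of uploading and
# skipping files over the 32 MB limit mentioned in the post.
# Assumed: API_KEY placeholder; `opener` is an injectable transport so the
# example runs offline with the constructed SAMPLE_REPORT below.
import hashlib
import json
import os
import urllib.parse
import urllib.request

VT_API = "https://www.virustotal.com/vtapi/v2"
MAX_UPLOAD_BYTES = 32 * 1024 * 1024          # 32 MB limit from the post
API_KEY = "YOUR_VT_API_KEY"                  # placeholder, not a real key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large samples are hashed without reading them fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def fetch_file_report(resource: str, apikey: str = API_KEY, opener=None) -> dict:
    """GET /file/report; `resource` is an md5/sha1/sha256 or scan-id, as in the post."""
    query = urllib.parse.urlencode({"resource": resource, "apikey": apikey})
    url = f"{VT_API}/file/report?{query}"
    if opener is None:  # real transport; replaced by a fake for offline runs
        opener = lambda u: urllib.request.urlopen(u, timeout=30).read()
    return json.loads(opener(url))


def summarize(report: dict):
    """Reduce a v2 file report to the fields the post prints; None if VT has no report."""
    if report.get("response_code") != 1:   # 0 = unknown resource, -2 = still queued
        return None
    scans = report.get("scans", {})
    return {
        "md5": report.get("md5"),
        "sha1": report.get("sha1"),
        "sha256": report.get("sha256"),
        "scan_date": report.get("scan_date"),
        "positives": report.get("positives"),
        "total": report.get("total"),
        "permalink": report.get("permalink"),
        # per-engine detail, the part the post shows in verbose mode
        "detected_by": sorted(av for av, r in scans.items() if r.get("detected")),
    }


def decide_action(size: int, digest: str, report: dict):
    """Pure decision: ('report', summary) if VT knows the hash, ('skip', size) if
    the file exceeds the upload limit, otherwise ('upload', digest)."""
    summary = summarize(report)
    if summary is not None:
        return "report", summary
    if size > MAX_UPLOAD_BYTES:
        return "skip", size
    return "upload", digest


def check_file(path: str, opener=None):
    """Look the file up by SHA-256 before ever considering an upload."""
    digest = sha256_of_file(path)
    report = fetch_file_report(digest, opener=opener)
    return decide_action(os.path.getsize(path), digest, report)


# Constructed sample shaped like a real v2 response, using the hashes from the post.
SAMPLE_REPORT = {
    "response_code": 1,
    "md5": "99017f6eebbac24f351415dd410d522d",
    "sha1": "4d1740485713a2ab3a4f5822a01f645fe8387f92",
    "sha256": "52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c",
    "scan_date": "2013-11-02 05:21:11",
    "positives": 39,
    "total": 46,
    "permalink": "<permalink placeholder>",
    "scans": {"EngineA": {"detected": True, "result": "Trojan.Generic"},   # constructed
              "EngineB": {"detected": False, "result": None}},
}

if __name__ == "__main__":
    fake_opener = lambda url: json.dumps(SAMPLE_REPORT).encode()  # offline transport
    rep = fetch_file_report(SAMPLE_REPORT["sha256"], opener=fake_opener)
    print(json.dumps(summarize(rep), indent=2))
```

Keep the real key out of the source (read it from an environment variable or a config file with restricted permissions); the hash-first lookup also means you never send a file to a third party when its verdict is already known.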

URL scan and report:

It depends on the API: with the public API you can scan up to 4 URLs per request, with the private API up to 25.
Example for scanning 2 URLs/domains:

python -ur

When you try to get a report and the URL/domain has not been scanned before, you can upload it for scanning by executing with the option:

python -ur -u

If you want to add it directly to scan/rescan, just execute:

python -u
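The batching limits above (4 URLs per request with a public key, 25 with a private one) as an added example that builds the request forms for the VirusTotal API v2 url/report and url/scan endpoints, which accept several URLs in one call separated by newlines. This is not the post's code; API_KEY is a placeholder, SAMPLE_BATCH is a constructed response, and no network call is made here, only the forms are built and a response is parsed.

```python
# Added example (not the original script): batching URLs for the VirusTotal
# API v2 url/scan and url/report endpoints. Several URLs go in one request,
# newline-separated: up to 4 per call with a public key and 25 with a private
# key, as the post states. Assumed: API_KEY placeholder; no network is used.
import urllib.parse

VT_API = "https://www.virustotal.com/vtapi/v2"
API_KEY = "YOUR_VT_API_KEY"                     # placeholder, not a real key
BATCH_LIMIT = {"public": 4, "private": 25}      # URLs per request, from the post


def chunked(items, size):
    """Split a list into consecutive slices of at most `size` elements."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def build_url_requests(urls, api="public", action="report",
                       scan_if_missing=False, apikey=API_KEY):
    """Return (endpoint, form) pairs, one per batch.

    action="report" -> POST /url/report with `resource`; scan_if_missing adds
    scan=1 so unknown URLs are queued (the post's -ur -u combination).
    action="scan"   -> POST /url/scan with `url` (the post's -u option).
    """
    limit = BATCH_LIMIT[api]
    endpoint = f"{VT_API}/url/{action}"
    requests = []
    for batch in chunked(list(urls), limit):
        form = {"apikey": apikey}
        if action == "scan":
            form["url"] = "\n".join(batch)
        elif action == "report":
            form["resource"] = "\n".join(batch)
            if scan_if_missing:
                form["scan"] = "1"
        else:
            raise ValueError(f"unknown action {action!r}")
        requests.append((endpoint, form))
    return requests


def encode_form(form):
    """Body bytes for urllib.request.Request(endpoint, data=..., method='POST')."""
    return urllib.parse.urlencode(form).encode()


def parse_url_reports(payload):
    """url/report answers with one dict for a single resource and a list for a
    batch. Return (resource, status, detail) triples."""
    items = payload if isinstance(payload, list) else [payload]
    results = []
    for item in items:
        rc = item.get("response_code")
        res = item.get("resource")
        if rc == 1:
            results.append((res, "reported", f"{item.get('positives')}/{item.get('total')}"))
        elif rc == -2:                         # submitted, analysis still queued
            results.append((res, "queued", item.get("scan_id")))
        else:                                  # 0: VT has never seen this URL
            results.append((res, "unknown", None))
    return results


# Constructed batch response, shaped like the v2 url/report answer.
SAMPLE_BATCH = [
    {"response_code": 1, "resource": "http://example.com/a", "positives": 3, "total": 50},
    {"response_code": -2, "resource": "http://example.com/b", "scan_id": "<scan-id placeholder>"},
    {"response_code": 0, "resource": "http://example.com/c"},
]

if __name__ == "__main__":
    urls = [f"http://example.com/{i}" for i in range(6)]
    for endpoint, form in build_url_requests(urls, api="public", scan_if_missing=True):
        print(endpoint, form["resource"].count("\n") + 1, "URLs in this request")
    print(parse_url_reports(SAMPLE_BATCH))
```

Sending more URLs than the key's limit in one request is the usual cause of a batch silently coming back short, so the limit is enforced on the client side before any request is built.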

Report search

Here you can use an md5/sha1/sha256 hash or a scan-id:

python -s 99017f6eebbac24f351415dd410d522d

MD5       : 99017f6eebbac24f351415dd410d522d
SHA1     : 4d1740485713a2ab3a4f5822a01f645fe8387f92
SHA256 : 52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c

Scan  Date     : 2013-11-02 05:21:11

      39/46 Positives/Total

The output is very long, so this is just a part of it.

Permanent link :

Domain search:
Get the resolved IPs and the resolution dates of the domain

python -d --dump -v #public api

Get all the domain info: # the same execution but with the private API

You can get all the info with verbose mode, or activate only the options you want to see; see the usage.

Get IP info:

python -i ip/json_dump #public api

Search report
python -s 99017f6eebbac24f351415dd410d522d #private api example

ExifTool file metadata:


Cluster info:

python --cluster 2013-10-01


python --distribution-files --report --limit 1

python --distribution-urls

Permanent link :

Get comments:


This is a heavily cut output of behaviour, because it is very, very long.

And much more!

Process Tree


You need to see the usage for all options:

python -h

Enjoy it!

8 comments:

  1. Hi. Extremely useful. Thanks a lot. I'm also looking to retrieve the first submission date too. Are you planning to include it as well?

    1. Thank you Alvaro, a great upgrade with a lot of features is coming soon.
      You can get the first submission with the private API only, using --report-all-info
      For example:
      vt -s --report-all-info 9fc5f95fb1e7fd4cc45fd6c04264abff

      Scan Date : 2014-10-05 18:44:31
      First Submission : 2014-09-24 04:01:53
      Last Submission : 2014-09-24 04:01:53


      PS If you have any suggestions or anything you think would be useful, you can tell me here or open a request on github

  2. Ok cool. I've tried but I don't see this info. Probably my API key is a public one instead of a private/purchased one, right? I mean, is the script able to use private API features without any modification?


    1. By default all keys are public; if you want a private one, get in touch with VT for prices.
      Yes, without any modification :)

      In the new version the private API has a little improvement, but I will explain it when I make it public :)
      best regards

  3. Hi, thanks for such a great tool. I need to download reports (in JSON or CSV format) for static and behavioural analysis of Android applications from VT using your tool. Can you please give me an example command through which I can perform the said task? I shall be thankful to you.

  4. Hello @Ahmed, thanks for using it. If you have a private API key you can do it this way:
    1) vt -rai android_app_hash --dump <- for static
    2) vt -behaviour android_app_hash --dump <- for dynamic

    If you have only a public key, then you can only get basic static information:
    vt -fs --dump

    --dump will save the data returned from VT to a JSON file

  5. Is there a way to scan URLs and return the result by calling one of the functions from another Python script, or by importing a function into another Python script? I've been trying to find a way to do so, but at 3000 lines of code I've been having a hard time figuring it out.

  6. Hello, first of all check the wiki to see how to use it as a library if you want to use it from another script,
    and here you have code which does what you want