[PYTHON] How to get a sample report from a hash value using VirusTotal's API

Introduction

I have hash values for a set of samples, but there are too many to look up by hand, so I wrote a program that fetches the report for each one from VirusTotal automatically. The program was written for, and confirmed to work with, Python 3. There are many similar articles, but I decided to write this one because they either target Python 2 or are written somewhat differently from the sample in the official documentation.

As the references show, VirusTotal provides an API, and using it is an efficient way to get this information. You can get a VirusTotal API key for free by creating an account. If you hard-code the key in the program, be careful when publishing or sharing the program: a key that leaks to a third party may be misused. (If only you use the program, hard-coding is acceptable, but if the program may be disclosed externally, it is safer to supply the key from outside the program.)

Program

I wrote it as follows, based on the official documentation. Replace the apikey value with your own API key. (As mentioned above, supplying it from outside the program is also fine.)

This program reads the hash values of the samples from a separate text file. Whether you hard-code them or pass them as run-time arguments, implement this part in whatever way is easiest for you.

get_vt.py


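import time
import requests

url = 'https://www.virustotal.com/vtapi/v2/file/report'

count = 0
# hash.txt holds one hash value per line
with open('hash.txt', 'r') as hash_file:
    for line in hash_file:
        # Strip the trailing newline so the resource is the bare hash value
        file_hash = line.strip()
        if not file_hash:
            continue
        params = {'apikey': 'your api key value', 'resource': file_hash}
        # A timeout keeps one stalled request from hanging the whole run
        response = requests.get(url, params=params, timeout=30)
        print(response.json())
        count = count + 1
        # Pause for 65 seconds after every fourth request
        if count % 4 == 0:
            time.sleep(65)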

As is often said, an API may restrict access if you call it too frequently, and for VirusTotal I heard rumors that you need to wait 60 seconds after every 4 requests. To be safe, I pause for 65 seconds once every four requests.
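An added example, not part of the original article: one way to take the API key from the environment instead of hard-coding it, reject malformed lines from hash.txt before they cost a request, and pace calls with a sliding window of 4 requests per 60 seconds rather than a fixed sleep. The variable name VT_API_KEY and the names load_api_key, clean_hashes and WindowLimiter are assumptions made for this example.

```python
import os
import re
import time
from collections import deque

# MD5, SHA-1 and SHA-256 digests are 32, 40 and 64 hex characters long.
HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")

def load_api_key(env_var="VT_API_KEY"):
    """Read the key from the environment; the variable name is an assumption."""
    key = os.environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"set {env_var} before running")
    return key

def clean_hashes(lines):
    """Return (valid, rejected); valid hashes are lower-cased and de-duplicated."""
    valid, rejected, seen = [], [], set()
    for line in lines:
        value = line.strip().lower()
        if not value:
            continue  # skip blank lines
        if not HASH_RE.fullmatch(value):
            rejected.append(value)  # not a hex digest of a known length
        elif value not in seen:
            seen.add(value)
            valid.append(value)
    return valid, rejected

class WindowLimiter:
    """Allow at most `limit` calls in any `window` seconds (hypothetical helper)."""

    def __init__(self, limit=4, window=60.0, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep  # injectable so tests need no real waiting
        self.stamps = deque()  # times of the calls still inside the window

    def wait(self):
        """Block until a call is allowed; return the seconds slept."""
        now = self.clock()
        while self.stamps and now - self.stamps[0] >= self.window:
            self.stamps.popleft()  # forget calls that have left the window
        slept = 0.0
        if len(self.stamps) >= self.limit:
            slept = self.window - (now - self.stamps[0])
            self.sleep(slept)  # wait until the oldest call leaves the window
            self.stamps.popleft()
        self.stamps.append(self.clock())
        return slept
```

Call `wait()` immediately before each `requests.get`; the limiter sleeps only when four calls already fall inside the last 60 seconds, so short lists finish without any pause.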

Execution method

It is just a Python script, so run it as follows. The result is returned in JSON format, so redirect the output to a JSON file.

How to run get_vt.py


$ python3 get_vt.py > vt_result.json

The following is the result for the hash value a5a0420200af84fdb5674569f1a8eafe7ef7b41b. For each anti-virus product name, the detected field appears to give that product's malware verdict as True or False. The malware name also seems to be available, and as far as I can see, the sample looks like Mirai.

Acquisition result


{'scans': {'Bkav': {'detected': False, 'version': '1.3.0.9899', 'result': None, 'update': '20200819'}, 'MicroWorld-eScan': {'detected': False, 'version': '14.0.409.0', 'result': None, 'update': '20200820'}, 'FireEye': {'detected': True, 'version': '32.36.1.0', 'result': 'Trojan.Linux.Mirai.1', 'update': '20200820'}, 'CAT-QuickHeal': {'detected': False, 'version': '14.00', 'result': None, 'update': '20200820'}, 'McAfee': {'detected': True, 'version': '6.0.6.653', 'result': 'RDN/Generic BackDoor', 'update': '20200820'}, 'Malwarebytes': {'detected': False, 'version': '3.6.4.335', 'result': None, 'update': '20200820'}, 'Zillya': {'detected': True, 'version': '2.0.0.4158', 'result': 'Backdoor.Mirai.Linux.91998', 'update': '20200820'}, 'SUPERAntiSpyware': {'detected': False, 'version': '5.6.0.1032', 'result': None, 'update': '20200814'}, 'Sangfor': {'detected': False, 'version': '1.0', 'result': None, 'update': '20200814'}, 'K7AntiVirus': {'detected': False, 'version': '11.131.35049', 'result': None, 'update': '20200820'}, 'K7GW': {'detected': False, 'version': '11.131.35050', 'result': None, 'update': '20200820'}, 'Baidu': {'detected': False, 'version': '1.0.0.2', 'result': None, 'update': '20190318'}, 'F-Prot': {'detected': False, 'version': '4.7.1.166', 'result': None, 'update': '20200820'}, 'Symantec': {'detected': True, 'version': '1.11.0.0', 'result': 'Trojan.Gen.NPE', 'update': '20200820'}, 'ESET-NOD32': {'detected': True, 'version': '21852', 'result': 'a variant of Linux/Mirai.OX', 'update': '20200820'}, 'TrendMicro-HouseCall': {'detected': False, 'version': '10.0.0.1040', 'result': None, 'update': '20200820'}, 'Avast': {'detected': True, 'version': '18.4.3895.0', 'result': 'Other:Malware-gen [Trj]', 'update': '20200820'}, 'ClamAV': {'detected': True, 'version': '0.102.4.0', 'result': 'Unix.Dropper.Mirai-7135870-0', 'update': '20200817'}, 'Kaspersky': {'detected': True, 'version': '15.0.1.13', 'result': 'HEUR:Backdoor.Linux.Mirai.b', 'update': '20200820'}, 
'BitDefender': {'detected': True, 'version': '7.2', 'result': 'Trojan.Linux.Mirai.1', 'update': '20200820'}, 'NANO-Antivirus': {'detected': True, 'version': '1.0.134.25140', 'result': 'Trojan.Mirai.hrbzkk', 'update': '20200820'}, 'ViRobot': {'detected': False, 'version': '2014.3.20.0', 'result': None, 'update': '20200820'}, 'Tencent': {'detected': True, 'version': '1.0.0.1', 'result': 'Backdoor.Linux.Mirai.wao', 'update': '20200820'}, 'Ad-Aware': {'detected': False, 'version': '3.0.16.117', 'result': None, 'update': '20200820'}, 'TACHYON': {'detected': False, 'version': '2020-08-20.02', 'result': None, 'update': '20200820'}, 'Comodo': {'detected': True, 'version': '32668', 'result': '.UnclassifiedMalware@0', 'update': '20200728'}, 'F-Secure': {'detected': True, 'version': '12.0.86.52', 'result': 'Malware.LINUX/Mirai.lpnjw', 'update': '20200820'}, 'DrWeb': {'detected': True, 'version': '7.0.46.3050', 'result': 'Linux.Mirai.671', 'update': '20200820'}, 'VIPRE': {'detected': False, 'version': '86068', 'result': None, 'update': '20200820'}, 'TrendMicro': {'detected': True, 'version': '11.0.0.1006', 'result': 'Backdoor.Linux.MIRAI.USELVH120', 'update': '20200820'}, 'CMC': {'detected': False, 'version': '2.7.2019.1', 'result': None, 'update': '20200820'}, 'Sophos': {'detected': True, 'version': '4.98.0', 'result': 'Linux/DDoS-CIA', 'update': '20200819'}, 'Cyren': {'detected': False, 'version': '6.3.0.2', 'result': None, 'update': '20200820'}, 'Jiangmin': {'detected': False, 'version': '16.0.100', 'result': None, 'update': '20200820'}, 'Avira': {'detected': True, 'version': '8.3.3.8', 'result': 'LINUX/Mirai.lpnjw', 'update': '20200820'}, 'Fortinet': {'detected': True, 'version': '6.2.142.0', 'result': 'ELF/DDoS.CIA!tr', 'update': '20200820'}, 'Antiy-AVL': {'detected': False, 'version': '3.0.0.1', 'result': None, 'update': '20200820'}, 'Kingsoft': {'detected': False, 'version': '2013.8.14.323', 'result': None, 'update': '20200820'}, 'Arcabit': {'detected': True, 'version': 
'1.0.0.877', 'result': 'Trojan.Linux.Mirai.1', 'update': '20200820'}, 'AegisLab': {'detected': True, 'version': '4.2', 'result': 'Trojan.Linux.Mirai.K!c', 'update': '20200820'}, 'AhnLab-V3': {'detected': False, 'version': '3.18.1.10026', 'result': None, 'update': '20200820'}, 'ZoneAlarm': {'detected': True, 'version': '1.0', 'result': 'HEUR:Backdoor.Linux.Mirai.b', 'update': '20200820'}, 'Avast-Mobile': {'detected': False, 'version': '200820-00', 'result': None, 'update': '20200820'}, 'Microsoft': {'detected': True, 'version': '1.1.17300.4', 'result': 'Trojan:Win32/Skeeyah.A!rfn', 'update': '20200820'}, 'Cynet': {'detected': True, 'version': '4.0.0.24', 'result': 'Malicious (score: 85)', 'update': '20200815'}, 'TotalDefense': {'detected': False, 'version': '37.1.62.1', 'result': None, 'update': '20200820'}, 'BitDefenderTheta': {'detected': False, 'version': '7.2.37796.0', 'result': None, 'update': '20200819'}, 'ALYac': {'detected': False, 'version': '1.1.1.5', 'result': None, 'update': '20200820'}, 'MAX': {'detected': True, 'version': '2019.9.16.1', 'result': 'malware (ai score=89)', 'update': '20200820'}, 'VBA32': {'detected': False, 'version': '4.4.1', 'result': None, 'update': '20200819'}, 'Zoner': {'detected': False, 'version': '0.0.0.0', 'result': None, 'update': '20200819'}, 'Rising': {'detected': True, 'version': '25.0.0.26', 'result': 'Backdoor.Mirai/Linux!1.BAF6 (CLASSIC)', 'update': '20200820'}, 'Yandex': {'detected': False, 'version': '5.5.2.24', 'result': None, 'update': '20200707'}, 'Ikarus': {'detected': True, 'version': '0.1.5.2', 'result': 'Trojan.Linux.Mirai', 'update': '20200820'}, 'MaxSecure': {'detected': False, 'version': '1.0.0.1', 'result': None, 'update': '20200819'}, 'GData': {'detected': True, 'version': 'A:25.26670B:27.19869', 'result': 'Trojan.Linux.Mirai.1', 'update': '20200820'}, 'AVG': {'detected': True, 'version': '18.4.3895.0', 'result': 'Other:Malware-gen [Trj]', 'update': '20200820'}, 'Panda': {'detected': False, 'version': 
'4.6.4.2', 'result': None, 'update': '20200819'}, 'Qihoo-360': {'detected': True, 'version': '1.0.0.1120', 'result': 'Linux/Backdoor.6f4', 'update': '20200820'}}, 'scan_id': '0aa5949d00c05b62cb5e9ac24f11b08cd5ed13f089b628220d6cc27b5147230c-1597909074', 'sha1': 'a5a0420200af84fdb5674569f1a8eafe7ef7b41b', 'resource': '0aa5949d00c05b62cb5e9ac24f11b08cd5ed13f089b628220d6cc27b5147230c', 'response_code': 1, 'scan_date': '2020-08-20 07:37:54', 'permalink': 'https://www.virustotal.com/gui/file/0aa5949d00c05b62cb5e9ac24f11b08cd5ed13f089b628220d6cc27b5147230c/detection/f-0aa5949d00c05b62cb5e9ac24f11b08cd5ed13f089b628220d6cc27b5147230c-1597909074', 'verbose_msg': 'Scan finished, information embedded', 'total': 59, 'positives': 29, 'sha256': '0aa5949d00c05b62cb5e9ac24f11b08cd5ed13f089b628220d6cc27b5147230c', 'md5': '1e0621f530a9f1cb000d670c54a789c9'}
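An added example, not part of the original article: reducing one report, as the dict returned by `response.json()`, to a short verdict with the detection ratio, the engines that flagged the sample, and a family name that at least two engines agree on. The function name summarize, the GENERIC token list and the two-engine threshold are assumptions made for this example; the sample is constructed from a few engines of the report above.

```python
import re
from collections import Counter

# Constructed sample: a few engines trimmed from the report shown above
# (total and positives keep the values of the full report).
SAMPLE_REPORT = {
    "response_code": 1, "total": 59, "positives": 29,
    "sha1": "a5a0420200af84fdb5674569f1a8eafe7ef7b41b",
    "scans": {
        "Bkav": {"detected": False, "result": None},
        "FireEye": {"detected": True, "result": "Trojan.Linux.Mirai.1"},
        "McAfee": {"detected": True, "result": "RDN/Generic BackDoor"},
        "ESET-NOD32": {"detected": True, "result": "a variant of Linux/Mirai.OX"},
        "Kaspersky": {"detected": True, "result": "HEUR:Backdoor.Linux.Mirai.b"},
        "Sophos": {"detected": True, "result": "Linux/DDoS-CIA"},
    },
}

# Assumed list of tokens that name a platform or malware type, not a family.
GENERIC = {"trojan", "backdoor", "linux", "generic", "heur", "variant", "malware",
           "ddos", "unix", "elf", "other", "gen", "rdn", "dropper"}

def summarize(report):
    """Reduce one file report to a verdict row; tolerate hashes with no report."""
    if report.get("response_code") != 1:
        # Assumption: anything other than the 1 seen above means no finished report.
        return {"known": False, "positives": 0, "total": 0, "family": None, "engines": []}
    scans = report.get("scans", {})
    hits = {name: scan.get("result") or ""
            for name, scan in scans.items() if scan.get("detected")}
    votes = Counter()
    for label in hits.values():
        # One vote per engine for each non-generic alphabetic token in its label.
        tokens = {t.lower() for t in re.findall(r"[A-Za-z]{3,}", label)}
        votes.update(tokens - GENERIC)
    family = None
    if votes:
        name, count = votes.most_common(1)[0]
        if count >= 2:  # require agreement between at least two engines
            family = name
    return {"known": True, "positives": report.get("positives", len(hits)),
            "total": report.get("total", len(scans)),
            "family": family, "engines": sorted(hits)}
```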

Summary

I created a program that gets report information from hash values using the VirusTotal API. In the future, I will consider how to use the obtained output and how to use other APIs.

References
