Friday, November 4, 2016

VirusTotal Public API MD5 Report Search

This Python script will ingest a file with a list of MD5s and use the VirusTotal Public API to query them for AntiVirus hits.  The public API has a limit of 4 MD5s a minute.  This uses the bulk query method to send 4 in one request and, when fewer than 4 remain, queries them one at a time.

If you're lucky enough to have Private API access, just change the values on lines 62-69 from 4 to 25.



import requests
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning

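# The requests below run with certificate checking turned off; silence the
# per-request InsecureRequestWarning so it does not drown the report output.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
apikey = '<mine>'  # VirusTotal API key; keep the real value out of version control
fname = "c:\\temp\\uniqueMD5s.csv"
with open(fname) as f:
    fContents = f.readlines()
# One MD5 per line: strip line endings and drop blank lines so an empty
# ``resource`` value is never sent to the API.
hashes = [line.strip() for line in fContents if line.strip()]

hits = []  # one entry per request: a list of flagged MD5s, or None / 0 when nothing was flagged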

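def singleMode(hash):
    """Look up one MD5 on VirusTotal and report its AV detections.

    Args:
        hash: a single MD5 hex digest, sent as the ``resource`` parameter of
            the v2 ``file/report`` endpoint.

    Returns:
        A one-element list holding the MD5 as VirusTotal echoes it back when
        the report has at least one positive; otherwise None (unknown hash,
        zero positives, or a failed request).
    """
    positives = []
    headers = {"Accept-Encoding": "gzip, deflate", "User-Agent": "VT Query UserAgent"}
    params = {'apikey': apikey, 'resource': hash}
    url = 'https://www.virustotal.com/vtapi/v2/file/report'
    try:
        # NOTE(review): verify=False disables TLS certificate validation, so the
        # API key is sent to whichever peer answers for this hostname; keep it
        # only if an intercepting proxy genuinely prevents verification.
        response = requests.get(url, params=params, headers=headers, verify=False)
        if response.status_code == 204:
            # An empty 204 is the public API's "rate limit exceeded" reply:
            # wait out the one-minute window and retry once.
            print("time to sleep!")
            time.sleep(61)
            response = requests.get(url, params=params, headers=headers, verify=False)
        json_response = response.json()
        # response_code 1 means VirusTotal has a report for this hash.
        if json_response['response_code'] == 1 and json_response['positives'] != 0:
            print(json_response['md5'] + " has " + str(json_response['positives']) + " positives!")
            positives.append(json_response['md5'])
    except Exception as exc:
        # Report the hash that was queried (not an outer loop variable, which is
        # an int here and would make the handler itself raise) plus the cause.
        print("error retrieving stats on md5: " + str(hash) + " (" + repr(exc) + ")")
    if positives:
        return positives
    return None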

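def multiMode(hashes):
    """Look up a batch of MD5s on VirusTotal in one request and report detections.

    Args:
        hashes: list of MD5 hex digests; they are joined with commas into a
            single ``resource`` parameter (the public API accepts 4 per call).

    Returns:
        A list of the MD5s (as VirusTotal echoes them back) that have at least
        one positive, or 0 when none had positives or the request failed.
    """
    positives = []
    hashlist = ",".join(hashes)
    headers = {"Accept-Encoding": "gzip, deflate", "User-Agent": "VT Query UserAgent"}
    params = {'apikey': apikey, 'resource': hashlist}
    url = 'https://www.virustotal.com/vtapi/v2/file/report'
    try:
        # NOTE(review): verify=False disables TLS certificate validation, so the
        # API key is sent to whichever peer answers for this hostname; keep it
        # only if an intercepting proxy genuinely prevents verification.
        response = requests.get(url, params=params, headers=headers, verify=False)
        if response.status_code == 204:
            # An empty 204 is the public API's "rate limit exceeded" reply:
            # wait out the one-minute window and retry once.
            print("time to sleep!")
            time.sleep(61)
            response = requests.get(url, params=params, headers=headers, verify=False)
        json_response = response.json()
        # A single resource comes back as one object rather than a list of
        # objects; normalise so the loop below handles batches of any size.
        if isinstance(json_response, dict):
            json_response = [json_response]
        for report in json_response:
            # response_code 1 means VirusTotal has a report for this hash.
            if report['response_code'] == 1 and report['positives'] != 0:
                print(report['md5'] + " has " + str(report['positives']) + " positives!")
                positives.append(report['md5'])
    except Exception as exc:
        # Best-effort: log the failed batch and its cause, then carry on.
        print("error retrieving stats on md5 group: " + str(hashes) + " (" + repr(exc) + ")")
    if positives:
        return positives
    return 0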

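# Walk the hash list in blocks of four: a full block goes out as one bulk
# request, a short tail is queried one hash at a time.
for i in range(0, len(hashes), 4):
    batch = hashes[i:i + 4]
    if len(batch) < 4:
        for single in batch:
            hits.append(singleMode(single))
    else:
        hits.append(multiMode(batch))
    print("On hash  %d out of  %d" % (i, len(hashes)))
# singleMode returns None and multiMode returns 0 when nothing was flagged;
# drop both so only result lists remain and no try/except is needed below.
hits[:] = [result for result in hits if result]
# Flatten the per-request result lists into one list of flagged MD5s.
y = [md5 for result in hits for md5 in result]

print(y)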
