Cryptography and Encryption

Munin – Online Hash Checker For Virustotal And Other Services

October 20, 2018
4 Min Read
Munin - Online Hash Checker For Virustotal And Other Services

Munin is a online hash checker utility that retrieves valuable information from various online sources
The current version of Munin queries the following services:

  • Virustotal
  • Malshare
  • HybridAnalysis

Note: Munin is based on the script “VT-Checker”, which has been maintained in the LOKI repository.

Usage

usage: munin.py [-h] [-f path] [-c cache-db] [-i ini-file] [-s sample-folder]
                [--comment] [-p vt-comment-prefix] [--download]
                [-d download_path] [--nocache] [--intense] [--retroverify]
                [-r num-results] [--nocsv] [--verifycert] [--sort] [--debug]

Online Hash Checker


optional arguments:
-h, --help show this help message and exit
-f path File to process (hash line by line OR csv with hash in
each line - auto-detects position and comment)
-c cache-db Name of the cache database file (default: vt-hash-
db.pkl)
-i ini-file Name of the ini file that holds the API keys
-s sample-folder Folder with samples to process
--comment Posts a comment for the analysed hash which contains
the comment from the log line
-p vt-comment-prefix Virustotal comment prefix
--download Enables Sample Download from Hybrid Analysis. SHA256
of sample needed.
-d download_path Output Path for Sample Download from Hybrid Analysis.
Folder must exist
--nocache Do not use cache database file
--intense Do use PhantomJS to parse the permalink (used to
extract user comments on samples)
--retroverify Check only 40 entries with the same comment and
therest at the end of the run (retrohunt verification)
-r num-results Number of results to take as verification
--nocsv Do not write a CSV with the results
--verifycert Verify SSL/TLS certificates
--sort Sort the input lines (useful for VT retrohunt results)
--debug Debug output

Features

  • MODE A: Extracts hashes from any text file based on regular expressions
  • MODE B: Walks sample directory and checks hashes online
  • Retrieves valuable information from Virustotal via API (JSON response) and other information via permalink (HTML parsing)
  • Keeps a history (cache) to query the services only once for a hash that may appear multiple times in the text file
  • Cached objects are stored in JSON
  • Creates CSV file with the findings for easy post-processing and reporting
  • Appends results to a previous CSV if available

Displays

  • Hash and comment (comment is the rest of the line of which the hash has been extracted)
  • AV vendor matches based on a user defined list
  • Filenames used in the wild
  • PE information like the description, the original file name and the copyright statement
  • Signer of a signed portable executable
  • Result based on Virustotal ratio
  • First and last submission
  • Tags for certain indicators: Harmless, Signed, Expired, Revoked, MSSoftware

Extra Checks

  • Queries Malshare.com for sample uploads
  • Queries Hybrid-Analysis.com for present analysis
  • Imphash duplicates in current batch > allows you to spot overlaps in import table hashes

Getting started

  1. Download / clone the repo
  2. Install required packages: pip3 install -r requirements.txt (on macOS add --user)
  3. (optional: required for –intense mode) Download PhantomJS and place it in your $PATH, e.g. /usr/local/bin http://phantomjs.org/download.html
  4. Set the API key for the different services in the munin.ini file
  5. Use the demo file for a first run: python munin.py -f munin-demo.txt --nocache

Typical Command Lines
Process a Virustotal Retrohunt result and sort the lines before checking so that matched signatures are checked in blocks

python munin.py -f my.ini -f ~/Downloads/retro_hunt

Process an IOC file and show who commented on these samples on Virustotal (uses PhantomJS, higher CPU usage)

python munin.py -f my.ini -f ~/Downloads/misp-event-1234.csv --sort --intense

Process a directory with samples and check their hashes online

python munin.py -f my.ini -s ~/malware/case34

Get the API Keys used by Munin

Virustotal

  1. Create an account here https://www.virustotal.com/#/join-us
  2. Check Profile > My API key for your public API key

Malshare
Register here https://malshare.com/register.php

Hybrid Analysis

  1. Create an account here https://www.hybrid-analysis.com/signup
  2. After login, check Profile > API key

Website security, detecting malwares on the website and removal services, website backup services, daily website file scanning and file changes monitoring

Tags