Xen0ph0n/VirusTotal_API_Tool
Information

This is a simple tool that uses the basic functionality of the VirusTotal Private API. With it you can easily look up a hash or a file (the script hashes the file locally and submits only the hash to VT, never the file itself). You can download malware by hash, download pcaps, write the full VT JSON report to a file, and force a rescan of a previously uploaded file with current AV definitions. Advanced queries and bulk downloads can be done with the scripts VT provides on the Intelligence portal (or with a bash loop around this tool if you want to bulk download).

NOTE: You need your own premium (private) VT API key to use this tool. The API key goes on line 13 of vt.py.

NOTE2: If you only have a free VT Public API key (most people do), you can use VTlite.py, which has limited functionality (check hash/path, rescan, download JSON, verbose detections). The public API allows four requests per minute.

Authors & Licence

Original Script Author: Adam Meyers

Rewritten & Modified: Chris Clark

License: Do whatever you want with it :)

Example

Usage is as follows, followed by an example of a basic search and an example that hits all of the switches:

usage: vt.py [-h] [-s] [-v] [-j] [-d] [-p] [-r] HashorPath

Search and Download from VirusTotal

positional arguments:
 HashorPath      Enter the MD5 Hash or Path to File

optional arguments:
 -h, --help      show this help message and exit
 -s, --search    Search VirusTotal
 -v, --verbose   Turn on verbosity of VT reports
 -j, --jsondump  Dumps the full VT report to file (VTDLXXX.json)
 -d, --download  Download File from Virustotal (VTDLXXX.danger)
 -p, --pcap      Download Network Traffic (VTDLXXX.pcap)
 -r, --rescan    Force Rescan with Current A/V Definitions

Example Basic Scan:

xen0ph0n@pir8ship:~/tools$ python vt.py ../../VirtualBox_Share/wsusservice.dll -s

      Results for MD5:  92d37a92138659fa75f45ccb87242910

      Detected by:  30 / 43
      Sophos Detection: Troj/Briba-A
      Kaspersky Detection: Backdoor.Win32.Agent.clfe
      TrendMicro Detection: BKDR_BRIBA.A
      Scanned on: 2012-09-28 02:44:37
      First Seen: 2012-08-15 12:36:02
      Last Seen: 2012-09-28 02:44:37
      Unique Sources 3
      Submission Names:
            92d37a92138659fa75f45ccb87242910
            wsusservice.dll_
            wsusservice2.dll_
            file-4567337_



Example Verbose Scan + Download + Pcap + Json Save + Force Rescan:

xen0ph0n@pir8ship:~/tools$ python vt.py 287f3dda64b830a5ac5a6df3266f7d08 -pdvjr

      Results for MD5:  287f3dda64b830a5ac5a6df3266f7d08

      Detected by:  38 / 46
      Sophos Detection: Troj/Hurgyu-A
      Kaspersky Detection: Trojan-Dropper.Win32.Dapato.bnnu
      TrendMicro Detection: TROJ_GEN.RCBC8HQ
      Scanned on: 2013-03-25 21:38:35
      First Seen: 2012-09-25 09:14:13
      Last Seen: 2012-09-25 09:14:13
      Unique Sources 1
      Submission Names:
            7DkduxxH

       JSON Written to File -- VTDL287F3DDA64B830A5AC5A6DF3266F7D08.json

       Verbose VirusTotal Information Output:

       MicroWorld-eScan         True     Trojan.Generic.7705996
       nProtect                 True     Trojan/W32.Small.29184.SN
       CAT-QuickHeal            True     TrojanDropper.Dapato.bnnu
       McAfee                   True     Generic Dropper!ff3
       Malwarebytes             True     Trojan.Inject
       K7AntiVirus              True     Riskware
       TheHacker                False    None
       NANO-Antivirus           True     Trojan.Win32.Dapato.vpmxh
       F-Prot                   False    None
       Symantec                 True     Trojan.Gen.2
       Norman                   True     Suspicious_Gen4.AWDSR
       TotalDefense             False    None
       TrendMicro-HouseCall     True     TROJ_GEN.RCBC8HQ
       Avast                    True     MX97:ShellCode-I [Expl]
       eSafe                    False    None
       ClamAV                   False    None
       Kaspersky                True     Trojan-Dropper.Win32.Dapato.bnnu
       BitDefender              True     Trojan.Generic.7705996
       Agnitum                  True     Trojan.DR.Dapato!qkvVtOGNQlE
       SUPERAntiSpyware         False    None
       Emsisoft                 True     Trojan.Generic.7705996 (B)
       Comodo                   True     UnclassifiedMalware
       F-Secure                 True     Trojan:W32/Agent.DUDB
       DrWeb                    True     Trojan.DownLoader6.49674
       VIPRE                    True     Trojan.Win32.Generic!BT
       AntiVir                  True     TR/Agent.29184.170
       TrendMicro               True     TROJ_GEN.RCBC8HQ
       McAfee-GW-Edition        True     Generic Dropper!ff3
       Sophos                   True     Troj/Hurgyu-A
       Jiangmin                 True     TrojanDropper.Dapato.mfq
       Antiy-AVL                True     Trojan/Win32.Dapato.gen
       Kingsoft                 True     Win32.Troj.Dapato.(kcloud)
       Microsoft                True     VirTool:Win32/Obfuscator.ABD
       ViRobot                  True     Dropper.A.Dapato.29184.J
       AhnLab-V3                True     Trojan/Win32.Inject
       GData                    True     Trojan.Generic.7705996
       Commtouch                False    None
       ByteHero                 False    None
       VBA32                    True     Trojan-Dropper.Dapato.bnnu
       PCTools                  True     Trojan.Gen
       ESET-NOD32               True     a variant of Win32/Inject.NFV
       Rising                   True     Suspicious
       Ikarus                   True     Win32.SuspectCrc
       Fortinet                 True     W32/Inject.NFV!tr
       AVG                      True     Dropper.Generic6.APFX
       Panda                    True     Generic Trojan

       Malware Downloaded to File -- VTDL287F3DDA64B830A5AC5A6DF3266F7D08.danger

       PCAP Downloaded to File -- VTDL287F3DDA64B830A5AC5A6DF3266F7D08.pcap

       Virus Total Rescan Initiated for -- 287F3DDA64B830A5AC5A6DF3266F7D08 (Requery in 10 Mins)
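The local-hashing behaviour described in the Information section and the summary output shown in the examples above, as an added illustration that is not the repository's vt.py or VTlite.py: the file is hashed on the host so only its MD5 is sent, the report is reduced to the same fields the basic-scan output prints, and output files follow the VTDL<MD5>.<ext> naming shown above. The report is a constructed sample; positives, total, scan_date and scans[engine].detected/result follow the public VT v2 report format, while first_seen, last_seen, unique_sources and submission_names are assumed to be the private-API fields behind the README's "First Seen", "Last Seen", "Unique Sources" and "Submission Names" lines. No network call is made.

```python
"""Added example (not the project's code): hash-only lookups and report
summaries in the style of vt.py's output. Assumptions are marked inline."""
import hashlib
import json
import os
import string
import tempfile

# Constructed sample report, modelled on the README's second example.
# Field names follow the VT v2 file/report format; the first_seen, last_seen,
# unique_sources and submission_names keys are assumed private-API fields.
SAMPLE_REPORT = {
    "response_code": 1,
    "md5": "287f3dda64b830a5ac5a6df3266f7d08",
    "positives": 3,
    "total": 4,
    "scan_date": "2013-03-25 21:38:35",
    "first_seen": "2012-09-25 09:14:13",
    "last_seen": "2012-09-25 09:14:13",
    "unique_sources": 1,
    "submission_names": ["7DkduxxH"],
    "scans": {
        "Sophos": {"detected": True, "result": "Troj/Hurgyu-A"},
        "Kaspersky": {"detected": True, "result": "Trojan-Dropper.Win32.Dapato.bnnu"},
        "TrendMicro": {"detected": True, "result": "TROJ_GEN.RCBC8HQ"},
        "ClamAV": {"detected": False, "result": None},
    },
}


def md5_of_file(path, chunk_size=1 << 16):
    """Hash the file in chunks so only its MD5, never its contents, leaves the host."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def resource_from_arg(arg):
    """Mirror the HashorPath argument: a 32-hex string is used as-is, a path is hashed."""
    if len(arg) == 32 and all(c in string.hexdigits for c in arg):
        return arg.lower()
    return md5_of_file(arg)


def write_temp_sample(data=b"hello"):
    """Write constructed bytes to a temp file and return (path, md5) for demonstration."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path, md5_of_file(path)


def summarize(report):
    """Reduce a report to the fields the basic-scan output prints."""
    if report.get("response_code") != 1:
        return {"known": False}  # VT v2 answers 0 for a hash it has never seen
    scans = report.get("scans", {})
    vendors = ("Sophos", "Kaspersky", "TrendMicro")
    return {
        "known": True,
        "md5": report["md5"],
        "detected": report["positives"],
        "engines": report["total"],
        "vendor_results": {v: scans.get(v, {}).get("result") for v in vendors},
        "scan_date": report.get("scan_date"),
        "first_seen": report.get("first_seen"),
        "last_seen": report.get("last_seen"),
        "unique_sources": report.get("unique_sources"),
        "submission_names": list(report.get("submission_names", [])),
    }


def format_summary(report):
    """Render the summary in the same layout as the README's basic scan."""
    s = summarize(report)
    if not s["known"]:
        return "Hash not found on VirusTotal"
    lines = [f"Results for MD5:  {s['md5']}", "",
             f"Detected by:  {s['detected']} / {s['engines']}"]
    lines += [f"{v} Detection: {r}" for v, r in s["vendor_results"].items()]
    lines += [f"Scanned on: {s['scan_date']}", f"First Seen: {s['first_seen']}",
              f"Last Seen: {s['last_seen']}", f"Unique Sources {s['unique_sources']}",
              "Submission Names:"]
    lines += [f"      {name}" for name in s["submission_names"]]
    return "\n".join(lines)


def verbose_rows(report):
    """Per-engine rows like the -v output: (engine, detected, result)."""
    return [(name, bool(e.get("detected")), e.get("result"))
            for name, e in report.get("scans", {}).items()]


def output_filename(md5, ext):
    """README naming: VTDL<MD5 upper-cased>.<json|danger|pcap>."""
    return f"VTDL{md5.upper()}.{ext}"


def write_report(report, directory=None):
    """Dump the full JSON report (the -j switch) and return the path written."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, output_filename(report["md5"], "json"))
    with open(path, "w") as fh:
        json.dump(report, fh, indent=2)
    return path


def load_report(path):
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    path, digest = write_temp_sample()
    print("would submit hash", digest, "for", path)
    print(format_summary(SAMPLE_REPORT))
    print("JSON Written to File --", os.path.basename(write_report(SAMPLE_REPORT)))
```

Keeping the hashing local matters when the file under analysis may be sensitive: a hash lookup reveals nothing about the file to VT beyond the fact that someone asked about it, whereas a file upload shares the sample with every VT subscriber. The ".danger" extension used for downloaded samples is the README's own convention for keeping them from being double-clicked.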

About

A Tool To Leverage Virus Total's Private API Key
