Zum Inhalt

Malwoverview Cheat Sheet

generieren

Überblick

Malwoverview ist ein umfassendes Bedrohungssuche- und Malware-Analyse-Tool, um Sicherheitsanalysten mit detaillierten Informationen über verdächtige Dateien, URLs und potenzielle Bedrohungen zu bieten. Als Python-basiertes Kommandozeilen-Dienstprogramm entwickelt, integriert Malwoverview mit mehreren Bedrohungsplattformen und Malware-Analyse-Diensten, um umfassende Bedrohungsbewertungen zu liefern. Das Tool dient als zentralisierte Schnittstelle zur Abfrage verschiedener Sicherheitsdienste, so dass Analysten schnell Informationen über potenzielle Bedrohungen sammeln können, ohne manuell auf mehrere Plattformen zuzugreifen.

Die primäre Stärke des Tools liegt in der Fähigkeit, Bedrohung Intelligenz aus verschiedenen Quellen zu aggregieren, einschließlich VirusTotal, Hybrid Analysis, URLVoid, Shodan und andere Sicherheitsdienste. Diese Aggregationsfähigkeit ermöglicht es Sicherheitsexperten, einen ganzheitlichen Blick auf potenzielle Bedrohungen zu erhalten, indem sie Informationen aus mehreren maßgeblichen Quellen korrelieren. Malwoverview unterstützt die Analyse verschiedener Artefakte wie File Hashes, URLs, IP-Adressen und Domains und macht sie vielseitig für verschiedene Bedrohungsjagdszenarien.

Malwoverview ist besonders wertvoll in Krisensituationen, in denen eine rasche Bedrohungsbewertung kritisch ist. Die automatisierten Abfragefähigkeiten des Tools können die Zeit, die benötigt wird, um Bedrohungsinformationen zu sammeln, erheblich reduzieren, sodass sich Analysten auf die Analyse und Entscheidungsfindung konzentrieren und nicht auf die manuelle Datenerfassung. Das Tool bietet auch strukturierte Ausgabeformate, die leicht in Sicherheits-Orchestrationsplattformen und auffallende Antwort-Workflows integriert werden können.

Das Framework unterstützt sowohl interaktive als auch Batch-Verarbeitungsmodi, die es Analysten ermöglichen, Single-Artefact-Analysen durchzuführen oder große Datensätze effizient zu verarbeiten. Seine modulare Architektur ermöglicht eine einfache Erweiterung und Anpassung, so dass es an spezifische organisatorische Anforderungen und Bedrohung Intelligenz Workflows angepasst werden kann. Die Protokollierungs- und Berichtsfähigkeiten des Tools bieten Audit-Strecken und erleichtern den Wissensaustausch zwischen Sicherheitsteams.

Installation

Voraussetzungen

```bash

Install Python and pip

sudo apt update sudo apt install python3 python3-pip git

Install required Python packages

pip3 install requests colorama configparser pefile python-magic

Install additional dependencies

sudo apt install libmagic1 libmagic-dev

For CentOS/RHEL

sudo yum install python3 python3-pip git file-devel pip3 install requests colorama configparser pefile python-magic

For macOS

brew install python3 git libmagic pip3 install requests colorama configparser pefile python-magic ```_

Standardinstallation

```bash

Clone Malwoverview repository

git clone https://github.com/alexandreborges/malwoverview.git cd malwoverview

Install Python dependencies

pip3 install -r requirements.txt

Make executable

chmod +x malwoverview.py

Test installation

python3 malwoverview.py --help

Create symbolic link for system-wide access

sudo ln -s $(pwd)/malwoverview.py /usr/local/bin/malwoverview ```_

Installation der virtuellen Umgebung

```bash

Create virtual environment

python3 -m venv malwoverview-env source malwoverview-env/bin/activate

Clone and install

git clone https://github.com/alexandreborges/malwoverview.git cd malwoverview pip install -r requirements.txt

Create activation script

cat << 'EOF' > activate-malwoverview.sh

!/bin/bash

source /path/to/malwoverview-env/bin/activate cd /path/to/malwoverview python3 malwoverview.py "$@" EOF

chmod +x activate-malwoverview.sh ```_

Docker Installation

```bash

Create Dockerfile

cat << 'EOF' > Dockerfile FROM python:3.9-slim

RUN apt-get update && apt-get install -y \ git \ libmagic1 \ libmagic-dev \ && rm -rf /var/lib/apt/lists/*

WORKDIR /app RUN git clone https://github.com/alexandreborges/malwoverview.git . RUN pip install -r requirements.txt

ENTRYPOINT ["python3", "malwoverview.py"] EOF

Build image

docker build -t malwoverview .

Run container

docker run --rm -it -v $(pwd)/config:/app/config malwoverview --help

Create alias

echo 'alias malwoverview="docker run --rm -it -v $(pwd)/config:/app/config malwoverview"' >> ~/.bashrc ```_

Konfiguration Setup

```bash

Create configuration directory

mkdir -p ~/.malwoverview

Create API configuration file

cat << 'EOF' > ~/.malwoverview/malwoverview.conf [VIRUSTOTAL] vtapi = your_virustotal_api_key

[HYBRIDANALYSIS] haapi = your_hybrid_analysis_api_key

[URLVOID] urlvoidapi = your_urlvoid_api_key

[SHODAN] shodanapi = your_shodan_api_key

[MALSHARE] malshareapi = your_malshare_api_key

[POLYSWARM] polyswarmapi = your_polyswarm_api_key

[ALIENVAULT] alienvaultapi = your_alienvault_api_key EOF

Set proper permissions

chmod 600 ~/.malwoverview/malwoverview.conf ```_

Basisnutzung

Kommandozeilenschnittstelle

```bash

Show help

malwoverview --help python3 malwoverview.py -h

Show version

malwoverview --version

Basic file analysis

malwoverview -f /path/to/suspicious_file.exe

Hash analysis

malwoverview -H md5_hash_here malwoverview -H sha1_hash_here malwoverview -H sha256_hash_here

URL analysis

malwoverview -u http://suspicious-domain.com

IP address analysis

malwoverview -i 192.168.1.100

Domain analysis

malwoverview -d suspicious-domain.com ```_

Konfigurationsoptionen

```bash

Use custom configuration file

malwoverview -c /path/to/custom.conf -f file.exe

Specify output format

malwoverview -f file.exe -o json malwoverview -f file.exe -o csv malwoverview -f file.exe -o xml

Enable verbose output

malwoverview -v -f file.exe

Quiet mode

malwoverview -q -f file.exe

Save output to file

malwoverview -f file.exe > analysis_report.txt malwoverview -f file.exe -o json > report.json ```_

Dateianalyse

Analyse von Dateien

```bash

Analyze executable file

malwoverview -f /path/to/malware.exe

Analyze document

malwoverview -f /path/to/document.pdf

Analyze script

malwoverview -f /path/to/script.js

Analyze with specific engines

malwoverview -f file.exe --engines virustotal,hybridanalysis

Force analysis even if cached

malwoverview -f file.exe --force

Include metadata extraction

malwoverview -f file.exe --metadata ```_

Batch Dateianalyse

```bash

Analyze multiple files

malwoverview -f file1.exe file2.dll file3.pdf

Analyze directory

malwoverview -d /path/to/malware_samples/

Recursive directory analysis

malwoverview -d /path/to/samples/ --recursive

Filter by file type

malwoverview -d /path/to/samples/ --filter ".exe,.dll"

Exclude certain files

malwoverview -d /path/to/samples/ --exclude ".txt,.log"

Parallel processing

malwoverview -d /path/to/samples/ --threads 5 ```_

Hash-basierte Analyse

```bash

MD5 hash analysis

malwoverview -H 5d41402abc4b2a76b9719d911017c592

SHA1 hash analysis

malwoverview -H aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d

SHA256 hash analysis

malwoverview -H 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae

Multiple hashes

malwoverview -H hash1,hash2,hash3

Hash list from file

malwoverview -H @hash_list.txt

Specific hash type

malwoverview -H hash_value --hash-type sha256 ```_

Netzwerkanalyse

URL Analyse

```bash

Single URL analysis

malwoverview -u http://suspicious-site.com

Multiple URLs

malwoverview -u http://site1.com,http://site2.com

URL list from file

malwoverview -u @url_list.txt

Include screenshot

malwoverview -u http://site.com --screenshot

Check redirects

malwoverview -u http://site.com --follow-redirects

Custom user agent

malwoverview -u http://site.com --user-agent "Mozilla/5.0..." ```_

IP-Adressenanalyse

```bash

Single IP analysis

malwoverview -i 192.168.1.100

Multiple IPs

malwoverview -i 192.168.1.100,10.0.0.1

IP range analysis

malwoverview -i 192.168.1.0/24

Include geolocation

malwoverview -i 192.168.1.100 --geolocation

Port scanning

malwoverview -i 192.168.1.100 --ports

Include WHOIS information

malwoverview -i 192.168.1.100 --whois ```_

Bereichsanalyse

```bash

Domain reputation check

malwoverview -d suspicious-domain.com

Include subdomains

malwoverview -d domain.com --subdomains

DNS analysis

malwoverview -d domain.com --dns

Certificate analysis

malwoverview -d domain.com --certificate

Historical data

malwoverview -d domain.com --historical

Passive DNS

malwoverview -d domain.com --passive-dns ```_

Erweiterte Analyse

Threat Intelligence Integration

```bash

VirusTotal analysis

malwoverview -f file.exe --vt-only

Hybrid Analysis

malwoverview -f file.exe --ha-only

Multiple engines

malwoverview -f file.exe --engines vt,ha,urlvoid

Custom API keys

malwoverview -f file.exe --vt-api your_api_key

Rate limiting

malwoverview -f file.exe --rate-limit 4

Timeout settings

malwoverview -f file.exe --timeout 30 ```_

Metadatenextraktion

```bash

Extract PE metadata

malwoverview -f file.exe --pe-info

Extract strings

malwoverview -f file.exe --strings

Extract imports

malwoverview -f file.exe --imports

Extract exports

malwoverview -f file.exe --exports

Extract resources

malwoverview -f file.exe --resources

Extract certificates

malwoverview -f file.exe --certificates

All metadata

malwoverview -f file.exe --all-metadata ```_

Verhaltensanalyse

```bash

Dynamic analysis

malwoverview -f file.exe --dynamic

Sandbox analysis

malwoverview -f file.exe --sandbox cuckoo

Network behavior

malwoverview -f file.exe --network-behavior

File system behavior

malwoverview -f file.exe --fs-behavior

Registry behavior

malwoverview -f file.exe --registry-behavior

Process behavior

malwoverview -f file.exe --process-behavior ```_

Reporting und Output

Ausgabeformate

```bash

JSON output

malwoverview -f file.exe -o json

CSV output

malwoverview -f file.exe -o csv

XML output

malwoverview -f file.exe -o xml

HTML report

malwoverview -f file.exe -o html

PDF report

malwoverview -f file.exe -o pdf

Custom template

malwoverview -f file.exe --template custom_template.jinja2 ```_

Bericht Anpassung

```bash

Include specific sections

malwoverview -f file.exe --sections detection,metadata,behavior

Exclude sections

malwoverview -f file.exe --exclude-sections strings,imports

Custom report title

malwoverview -f file.exe --title "Malware Analysis Report"

Add analyst information

malwoverview -f file.exe --analyst "John Doe" --organization "Security Team"

Include timestamps

malwoverview -f file.exe --timestamps

Add executive summary

malwoverview -f file.exe --executive-summary ```_

Datenexport

```bash

Export to database

malwoverview -f file.exe --export-db sqlite:///analysis.db

Export to SIEM

malwoverview -f file.exe --export-siem splunk

Export to MISP

malwoverview -f file.exe --export-misp http://misp-server.com

Export IOCs

malwoverview -f file.exe --export-iocs iocs.txt

Export YARA rules

malwoverview -f file.exe --export-yara rules.yar

Export STIX

malwoverview -f file.exe --export-stix report.stix ```_

Automatisierung und Schrift

Batch Processing

```bash

Process hash list

cat << 'EOF' > hash_list.txt 5d41402abc4b2a76b9719d911017c592 aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae EOF

malwoverview -H @hash_list.txt -o json > batch_results.json

Process URL list

cat << 'EOF' > url_list.txt http://suspicious-site1.com http://malicious-domain.net http://phishing-site.org EOF

malwoverview -u @url_list.txt -o csv > url_analysis.csv ```_

Automatisierungsskripte

```bash

!/bin/bash

Automated malware analysis script

cat << 'EOF' > analyze_samples.sh

!/bin/bash

SAMPLE_DIR="/path/to/samples" OUTPUT_DIR="/path/to/reports" DATE=$(date +%Y%m%d_%H%M%S)

Create output directory

mkdir -p "\(OUTPUT_DIR/\)DATE"

Analyze all samples

for file in "\(SAMPLE_DIR"/*; do if [ -f "\)file" ]; then filename=\((basename "\)file") echo "Analyzing $filename..."

    malwoverview -f "$file" -o json > "$OUTPUT_DIR/$DATE/$\\\\{filename\\\\}.json"
    malwoverview -f "$file" -o html > "$OUTPUT_DIR/$DATE/$\\\\{filename\\\\}.html"

    # Extract IOCs
    malwoverview -f "$file" --export-iocs "$OUTPUT_DIR/$DATE/$\\\\{filename\\\\}_iocs.txt"
fi

done

Generate summary report

python3 generate_summary.py "\(OUTPUT_DIR/\)DATE" > "\(OUTPUT_DIR/\)DATE/summary.html"

echo "Analysis complete. Reports saved to \(OUTPUT_DIR/\)DATE" EOF

chmod +x analyze_samples.sh ```_

Python Integration

```python

!/usr/bin/env python3

Python wrapper for Malwoverview

import subprocess import json import sys

class MalwoverviewAPI: def init(self, config_file=None): self.config_file = config_file self.base_cmd = ['python3', 'malwoverview.py'] if config_file: self.base_cmd.extend(['-c', config_file])

def analyze_file(self, file_path, output_format='json'):
    cmd = self.base_cmd + ['-f', file_path, '-o', output_format]
    result = subprocess.run(cmd, capture_output=True, text=True)

    if result.returncode == 0:
        if output_format == 'json':
            return json.loads(result.stdout)
        return result.stdout
    else:
        raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")

def analyze_hash(self, hash_value, output_format='json'):
    cmd = self.base_cmd + ['-H', hash_value, '-o', output_format]
    result = subprocess.run(cmd, capture_output=True, text=True)

    if result.returncode == 0:
        if output_format == 'json':
            return json.loads(result.stdout)
        return result.stdout
    else:
        raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")

def analyze_url(self, url, output_format='json'):
    cmd = self.base_cmd + ['-u', url, '-o', output_format]
    result = subprocess.run(cmd, capture_output=True, text=True)

    if result.returncode == 0:
        if output_format == 'json':
            return json.loads(result.stdout)
        return result.stdout
    else:
        raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")

Usage example

if name == "main": api = MalwoverviewAPI()

# Analyze file
try:
    result = api.analyze_file('/path/to/sample.exe')
    print(f"Detection ratio: \\\\{result.get('detection_ratio', 'N/A')\\\\}")
    print(f"Threat level: \\\\{result.get('threat_level', 'N/A')\\\\}")
except Exception as e:
    print(f"Error: \\\\{e\\\\}")

```_

Integrationsbeispiele

SIEM Integration

```bash

Splunk integration

!/bin/bash

cat << 'EOF' > splunk_integration.sh

!/bin/bash

Analyze file and send to Splunk

analyze_and_send() \\{ local file="$1" local splunk_index="malware_analysis"

# Analyze file
result=$(malwoverview -f "$file" -o json)

# Send to Splunk
echo "$result"|curl -k -H "Authorization: Splunk $SPLUNK_TOKEN" \
    -X POST "$SPLUNK_HEC_URL/services/collector" \
    -d @- \
    -H "Content-Type: application/json"

\\}

Monitor directory for new samples

inotifywait -m -e create /path/to/samples --format '%w%f'|while read file; do analyze_and_send "$file" done EOF

chmod +x splunk_integration.sh ```_

MISP Integration

```python

!/usr/bin/env python3

MISP integration script

import requests import json import subprocess from pymisp import PyMISP

class MalwoverviewMISP: def init(self, misp_url, misp_key): self.misp = PyMISP(misp_url, misp_key, ssl=False)

def analyze_and_create_event(self, file_path, event_info):
    # Analyze with Malwoverview
    cmd = ['malwoverview', '-f', file_path, '-o', 'json']
    result = subprocess.run(cmd, capture_output=True, text=True)

    if result.returncode != 0:
        raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")

    analysis_data = json.loads(result.stdout)

    # Create MISP event
    event = self.misp.new_event(info=event_info)

    # Add file hash
    if 'md5' in analysis_data:
        self.misp.add_hashes(event, md5=analysis_data['md5'])

    if 'sha1' in analysis_data:
        self.misp.add_hashes(event, sha1=analysis_data['sha1'])

    if 'sha256' in analysis_data:
        self.misp.add_hashes(event, sha256=analysis_data['sha256'])

    # Add detection information
    if 'detections' in analysis_data:
        for detection in analysis_data['detections']:
            self.misp.add_attribute(event, 'text', detection['name'])

    # Add network indicators
    if 'network_indicators' in analysis_data:
        for indicator in analysis_data['network_indicators']:
            if indicator['type'] == 'domain':
                self.misp.add_attribute(event, 'domain', indicator['value'])
            elif indicator['type'] == 'ip':
                self.misp.add_attribute(event, 'ip-dst', indicator['value'])
            elif indicator['type'] == 'url':
                self.misp.add_attribute(event, 'url', indicator['value'])

    return event

Usage

misp_integration = MalwoverviewMISP('https://misp.example.com', 'your_api_key') event = misp_integration.analyze_and_create_event('/path/to/malware.exe', 'Malware Analysis') ```_

Threat Hunting Workflow

```bash

!/bin/bash

Automated threat hunting workflow

cat << 'EOF' > threat_hunting.sh

!/bin/bash

HUNT_DIR="/tmp/threat_hunt_\((date +%Y%m%d_%H%M%S)" mkdir -p "\)HUNT_DIR"

Function to analyze suspicious files

hunt_files() \\{ echo "Hunting for suspicious files..."

# Find recently modified executables
find /tmp /var/tmp -name "*.exe" -mtime -1 2>/dev/null|while read file; do
    echo "Analyzing: $file"
    malwoverview -f "$file" -o json > "$HUNT_DIR/$(basename $file).json"
done

# Find files with suspicious names
find / -name "*crypt*" -o -name "*hack*" -o -name "*payload*" 2>/dev/null|while read file; do
    if [ -f "$file" ]; then
        echo "Analyzing suspicious file: $file"
        malwoverview -f "$file" -o json > "$HUNT_DIR/suspicious_$(basename $file).json"
    fi
done

\\}

Function to analyze network connections

hunt_network() \\{ echo "Hunting for suspicious network activity..."

# Get active connections
netstat -an|grep ESTABLISHED|awk '\\\\{print $5\\\\}'|cut -d: -f1|sort -u|while read ip; do
    if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        echo "Analyzing IP: $ip"
        malwoverview -i "$ip" -o json > "$HUNT_DIR/ip_$ip.json"
    fi
done

\\}

Function to analyze suspicious domains

hunt_domains() \\{ echo "Hunting for suspicious domains..."

# Extract domains from browser history, logs, etc.
grep -h "http" /var/log/*.log 2>/dev/null|grep -oE 'https?://[^/]+'|cut -d/ -f3|sort -u|while read domain; do
    echo "Analyzing domain: $domain"
    malwoverview -d "$domain" -o json > "$HUNT_DIR/domain_$domain.json"
done

\\}

Execute hunting functions

hunt_files hunt_network hunt_domains

Generate summary report

echo "Generating threat hunting report..." python3 << 'PYTHON' import json import glob import os

hunt_dir = os.environ.get('HUNT_DIR', '/tmp/threat_hunt_latest') results = []

for json_file in glob.glob(f"\\{hunt_dir\\}/*.json"): try: with open(json_file, 'r') as f: data = json.load(f) if data.get('threat_level', 0) > 5: results.append(\\{ 'file': json_file, 'threat_level': data.get('threat_level'), 'detections': data.get('detections', []) \\}) except: continue

print(f"Threat Hunting Summary - \\{len(results)\\} high-risk items found:") for result in sorted(results, key=lambda x: x['threat_level'], reverse=True): print(f"- \\{result['file']\\}: Threat Level \\{result['threat_level']\\}") PYTHON

echo "Threat hunting complete. Results saved to $HUNT_DIR" EOF

chmod +x threat_hunting.sh ```_

Fehlerbehebung

Gemeinsame Themen

```bash

API key configuration issues

malwoverview --test-apis

Network connectivity issues

malwoverview --test-connectivity

Permission issues

sudo chown -R \(USER:\)USER ~/.malwoverview chmod 600 ~/.malwoverview/malwoverview.conf

Python dependency issues

pip3 install --upgrade requests colorama configparser pefile python-magic

File magic issues

sudo apt install libmagic1 libmagic-dev pip3 install --upgrade python-magic ```_

Debug Mode

```bash

Enable debug logging

malwoverview -f file.exe --debug

Verbose output

malwoverview -f file.exe -v

Log to file

malwoverview -f file.exe --log-file analysis.log

Test specific API

malwoverview --test-api virustotal

Check configuration

malwoverview --show-config ```_

Leistungsoptimierung

```bash

Increase timeout for slow APIs

malwoverview -f file.exe --timeout 60

Reduce rate limiting

malwoverview -f file.exe --rate-limit 1

Use caching

malwoverview -f file.exe --cache-results

Parallel processing

malwoverview -d /samples/ --threads 3

Memory optimization

export PYTHONOPTIMIZE=1 ulimit -v 1048576 # Limit virtual memory ```_

--

** Sicherheitshinweis*: Malwoverview ist ein Bedrohungsjagd- und Malware-Analyse-Tool, das verantwortungsvoll und entsprechend den geltenden Gesetzen und Vorschriften eingesetzt werden sollte. Wenn Sie verdächtige Dateien oder URLs analysieren, stellen Sie sicher, dass Sie eine richtige Berechtigung haben und in einer sicheren, isolierten Umgebung arbeiten. Das Tool integriert sich mit verschiedenen Drittanbieter-Diensten, so Achten Sie auf Daten Privatsphäre und Freigaberichtlinien. Überprüfen Sie immer die Legitimität der Proben vor der Analyse und folgen Sie den Vorfallreaktionsverfahren Ihrer Organisation bei der Bewältigung potenzieller Bedrohungen.

📚 Zusätzliche Ressourcen: - Malwoverview GitHub Repository - VirusTotal API Documentation - Hybrid Analysis API Dokumentation - Threat Intelligence Platforms Vergleich