Malwoverview Cheat Sheet
Überblick
Malwoverview ist ein umfassendes Bedrohungssuche- und Malware-Analyse-Tool, um Sicherheitsanalysten mit detaillierten Informationen über verdächtige Dateien, URLs und potenzielle Bedrohungen zu bieten. Als Python-basiertes Kommandozeilen-Dienstprogramm entwickelt, integriert Malwoverview mit mehreren Bedrohungsplattformen und Malware-Analyse-Diensten, um umfassende Bedrohungsbewertungen zu liefern. Das Tool dient als zentralisierte Schnittstelle zur Abfrage verschiedener Sicherheitsdienste, so dass Analysten schnell Informationen über potenzielle Bedrohungen sammeln können, ohne manuell auf mehrere Plattformen zuzugreifen.
Die primäre Stärke des Tools liegt in der Fähigkeit, Bedrohung Intelligenz aus verschiedenen Quellen zu aggregieren, einschließlich VirusTotal, Hybrid Analysis, URLVoid, Shodan und andere Sicherheitsdienste. Diese Aggregationsfähigkeit ermöglicht es Sicherheitsexperten, einen ganzheitlichen Blick auf potenzielle Bedrohungen zu erhalten, indem sie Informationen aus mehreren maßgeblichen Quellen korrelieren. Malwoverview unterstützt die Analyse verschiedener Artefakte wie File Hashes, URLs, IP-Adressen und Domains und macht sie vielseitig für verschiedene Bedrohungsjagdszenarien.
Malwoverview ist besonders wertvoll in Krisensituationen, in denen eine rasche Bedrohungsbewertung kritisch ist. Die automatisierten Abfragefähigkeiten des Tools können die Zeit, die benötigt wird, um Bedrohungsinformationen zu sammeln, erheblich reduzieren, sodass sich Analysten auf die Analyse und Entscheidungsfindung konzentrieren und nicht auf die manuelle Datenerfassung. Das Tool bietet auch strukturierte Ausgabeformate, die leicht in Sicherheits-Orchestrationsplattformen und auffallende Antwort-Workflows integriert werden können.
Das Framework unterstützt sowohl interaktive als auch Batch-Verarbeitungsmodi, die es Analysten ermöglichen, Single-Artefact-Analysen durchzuführen oder große Datensätze effizient zu verarbeiten. Seine modulare Architektur ermöglicht eine einfache Erweiterung und Anpassung, so dass es an spezifische organisatorische Anforderungen und Bedrohung Intelligenz Workflows angepasst werden kann. Die Protokollierungs- und Berichtsfähigkeiten des Tools bieten Audit-Strecken und erleichtern den Wissensaustausch zwischen Sicherheitsteams.
Installation
Voraussetzungen
```bash
Install Python and pip
sudo apt update sudo apt install python3 python3-pip git
Install required Python packages
pip3 install requests colorama configparser pefile python-magic
Install additional dependencies
sudo apt install libmagic1 libmagic-dev
For CentOS/RHEL
sudo yum install python3 python3-pip git file-devel pip3 install requests colorama configparser pefile python-magic
For macOS
brew install python3 git libmagic pip3 install requests colorama configparser pefile python-magic ```_
Standardinstallation
```bash
Clone Malwoverview repository
git clone https://github.com/alexandreborges/malwoverview.git cd malwoverview
Install Python dependencies
pip3 install -r requirements.txt
Make executable
chmod +x malwoverview.py
Test installation
python3 malwoverview.py --help
Create symbolic link for system-wide access
sudo ln -s $(pwd)/malwoverview.py /usr/local/bin/malwoverview ```_
Installation der virtuellen Umgebung
```bash
Create virtual environment
python3 -m venv malwoverview-env source malwoverview-env/bin/activate
Clone and install
git clone https://github.com/alexandreborges/malwoverview.git cd malwoverview pip install -r requirements.txt
Create activation script
cat << 'EOF' > activate-malwoverview.sh
!/bin/bash
source /path/to/malwoverview-env/bin/activate cd /path/to/malwoverview python3 malwoverview.py "$@" EOF
chmod +x activate-malwoverview.sh ```_
Docker Installation
```bash
Create Dockerfile
cat << 'EOF' > Dockerfile FROM python:3.9-slim
RUN apt-get update && apt-get install -y \ git \ libmagic1 \ libmagic-dev \ && rm -rf /var/lib/apt/lists/*
WORKDIR /app RUN git clone https://github.com/alexandreborges/malwoverview.git . RUN pip install -r requirements.txt
ENTRYPOINT ["python3", "malwoverview.py"] EOF
Build image
docker build -t malwoverview .
Run container
docker run --rm -it -v $(pwd)/config:/app/config malwoverview --help
Create alias
echo 'alias malwoverview="docker run --rm -it -v $(pwd)/config:/app/config malwoverview"' >> ~/.bashrc ```_
Konfiguration Setup
```bash
Create configuration directory
mkdir -p ~/.malwoverview
Create API configuration file
cat << 'EOF' > ~/.malwoverview/malwoverview.conf [VIRUSTOTAL] vtapi = your_virustotal_api_key
[HYBRIDANALYSIS] haapi = your_hybrid_analysis_api_key
[URLVOID] urlvoidapi = your_urlvoid_api_key
[SHODAN] shodanapi = your_shodan_api_key
[MALSHARE] malshareapi = your_malshare_api_key
[POLYSWARM] polyswarmapi = your_polyswarm_api_key
[ALIENVAULT] alienvaultapi = your_alienvault_api_key EOF
Set proper permissions
chmod 600 ~/.malwoverview/malwoverview.conf ```_
Basisnutzung
Kommandozeilenschnittstelle
```bash
Show help
malwoverview --help python3 malwoverview.py -h
Show version
malwoverview --version
Basic file analysis
malwoverview -f /path/to/suspicious_file.exe
Hash analysis
malwoverview -H md5_hash_here malwoverview -H sha1_hash_here malwoverview -H sha256_hash_here
URL analysis
malwoverview -u http://suspicious-domain.com
IP address analysis
malwoverview -i 192.168.1.100
Domain analysis
malwoverview -d suspicious-domain.com ```_
Konfigurationsoptionen
```bash
Use custom configuration file
malwoverview -c /path/to/custom.conf -f file.exe
Specify output format
malwoverview -f file.exe -o json malwoverview -f file.exe -o csv malwoverview -f file.exe -o xml
Enable verbose output
malwoverview -v -f file.exe
Quiet mode
malwoverview -q -f file.exe
Save output to file
malwoverview -f file.exe > analysis_report.txt malwoverview -f file.exe -o json > report.json ```_
Dateianalyse
Analyse von Dateien
```bash
Analyze executable file
malwoverview -f /path/to/malware.exe
Analyze document
malwoverview -f /path/to/document.pdf
Analyze script
malwoverview -f /path/to/script.js
Analyze with specific engines
malwoverview -f file.exe --engines virustotal,hybridanalysis
Force analysis even if cached
malwoverview -f file.exe --force
Include metadata extraction
malwoverview -f file.exe --metadata ```_
Batch Dateianalyse
```bash
Analyze multiple files
malwoverview -f file1.exe file2.dll file3.pdf
Analyze directory
malwoverview -d /path/to/malware_samples/
Recursive directory analysis
malwoverview -d /path/to/samples/ --recursive
Filter by file type
malwoverview -d /path/to/samples/ --filter ".exe,.dll"
Exclude certain files
malwoverview -d /path/to/samples/ --exclude ".txt,.log"
Parallel processing
malwoverview -d /path/to/samples/ --threads 5 ```_
Hash-basierte Analyse
```bash
MD5 hash analysis
malwoverview -H 5d41402abc4b2a76b9719d911017c592
SHA1 hash analysis
malwoverview -H aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
SHA256 hash analysis
malwoverview -H 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
Multiple hashes
malwoverview -H hash1,hash2,hash3
Hash list from file
malwoverview -H @hash_list.txt
Specific hash type
malwoverview -H hash_value --hash-type sha256 ```_
Netzwerkanalyse
URL Analyse
```bash
Single URL analysis
malwoverview -u http://suspicious-site.com
Multiple URLs
malwoverview -u http://site1.com,http://site2.com
URL list from file
malwoverview -u @url_list.txt
Include screenshot
malwoverview -u http://site.com --screenshot
Check redirects
malwoverview -u http://site.com --follow-redirects
Custom user agent
malwoverview -u http://site.com --user-agent "Mozilla/5.0..." ```_
IP-Adressenanalyse
```bash
Single IP analysis
malwoverview -i 192.168.1.100
Multiple IPs
malwoverview -i 192.168.1.100,10.0.0.1
IP range analysis
malwoverview -i 192.168.1.0/24
Include geolocation
malwoverview -i 192.168.1.100 --geolocation
Port scanning
malwoverview -i 192.168.1.100 --ports
Include WHOIS information
malwoverview -i 192.168.1.100 --whois ```_
Bereichsanalyse
```bash
Domain reputation check
malwoverview -d suspicious-domain.com
Include subdomains
malwoverview -d domain.com --subdomains
DNS analysis
malwoverview -d domain.com --dns
Certificate analysis
malwoverview -d domain.com --certificate
Historical data
malwoverview -d domain.com --historical
Passive DNS
malwoverview -d domain.com --passive-dns ```_
Erweiterte Analyse
Threat Intelligence Integration
```bash
VirusTotal analysis
malwoverview -f file.exe --vt-only
Hybrid Analysis
malwoverview -f file.exe --ha-only
Multiple engines
malwoverview -f file.exe --engines vt,ha,urlvoid
Custom API keys
malwoverview -f file.exe --vt-api your_api_key
Rate limiting
malwoverview -f file.exe --rate-limit 4
Timeout settings
malwoverview -f file.exe --timeout 30 ```_
Metadatenextraktion
```bash
Extract PE metadata
malwoverview -f file.exe --pe-info
Extract strings
malwoverview -f file.exe --strings
Extract imports
malwoverview -f file.exe --imports
Extract exports
malwoverview -f file.exe --exports
Extract resources
malwoverview -f file.exe --resources
Extract certificates
malwoverview -f file.exe --certificates
All metadata
malwoverview -f file.exe --all-metadata ```_
Verhaltensanalyse
```bash
Dynamic analysis
malwoverview -f file.exe --dynamic
Sandbox analysis
malwoverview -f file.exe --sandbox cuckoo
Network behavior
malwoverview -f file.exe --network-behavior
File system behavior
malwoverview -f file.exe --fs-behavior
Registry behavior
malwoverview -f file.exe --registry-behavior
Process behavior
malwoverview -f file.exe --process-behavior ```_
Reporting und Output
Ausgabeformate
```bash
JSON output
malwoverview -f file.exe -o json
CSV output
malwoverview -f file.exe -o csv
XML output
malwoverview -f file.exe -o xml
HTML report
malwoverview -f file.exe -o html
PDF report
malwoverview -f file.exe -o pdf
Custom template
malwoverview -f file.exe --template custom_template.jinja2 ```_
Bericht Anpassung
```bash
Include specific sections
malwoverview -f file.exe --sections detection,metadata,behavior
Exclude sections
malwoverview -f file.exe --exclude-sections strings,imports
Custom report title
malwoverview -f file.exe --title "Malware Analysis Report"
Add analyst information
malwoverview -f file.exe --analyst "John Doe" --organization "Security Team"
Include timestamps
malwoverview -f file.exe --timestamps
Add executive summary
malwoverview -f file.exe --executive-summary ```_
Datenexport
```bash
Export to database
malwoverview -f file.exe --export-db sqlite:///analysis.db
Export to SIEM
malwoverview -f file.exe --export-siem splunk
Export to MISP
malwoverview -f file.exe --export-misp http://misp-server.com
Export IOCs
malwoverview -f file.exe --export-iocs iocs.txt
Export YARA rules
malwoverview -f file.exe --export-yara rules.yar
Export STIX
malwoverview -f file.exe --export-stix report.stix ```_
Automatisierung und Schrift
Batch Processing
```bash
Process hash list
cat << 'EOF' > hash_list.txt 5d41402abc4b2a76b9719d911017c592 aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae EOF
malwoverview -H @hash_list.txt -o json > batch_results.json
Process URL list
cat << 'EOF' > url_list.txt http://suspicious-site1.com http://malicious-domain.net http://phishing-site.org EOF
malwoverview -u @url_list.txt -o csv > url_analysis.csv ```_
Automatisierungsskripte
```bash
!/bin/bash
Automated malware analysis script
cat << 'EOF' > analyze_samples.sh
!/bin/bash
SAMPLE_DIR="/path/to/samples" OUTPUT_DIR="/path/to/reports" DATE=$(date +%Y%m%d_%H%M%S)
Create output directory
mkdir -p "$OUTPUT_DIR/$DATE"
Analyze all samples
for file in "$SAMPLE_DIR"/*; do if [ -f "$file" ]; then filename=$(basename "$file") echo "Analyzing $filename..."
malwoverview -f "$file" -o json > "$OUTPUT_DIR/$DATE/$\\\\{filename\\\\}.json"
malwoverview -f "$file" -o html > "$OUTPUT_DIR/$DATE/$\\\\{filename\\\\}.html"
# Extract IOCs
malwoverview -f "$file" --export-iocs "$OUTPUT_DIR/$DATE/$\\\\{filename\\\\}_iocs.txt"
fi
done
Generate summary report
python3 generate_summary.py "$OUTPUT_DIR/$DATE" > "$OUTPUT_DIR/$DATE/summary.html"
echo "Analysis complete. Reports saved to $OUTPUT_DIR/$DATE" EOF
chmod +x analyze_samples.sh ```_
Python Integration
```python
!/usr/bin/env python3
Python wrapper for Malwoverview
import subprocess import json import sys
class MalwoverviewAPI: def init(self, config_file=None): self.config_file = config_file self.base_cmd = ['python3', 'malwoverview.py'] if config_file: self.base_cmd.extend(['-c', config_file])
def analyze_file(self, file_path, output_format='json'):
cmd = self.base_cmd + ['-f', file_path, '-o', output_format]
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode == 0:
if output_format == 'json':
return json.loads(result.stdout)
return result.stdout
else:
raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")
def analyze_hash(self, hash_value, output_format='json'):
cmd = self.base_cmd + ['-H', hash_value, '-o', output_format]
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode == 0:
if output_format == 'json':
return json.loads(result.stdout)
return result.stdout
else:
raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")
def analyze_url(self, url, output_format='json'):
cmd = self.base_cmd + ['-u', url, '-o', output_format]
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode == 0:
if output_format == 'json':
return json.loads(result.stdout)
return result.stdout
else:
raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")
Usage example
if name == "main": api = MalwoverviewAPI()
# Analyze file
try:
result = api.analyze_file('/path/to/sample.exe')
print(f"Detection ratio: \\\\{result.get('detection_ratio', 'N/A')\\\\}")
print(f"Threat level: \\\\{result.get('threat_level', 'N/A')\\\\}")
except Exception as e:
print(f"Error: \\\\{e\\\\}")
```_
Integrationsbeispiele
SIEM Integration
```bash
Splunk integration
!/bin/bash
cat << 'EOF' > splunk_integration.sh
!/bin/bash
Analyze file and send to Splunk
analyze_and_send() \\{ local file="$1" local splunk_index="malware_analysis"
# Analyze file
result=$(malwoverview -f "$file" -o json)
# Send to Splunk
echo "$result"|curl -k -H "Authorization: Splunk $SPLUNK_TOKEN" \
-X POST "$SPLUNK_HEC_URL/services/collector" \
-d @- \
-H "Content-Type: application/json"
\\}
Monitor directory for new samples
inotifywait -m -e create /path/to/samples --format '%w%f'|while read file; do analyze_and_send "$file" done EOF
chmod +x splunk_integration.sh ```_
MISP Integration
```python
!/usr/bin/env python3
MISP integration script
import requests import json import subprocess from pymisp import PyMISP
class MalwoverviewMISP: def init(self, misp_url, misp_key): self.misp = PyMISP(misp_url, misp_key, ssl=False)
def analyze_and_create_event(self, file_path, event_info):
# Analyze with Malwoverview
cmd = ['malwoverview', '-f', file_path, '-o', 'json']
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode != 0:
raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")
analysis_data = json.loads(result.stdout)
# Create MISP event
event = self.misp.new_event(info=event_info)
# Add file hash
if 'md5' in analysis_data:
self.misp.add_hashes(event, md5=analysis_data['md5'])
if 'sha1' in analysis_data:
self.misp.add_hashes(event, sha1=analysis_data['sha1'])
if 'sha256' in analysis_data:
self.misp.add_hashes(event, sha256=analysis_data['sha256'])
# Add detection information
if 'detections' in analysis_data:
for detection in analysis_data['detections']:
self.misp.add_attribute(event, 'text', detection['name'])
# Add network indicators
if 'network_indicators' in analysis_data:
for indicator in analysis_data['network_indicators']:
if indicator['type'] == 'domain':
self.misp.add_attribute(event, 'domain', indicator['value'])
elif indicator['type'] == 'ip':
self.misp.add_attribute(event, 'ip-dst', indicator['value'])
elif indicator['type'] == 'url':
self.misp.add_attribute(event, 'url', indicator['value'])
return event
Usage
misp_integration = MalwoverviewMISP('https://misp.example.com', 'your_api_key') event = misp_integration.analyze_and_create_event('/path/to/malware.exe', 'Malware Analysis') ```_
Threat Hunting Workflow
```bash
!/bin/bash
Automated threat hunting workflow
cat << 'EOF' > threat_hunting.sh
!/bin/bash
HUNT_DIR="/tmp/threat_hunt_$(date +%Y%m%d_%H%M%S)" mkdir -p "$HUNT_DIR"
Function to analyze suspicious files
hunt_files() \\{ echo "Hunting for suspicious files..."
# Find recently modified executables
find /tmp /var/tmp -name "*.exe" -mtime -1 2>/dev/null|while read file; do
echo "Analyzing: $file"
malwoverview -f "$file" -o json > "$HUNT_DIR/$(basename $file).json"
done
# Find files with suspicious names
find / -name "*crypt*" -o -name "*hack*" -o -name "*payload*" 2>/dev/null|while read file; do
if [ -f "$file" ]; then
echo "Analyzing suspicious file: $file"
malwoverview -f "$file" -o json > "$HUNT_DIR/suspicious_$(basename $file).json"
fi
done
\\}
Function to analyze network connections
hunt_network() \\{ echo "Hunting for suspicious network activity..."
# Get active connections
| netstat -an | grep ESTABLISHED | awk '\\{print $5\\}' | cut -d: -f1 | sort -u | while read ip; do | if [[ $ip =~ ^[0-9]+.[0-9]+.[0-9]+.[0-9]+$ ]]; then echo "Analyzing IP: $ip" malwoverview -i "$ip" -o json > "$HUNT_DIR/ip_$ip.json" fi done \\}
Function to analyze suspicious domains
hunt_domains() \\{ echo "Hunting for suspicious domains..."
# Extract domains from browser history, logs, etc.
| grep -h "http" /var/log/*.log 2>/dev/null | grep -oE 'https?://[^/]+' | cut -d/ -f3 | sort -u | while read domain; do | echo "Analyzing domain: $domain" malwoverview -d "$domain" -o json > "$HUNT_DIR/domain_$domain.json" done \\}
Execute hunting functions
hunt_files hunt_network hunt_domains
Generate summary report
echo "Generating threat hunting report..." python3 << 'PYTHON' import json import glob import os
hunt_dir = os.environ.get('HUNT_DIR', '/tmp/threat_hunt_latest') results = []
for json_file in glob.glob(f"\\{hunt_dir\\}/*.json"): try: with open(json_file, 'r') as f: data = json.load(f) if data.get('threat_level', 0) > 5: results.append(\\{ 'file': json_file, 'threat_level': data.get('threat_level'), 'detections': data.get('detections', []) \\}) except: continue
print(f"Threat Hunting Summary - \\{len(results)\\} high-risk items found:") for result in sorted(results, key=lambda x: x['threat_level'], reverse=True): print(f"- \\{result['file']\\}: Threat Level \\{result['threat_level']\\}") PYTHON
echo "Threat hunting complete. Results saved to $HUNT_DIR" EOF
chmod +x threat_hunting.sh ```_
Fehlerbehebung
Gemeinsame Themen
```bash
API key configuration issues
malwoverview --test-apis
Network connectivity issues
malwoverview --test-connectivity
Permission issues
sudo chown -R $USER:$USER ~/.malwoverview chmod 600 ~/.malwoverview/malwoverview.conf
Python dependency issues
pip3 install --upgrade requests colorama configparser pefile python-magic
File magic issues
sudo apt install libmagic1 libmagic-dev pip3 install --upgrade python-magic ```_
Debug Mode
```bash
Enable debug logging
malwoverview -f file.exe --debug
Verbose output
malwoverview -f file.exe -v
Log to file
malwoverview -f file.exe --log-file analysis.log
Test specific API
malwoverview --test-api virustotal
Check configuration
malwoverview --show-config ```_
Leistungsoptimierung
```bash
Increase timeout for slow APIs
malwoverview -f file.exe --timeout 60
Reduce rate limiting
malwoverview -f file.exe --rate-limit 1
Use caching
malwoverview -f file.exe --cache-results
Parallel processing
malwoverview -d /samples/ --threads 3
Memory optimization
export PYTHONOPTIMIZE=1 ulimit -v 1048576 # Limit virtual memory ```_
--
** Sicherheitshinweis*: Malwoverview ist ein Bedrohungsjagd- und Malware-Analyse-Tool, das verantwortungsvoll und entsprechend den geltenden Gesetzen und Vorschriften eingesetzt werden sollte. Wenn Sie verdächtige Dateien oder URLs analysieren, stellen Sie sicher, dass Sie eine richtige Berechtigung haben und in einer sicheren, isolierten Umgebung arbeiten. Das Tool integriert sich mit verschiedenen Drittanbieter-Diensten, so Achten Sie auf Daten Privatsphäre und Freigaberichtlinien. Überprüfen Sie immer die Legitimität der Proben vor der Analyse und folgen Sie den Vorfallreaktionsverfahren Ihrer Organisation bei der Bewältigung potenzieller Bedrohungen.
📚 Zusätzliche Ressourcen: - Malwoverview GitHub Repository - VirusTotal API Documentation - Hybrid Analysis API Dokumentation - Threat Intelligence Platforms Vergleich