__FRONTMATTER_38_# Malwoverview Cheat Sheet

HTML_TAG_28_ __HTML_TAG_29_ Tutti i comandi_HTML_TAG_30 📄 Generare PDF__HTML_TAG_32_ __HTML_TAG_33_

Panoramica

Malwoverview è uno strumento di analisi di minacce e malware completo progettato per fornire agli analisti di sicurezza informazioni dettagliate su file sospetti, URL e potenziali minacce. Sviluppato come un programma di utilità di linea di comando basato su Python, Malwoverview si integra con più piattaforme di intelligence minaccia e servizi di analisi malware per fornire valutazioni complete delle minacce. Lo strumento funge da interfaccia centralizzata per interrogare vari servizi di sicurezza, consentendo agli analisti di raccogliere rapidamente informazioni sulle potenziali minacce senza accedere manualmente a più piattaforme.

La forza primaria dello strumento risiede nella sua capacità di aggregare l'intelligenza della minaccia da diverse fonti, tra cui VirusTotal, Hybrid Analysis, URLVoid, Shodan e altri servizi di sicurezza. Questa capacità di aggregazione consente ai professionisti della sicurezza di ottenere una visione olistica delle potenziali minacce correlando le informazioni da fonti autorevoli multiple. Malwoverview supporta l'analisi di vari tipi di artefatti tra cui file hashes, URL, indirizzi IP e domini, rendendolo versatile per diversi scenari di caccia alle minacce.

Malwoverview è particolarmente utile negli scenari di risposta agli incidenti in cui la rapida valutazione delle minacce è critica. Le funzionalità di querying automatizzate dello strumento possono ridurre significativamente il tempo necessario per raccogliere informazioni sulle minacce, consentendo agli analisti di concentrarsi sull'analisi e sul processo decisionale piuttosto che sulla raccolta manuale dei dati. Lo strumento fornisce anche formati di output strutturati che possono essere facilmente integrati in piattaforme di orchestrazione di sicurezza e flussi di lavoro di risposta incidente.

Il framework supporta sia le modalità di elaborazione interattive che batch, consentendo agli analisti di eseguire un'analisi a singolo articolo o elaborare in modo efficiente grandi set di dati. La sua architettura modulare consente una facile estensione e personalizzazione, rendendola adattabile a specifiche esigenze organizzative e ai flussi di lavoro di intelligenza delle minacce. Le funzionalità di registrazione e reporting dello strumento forniscono percorsi di audit e facilitano la condivisione delle conoscenze tra i team di sicurezza.

Installazione

Prerequisiti

# Install Python and pip
sudo apt update
sudo apt install python3 python3-pip git

# Install required Python packages
pip3 install requests colorama configparser pefile python-magic

# Install additional dependencies
sudo apt install libmagic1 libmagic-dev

# For CentOS/RHEL
sudo yum install python3 python3-pip git file-devel
pip3 install requests colorama configparser pefile python-magic

# For macOS
brew install python3 git libmagic
pip3 install requests colorama configparser pefile python-magic

Installazione standard

# Clone Malwoverview repository
git clone https://github.com/alexandreborges/malwoverview.git
cd malwoverview

# Install Python dependencies
pip3 install -r requirements.txt

# Make executable
chmod +x malwoverview.py

# Test installation
python3 malwoverview.py --help

# Create symbolic link for system-wide access
sudo ln -s $(pwd)/malwoverview.py /usr/local/bin/malwoverview

Installazione ambiente virtuale

# Create virtual environment
python3 -m venv malwoverview-env
source malwoverview-env/bin/activate

# Clone and install
git clone https://github.com/alexandreborges/malwoverview.git
cd malwoverview
pip install -r requirements.txt

# Create activation script
cat << 'EOF' > activate-malwoverview.sh
#!/bin/bash
source /path/to/malwoverview-env/bin/activate
cd /path/to/malwoverview
python3 malwoverview.py "$@"
EOF

chmod +x activate-malwoverview.sh

Installazione Docker

# Create Dockerfile
cat << 'EOF' > Dockerfile
FROM python:3.9-slim

RUN apt-get update && apt-get install -y \
    git \
    libmagic1 \
    libmagic-dev \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app
RUN git clone https://github.com/alexandreborges/malwoverview.git .
RUN pip install -r requirements.txt

ENTRYPOINT ["python3", "malwoverview.py"]
EOF

# Build image
docker build -t malwoverview .

# Run container
docker run --rm -it -v $(pwd)/config:/app/config malwoverview --help

# Create alias
echo 'alias malwoverview="docker run --rm -it -v $(pwd)/config:/app/config malwoverview"' >> ~/.bashrc

Configurazione configurazione

# Create configuration directory
mkdir -p ~/.malwoverview

# Create API configuration file
cat << 'EOF' > ~/.malwoverview/malwoverview.conf
[VIRUSTOTAL]
vtapi = your_virustotal_api_key

[HYBRIDANALYSIS]
haapi = your_hybrid_analysis_api_key

[URLVOID]
urlvoidapi = your_urlvoid_api_key

[SHODAN]
shodanapi = your_shodan_api_key

[MALSHARE]
malshareapi = your_malshare_api_key

[POLYSWARM]
polyswarmapi = your_polyswarm_api_key

[ALIENVAULT]
alienvaultapi = your_alienvault_api_key
EOF

# Set proper permissions
chmod 600 ~/.malwoverview/malwoverview.conf

Uso di base

Linea di comando Interfaccia

# Show help
malwoverview --help
python3 malwoverview.py -h

# Show version
malwoverview --version

# Basic file analysis
malwoverview -f /path/to/suspicious_file.exe

# Hash analysis
malwoverview -H md5_hash_here
malwoverview -H sha1_hash_here
malwoverview -H sha256_hash_here

# URL analysis
malwoverview -u http://suspicious-domain.com

# IP address analysis
malwoverview -i 192.168.1.100

# Domain analysis
malwoverview -d suspicious-domain.com

Opzioni di configurazione

# Use custom configuration file
malwoverview -c /path/to/custom.conf -f file.exe

# Specify output format
malwoverview -f file.exe -o json
malwoverview -f file.exe -o csv
malwoverview -f file.exe -o xml

# Enable verbose output
malwoverview -v -f file.exe

# Quiet mode
malwoverview -q -f file.exe

# Save output to file
malwoverview -f file.exe > analysis_report.txt
malwoverview -f file.exe -o json > report.json

Analisi file

Analisi dei file singoli

# Analyze executable file
malwoverview -f /path/to/malware.exe

# Analyze document
malwoverview -f /path/to/document.pdf

# Analyze script
malwoverview -f /path/to/script.js

# Analyze with specific engines
malwoverview -f file.exe --engines virustotal,hybridanalysis

# Force analysis even if cached
malwoverview -f file.exe --force

# Include metadata extraction
malwoverview -f file.exe --metadata

Batch File Analysis

# Analyze multiple files
malwoverview -f file1.exe file2.dll file3.pdf

# Analyze directory
malwoverview -d /path/to/malware_samples/

# Recursive directory analysis
malwoverview -d /path/to/samples/ --recursive

# Filter by file type
malwoverview -d /path/to/samples/ --filter "*.exe,*.dll"

# Exclude certain files
malwoverview -d /path/to/samples/ --exclude "*.txt,*.log"

# Parallel processing
malwoverview -d /path/to/samples/ --threads 5

Hash-Based Analysis

# MD5 hash analysis
malwoverview -H 5d41402abc4b2a76b9719d911017c592

# SHA1 hash analysis
malwoverview -H aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d

# SHA256 hash analysis
malwoverview -H 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae

# Multiple hashes
malwoverview -H hash1,hash2,hash3

# Hash list from file
malwoverview -H @hash_list.txt

# Specific hash type
malwoverview -H hash_value --hash-type sha256

Analisi della rete

URL Analysis

# Single URL analysis
malwoverview -u http://suspicious-site.com

# Multiple URLs
malwoverview -u http://site1.com,http://site2.com

# URL list from file
malwoverview -u @url_list.txt

# Include screenshot
malwoverview -u http://site.com --screenshot

# Check redirects
malwoverview -u http://site.com --follow-redirects

# Custom user agent
malwoverview -u http://site.com --user-agent "Mozilla/5.0..."

Analisi degli indirizzi IP

# Single IP analysis
malwoverview -i 192.168.1.100

# Multiple IPs
malwoverview -i 192.168.1.100,10.0.0.1

# IP range analysis
malwoverview -i 192.168.1.0/24

# Include geolocation
malwoverview -i 192.168.1.100 --geolocation

# Port scanning
malwoverview -i 192.168.1.100 --ports

# Include WHOIS information
malwoverview -i 192.168.1.100 --whois

Analisi del dominio

# Domain reputation check
malwoverview -d suspicious-domain.com

# Include subdomains
malwoverview -d domain.com --subdomains

# DNS analysis
malwoverview -d domain.com --dns

# Certificate analysis
malwoverview -d domain.com --certificate

# Historical data
malwoverview -d domain.com --historical

# Passive DNS
malwoverview -d domain.com --passive-dns

Analisi avanzata

Threat Intelligence Integration

# VirusTotal analysis
malwoverview -f file.exe --vt-only

# Hybrid Analysis
malwoverview -f file.exe --ha-only

# Multiple engines
malwoverview -f file.exe --engines vt,ha,urlvoid

# Custom API keys
malwoverview -f file.exe --vt-api your_api_key

# Rate limiting
malwoverview -f file.exe --rate-limit 4

# Timeout settings
malwoverview -f file.exe --timeout 30

Metadata Extraction

# Extract PE metadata
malwoverview -f file.exe --pe-info

# Extract strings
malwoverview -f file.exe --strings

# Extract imports
malwoverview -f file.exe --imports

# Extract exports
malwoverview -f file.exe --exports

# Extract resources
malwoverview -f file.exe --resources

# Extract certificates
malwoverview -f file.exe --certificates

# All metadata
malwoverview -f file.exe --all-metadata

Analisi comportamentale

# Dynamic analysis
malwoverview -f file.exe --dynamic

# Sandbox analysis
malwoverview -f file.exe --sandbox cuckoo

# Network behavior
malwoverview -f file.exe --network-behavior

# File system behavior
malwoverview -f file.exe --fs-behavior

# Registry behavior
malwoverview -f file.exe --registry-behavior

# Process behavior
malwoverview -f file.exe --process-behavior

Reporting and Output

Formati di output

# JSON output
malwoverview -f file.exe -o json

# CSV output
malwoverview -f file.exe -o csv

# XML output
malwoverview -f file.exe -o xml

# HTML report
malwoverview -f file.exe -o html

# PDF report
malwoverview -f file.exe -o pdf

# Custom template
malwoverview -f file.exe --template custom_template.jinja2

Report Personalizzazione

# Include specific sections
malwoverview -f file.exe --sections detection,metadata,behavior

# Exclude sections
malwoverview -f file.exe --exclude-sections strings,imports

# Custom report title
malwoverview -f file.exe --title "Malware Analysis Report"

# Add analyst information
malwoverview -f file.exe --analyst "John Doe" --organization "Security Team"

# Include timestamps
malwoverview -f file.exe --timestamps

# Add executive summary
malwoverview -f file.exe --executive-summary

Esportazione dei dati

# Export to database
malwoverview -f file.exe --export-db sqlite:///analysis.db

# Export to SIEM
malwoverview -f file.exe --export-siem splunk

# Export to MISP
malwoverview -f file.exe --export-misp http://misp-server.com

# Export IOCs
malwoverview -f file.exe --export-iocs iocs.txt

# Export YARA rules
malwoverview -f file.exe --export-yara rules.yar

# Export STIX
malwoverview -f file.exe --export-stix report.stix

Automation and Scripting

Elaborazione batch

# Process hash list
cat << 'EOF' > hash_list.txt
5d41402abc4b2a76b9719d911017c592
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
EOF

malwoverview -H @hash_list.txt -o json > batch_results.json

# Process URL list
cat << 'EOF' > url_list.txt
http://suspicious-site1.com
http://malicious-domain.net
http://phishing-site.org
EOF

malwoverview -u @url_list.txt -o csv > url_analysis.csv

Automation Scripts

#!/bin/bash
# Automated malware analysis script
cat << 'EOF' > analyze_samples.sh
#!/bin/bash

SAMPLE_DIR="/path/to/samples"
OUTPUT_DIR="/path/to/reports"
DATE=$(date +%Y%m%d_%H%M%S)

# Create output directory
mkdir -p "$OUTPUT_DIR/$DATE"

# Analyze all samples
for file in "$SAMPLE_DIR"/*; do
    if [ -f "$file" ]; then
        filename=$(basename "$file")
        echo "Analyzing $filename..."

        malwoverview -f "$file" -o json > "$OUTPUT_DIR/$DATE/$\\\\{filename\\\\}.json"
        malwoverview -f "$file" -o html > "$OUTPUT_DIR/$DATE/$\\\\{filename\\\\}.html"

        # Extract IOCs
        malwoverview -f "$file" --export-iocs "$OUTPUT_DIR/$DATE/$\\\\{filename\\\\}_iocs.txt"
    fi
done

# Generate summary report
python3 generate_summary.py "$OUTPUT_DIR/$DATE" > "$OUTPUT_DIR/$DATE/summary.html"

echo "Analysis complete. Reports saved to $OUTPUT_DIR/$DATE"
EOF

chmod +x analyze_samples.sh

Python Integration

#!/usr/bin/env python3
# Python wrapper for Malwoverview
import subprocess
import json
import sys

class MalwoverviewAPI:
    def __init__(self, config_file=None):
        self.config_file = config_file
        self.base_cmd = ['python3', 'malwoverview.py']
        if config_file:
            self.base_cmd.extend(['-c', config_file])

    def analyze_file(self, file_path, output_format='json'):
        cmd = self.base_cmd + ['-f', file_path, '-o', output_format]
        result = subprocess.run(cmd, capture_output=True, text=True)

        if result.returncode == 0:
            if output_format == 'json':
                return json.loads(result.stdout)
            return result.stdout
        else:
            raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")

    def analyze_hash(self, hash_value, output_format='json'):
        cmd = self.base_cmd + ['-H', hash_value, '-o', output_format]
        result = subprocess.run(cmd, capture_output=True, text=True)

        if result.returncode == 0:
            if output_format == 'json':
                return json.loads(result.stdout)
            return result.stdout
        else:
            raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")

    def analyze_url(self, url, output_format='json'):
        cmd = self.base_cmd + ['-u', url, '-o', output_format]
        result = subprocess.run(cmd, capture_output=True, text=True)

        if result.returncode == 0:
            if output_format == 'json':
                return json.loads(result.stdout)
            return result.stdout
        else:
            raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")

# Usage example
if __name__ == "__main__":
    api = MalwoverviewAPI()

    # Analyze file
    try:
        result = api.analyze_file('/path/to/sample.exe')
        print(f"Detection ratio: \\\\{result.get('detection_ratio', 'N/A')\\\\}")
        print(f"Threat level: \\\\{result.get('threat_level', 'N/A')\\\\}")
    except Exception as e:
        print(f"Error: \\\\{e\\\\}")

Esempi di integrazione

SIEM Integrazione

# Splunk integration
#!/bin/bash
cat << 'EOF' > splunk_integration.sh
#!/bin/bash

# Analyze file and send to Splunk
analyze_and_send() \\\\{
    local file="$1"
    local splunk_index="malware_analysis"

    # Analyze file
    result=$(malwoverview -f "$file" -o json)

    # Send to Splunk
    echo "$result"|curl -k -H "Authorization: Splunk $SPLUNK_TOKEN" \
        -X POST "$SPLUNK_HEC_URL/services/collector" \
        -d @- \
        -H "Content-Type: application/json"
\\\\}

# Monitor directory for new samples
inotifywait -m -e create /path/to/samples --format '%w%f'|while read file; do
    analyze_and_send "$file"
done
EOF

chmod +x splunk_integration.sh

MISP Integrazione

#!/usr/bin/env python3
# MISP integration script
import requests
import json
import subprocess
from pymisp import PyMISP

class MalwoverviewMISP:
    def __init__(self, misp_url, misp_key):
        self.misp = PyMISP(misp_url, misp_key, ssl=False)

    def analyze_and_create_event(self, file_path, event_info):
        # Analyze with Malwoverview
        cmd = ['malwoverview', '-f', file_path, '-o', 'json']
        result = subprocess.run(cmd, capture_output=True, text=True)

        if result.returncode != 0:
            raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")

        analysis_data = json.loads(result.stdout)

        # Create MISP event
        event = self.misp.new_event(info=event_info)

        # Add file hash
        if 'md5' in analysis_data:
            self.misp.add_hashes(event, md5=analysis_data['md5'])

        if 'sha1' in analysis_data:
            self.misp.add_hashes(event, sha1=analysis_data['sha1'])

        if 'sha256' in analysis_data:
            self.misp.add_hashes(event, sha256=analysis_data['sha256'])

        # Add detection information
        if 'detections' in analysis_data:
            for detection in analysis_data['detections']:
                self.misp.add_attribute(event, 'text', detection['name'])

        # Add network indicators
        if 'network_indicators' in analysis_data:
            for indicator in analysis_data['network_indicators']:
                if indicator['type'] == 'domain':
                    self.misp.add_attribute(event, 'domain', indicator['value'])
                elif indicator['type'] == 'ip':
                    self.misp.add_attribute(event, 'ip-dst', indicator['value'])
                elif indicator['type'] == 'url':
                    self.misp.add_attribute(event, 'url', indicator['value'])

        return event

# Usage
misp_integration = MalwoverviewMISP('https://misp.example.com', 'your_api_key')
event = misp_integration.analyze_and_create_event('/path/to/malware.exe', 'Malware Analysis')

Threat Hunting Workflow

#!/bin/bash
# Automated threat hunting workflow
cat << 'EOF' > threat_hunting.sh
#!/bin/bash

HUNT_DIR="/tmp/threat_hunt_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$HUNT_DIR"

# Function to analyze suspicious files
hunt_files() \\\\{
    echo "Hunting for suspicious files..."

    # Find recently modified executables
    find /tmp /var/tmp -name "*.exe" -mtime -1 2>/dev/null|while read file; do
        echo "Analyzing: $file"
        malwoverview -f "$file" -o json > "$HUNT_DIR/$(basename $file).json"
    done

    # Find files with suspicious names
    find / -name "*crypt*" -o -name "*hack*" -o -name "*payload*" 2>/dev/null|while read file; do
        if [ -f "$file" ]; then
            echo "Analyzing suspicious file: $file"
            malwoverview -f "$file" -o json > "$HUNT_DIR/suspicious_$(basename $file).json"
        fi
    done
\\\\}

# Function to analyze network connections
hunt_network() \\\\{
    echo "Hunting for suspicious network activity..."

    # Get active connections
    netstat -an|grep ESTABLISHED|awk '\\\\{print $5\\\\}'|cut -d: -f1|sort -u|while read ip; do
        if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Analyzing IP: $ip"
            malwoverview -i "$ip" -o json > "$HUNT_DIR/ip_$ip.json"
        fi
    done
\\\\}

# Function to analyze suspicious domains
hunt_domains() \\\\{
    echo "Hunting for suspicious domains..."

    # Extract domains from browser history, logs, etc.
    grep -h "http" /var/log/*.log 2>/dev/null|grep -oE 'https?://[^/]+'|cut -d/ -f3|sort -u|while read domain; do
        echo "Analyzing domain: $domain"
        malwoverview -d "$domain" -o json > "$HUNT_DIR/domain_$domain.json"
    done
\\\\}

# Execute hunting functions
hunt_files
hunt_network
hunt_domains

# Generate summary report
echo "Generating threat hunting report..."
python3 << 'PYTHON'
import json
import glob
import os

hunt_dir = os.environ.get('HUNT_DIR', '/tmp/threat_hunt_latest')
results = []

for json_file in glob.glob(f"\\\\{hunt_dir\\\\}/*.json"):
    try:
        with open(json_file, 'r') as f:
            data = json.load(f)
            if data.get('threat_level', 0) > 5:
                results.append(\\\\{
                    'file': json_file,
                    'threat_level': data.get('threat_level'),
                    'detections': data.get('detections', [])
                \\\\})
    except:
        continue

print(f"Threat Hunting Summary - \\\\{len(results)\\\\} high-risk items found:")
for result in sorted(results, key=lambda x: x['threat_level'], reverse=True):
    print(f"- \\\\{result['file']\\\\}: Threat Level \\\\{result['threat_level']\\\\}")
PYTHON

echo "Threat hunting complete. Results saved to $HUNT_DIR"
EOF

chmod +x threat_hunting.sh

Risoluzione dei problemi

Questioni comuni

# API key configuration issues
malwoverview --test-apis

# Network connectivity issues
malwoverview --test-connectivity

# Permission issues
sudo chown -R $USER:$USER ~/.malwoverview
chmod 600 ~/.malwoverview/malwoverview.conf

# Python dependency issues
pip3 install --upgrade requests colorama configparser pefile python-magic

# File magic issues
sudo apt install libmagic1 libmagic-dev
pip3 install --upgrade python-magic

Debug Mode

# Enable debug logging
malwoverview -f file.exe --debug

# Verbose output
malwoverview -f file.exe -v

# Log to file
malwoverview -f file.exe --log-file analysis.log

# Test specific API
malwoverview --test-api virustotal

# Check configuration
malwoverview --show-config

Ottimizzazione delle prestazioni

# Increase timeout for slow APIs
malwoverview -f file.exe --timeout 60

# Reduce rate limiting
malwoverview -f file.exe --rate-limit 1

# Use caching
malwoverview -f file.exe --cache-results

# Parallel processing
malwoverview -d /samples/ --threads 3

# Memory optimization
export PYTHONOPTIMIZE=1
ulimit -v 1048576  # Limit virtual memory

---

Avviso di sicurezza**: Malwoverview è uno strumento di ricerca di minacce e analisi malware che dovrebbe essere utilizzato in modo responsabile e in conformità con le leggi e le normative applicabili. Quando si analizzano file o URL sospetti, assicurarsi di avere una corretta autorizzazione e sono operativi in un ambiente sicuro e isolato. Lo strumento si integra con vari servizi di terze parti, quindi fai attenzione alla privacy dei dati e alle politiche di condivisione. Verificare sempre la legittimità dei campioni prima dell'analisi e seguire le procedure di risposta degli incidenti della vostra organizzazione quando si tratta di potenziali minacce.

Risorse aggiuntive**:

• Malwoverview GitHub Repository
• VirusTotal API Documentation_
• Documentazione API Analisi Hybrid
• Treat Intelligence Platforms Comparison