A few days ago I finished improving the previous script and added private API support, so a very big thank you to the VirusTotal team for this :)
I will show a few options with examples; for all options see the usage.
Important! Some functions, such as behaviour, have many sub-options; if you want to activate all of them, just use -v/--verbose. Verbose mode also gives more details in a report.
You can use the --dump option to dump the JSON to a file and analyse it afterwards. You can combine this with a report, so you see the report and dump it to a file at the same time, and later pass the file as the parameter instead of the hash/scan-id/url/etc.
File scan:
Important: if the file has been scanned before, you will get the existing report and the file will not be uploaded again.
Files bigger than 32 MB are ignored and you will see a warning with the file name.
You can use a name/path wildcard such as: /home/user/malware*/*Zeus*
vt.py -f path_to_file
vt.py -f path_to_file -v # in verbose mode you also see the per-AV detections
URL scan and report:
Depending on the API: with a public API key you can scan up to 4 URLs, with a private API key up to 25 URLs.
Example for scanning 2 URLs/domains:
python vt.py -ur google.com virustotal.com
If you try to get a report and the URL/domain has not been scanned before, you can submit it for scanning in the same run with this option:
python vt.py -ur -u google.com virustotal.com
If you want to add it directly to scan/rescan, just execute:
python vt.py -u google.com virustotal.com
Report search:
Here you can use an md5/sha1/sha256 hash or a scan-id
python vt.py -s 99017f6eebbac24f351415dd410d522d
MD5 : 99017f6eebbac24f351415dd410d522d
SHA1 : 4d1740485713a2ab3a4f5822a01f645fe8387f92
SHA256 : 52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c
Scan Date : 2013-11-02 05:21:11
Detections:
39/46 Positives/Total
The output is very long, so this is only a part of it.
Permanent link : https://www.virustotal.com/file/52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c/analysis/1383369671/
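The report above, in JSON form, is exactly what --dump writes to disk. As an added example (not part of the original post or of vt.py), here is a small parser for such a dumped file report: it checks that VirusTotal actually knows the resource, lists the engines that flagged it (what -v prints), and computes how old the cached report is, since a previously scanned file returns the old report instead of being uploaded again. The report structure follows the VirusTotal v2 file report; the sample values and engine names are constructed.

```python
import json
from datetime import datetime

# Constructed sample of a dumped v2 file report (engine names and verdicts are made up).
SAMPLE_REPORT = json.dumps({
    "response_code": 1,
    "resource": "99017f6eebbac24f351415dd410d522d",
    "md5": "99017f6eebbac24f351415dd410d522d",
    "sha256": "52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c",
    "scan_date": "2013-11-02 05:21:11",
    "positives": 3,
    "total": 4,
    "scans": {
        "EngineA": {"detected": True,  "result": "Trojan.Sample.A", "update": "20131102"},
        "EngineB": {"detected": True,  "result": "Sample.Gen",      "update": "20131102"},
        "EngineC": {"detected": False, "result": None,              "update": "20131101"},
        "EngineD": {"detected": True,  "result": "Win32/Sample",    "update": "20131102"},
    },
})

def load_report(raw):
    """Parse a dumped report; response_code 0 means VT has never seen the resource."""
    report = json.loads(raw)
    if report.get("response_code") != 1:
        return None
    return report

def detections(report):
    """Return {engine: verdict} for every engine that flagged the sample."""
    return {av: info.get("result") for av, info in report.get("scans", {}).items()
            if info.get("detected")}

def report_age_days(report, now):
    """Days between the cached scan_date and 'now'; a large value suggests a rescan."""
    scanned = datetime.strptime(report["scan_date"], "%Y-%m-%d %H:%M:%S")
    return (now - scanned).days

def summarize(raw, now=None):
    """Condense a dumped report into the fields the post prints: hashes, ratio, hits, age."""
    report = load_report(raw)
    if report is None:
        return None
    hits = detections(report)
    return {
        "sha256": report["sha256"],
        "ratio": "%d/%d" % (report["positives"], report["total"]),
        "detections": hits,
        "consistent": report["positives"] == len(hits),  # positives should equal flagged engines
        "age_days": report_age_days(report, now or datetime.now()),
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```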
Domain search:
Get the resolver IP and date for the domain
python vt.py -d http://027.ru --dump -v # public API
Get all domain info: # the same command, but with the private API
You can get all info with verbose mode, or activate only the options you want to see; see usage
Get IP info:
python vt.py -i ip/json_dump # public API
Search report:
python vt.py -s 99017f6eebbac24f351415dd410d522d # private API example
ExifTool file metadata:
<cut>
Permanent link : https://www.virustotal.com/file/52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c/analysis/1382633189/
Cluster info:
python vt.py --cluster 2013-10-01
Distribution:
python vt.py --distribution-files --report --limit 1
python vt.py --distribution-urls
Permanent link : https://www.virustotal.com/url/6df0f88d03421a4c202bb6151d4b16666be0d8fac3780d387a5b818ca824d6b7/analysis/1383121114/
Get comments:
Behaviour:
This is a heavily cut output of the behaviour report, because the full one is very long
And much more!
Process Tree
pid:484
name:82a4d0467f93e3ddec3b51a66dbd55cfce3f6c5725d2759850fb4b3b37c28304
children:[]
See the usage for all options:
python vt.py -h
Enjoy it!
Hi. Extremely useful. Thanks a lot. I'm also looking to retrieve the first submission date. Are you planning to include it as well?
Thank you Alvaro, a great upgrade with a lot of features is coming soon.
You can get the first submission date with the private API only, using --report-all-info
For example:
vt -s --report-all-info 9fc5f95fb1e7fd4cc45fd6c04264abff
Scan Date : 2014-10-05 18:44:31
First Submission : 2014-09-24 04:01:53
Last Submission : 2014-09-24 04:01:53
Cheers
PS: If you have any suggestions, or anything else you think would be useful, tell me here or open a request on GitHub.
Ok cool. I've tried but I don't see this info. Probably my API key is a public one instead of a private/purchased one, right? I mean, is the script able to use private API features without any modification?
Thanks
By default all keys are public; if you want a private one, get in touch with VT for prices.
Yes, without any modification :)
In the new version the private API has a small improvement, but I will explain it when I make it public :)
Best regards
Hi, thanks for such a great tool. I need to download reports (in JSON or CSV format) for static and behavioral analysis of Android applications from VT using your tool. Can you please give me an example command through which I can perform the said task. I shall be thankful to you.
Hello @Ahmed, thanks for using it. If you have a private API key you can do it this way:
1) vt -rai android_app_hash --dump <- for static
2) vt -behaviour android_app_hash --dump <- for dynamic
If you only have a public key, then you can only get basic static information:
vt -fs --dump
--dump will save the data returned from VT to a JSON file
Is there a way to scan URLs and return the result by calling one of the functions from another Python script, or importing a function into another Python script? I've been trying to find a way to do so, but at 3000 lines of code I've been having a hard time figuring it out.
Hello, first of all check the wiki to see how to use it as a library if you want to use it from another script:
https://github.com/doomedraven/virustotalapi/wiki
and here you have the code which does what you want: https://github.com/doomedraven/VirusTotalApi/blob/master/vt/vt.py#L1662