Created
May 1, 2020 14:01
-
-
Save cocaman/d86313c603756dba8427f641eef0a178 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import requests | |
| import sys | |
| import argparse | |
| import pyzipper | |
| import io | |
| __author__ = "Corsin Camichel" | |
| __copyright__ = "Copyright 2020, Corsin Camichel" | |
| __license__ = "Creative Commons Attribution-ShareAlike 4.0 International License." | |
| __version__ = "1.0" | |
| __email__ = "cocaman@gmail.com" | |
| def check_sha256(s): | |
| if s == "": | |
| return | |
| if len(s) != 64: | |
| raise argparse.ArgumentTypeError("Please use sha256 value instead of '" + s + "'") | |
| return str(s) | |
| parser = argparse.ArgumentParser(description='Download a malware sample from Malware Bazaar by abuse.ch, store zip in memory and extract the file') | |
| parser.add_argument('-s', '--hash', help='File hash (sha256) to download', metavar="HASH", required=True, type=check_sha256) | |
| args = parser.parse_args() | |
| ZIP_PASSWORD = "infected".encode() | |
| headers = { 'API-KEY': 'YOURKEY' } | |
| data = { | |
| 'query': 'get_file', | |
| 'sha256_hash': args.hash, | |
| } | |
| response = requests.post('https://mb-api.abuse.ch/api/v1/', data=data, timeout=15, headers=headers, allow_redirects=True) | |
| zf = pyzipper.AESZipFile(io.BytesIO(response.content), "r") | |
| infolists = zf.infolist() | |
| for infolist in infolists: | |
| zf.extract(infolist.filename, pwd=ZIP_PASSWORD, path=".") | |
| print(f"extracted {infolist.filename}") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment