Custom script to upload malware sample(s) to a Viper instance through its web API (mostly useful for bulk uploads). If a sample is a PE file, it is tagged with its imphash, which makes it searchable.
import hashlib
import os
import re
import sys
from os import listdir
from os.path import isfile, join

import magic
import pefile
import requests
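# Viper API token. Read from the environment when set so the real token does
# not have to live in this file; the literal is the same placeholder as before
# and is used when the variable (name chosen by this script) is absent.
VIPER_AUTH_TOKEN = os.environ.get('VIPER_AUTH_TOKEN', 'Token PUTYOURTOKENHERE')
# Upload endpoint of the Viper web API; adjust this for wherever you need, local or other.
VIPER_UPLOAD_URL = "http://localhost:8080/api/v3/project/default/malware/upload/"
# Every upload request carries the token in its Authorization header.
req_header = {'Authorization': VIPER_AUTH_TOKEN}
# Directory whose regular files are uploaded; `path` is the name the loop below uses.
MALWARE_DIR = '/malstuff/upload/'
path = MALWARE_DIR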
def files(path):
    """Yield the names of the regular files directly inside *path*.

    Entries come back in ``listdir`` order; directories and any other
    non-file entries are skipped. Names are bare entry names, not full paths.
    """
    entries = listdir(path)
    yield from (name for name in entries if isfile(join(path, name)))
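def sha256hash(file):
    """Return the hex SHA-256 digest of the file at path *file*.

    The file is read in 64 KiB chunks so large samples are never loaded
    into memory at once. The handle is opened in a ``with`` block so it is
    closed on every exit path (the previous version never closed it).

    Raises:
        OSError: if the file cannot be opened or read.
    """
    BSIZE = 65536
    hash256 = hashlib.sha256()
    with open(file, 'rb') as hnd:
        # iter() with a sentinel stops at the first empty read (EOF).
        for chunk in iter(lambda: hnd.read(BSIZE), b''):
            hash256.update(chunk)
    return hash256.hexdigest()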
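# Upload every regular file found in `path`; PE samples are tagged with their imphash.
for each_file in files(path):
    file = os.path.join(path, each_file)
    magictype = magic.from_file(file)
    # Form fields sent with the upload. Reset for every file: previously this
    # was only assigned inside the PE branch, so a non-PE file either raised
    # NameError (if it came first) or was tagged with the previous PE's imphash.
    payload = {}
    # NOTE(review): the alternatives accept a parenthesised 3-uppercase-letter
    # subsystem (e.g. "(GUI)") or, for PE32+ only, a 6-lowercase-letter one; a
    # description such as "PE32 executable (console) ..." would fall through to
    # the else branch untagged -- confirm against the libmagic output you see.
    if re.match(r'^PE[0-9]{2}\s\S*\s\([A-Z]{3}\)|^PE[0-9]{2}\+\s\S*\s\([a-z]{6}\)|^PE[0-9]{2}\+\s\S*\s\([A-Z]{3}\)', magictype):
        p = pefile.PE(file)
        imphash = p.get_imphash()
        fhash = sha256hash(file)
        print(each_file, "-", fhash, imphash, magictype)
        payload = {"tag_list": imphash}
    else:
        print(each_file)
    # Open inside `with` so the handle is closed after the request. The dict is
    # named `upload_files` so it no longer rebinds the `files()` generator above.
    with open(file, 'rb') as fh:
        upload_files = {'file': (os.path.basename(each_file), fh)}
        # verify=False turns off TLS certificate checking; it has no effect on
        # the plain-http default URL and should be dropped if an https URL is used.
        response = requests.post(
            url=VIPER_UPLOAD_URL, headers=req_header, data=payload, files=upload_files, verify=False)
    try:
        body = response.json()
    except ValueError:
        # Non-JSON reply (e.g. an HTML error page): report status and raw text instead of crashing.
        body = f'HTTP {response.status_code}: {response.text}'
    print(f'Upload: {body!r}')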