PowerShell script to query the abuse.ch MalwareBazaar API for a given hash or file (path).
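<#
.SYNOPSIS
    Query the abuse.ch MalwareBazaar API for a file hash, or for the SHA256 of a local file.

.DESCRIPTION
    Only a hash is ever sent to the API: a file given via -FilePath is hashed locally
    (SHA256) and its content is never uploaded. Note that the lookup itself still
    discloses the queried hash to a third party.

    Exactly one of -FileHash or -FilePath must be supplied.

.PARAMETER FileHash
    MD5 (32 hex), SHA1 (40 hex) or SHA256 (64 hex) hash to look up.

.PARAMETER FilePath
    Path of a local file; its SHA256 is computed and looked up.

.OUTPUTS
    A human-readable report written to the host (Write-Host); nothing is emitted on
    the pipeline. Exit code is 1 on usage, hashing or request errors.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory=$False)]
    [string]$FileHash,
    [Parameter(Mandatory=$False)]
    [String]$FilePath
)

# Prints a section banner: title line plus an underline of matching width.
function Write-Section([string]$Title) {
    $banner = "###############<<< $Title >>>###############"
    Write-Host $banner
    Write-Host ('#' * $banner.Length)
    Write-Host ''
}

# Prints "Label value"; arrays (tags, detections, ...) are joined onto one line
# instead of relying on PowerShell's default space-joined rendering.
function Write-Field([string]$Label, $Value) {
    Write-Host ('{0} {1}' -f $Label, (@($Value) -join ', '))
}

#Set up proxy auth
# The original WebClient object was never used by Invoke-RestMethod, so its proxy
# credentials had no effect. Setting them on the process-wide default proxy is what
# Invoke-RestMethod actually honours.
$defaultProxy = [System.Net.WebRequest]::DefaultWebProxy
if ($defaultProxy) {
    $defaultProxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
}

#Check for existence of HASH or PATH
if (-not ($FileHash -or $FilePath)) {
    Write-Host ""
    Write-Host -ForegroundColor Yellow 'Missing the HASH or the PATH, you must supply one.'
    Write-Host ""
    exit 1
}
#Check for existence of only one
if ($FileHash -and $FilePath) {
    Write-Host ""
    Write-Host -ForegroundColor Yellow 'You have both a HASH and PATH, you must supply only one.'
    Write-Host ""
    exit 1
}

# MalwareBazaar accepts MD5, SHA1 and SHA256; anything else is rejected locally so a
# malformed or unexpected value is never sent to the API.
$hashPattern = '^([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$'

#Check if Path then hash the file; SHA256 by default
if ($FilePath) {
    # -LiteralPath so paths containing wildcard characters ([, ], *) are not globbed.
    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        # Previously a missing file fell through and queried the API with an empty hash.
        Write-Host -ForegroundColor Yellow "File not found or not a regular file: $FilePath"
        exit 1
    }
    try {
        $fhash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256 -ErrorAction Stop).Hash
    } catch {
        Write-Host -ForegroundColor Red "Unable to hash ${FilePath}: $($_.Exception.Message)"
        exit 1
    }
}
#If Hash then make hash $fhash and pass
else {
    $fhash = $FileHash.Trim()
    if ($fhash -notmatch $hashPattern) {
        Write-Host -ForegroundColor Yellow 'The HASH must be an MD5, SHA1 or SHA256 hex digest.'
        exit 1
    }
}

#Set up the query
$body = @{'query'='get_info'; 'hash'=$fhash}
$uri = "https://mb-api.abuse.ch/api/v1/"

#Make the query
try {
    $response = Invoke-RestMethod -Uri $uri -Method POST -Body $body -UserAgent 'PowerShell Script' -ErrorAction Stop
} catch {
    # Network/proxy/TLS/HTTP failures all surface here instead of as an unhandled error.
    Write-Host -ForegroundColor Red "Query to $uri failed: $($_.Exception.Message)"
    exit 1
}

#Check if the query found the hash.
if ($response.query_status -eq 'hash_not_found') {
    Write-Host '>>>>>>>>>> The sample hash was not found on Malbazaar <<<<<<<<<<'
    exit 0
}
# Any other non-ok status (rejected hash, API error) is reported rather than being
# parsed as if it carried sample data.
if ($response.query_status -ne 'ok') {
    Write-Host -ForegroundColor Yellow "Malbazaar query did not succeed (query_status: $($response.query_status))"
    exit 1
}

#If the response was 200 (OK), continue with the data extraction
$data = $response.data
$vendor = $data.vendor_intel

Write-Section 'File Info'
Write-Field "Filename:" $data.file_name
Write-Host ''
Write-Field "MIME File Type:" $data.file_type_mime
Write-Field "     File Type:" $data.file_type
Write-Host ''
Write-Field "First Seen: " $data.first_seen
Write-Field " Last Seen: " $data.last_seen
Write-Host ''
Write-Field 'Signature: ' $data.signature
Write-Host ''
Write-Field "Tags:" $data.tags
Write-Host ''
Write-Host ''

#yararules
$yara_rules = $data.yara_rules
if ($yara_rules) {
    Write-Section 'YARA rule information'
    foreach ($yar in $yara_rules) {
        Write-Field "YARA Rule name:" $yar.rule_name
        Write-Field "YARA Rule desc:" $yar.description
        Write-Host ''
        Write-Host ''
    }
}

Write-Section 'File HASH information'
$sha256_hash = $data.sha256_hash
Write-Field "   MD5 hash: " $data.md5_hash
Write-Field "  SHA1 hash: " $data.sha1_hash
Write-Field "SHA256 hash: " $sha256_hash
Write-Host ''
Write-Field "    IMPHASH: " $data.imphash
Write-Host ''
Write-Field "     SSDEEP: " $data.ssdeep
Write-Host ''
Write-Host ''

Write-Section 'File Intelligence information'
Write-Field "Delivery method:" $data.delivery_method
Write-Host ''
Write-Field 'Intelligence: ClamAV' $data.intelligence.clamav
Write-Host ''
Write-Host ''

#ReversingLabs = $response.data.vendor_intel.ReversingLabs
$ReversingLabs = $vendor.ReversingLabs
Write-Section 'REVERSINGLABS info'
Write-Field 'ReversingLabs verdict:' $ReversingLabs.status
Write-Field 'ReversingLabs threatname:' $ReversingLabs.threat_name
Write-Field 'ReversingLabs firstseen:' $ReversingLabs.first_seen
Write-Host ''
Write-Host ''

#ANYRUN = $response.data.vendor_intel.ANY.RUN
# The vendor key contains a dot, so it must be quoted as a property name.
$anyrun = 'ANY.RUN'
$ANYRUN = $vendor.$anyrun
Write-Section 'ANY.RUN info'
Write-Field "$anyrun verdict:" $ANYRUN.verdict
Write-Field "$anyrun firstseen:" $ANYRUN.date
Write-Field "$anyrun Analysis URL:" $ANYRUN.analysis_url
Write-Host ''
Write-Host ''

#HatchingTriage = $response.data.vendor_intel.Triage
$Triage = $vendor.Triage
Write-Section 'HatchingTriage info'
Write-Field 'Hatching Triage verdict:' $Triage.score
Write-Field 'Hatching Triage Malware family:' $Triage.malware_family
Write-Field 'Hatching Triage tags:' $Triage.tags
Write-Field 'Hatching Triage Analysis URL:' $Triage.link
Write-Host ''
Write-Host ''

#UnpacME
$unpac_me = $vendor.UnpacMe
if ($unpac_me) {
    Write-Section 'Unpac Me info'
    foreach ($unp in $unpac_me) {
        Write-Field "   MD5 hash:" $unp.md5_hash
        Write-Field "SHA256 hash:" $unp.sha256_hash
        Write-Field "Link:" $unp.Link
        Write-Field "Detections:" $unp.detections
        Write-Host ''
    }
}

#Malware Bazaar Page info
$url = 'https://bazaar.abuse.ch/sample/'
Write-Section 'AbuseCH Malware Bazaar info'
Write-Host 'AbuseCH Malware Bazaar page:'
Write-Host "$url$sha256_hash"
Write-Host ''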