Malwoverview: First response tool for threat hunting
Malwoverview is an open-source threat hunting tool designed for the initial triage of malware samples, URLs, IP addresses, domains, malware families, IOCs, and hashes.
“Malwoverview is simple and direct, integrating multiple public sandboxes to retrieve and display only relevant information. It enables professionals to gather broad insights into a threat before analyzing it. The tool pulls data from sources like VirusTotal, Hybrid Analysis, Malshare, URLHaus, Polyswarm, AlienVault, Malpedia, Malware Bazaar, Triage, InQuest, and Virus Exchange. Additionally, its specialized IP summary feature has proven valuable in investigations,” Alexandre Borges, the creator of Malwoverview, told Help Net Security.
This tool aims to:
- Determine similar executable malware samples (PE/PE+) based on the import table (imphash) and group them by different colors.
- Show hash information on VirusTotal, Hybrid Analysis, Malshare, Polyswarm, URLHaus, AlienVault, Malpedia, and ThreatCrowd engines.
- Determine whether malware samples contain an overlay and, if needed, extract it.
- Check suspect files on VirusTotal, Hybrid Analysis, and Polyswarm.
- Check URLs on VirusTotal, Malshare, Polyswarm, URLHaus, and AlienVault.
- Download malware samples from Hybrid Analysis, Malshare, URLHaus, Polyswarm, and Malpedia.
- Submit malware samples to VirusTotal, Hybrid Analysis, and Polyswarm.
- List the latest suspicious URLs and payloads from URLHaus.
- Search for specific payloads on Malshare.
- Search for similar payloads (PE32/PE32+) on the Polyswarm engine.
- Classify all files in a directory by searching for information on VirusTotal and Hybrid Analysis.
- Generate reports on a suspicious domain using VirusTotal, Malpedia, and ThreatCrowd.
- Check APK packages directly from Android devices against Hybrid Analysis and VirusTotal.
- Submit APK packages directly from Android devices to Hybrid Analysis and VirusTotal.
- Show URLs related to a user-provided tag from URLHaus.
- Show payloads related to a tag (signature) from URLHaus.
- Retrieve information about an IP address from VirusTotal, AlienVault, Malpedia, and ThreatCrowd.
- Show IP address, domain, and URL information from Polyswarm.
- Perform meta-search on Polyswarm Network using various criteria: imphash, IPv4, domain, URL, and malware family.
- Gather threat-hunting information from AlienVault, Malpedia and Malware Bazaar using different criteria.
- Gather IOC information from ThreatFox using different criteria.
- Gather threat-hunting information from Triage using different criteria.
- Evaluate hashes from a given file against VirusTotal.
- Submit large files (≥ 32 MB) to VirusTotal.
- Retrieve various types of information from InQuest Labs and download samples.
- Retrieve and download malware samples from Virus Exchange (vxunderground).
- Retrieve information about a given IP address from the IPInfo or BGPView services.
- Retrieve combined information about a given IP address from multiple services.
- Provide an extra option to save any downloaded file to a central location.
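The first capability above, grouping PE samples by import hash (imphash), rests on a short algorithm: take the import table in order, lowercase the DLL and function names, strip the `.dll`/`.ocx`/`.sys` extension, join the entries as `dll.func` separated by commas and MD5 the result. The example below is added here for illustration and is not Malwoverview's own code. It assumes the import tables have already been extracted from the samples (with pefile or similar); the sample import lists are constructed, and the mapping of ordinal-only imports to names that real tools apply for a few DLLs is omitted.

```python
import hashlib
from collections import defaultdict

# Constructed sample import tables, in the order they appear in each file.
# a.exe and b.exe share the same imports (differing only in case), c.exe
# imports the same functions but in a different order.
SAMPLES = {
    "a.exe": [("KERNEL32.DLL", "CreateFileA"), ("KERNEL32.DLL", "WriteFile"),
              ("USER32.dll", "MessageBoxA")],
    "b.exe": [("kernel32.dll", "createfilea"), ("kernel32.dll", "writefile"),
              ("user32.dll", "messageboxa")],
    "c.exe": [("user32.dll", "MessageBoxA"), ("kernel32.dll", "CreateFileA"),
              ("kernel32.dll", "WriteFile")],
}


def import_string(imports):
    """Normalise an ordered list of (dll, function) pairs into the string that
    gets hashed: lowercase, extension stripped, 'dll.func' joined by commas.
    Ordinal-only imports (no name) are not handled here (assumption)."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import string, as a 32-character hex digest.
    Order matters: the same functions imported in a different order hash
    differently, which is why reordered builds land in separate groups."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


def group_by_imphash(samples):
    """Map imphash -> sorted list of sample names sharing that hash."""
    groups = defaultdict(list)
    for name, imports in samples.items():
        groups[imphash(imports)].append(name)
    return {h: sorted(names) for h, names in groups.items()}


def assign_colours(groups, palette=("red", "green", "yellow", "blue", "magenta", "cyan")):
    """Give each group a colour from a small palette (cycling when there are
    more groups than colours), returning sample name -> colour."""
    colours = {}
    for i, (_, names) in enumerate(sorted(groups.items())):
        for name in names:
            colours[name] = palette[i % len(palette)]
    return colours


if __name__ == "__main__":
    groups = group_by_imphash(SAMPLES)
    colours = assign_colours(groups)
    for h, names in groups.items():
        print(h, names, {n: colours[n] for n in names})
```

Two samples with the same imphash are likely to come from the same build environment or source tree; the hash is a triage hint, not a family identifier, since packers and stubs often produce identical import tables across unrelated malware.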
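The overlay check in the list above works from the PE section table: every section header records where its raw data starts and how long it is, so any bytes past the furthest section end are overlay (appended data that the loader never maps, commonly used to carry configuration or a second-stage payload). The following example, added here and not taken from Malwoverview, implements that check with a minimal header parser and no third-party dependency. The PE-shaped blob it parses is constructed for the demonstration and is not a runnable executable; the parser also ignores the Authenticode signature directory, which a full implementation would treat as part of the file rather than as overlay.

```python
import struct


def parse_sections(data: bytes):
    """Return [(name, PointerToRawData, SizeOfRawData), ...] from the PE
    section table. Raises ValueError on anything that is not MZ/PE."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                     # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + size_opt        # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = sec_table + i * 40            # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        sections.append((name, ptr_raw, size_raw))
    return sections


def find_overlay(data: bytes):
    """Return (overlay_offset, overlay_bytes); overlay_bytes is b'' when the
    file ends exactly where its last section's raw data ends."""
    end = 0
    for _, ptr_raw, size_raw in parse_sections(data):
        if size_raw:                        # skip sections with no raw data (e.g. .bss)
            end = max(end, ptr_raw + size_raw)
    if end == 0 or end >= len(data):        # truncated file or nothing appended
        return min(end, len(data)), b""
    return end, data[end:]


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed PE-shaped blob: MZ stub, PE signature, COFF header, a zeroed
    PE32 optional header and two sections whose raw data ends at 0x500."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    size_opt = 224                           # PE32 optional header size (contents zeroed)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x0102)

    def sec(name, vsize, vaddr, sraw, praw):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, sraw, praw,
                           0, 0, 0, 0, 0x60000020)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(size_opt)
               + sec(b".text", 0x200, 0x1000, 0x200, 0x200)
               + sec(b".data", 0x100, 0x2000, 0x100, 0x400))
    image = bytearray(0x500)                 # last section ends at 0x400 + 0x100
    image[:len(headers)] = headers
    return bytes(image) + overlay


if __name__ == "__main__":
    offset, blob = find_overlay(build_sample_pe(b"OVERLAY-DATA"))
    print(f"overlay at {offset:#x}: {blob!r}")
```

On a real sample the same `find_overlay` call is applied to the file contents, and a non-empty result is what would prompt extracting the appended bytes for separate hashing and inspection.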
Future plans and download
“Malwoverview is already a built-in tool in REMnux, and the plan is to expand its capabilities by adding new options and public services. Eventually, when time permits, we aim to integrate it into Linux distributions,” Borges explained.
Malwoverview is available for free on GitHub.