Malwoverview: A Comprehensive Tool for Malware Analysis and Threat Intelligence

Introduction

Malwoverview is a robust, rapid response tool designed for cybersecurity professionals and threat hunters. It provides a comprehensive solution for initial and quick triage of malware samples, URLs, IP addresses, domains, malware families, Indicators of Compromise (IOCs), and hashes. The tool acts as a client to numerous leading sandboxes and intelligence platforms, including VirusTotal, Hybrid Analysis, URLHaus, Polyswarm, Malshare, Alien Vault, Malpedia, Malware Bazaar, ThreatFox, Triage, and IPInfo. Beyond malware analysis, Malwoverview also offers capabilities to check for vulnerabilities in Android devices and retrieve vulnerability records directly from NIST, making it an indispensable asset for proactive security operations.

Installation

Malwoverview is a Python-based tool that has been tested across various operating systems, including REMnux, Ubuntu, Kali Linux, macOS, and Windows.

The recommended installation method is via pip:

# For Python 3.11 or later
pip3.11 install git+https://github.com/alexandreborges/malwoverview

Alternatively, you can use:

python -m pip install -U malwoverview

macOS Specific Installation Notes:

If you are installing Malwoverview on macOS, execute the following commands:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install libmagic
pip3 install urllib3==1.26.6
pip3 install -U malwoverview
# Add Python binary directory to the PATH variable (example)
export PATH=$PATH:/Users/alexandreborges/Library/Python/3.9/bin
. ./.bash_profile

Windows Specific Installation Notes:

For Windows installations, ensure that python-magic-bin is installed and python-magic is not installed after Malwoverview setup.

API Configuration:

To leverage the full capabilities of Malwoverview, you will need to configure API keys for the services you intend to use. Create a file named .malwapi.conf in your home directory (e.g., /home/[username] or /root on Linux, C:\Users\[username] on Windows). This file should contain your API keys in the following format:

[VIRUSTOTAL]
VTAPI = your_virustotal_api_key

[HYBRID-ANALYSIS]
HAAPI = your_hybrid_analysis_api_key

# ... and so on for other services like MALSHARE, POLYSWARM, ALIENVAULT, etc.

Refer to the official documentation for details on obtaining API keys for each service.

Examples

Malwoverview offers a wide array of options for both malware analysis and vulnerability research. Here are a few examples demonstrating its versatility:

Malware Analysis Examples:

• Scan a directory for malware samples:

  malwoverview -d /home/remnux/malware/windows_2/
  

• Get a VirusTotal report for a specific file:

  malwoverview -v 1 -V 95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e.exe
  

• Search URLHaus for malicious URLs by tag (e.g., Qakbot):

  malwoverview -j 4 -J Qakbot
  

• Retrieve combined IP address information from multiple intelligence services:

  malwoverview -ip 3 -IP 8.8.8.8
  

Vulnerability Research Examples (NIST CVE Database):

• Search for Windows vulnerabilities (CPE/Product Search):

  malwoverview --nist 1 --NIST "windows" --ncves 50
  

• Search for a specific CVE ID (e.g., Log4Shell):

  malwoverview --nist 2 --NIST "CVE-2021-44228"
  

• Search for Remote Code Execution (RCE) vulnerabilities by keyword:

  malwoverview --nist 4 --NIST "remote code execution" --ncves 50
  

Why Use Malwoverview?

Malwoverview stands out as a critical tool for any cybersecurity professional due to several key advantages:

• Centralized Intelligence: It aggregates data from a vast network of threat intelligence platforms, providing a single point of access for comprehensive insights.
• Rapid Triage: Designed for first response, it enables quick analysis of suspicious artifacts, significantly reducing incident response times.
• Versatile Capabilities: From static and dynamic malware analysis to URL and IP reputation checks, and even Android vulnerability assessments, Malwoverview covers a broad spectrum of threat hunting needs.
• Vulnerability Management: The integration with the NIST CVE database adds a powerful layer for identifying and researching software vulnerabilities.
• Privacy-Conscious: By default, Malwoverview does not submit samples to any endpoint, respecting potential Non-Disclosure Agreements (NDAs). Explicit options for submission are clearly documented.
• Active Development: The project benefits from continuous updates and community contributions, ensuring it remains relevant and effective against evolving threats.

Links

• GitHub Repository: https://github.com/alexandreborges/malwoverview
• PyPI Project: https://pypi.org/project/malwoverview/