Ioccheck - A Tool For Simplifying The Process Of Researching IOCs
A tool for simplifying the process of researching file hashes, IP addresses, and other indicators of compromise (IOCs).
Features
- Look up hashes across multiple threat intelligence services, from a single command or a few lines of Python.
- Currenty supports the following services:
- Planned support:
pip install ioccheckYou can also run the code directly
git clone https://github.com/ranguli/ioccheck && cd ioccheckpoetry installUsage
VirusTotal URL: https://virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/ [*] VirusTotal detections: 61 engines (81%) detected this file. ╒══════════════╤════════════╤═══════════════════════════════╕ │ Antivirus │ Detected │ Result │ ╞══════════════╪════════════╪═══════════════════════════════╡ │ Malwarebytes │ No │ │ ├──────────────┼────────────┼───────────────────────────────┤ │ Avast │ Yes │ EICAR Test-NOT virus!!! │ ├──────────────┼────────────┼───────────────────────────────┤ │ ClamAV │ Yes │ Win.Test.EICAR_HDB-1 │ ├──────────────┼────────────┼───────────────────────────────┤ │ Kaspersky │ Yes │ EICAR-Test-File │ ├──────────────┼────────────┼───────────────────────────────┤ │ BitDefender │ Yes │ EICAR-Test-File (not a virus) │ ├──────────────┼────────────┼───────────────────────────────┤ │ Paloalto │ No │ │ ├──────────────┼────────────┼───────────────────────────────┤ │ TrendMicro │ Yes │ Eicar_test_file │ ├──────────────┼────────────┼───────────────────────────────┤ │ FireEye │ Yes │ EICAR-Test-File (not a virus) │ ├──────────────┼────────────┼───────────────────────────────┤ │ Sophos │ Yes │ EICAR-AV-Test │ ├──────────────┼────────────┼───────────────────────────────┤ │ Microsoft │ Yes │ Virus:DOS/EICAR_Test_File │ ├──────────────┼────────────┼───────────────────────────────┤ │ McAfee │ Yes │ EICAR test file │ ├──────────────┼────────────┼───────────────────────────────┤ │ Fortinet │ Yes │ EICAR_TEST_FILE │ ├──────────────┼────────────┼───────────────────────────────┤ │ AVG │ Yes │ EICAR Test-NOT virus!!! │ ╘══════════════╧════════════╧═══════════════════════════════╛ [*] VirusTotal reputation: 3392 ">
➜ ioccheck 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0fChecking hash 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f.[*] Hashing algorithm:SHA256[*] VirusTotal URL:https://virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/[*] VirusTotal detections:61 engines (81%) detected this file.╒══════════════╤════════════╤═══════════════════════════════╕│ Antivirus │ Detected │ Result │╞══════════════╪════════════╪═══════════════════════════════╡│ Malwarebytes │ No │ │├──────────────┼────────────┼───────────────────────────────┤│ Avast │ Yes │ EICAR Test-NOT virus!!! │├──────────────┼────────────┼───────────────────────────────┤│ ClamAV │ Yes │ Win.Test.EICAR_HDB-1 │├──────────────┼────────────┼───────────────────────────────┤│ Kaspersky │ Yes │ EICAR-Test-File │├──────────────┼────────────┼───────────────────────────────┤│ BitDefender │ Yes │ EICAR-Test-File (not a virus) │├──────────────┼────────────┼────────────────────────────── ─┤│ Paloalto │ No │ │├──────────────┼────────────┼───────────────────────────────┤│ TrendMicro │ Yes │ Eicar_test_file │├──────────────┼────────────┼───────────────────────────────┤│ FireEye │ Yes │ EICAR-Test-File (not a virus) │├──────────────┼────────────┼───────────────────────────────┤│ Sophos │ Yes │ EICAR-AV-Test │├──────────────┼────────────┼───────────────────────────────┤│ Microsoft │ Yes │ Virus:DOS/EICAR_Test_File │├──────────────┼────────────┼───────────────────────────────┤│ McAfee │ Yes │ EICAR test file │├──────────────┼────────────┼───────────────────────────────┤│ Fortinet │ Yes │ EICAR_TEST_FILE │├──────────────┼────────────┼───────────────────────────────┤│ AVG │ Yes │ EICAR Test-NOT virus!!! │╘══════════════╧════════════╧═══════════════════════════════╛[*] VirusTotal reputation:3392Using the API
Creating a hash
>>> from ioccheck import Hash>>> from ioccheck.services import VirusTotal>>> eicar = Hash("275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f")>>> # What kind of hash is this?>>> print(eicar.hash_type)SHA256Looking up a hash
>>> # With no arguments, check() tries all supported services. API keys grabbed from ~/.ioccheck by default.>>> eicar.check()>>> # Alternatively:>>> eicar.check(services=VirusTotal, config_path=/foo/bar/.ioccheck)Researching a hash
>>> # Check the VirusTotal report to see if Sophos detects our hash>>> eicar.reports.virustotal.get_detections(engines=["Sophos"]){'Sophos': {'category': 'malicious', 'engine_name': 'Sophos', 'engine_version': '1.0.2.0', 'result': 'EICAR-AV-Test', 'method': 'blacklist', 'engine_update': '20210314'}}>>> # What is this hash known as?>>> print(eicar.reports.virustotal.name)'eicar.com-2224'>>> # How many AV engines are detecting this hash?>>> eicar.reports.virustotal.detection_count60>>> # Just show me the VirusTotal API response!>>> eicar.reports.virustotal.api_response<vt.object.Object file 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f>Source: feedproxy.google.com
Ioccheck - A Tool For Simplifying The Process Of Researching IOCs
Reviewed by Anonymous
on
5:36 AM
Rating:
Reviewed by Anonymous
on
5:36 AM
Rating:
