ioccheck
A tool for simplifying the process of researching file hashes, IP addresses, and other indicators of compromise (IOCs).
Features
- Look up hashes across multiple threat intelligence services, from a single command or a few lines of Python.
- Currenty supports the following services:
- Planned support:
Quickstart
pip install ioccheckYou can also run the code directly
git clone https://github.com/ranguli/ioccheck && cd ioccheck
poetry installPopulate ~/.config/ioccheck/credentials with an entry for each service you have credentials for:
[virustotal]
api_key=YOUR_API_KEY_HERE
[malwarebazaar]
api_key=YOUR_API_KEY_HERE
[shodan]
api_key=YOUR_API_KEY_HERE
[twitter]
consumer_key=YOUR_API_KEY_HERE
consumer_secret=YOUR_API_KEY_HERE
access_token=YOUR_API_KEY_HERE
access_secret=YOUR_API_KEY_HEREUsage
➜ ioccheck 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
Checking hash 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f.
[*] Hashing algorithm:
SHA256
[*] VirusTotal URL:
https://virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/
[*] VirusTotal detections:
61 engines (81%) detected this file.
╒══════════════╤════════════╤═══════════════════════════════╕
│ Antivirus │ Detected │ Result │
╞══════════════╪════════════╪═══════════════════════════════╡
│ Malwarebytes │ No │ │
├──────────────┼────────────┼───────────────────────────────┤
│ Avast │ Yes │ EICAR Test-NOT virus!!! │
├──────────────┼────────────┼───────────────────────────────┤
│ ClamAV │ Yes │ Win.Test.EICAR_HDB-1 │
├──────────────┼────────────┼───────────────────────────────┤
│ Kaspersky │ Yes │ EICAR-Test-File │
├──────────────┼────────────┼───────────────────────────────┤
│ BitDefender │ Yes │ EICAR-Test-File (not a virus) │
├──────────────┼────────────┼───────────────────────────────┤
│ Paloalto │ No │ │
├──────────────┼────────────┼───────────────────────────────┤
│ TrendMicro │ Yes │ Eicar_test_file │
├──────────────┼────────────┼───────────────────────────────┤
│ FireEye │ Yes │ EICAR-Test-File (not a virus) │
├──────────────┼────────────┼───────────────────────────────┤
│ Sophos │ Yes │ EICAR-AV-Test │
├──────────────┼────────────┼───────────────────────────────┤
│ Microsoft │ Yes │ Virus:DOS/EICAR_Test_File │
├──────────────┼────────────┼───────────────────────────────┤
│ McAfee │ Yes │ EICAR test file │
├──────────────┼────────────┼───────────────────────────────┤
│ Fortinet │ Yes │ EICAR_TEST_FILE │
├──────────────┼────────────┼───────────────────────────────┤
│ AVG │ Yes │ EICAR Test-NOT virus!!! │
╘══════════════╧════════════╧═══════════════════════════════╛
[*] VirusTotal reputation:
3392Using the API
Creating a hash
>>> from ioccheck import Hash
>>> from ioccheck.services import VirusTotal
>>> eicar = Hash("275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f")
>>> # What kind of hash is this?
>>> print(eicar.hash_type)
SHA256Looking up a hash
>>> # With no arguments, check() tries all supported services. API keys grabbed from ~/.ioccheck by default.
>>> eicar.check()
>>> # Alternatively:
>>> eicar.check(services=VirusTotal, config_path=/foo/bar/.ioccheck)Researching a hash
>>> # Check the VirusTotal report to see if Sophos detects our hash
>>> eicar.reports.virustotal.get_detections(engines=["Sophos"])
{'Sophos': {'category': 'malicious', 'engine_name': 'Sophos', 'engine_version': '1.0.2.0', 'result': 'EICAR-AV-Test', 'method': 'blacklist', 'engine_update': '20210314'}}
>>> # What is this hash known as?
>>> print(eicar.reports.virustotal.name)
'eicar.com-2224'
>>> # How many AV engines are detecting this hash?
>>> eicar.reports.virustotal.detection_count
60>>> # Just show me the VirusTotal API response!
>>> eicar.reports.virustotal.api_response
<vt.object.Object file 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f>