Munin is a online hash checker utility that retrieves valuable information from various online sourcesThe current version of Munin queries the following services:VirustotalMalshareHybridAnalysisNote: Munin is based on the script “VT-Checker", which has been maintained in the LOKI repository.Usageusage: munin.py [-h] [-f path] [-c cache-db] [-i ini-file] [-s sample-folder] [–comment] [-p vt-comment-prefix] [–download] [-d download_path] [–nocache] [–intense] [–retroverify] [-r num-results] [–nocsv] [–verifycert] [–sort] [–debug]Online Hash Checkeroptional arguments: -h, –help show this help message and exit -f path File to process (hash line by line OR csv with hash in each line – auto-detects position and comment) -c cache-db Name of the cache database file (default: vt-hash- db.pkl) -i ini-file Name of the ini file that holds the API keys -s sample-folder Folder with samples to process –comment Posts a comment for the analysed hash which contains the comment from the log line -p vt-comment-prefix Virustotal comment prefix –download Enables Sample Download from Hybrid Analysis. SHA256 of sample needed. -d download_path Output Path for Sample Download from Hybrid Analysis. Folder must exist –nocache Do not use cache database file –intense Do use PhantomJS to parse the permalink (used to extract user comments on samples) –retroverify Check only 40 entries with the same comment and therest at the end of the run (retrohunt verification) -r num-results Number of results to take as verification –nocsv Do not write a CSV with the results –verifycert Verify SSL/TLS certificates –sort Sort the input lines (useful for VT retrohunt results) –debug Debug outputFeaturesMODE A: Extracts hashes from any text file based on regular expressionsMODE B: Walks sample directory and checks hashes onlineRetrieves valuable information from Virustotal via API (JSON response) and other information via permalink (HTML parsing)Keeps a history (cache) to query the services only once for a hash that may appear multiple times in the text fileCached objects are stored in JSONCreates CSV file with the findings for easy post-processing and reportingAppends results to a previous CSV if availableDisplaysHash and comment (comment is the rest of the line of which the hash has been extracted)AV vendor matches based on a user defined listFilenames used in the wildPE information like the description, the original file name and the copyright statementSigner of a signed portable executableResult based on Virustotal ratioFirst and last submissionTags for certain indicators: Harmless, Signed, Expired, Revoked, MSSoftwareExtra ChecksQueries Malshare.com for sample uploadsQueries Hybrid-Analysis.com for present analysisImphash duplicates in current batch > allows you to spot overlaps in import table hashesGetting startedDownload / clone the repoInstall required packages: pip3 install -r requirements.txt (on macOS add –user)(optional: required for –intense mode) Download PhantomJS and place it in your $PATH, e.g. /usr/local/bin http://phantomjs.org/download.htmlSet the API key for the different services in the munin.ini fileUse the demo file for a first run: python munin.py -f munin-demo.txt –nocacheTypical Command LinesProcess a Virustotal Retrohunt result and sort the lines before checking so that matched signatures are checked in blockspython munin.py -f my.ini -f ~/Downloads/retro_huntProcess an IOC file and show who commented on these samples on Virustotal (uses PhantomJS, higher CPU usage)python munin.py -f my.ini -f ~/Downloads/misp-event-1234.csv –sort –intenseProcess a directory with samples and check their hashes onlinepython munin.py -f my.ini -s ~/malware/case34Get the API Keys used by MuninVirustotalCreate an account here https://www.virustotal.com/#/join-usCheck Profile > My API key for your public API keyMalshareRegister here https://malshare.com/register.phpHybrid AnalysisCreate an account here https://www.hybrid-analysis.com/signupAfter login, check Profile > API keyDownload Munin

Link: http://feedproxy.google.com/~r/PentestTools/~3/0Cc8y6zLvSQ/munin-online-hash-checker-for.html