Malwoverview – Malware Initial Triage Tool

Malwoverview is a first-response tool for performing a quick initial triage of a directory of malware samples, a single sample, or a suspect URL or domain. It can also download samples from, and submit samples to, the main online sandboxes.


This tool aims to:

  1. Identify similar executable samples (PE/PE+) by import-table hash (imphash) and group them by color (pay attention to the second column of the output). Thus, colors matter!
  2. Determine whether executable samples are packed, using the following rules:
     2a. Two or more sections with entropy > 7.0 or < 1.0 ==> packed.
     2b. Only one section with entropy > 7.0, or two sections with SizeOfRawData == 0 ==> likely packed.
     2c. No section with entropy > 7.0 and no section with SizeOfRawData == 0 ==> not packed.
  3. Determine whether the samples contain an overlay (data appended after the last section).
  4. Determine the entropy of the .text section. Malwoverview.py examines only PE/PE+ files and skips everything else.
  5. Check each sample against VirusTotal.

Important note: Malwoverview does NOT submit samples to VirusTotal or Hybrid Analysis by default. It submits only hashes, so Non-Disclosure Agreements (NDAs) are respected. However, if you use the “-V” (uppercase) or “-A” (uppercase) option, Malwoverview SUBMITS your malware sample to VirusTotal or Hybrid Analysis, respectively.

You can read more and download this tool over here: https://github.com/alexandreborges/malwoverview
