Skip to content

cristianzsh/amcache-evilhunter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
binaries
binaries
 
 
images
images
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
amcache-evilhunter.py
amcache-evilhunter.py
 
 
build.sh
build.sh
 
 
demo.mp4
demo.mp4
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

AmCache-EvilHunter

AmCache-EvilHunter is a command-line tool to parse and analyze Windows Amcache.hve registry hives, identify evidence of execution, suspicious executables, and integrate VirusTotal/OpenTIP lookups for enhanced threat intelligence.

demo.mp4

Features

  • Parse offline Amcache.hve registry hives.
  • Filter records by date range (--start, --end).
  • Search records using keywords (--search).
  • Identify known suspicious executables (--find-suspicious).
  • Identify executables without a publisher (--missing-publisher).
  • Kaspersky OpenTIP integration for hash lookups (--opentip, --only-detections).
  • VirusTotal integration for hash lookups (--vt, --only-detections).
  • Export results to JSON (--json) or CSV (--csv).

Requirements

Install dependencies via pip:

pip3 install -r requirements.txt

Installation

git clone https://github.com/cristianzsh/amcache-evilhunter.git
cd amcache-evilhunter
pip3 install -r requirements.txt

Usage

python3 amcache_evilhunter.py -i path/to/Amcache.hve [OPTIONS]

Options

Flag Description
-i, --input PATH Path to Amcache.hve (required)
--start YYYY-MM-DD Only include records on or after this date
--end YYYY-MM-DD Only include records on or before this date
--search TERMS Comma-separated, case-insensitive search terms
--find-suspicious Filter only records matching known suspicious patterns
--missing-publisher Filter only records with missing Publisher
--exclude-os Only include non-OS-component files
--opentip Enable Kaspersky OpenTIP lookups (requires OPENTIP_API_KEY env variable)
-v, --vt Enable VirusTotal lookups (requires VT_API_KEY env variable)
--only-detections Show/save only files with ≥1 VT detection
--json PATH Path to write full JSON output
--csv PATH Path to write full CSV output
-V, --version Show version information

Examples

  • Parse and display all records:

    python3 amcache_evilhunter.py -i Amcache.hve

  • Filter by date range and search for "notepad":

    python3 amcache_evilhunter.py -i Amcache.hve --start 2021-01-01 --end 2021-12-31 --search notepad

  • Identify suspicious executables and query VirusTotal:

    python3 amcache_evilhunter.py -i Amcache.hve --find-suspicious -v

  • Export VirusTotal detections to JSON:

    export VT_API_KEY=YOUR_API_KEY
python3 amcache_evilhunter.py -i Amcache.hve -v --only-detections --json detections.json

Environment variables

  • VT_API_KEY: Your VirusTotal API key used for file hash lookups.
  • OPENTIP_API_KEY: Your OpenTIP API key used for file hash lookups.

Building executables

A build.sh script is provided to generate standalone binaries for both Linux and Windows (via Wine).

chmod +x build.sh
./build.sh

License

This project is licensed under the MIT License. See LICENSE for details.

About

Parse and analyze a Windows Amcache.hve registry hive, VirusTotal integration.

Topics

automation incident-response malware forensics dfir malware-detection amcache

Resources

Readme

License

MIT license
Activity

Stars

100 stars

Watchers

0 watching

Forks

8 forks
Report repository

Releases 3

v0.0.3 Latest
Aug 3, 2025
+ 2 releases

Packages

No packages published

Languages