Scans a directory with a large collection of YARA rules and then performs a slower scan querying VirusTotal by MD5 hash. Requires a free VirusTotal API key for complete results. Supports automatic archive extraction.
radtonev/malware-detector

🛡️ Malware Detector

This Bash script automates the process of analyzing files for malware indicators by combining file extraction, YARA signature scanning, and MD5 hash lookup via the VirusTotal API.

✨ Features

  • Archive Handling: Automatically detects and extracts contents from common archive formats (.zip, .rar, .tar) into a dedicated folder.
  • Targeted Scanning: Compiles a list of all files (including extracted contents) for comprehensive analysis.
  • YARA Integration: Executes YARA rules against all collected files and generates a summary of rule hits.
  • VirusTotal Lookup: Calculates MD5 hashes and performs API lookups via the vt-cli tool, providing status and descriptive results for detected malware.
  • Rate Limiting: Includes a mandatory 15-second delay between VirusTotal hash checks to stay within the public API quota (4 lookups per minute, 500 per day), so a large file set takes proportionally long.

⚙️ Prerequisites

You must have the following tools installed and accessible in your system's PATH:

  1. YARA: The pattern matching Swiss knife for security researchers.
    • sudo apt update && sudo apt install yara
  2. unzip, unrar, tar: For archive extraction.
  3. vt-cli: The official VirusTotal Command Line Interface tool.
    • sudo snap install vt-cli
    • sudo snap alias vt-cli.vt vt
    • Tip: if you receive any warnings just execute the recommended commands
  4. Standard Linux Utilities: awk, sed, grep, find, md5sum, wc.

🚀 Getting Started

1. File Structure

Organize your files with the following directory structure:

```
put_files_here/   # ⬅️ Directory where you place files for scanning
yara_rules/       # ⬅️ Directory containing your YARA rules
```

2. Configuration

Open scan.sh and set the following variables in the --- Configuration --- section:

| Variable | Description |
|---|---|
| YARA_RULE | Path to your main YARA index file (e.g., ./yara_rules/index.yar). |
| SOURCE_DIR | Directory containing the files to scan (default: ./put_files_here). |
| VIRUSTOTAL_APIKEY | Crucial. Set your API key here. If left empty, the script skips the VirusTotal check and only the YARA results are produced. |

3. Execution

Ensure the script is executable and run it:

```
chmod +x scan.sh
./scan.sh
```

4. Examine

The script writes its results to the directory it is run from:

files.txt -> Intermediate list of all files (both original and extracted) that were processed for hashing and scanning.

hashes.txt -> Intermediate list of MD5 hashes and the corresponding file paths, used as input for the VirusTotal loop.

yara_detections.txt -> Final report of YARA rule hits: one line per file, with the number of matching rules followed by the file path.

yara_results.txt -> Raw, unmodified output from the yara scan.

virustotal_detections.txt -> Final summary of files identified as malicious by VirusTotal. Includes the file path, the number of malicious vendors (rank), and the MD5 hash.

virustotal/ -> Directory containing the full, raw VirusTotal report for every checked hash.
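The four stages described above (file listing, YARA summary, MD5 list, rate-limited VirusTotal loop), written out as an added example for this page. It is not the project's scan.sh. Assumptions: yara's default output is one "rule path" line per match, `vt` is the vt-cli alias with its `--apikey` flag, and `vt file <hash>` prints a `last_analysis_stats` block containing a `malicious:` count. The files and yara lines built in `demo` are constructed, not real malware.

```shell
#!/usr/bin/env bash
# Added example, not the project's scan.sh: a minimal form of the pipeline the README
# describes. Assumed: yara's default "<rule> <path>" output, the vt-cli `vt` alias and
# its --apikey flag, and a "last_analysis_stats:" block with "malicious: N" in vt reports.
set -eu

# Step 1: every regular file under SOURCE_DIR (extracted contents included), NUL-separated
# so paths containing spaces or newlines survive.
list_files() {
  find "$1" -type f -print0
}

# Step 2: raw yara output (yara_results.txt) -> "<hits> <path>" lines, most hits first.
# Only the first field is the rule name; the rest of the line is the path, spaces and all.
# Lines starting with 0x are string offsets printed by `yara -s` and are not files.
summarize_yara() {
  awk '/^0x/ { next }
       { p = $0; sub(/^[^ ]+ /, "", p); hits[p]++ }
       END { for (p in hits) printf "%d %s\n", hits[p], p }' "$1" | sort -rn
}

# Step 3: "<md5>  <path>" per file (hashes.txt). -exec ... + avoids a separate xargs step.
hash_files() {
  find "$1" -type f -exec md5sum {} +
}

# Step 4: one VirusTotal lookup per hash with the public-API pause; skipped without a key.
# Writes the raw report per hash into OUTDIR and a "<path> <malicious> <md5>" line into
# SUMMARY for every file at least one vendor flags.
vt_lookup() {
  local hashes="$1" outdir="$2" summary="$3" md5 path mal
  if [ -z "${VIRUSTOTAL_APIKEY:-}" ]; then
    echo "VIRUSTOTAL_APIKEY not set, skipping VirusTotal lookups" >&2
    return 0
  fi
  mkdir -p "$outdir"
  : > "$summary"
  while read -r md5 path; do
    vt file "$md5" --apikey "$VIRUSTOTAL_APIKEY" > "$outdir/$md5.txt" || true
    # malicious vendor count: first "malicious:" key inside the last_analysis_stats block
    mal=$(awk '/^ *last_analysis_stats:/ { inblk = 1; next }
               inblk && /^ *malicious:/ { print $2; exit }' "$outdir/$md5.txt")
    if [ -n "$mal" ] && [ "$mal" -gt 0 ]; then
      echo "$path $mal $md5" >> "$summary"
    fi
    sleep 15   # public VirusTotal API: 4 lookups per minute
  done < "$hashes"
}

# Constructed demo input: two harmless files and a fake yara result set. Prints the YARA
# summary and, on the last line, the scratch directory holding all output files.
demo() {
  local work
  work=$(mktemp -d)
  mkdir -p "$work/put_files_here/sub dir"
  printf 'hello\n' > "$work/put_files_here/a.bin"
  printf 'world\n' > "$work/put_files_here/sub dir/b.bin"
  list_files "$work/put_files_here" | tr '\0' '\n' > "$work/files.txt"
  hash_files "$work/put_files_here" > "$work/hashes.txt"
  printf '%s\n' "Rule_A $work/put_files_here/a.bin" \
                "Rule_B $work/put_files_here/a.bin" \
                "Rule_C $work/put_files_here/sub dir/b.bin" > "$work/yara_results.txt"
  summarize_yara "$work/yara_results.txt" > "$work/yara_detections.txt"
  vt_lookup "$work/hashes.txt" "$work/virustotal" "$work/virustotal_detections.txt"
  cat "$work/yara_detections.txt"
  echo "$work"
}
```

Run `demo` to see the summary built from the constructed input; with VIRUSTOTAL_APIKEY exported, `vt_lookup hashes.txt virustotal virustotal_detections.txt` performs the real lookups. Two caveats a practitioner will want: VirusTotal indexes files by MD5, SHA-1 and SHA-256 alike, and MD5 collisions are cheap to craft, so a hash-based verdict says nothing about a sample that was not already submitted; `sha256sum` is a drop-in replacement here. And the 15-second sleep runs after the last hash too, so budget time accordingly.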

✨ Credits

Yara rules collection: https://github.com/Yara-Rules/rules/tree/master#
