
Featured

Hunting maliciousness

Often, during the installation phase of malware, and later when the next-stage malicious code is dropped or downloaded from the internet, the malicious code is placed in the Downloads folder or under users/<userid>/appdata/* and executed from there.

Let's say you get hold of the MD5s of all binaries located in these locations, or of those that have executed from them, using a tool like GRR, a live forensic collection tool, or your own custom script. You might want to perform some initial triage on these MD5s using VT scores and similar signals.

You can place these MD5 hashes in a text file and use the following Python script to iterate through them and check the VT score for each. The script uses the VT API 2.0 and requires you to sign up for a free public API key, which allows 4 queries per minute. That is why I am using time.sleep(15) to limit the queries to 4 a minute.

The response from VT is documented he…

Latest Posts

Hunting exfils

DDE Exploitation Detection

Locky or Trickbot - Campaign and Infrastructure Analysis