Didier Stevens

VirusTotal Tools

virustotal-search.py is a Python program to search VirusTotal for hashes.

virustotal-submit.py is a Python program to submit files to VirusTotal.

To get these tools to work, you need to get a VirusTotal API key and add it to these programs. You need a VirusTotal account to get your API key.

virustotal-search

Did you know that you can search VirusTotal? You don’t have to submit a file: you can search for the report of a file that has been submitted before. You use a cryptographic hash (MD5, SHA1, SHA256) to identify the file.

There are several tools to submit a batch of files to VirusTotal, but I didn’t find any that just searches VirusTotal for a list of search terms via VirusTotal’s API.

Thus I wrote my own Python program. It accepts a file with a list of hashes, and produces a CSV file with the result. Here is an example displayed with InteractiveSieve:

virustotal-search.py supports proxies (Python variables HTTP_PROXY and HTTPS_PROXY or environment variables http_proxy and https_proxy).

My program respects VirusTotal’s rate limit (4 requests per minute); I don’t want it to DoS VirusTotal.
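
The batch input and the 4 requests per minute limit described above, as an added example that is not code from virustotal-search.py: it validates a hash list (including one saved as UTF-16 "Unicode" text) and paces the lookups with a sliding-window limiter. The `lookup` callable, the `FakeClock` and the reduced CSV column set are assumptions made for this illustration; the real API request is left out so that the example runs offline.

```python
import collections
import csv
import hashlib
import io
import re
import time

HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}  # hex digest length -> type
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")

def parse_hash_list(raw):
    """Return (valid, rejected): valid holds de-duplicated (hash, type) pairs,
    rejected holds non-empty lines that are not MD5/SHA1/SHA256 hex digests."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")     # saved as "Unicode": UTF-16 with BOM
    else:
        text = raw.decode("utf-8-sig")  # ASCII or UTF-8, BOM optional
    valid, rejected, seen = [], [], set()
    for line in text.splitlines():
        term = line.strip()
        if not term:
            continue
        kind = HASH_TYPES.get(len(term))
        if kind is None or not HEX_ONLY.fullmatch(term):
            rejected.append(term)
        elif term.lower() not in seen:
            seen.add(term.lower())
            valid.append((term.lower(), kind))
    return valid, rejected

class RateLimiter:
    """Allow at most max_calls calls in any sliding window of period seconds."""
    def __init__(self, max_calls=4, period=60.0,
                 clock=time.monotonic, sleep=time.sleep):
        self.max_calls, self.period = max_calls, period
        self.clock, self.sleep = clock, sleep
        self.calls = collections.deque()  # timestamps of calls in the window

    def _expire(self, now):
        while self.calls and now - self.calls[0] >= self.period:
            self.calls.popleft()

    def wait(self):
        """Block until one more call fits in the window, then record it."""
        now = self.clock()
        self._expire(now)
        while len(self.calls) >= self.max_calls:
            self.sleep(max(self.period - (now - self.calls[0]), 0.01))
            now = self.clock()
            self._expire(now)
        self.calls.append(now)

def search(raw, lookup, limiter, out):
    """Write one CSV row per valid hash to out and return the rejected lines.
    lookup is a hypothetical stand-in for the API request: it takes a hash and
    returns a dict with the report, or None when there is no report."""
    valid, rejected = parse_hash_list(raw)
    writer = csv.writer(out, delimiter=";", lineterminator="\n")
    writer.writerow(["Search Term", "Type", "Found", "Detections", "Total"])
    for term, kind in valid:
        limiter.wait()
        report = lookup(term)
        if report is None:
            writer.writerow([term, kind, 0, "", ""])
        else:
            writer.writerow([term, kind, 1, report["detections"], report["total"]])
    return rejected

class FakeClock:
    """Clock whose sleep() only advances a counter, so the demo runs instantly."""
    def __init__(self):
        self.now = self.slept = 0.0
    def time(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds
        self.slept += seconds

def demo():
    # Constructed input: digests of made-up strings, one upper-case duplicate
    # and two junk lines, encoded as UTF-16 with a BOM.
    digests = [hashlib.md5(b"s0").hexdigest(), hashlib.sha1(b"s1").hexdigest()]
    digests += [hashlib.sha256(b"s%d" % i).hexdigest() for i in range(2, 6)]
    raw = "\r\n".join(digests + [digests[0].upper(), "not-a-hash", "z" * 32])
    known = {digests[0]: {"detections": 35, "total": 59}}  # constructed report
    clock, out = FakeClock(), io.StringIO()
    limiter = RateLimiter(clock=clock.time, sleep=clock.sleep)
    rejected = search(raw.encode("utf-16"), known.get, limiter, out)
    return out.getvalue(), rejected, clock.slept
```

With six valid hashes the fifth lookup has to wait for the window to clear, so the fake clock records exactly one 60-second pause.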

virustotal-search_V0_1_8.zip (http)
MD5: 69A4504E06E97585EDBA4BBD60EAC36C
SHA256: 16FA2F9748959A88BE38B4A2FF006FC658FB4FF8932F3EC2E2568F48EB9FAE85

virustotal-submit

I created this tool because I needed to submit a sample stored in a password-protected ZIP file (the sample, not the ZIP file itself), without extracting the sample to disk.

To submit a file to VirusTotal, you just run virustotal-submit.py sample.exe.

If you submit a ZIP file, virustotal-submit.py will extract the first file to memory and submit that to VirusTotal. The ZIP file can be password protected with password “infected”. To submit the ZIP file itself, use option -z.

To submit a batch of samples, create a text file with the names of the files to submit and use option -f.

virustotal-submit.py supports proxies (Python variables HTTP_PROXY and HTTPS_PROXY or environment variables http_proxy and https_proxy).

Python module poster is required for this tool.
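
The in-memory ZIP handling described above, as an added example that is not taken from virustotal-submit.py: it reads the first file of an archive into memory, passing the password only when the entry is flagged as encrypted, and hashes it so the sample can be searched for before it is submitted. The size cap and the function names are assumptions; the constructed demo archive is unencrypted because Python's zipfile module cannot write encrypted archives.

```python
import hashlib
import io
import zipfile

MAX_SAMPLE_SIZE = 32 * 1024 * 1024  # assumed cap on the uncompressed sample


def first_file_in_memory(source, password=b"infected", max_size=MAX_SAMPLE_SIZE):
    """Return (name, data, encrypted) for the first regular file in a ZIP.

    source is a path or a binary file object; nothing is written to disk.
    zipfile decrypts only traditional ZIP encryption, and a wrong password
    raises RuntimeError.
    """
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue  # directory entries carry no sample
            # Check the declared uncompressed size before decompressing
            # the entry into memory.
            if info.file_size > max_size:
                raise ValueError("%s: declared size %d exceeds the limit"
                                 % (info.filename, info.file_size))
            encrypted = bool(info.flag_bits & 0x1)  # bit 0: entry is encrypted
            data = archive.read(info, pwd=password if encrypted else None)
            return info.filename, data, encrypted
    raise ValueError("archive contains no files")


def sample_hashes(data):
    """Hashes that identify the sample, usable as search terms."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def demo():
    # Constructed archive: a directory entry followed by one harmless file.
    content = b"constructed sample content\n" * 4
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("samples/", b"")
        archive.writestr("samples/sample.bin", content)
    buffer.seek(0)
    name, data, encrypted = first_file_in_memory(buffer)
    return name, data, encrypted, sample_hashes(data)


if __name__ == "__main__":
    print(demo())
```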

virustotal-submit_V0_0_3.zip (https)
MD5: 3F9F5421F711E2930AB6F80D87DF9E2B
SHA256: 37CCE3E8469DE097912CB23BAC6B909C9C7F5A5CEE09C9279D32BDB9D6E23BCC

91 Comments »

  1. […] virustotal-search and virustotal-submit have their own page now: VirusTotal Tools. […]

    Pingback by Update: virustotal-submit.py V0.0.3 | Didier Stevens — Saturday 14 December 2013 @ 22:22

  2. Great tool !

    Just encountered a python exception when searching for hash ‘0164dc11b05124166f83da841b2cefbf91a8a1ee105820b416d9493263ebd222’ : one AV result has a ‘None’ version…

    Comment by Thierry — Monday 13 January 2014 @ 11:12

  3. @Thierry What version of the virustotal-search did you use?

    Comment by Didier Stevens — Tuesday 14 January 2014 @ 1:53

  4. I am having an issue with the v3 of the virus search – I am getting the error “;Error jsonalias.loads;No JSON object could be decoded;’Traceback (most recent call last):\n File “virustotal-search.py”, line 200, in GetReports\n oResults = jsonalias.loads(jsonResponse)\n File “/usr/lib64/python2.7/json/__init__.py”, line 338, in loads\n return _default_decoder.decode(s)\n File “/usr/lib64/python2.7/json/decoder.py”, line 365, in decode\n obj, end = self.raw_decode(s, idx=_w(s, 0).end())\n File “/usr/lib64/python2.7/json/decoder.py”, line 383, in raw_decode\n raise ValueError(“No JSON object could be decoded”)\nValueError: No JSON object could be decoded\n'” Any ideas?

    Comment by Anonymous — Tuesday 28 January 2014 @ 13:19

  5. Version 0.0.3 is an old version, use the last version: 0.1.0.

    Comment by Didier Stevens — Wednesday 29 January 2014 @ 7:36

  6. Running version 0.1.0 – It runs fine for a few hours (at default rate), and then I get an “Error jsonalias.loads;No JSON object could be decoded;’Traceback (most recent call last):\n File “virustotal-search.py”, line 200, in GetReports…” error. It appears to be the same error as ‘Anonymous’ posted. The script won’t run again until I reboot my workstation (Windows 7).

    Comment by Jon — Tuesday 14 April 2015 @ 19:32

  7. @Jon Look in file virustotal-search-*.csv for the last successful request. Then search in your file for that searchterm. What is the next searchterm?

    Comment by Didier Stevens — Tuesday 14 April 2015 @ 19:45

  8. It looks like I somehow hit my API limit. I thought I was running this script at home under a different API key, but I think I was running them both under the same API key. I think the fix on reboot was just by chance, since I didn’t reboot until the next day.

    Comment by Jon — Wednesday 15 April 2015 @ 13:35

  9. @jon I have a new version that I’ll release soon. When you hit your daily quota, you can instruct this new version to wait and resume when your daily quota is reset.

    Comment by Didier Stevens — Wednesday 15 April 2015 @ 19:02

  10. […] new version of virustotal-search adds a bunch of options to manage the local database, and 2 features I want to highlight […]

    Pingback by Update: virustotal-search Version 0.1.2 Daily Quota Handling and CVEs | Didier Stevens — Monday 27 April 2015 @ 0:01

  11. Didier – great tool! Ran it once and perfect results. When I ran it the second time, and all subsequent times, I’m getting this: “Traceback (most recent call last):
    File “virustotal-search.py”, line 510, in <module>
    Main()
    File “virustotal-search.py”, line 507, in Main
    VirusTotalSearch(args[0], options)
    File “virustotal-search.py”, line 454, in VirusTotalSearch
    statuscode = GetReports(searchTermsToRequest[0:4], reports, options.comment, dNotFound)
    File “virustotal-search.py”, line 280, in GetReports
    LogResult(searchTermComments[iIter][0], searchTermComments[iIter][1], oResults[iIter], True, withComment)
    File “virustotal-search.py”, line 241, in LogResult
    oLogger.PrintAndLog(formats, parameters)
    File “virustotal-search.py”, line 171, in PrintAndLog
    line = self.separator.join(formats) % parameters
    UnicodeDecodeError: ‘ascii’ codec can’t decode byte 0xff in position 0: ordinal not in range(128)”

    Running version: 0.1.2

    Any suggestions?

    Thanks!

    Steve Bunting

    Comment by Steve Bunting — Friday 5 June 2015 @ 17:25

  12. Didier – forget above post! 2nd run hash list was using Unicode and not ASCII. My bad… thanks anyway! – Steve

    Comment by Steve Bunting — Friday 5 June 2015 @ 17:37

  13. Above text shows:
    virustotal-search_V0_1_2.zip (https)
    MD5: 62C8031738E6E20FEC38337010496DF6
    SHA256: 317AF862A62CF78FC58604EDB77AA3C00EC1543D2337EC634749C25CC5E4908C

    Downloaded file shows:
    md5sum *
    2e7dbaeb1a2d6054ae9db9a323bbf4ea virustotal-search.py
    62c8031738e6e20fec38337010496df6 virustotal-search_V0_1_2.zip

    sha256sum *
    d4a3069929fe84beb9189e0488117c8707a9805e56d4a34fd7c0f23a8c7a8291 virustotal-search.py
    317af862a62cf78fc58604edb77aa3c00ec1543d2337ec634749c25cc5e4908c virustotal-search_V0_1_2.zip

    Could you confirm if the file above is valid? Thanks!!

    Comment by Anonymous — Tuesday 11 August 2015 @ 17:58

  14. I don’t see the problem, can you give more info? I see that the hashes you calculated are the same as the ones I posted.

    Comment by Didier Stevens — Tuesday 11 August 2015 @ 19:29

  15. […] virustotal-tools: Interact with the VirusTotal database from the command-line […]

    Pingback by REMnux: Distribución de Linux especializada en en el análisis de malware | Skydeep — Thursday 20 August 2015 @ 1:49

  16. How do we create a list of hashes to scan?

    Comment by Anonymous — Wednesday 26 August 2015 @ 14:29

  17. Never mind. Figured out you just needed to use a simple text file. This works great! Thanks so much for making it!

    Comment by Anonymous — Wednesday 26 August 2015 @ 15:50

  18. VirusTotal Public API supports a “shared” public key in the form of a tuple (key, IP), so you probably don’t need each user to create an account. On their FAQ:
    ==================
    I integrated the public API in free software, the default request rate is too low to attend all my users

    The public API request can be fixed by the tuple (api key, IP address). Whenever this is done it is this tuple the one having the 4 requests/minute limitation and not the key on its own. This means that you can include a unique key in the software you have developed and each one of your users (provided they are not sharing their IP address) will experience a different 4 requests/minute limitation. Contact us in order to make your key a shared key, this is a free setting.
    ==================

    Comment by Tyler — Wednesday 17 February 2016 @ 0:41

  19. This tool is great! Keep up the great work.

    Have you considered adding a progress bar, using something like tqdm? Here’s a link for reference: https://pypi.python.org/pypi/tqdm

    Comment by Brian — Wednesday 16 March 2016 @ 17:26

  20. No, I try to develop Python tools with as little external modules as possible.

    Comment by Didier Stevens — Wednesday 23 March 2016 @ 19:55

  21. I need a tool which can read API sequences from a csv file (second column) and download json, executable file, pcap file, etc. from virustotal

    Comment by botmaster — Sunday 29 May 2016 @ 11:19

  22. Can you use this tool in its current format to scan a list of IP addresses using VT? Or can I make a feature request to have a cmdline argument that says the contents of the text file is IP addresses to scan through?

    Comment by randomaccess — Monday 13 June 2016 @ 23:31

  23. I’ll put it on my todo list.

    Comment by Didier Stevens — Wednesday 15 June 2016 @ 8:25

  24. Any way the output can include the other hashes? I.e. I feed the script a list with sha-1 and the script pulls sha256 and md5 along with the other information

    Comment by Anonymous — Wednesday 15 June 2016 @ 18:37

  25. Hello guys, I have put together a tool called AFOT, which combines some of the scripts on this blog and automate them to make your life a lot easier. Thank you for all the knowledge you provide to us! You can find the github project here: https://github.com/harris21/afot . Please let me know what you think about it. Cheers!

    Comment by harris3103 — Thursday 21 July 2016 @ 13:42

  26. […] the dumped processes against Virus Total to see if there are any hits. Didier Stevens has a great set of scripts to do this, so mad props to him! You can get a lot of false positives doing this, but it can also […]

    Pingback by Fun stuff with Volatility | 31ric — Wednesday 27 July 2016 @ 18:51

  27. Hi, the interactivesieve doesn’t load it properly… are you sure it’s working alright now?

    Comment by Anonymous — Thursday 15 September 2016 @ 19:37

  28. What’s the problem?

    Comment by Didier Stevens — Thursday 15 September 2016 @ 20:57

  29. I am seeing the error below. Any ideas how I can fix that please?

    3F9F5421F711E2930AB6F80D87DF9E2B,287defe5e9612af4e001a872c27f28c7;Error VTHTTPReportRequest;0

    Comment by David — Wednesday 21 September 2016 @ 19:22

  30. No, I can not reproduce your error:

    C:\Test>virustotal-search.py test.txt
    3F9F5421F711E2930AB6F80D87DF9E2B;1;1;2016-02-15 05:38:55;0;54;https://www.virustotal.com/file/37cce3e8469de097912cb23bac6b909c9c7f5a5cee09c9279d32bdb9d6e23bcc/analysis/1455514735/;;
    287defe5e9612af4e001a872c27f28c7;1;1;2016-09-16 16:41:10;0;54;https://www.virustotal.com/file/1a03b0d1384e8b1903613616f841aa05abc162014bb53adb3b65c3bb701fbfd1/analysis/1474044070/;;

    Comment by Didier Stevens — Wednesday 21 September 2016 @ 19:41

  31. I’ll give it a try on another machine. Thanks for getting back to me

    Comment by David — Wednesday 21 September 2016 @ 21:14

  32. […] new version of virustotal-search.py accepts input from […]

    Pingback by Update: virustotal-search.py Version 0.1.4 | Didier Stevens — Sunday 23 October 2016 @ 0:02

  33. Hi,

    I created a file with full paths to files which I want to upload.
    When I try to run virustotal-submit.py I am getting an error:

    $ python virustotal-submit.py --file=filename-vt
    Traceback (most recent call last):
    File “virustotal-submit.py”, line 209, in <module>
    Main()
    File “virustotal-submit.py”, line 204, in Main
    VirusTotalSubmit(File2Strings(options.file), options)
    File “virustotal-submit.py”, line 161, in VirusTotalSubmit
    filename = filenames[0]
    TypeError: ‘NoneType’ object has no attribute ‘__getitem__’

    APIKEY has been added to both your programs.
    Could you please check this and write how to fix it?

    Thank you in advance
    Jakub

    Comment by Jakub — Monday 28 November 2016 @ 13:24

  34. You get this error because the file can not be read. Maybe you gave the wrong filename, or the file is not in the current directory, …

    Comment by Didier Stevens — Monday 28 November 2016 @ 13:30

  35. Thank you very much for this useful script! I would however like to mention that the option --md5 should be deprecated and instead replaced by --sha256. Even better, just rename it to --hash and use sha256 as the hash function…

    Comment by Jan — Friday 10 February 2017 @ 13:24

  36. You forgot to explain why you think this option needs to be deprecated.

    Comment by Didier Stevens — Friday 10 February 2017 @ 13:31

  37. Hi, first of all I am so happy to find your blog. I am naive to the Python language, and I need to generate a report from VirusTotal for my research. My dataset includes more than 10000 hashes. Could you please share with me which steps I should take in order to be able to use the script you wrote? Thanks! Alsa

    Comment by Alsa — Tuesday 28 February 2017 @ 12:56

  38. Are you familiar with the command line?

    Comment by Didier Stevens — Saturday 4 March 2017 @ 9:36

  39. I have tried to run it in Linux (python virustotal-search.py test). Actually it generated the report, but I guess I should use other comment in way to generate the report correctly. I need all the features of VirusTotal Intelligence. I am stuck and I can’t carry on my research because I can’t have my dataset

    Comment by Anonymous — Saturday 4 March 2017 @ 10:52

  40. So the report was generated correctly. But you miss the info from VTI? That’s normal, this tool is not for VTI.

    Comment by Didier Stevens — Saturday 4 March 2017 @ 10:57

  41. No, the report didn’t generate properly.

    Search Term;Requested;Response;Scan Date;Detections;Total;Permalink;AVs;CVEs
    8b4a209a6201d73b1c8a911d9a53b1f4;1;1;2017-02-24 00:35:18;35;59;https://www.virustotal.com/file/3514426249a681892efc46c3112f1c90d9ccb52bdebaf10538a8f8ba1099bfb0/analysis/1487896518/;ALYac#Gen:Variant.Kazy.309034#20170223#1.0.1.9 AVG#Generic34.CMLH#20170223#16.0.0.4756 AVware#Trojan.Win32.Generic!BT#20170223#1.5.0.42 Ad-Aware#Gen:Variant.Kazy.309034#20170223#3.0.3.794 AegisLab#Troj.Ransom.W32.Blocker.arle!c#20170223#4.2 Arcabit#Trojan.Kazy.D4B72A#20170223#1.0.0.795 Avast#MSIL:GenMalicious-JR [Trj]#20170223#8.0.1489.320 Avira#TR/Dropper.MSIL.Gen#20170223#8.3.3.4 Baidu#Win32.Trojan.WisdomEyes.16070401.9500.9998#20170223#1.0.0.2 BitDefender#Gen:Variant.Kazy.309034#20170223#7.2 CMC#Trojan-Ransom.Win32.Blocker!O#20170223#1.1.0.977
    3fed6dc3c8c4121a53abf0e67d04ddb1;1;1;2016-02-06 00:34:51;42;54;https://www.virustotal.com/file/531b86f8f5d9f75cd44e147479013b0434d8bfc7cd15ccab49676c7cccbb23e7/analysis/1454718891/; …….

    Comment by Anonymous — Saturday 4 March 2017 @ 11:07

  42. Yes, the report generated properly. This is the type of report that virustotal-search.py produces.
    It does work correctly.

    Comment by Didier Stevens — Saturday 4 March 2017 @ 11:20

  43. OK, thank you for your reply. Is there any way to work on this script in a way to generate a report from VTI? If that is the case, any recommendation?

    Comment by Anonymous — Saturday 4 March 2017 @ 15:36

  44. That is explained here: https://www.virustotal.com/intelligence/help/automation/

    Comment by Didier Stevens — Saturday 4 March 2017 @ 19:51

  45. thank you so much!

    Comment by Anonymous — Sunday 5 March 2017 @ 0:07

  46. […] Look up a suspicious file hash in the virustotal.com database remnux-didier (APT) https://blog.didierstevens.com/programs/virustotal-tools/ Examine File Properties and Contents: Scan ClamAV clamscan Clam antivirus engine clamav-daemon […]

    Pingback by Remnux-A tool for reverse engineering Malware – Infohub — Saturday 8 April 2017 @ 22:40

  47. Hey! I’m trying to use it but I got an error:
    Module poster missing: https://pypi.python.org/pypi/poster

    please, could you help me with this?

    Thank you in advance!

    Comment by ratapelua — Tuesday 11 April 2017 @ 14:23

  48. It means that the poster module is not installed on your machine, and that you need to install it.

    Comment by Didier Stevens — Tuesday 11 April 2017 @ 14:28

  49. is there a way to submit URLs, multipleurls.txt?

    Comment by chase — Tuesday 25 April 2017 @ 2:51

  50. No

    Comment by Didier Stevens — Thursday 4 May 2017 @ 7:12

  51. Hi, using 1.4 and trying to understand a bit more about some of the database/pkl options. I read the help but didn’t find anything else. Hope I didn’t miss it if it is out there. So the following options:

    -g, --globaldb use global database (pkl file) in same directory as program
    -r, --refresh refresh the database sequentially
    -R, --refreshrandom refresh the database randomly
    -a AFTER, --after=AFTER

    my comments

    -g: It seems like the program is using the .pkl file whether I add the -g option or not. When I begin a query, it quickly skips anything in the .pkl file whether or not I use this option.
    -r, -R, -a: Can a refresh be done while parsing new hashes or is it something to run against the database outside of normal queries?
    What is the refresh based on? The date of lookup stored in the pkl file or the date virustotal originally saw the file?
    When I refresh the database sequentially, what exactly is happening?

    Awesome program. I took a look at the python, but wasn’t able to answer my own questions, lol. Thanks!

    Comment by Matt — Sunday 4 June 2017 @ 22:11

  52. […] works, but doesn’t scale well. Fortunately, Didier Stevens has a Python tool to help us out with this very problem. We can provide the script with a list of all of the files […]

    Pingback by Incident Investigation: It’s All About Context – Guru Meditation — Monday 21 August 2017 @ 21:22

  53. C:>python virustotal-search.py test.txt
    File “virustotal-search.py”, line 91
    print sys.exc_info()
    ^
    SyntaxError: invalid syntax

    I’m getting the above error while executing the file

    Comment by Anonymous — Wednesday 30 August 2017 @ 5:09

  54. virustotal-search.py will create/use virustotal-search.pkl in the current directory, unless you use option -g, then it uses the .pkl file in the folder where virustotal-search.py is located.
    I assume you used virustotal-search.py in the same directory where it was located, and that is why you don’t see a difference whether you use -g or not.

    Comment by Didier Stevens — Sunday 29 October 2017 @ 13:21

  55. Regarding the -n NOTFOUND (--notfound=NOTFOUND) option. What about adding this to the database (pkl file)? For example, the data row could still contain the hash of the file but the virustotal link would contain NF or something similar. The -r (refresh) option could still be used to update these fields as needed. There may be a benefit to having all the information in a single output file. I have seen cases where a malware variant is unrecognized by VirusTotal when I first encounter it, but several days later it has been identified so updating entries that are “not found” can be useful. I’m not implying the current implementation is bad or broken, though. Just something I was thinking about.

    Regarding the -r (--refresh) option. What are the criteria for refresh? Is it the date the query was made from your script or the date the binary was last seen by VirusTotal? If I have 100,000 entries in my pkl file and I perform a refresh, will that be 100,000 queries against my API key?

    Thanks!

    Comment by Matt — Friday 23 February 2018 @ 18:02

  56. I am getting the following error…

    C:\>Python27\python.exe C:\Python27\Scripts\virustotal-search.py C:\Users\user\Desktop\vt.txt
    Traceback (most recent call last):
    File “C:\Python27\Scripts\virustotal-search.py”, line 526, in <module>
    Main()
    File “C:\Python27\Scripts\virustotal-search.py”, line 523, in Main
    VirusTotalSearch(args[0], options)
    File “C:\Python27\Scripts\virustotal-search.py”, line 432, in VirusTotalSearch
    oLogger = CSVLogger(‘virustotal-search’, headers, separator=options.separator)
    File “C:\Python27\Scripts\virustotal-search.py”, line 168, in __init__
    self.f = open(self.filename, ‘w’)
    IOError: [Errno 13] Permission denied: ‘virustotal-search-20181215-132800.csv’

    Comment by Anonymous — Saturday 15 December 2018 @ 18:45

  57. This is your error: IOError: [Errno 13] Permission denied: ‘virustotal-search-20181215-132800.csv’
    You have to allow the Python script to write files.

    Comment by Didier Stevens — Sunday 16 December 2018 @ 10:39

  58. Thank you!

    Comment by Anonymous — Tuesday 18 December 2018 @ 21:57

  59. If anyone runs into the same issue as question 58… running as admin helped.

    Comment by Anonymous — Tuesday 18 December 2018 @ 21:58

  60. If you just make sure your current directory is writable, it works without having to be an admin.

    Comment by Didier Stevens — Sunday 23 December 2018 @ 8:15

  61. Any way to get the associated hashes back as well? (ie: If you search for the SHA256, you get back the MD5 and SHA1 hashes as well, like is shown in the details field?)

    Comment by Adam Bailey — Thursday 3 January 2019 @ 1:32

  62. Not with the tool like it is. I’ll check if it’s possible.

    Comment by Didier Stevens — Friday 4 January 2019 @ 6:48

  63. Hi is there a way to pull the PE Compile times with this type of tool?

    Comment by EG Thek — Thursday 28 February 2019 @ 13:08

  64. No, that information is not provided via the public API.

    Comment by Didier Stevens — Friday 1 March 2019 @ 12:02

  65. I have the sample File names Test VT.txt, both the .py file and sample in same directory (VT). I’m executing from the same directory
    If I run this command:
    C:\VT>virustotal-search.py Test VT.txt
    I’m getting an error:
    File “C:\VT>virustotal-search.py”, line 91
    print sys.exc_info()
    ^
    SyntaxError: invalid syntax

    How to proceed this? Please help….

    Comment by Never Mind Help me Please. — Monday 4 March 2019 @ 15:02

  66. Please tell me the solution for this
    Traceback (most recent call last):
    File “C:\Users\Administrator\Downloads\virustotal-search_V0_1_4\virustotal-search.py”, line 526, in <module>
    Main()
    File “C:\Users\Administrator\Downloads\virustotal-search_V0_1_4\virustotal-search.py”, line 523, in Main
    VirusTotalSearch(args[0], options)
    File “C:\Users\Administrator\Downloads\virustotal-search_V0_1_4\virustotal-search.py”, line 467, in VirusTotalSearch
    statuscode = GetReports(searchTermsToRequest[0:4], reports, options.comment, dNotFound)
    File “C:\Users\Administrator\Downloads\virustotal-search_V0_1_4\virustotal-search.py”, line 278, in GetReports
    if oResults[iIter][‘response_code’] == 1:
    IndexError: list index out of range

    Comment by Harsha Dudeja — Thursday 7 November 2019 @ 11:06

  67. What did you do?

    Comment by Didier Stevens — Friday 8 November 2019 @ 0:14

  68. virustotal-search.py 1.txt -k where the text file has around 25 hashes

    Comment by Hopes and Giggles! — Friday 8 November 2019 @ 3:08

  69. I can’t reproduce your problem. You’ll have to provide more details (Python version, OS, …).
    Can you share the content of your hash file?
    If not, then try with another hash file: create a text file containing hash d41d8cd98f00b204e9800998ecf8427e and test again.

    Comment by Didier Stevens — Friday 8 November 2019 @ 16:14

  70. Hi there,

    I am facing the same issue as comment no. 29, I ran the below on ubuntu 16.04 with python version 2.7:
    python2.7 virustotal-search.py -k test.txt

    and I get the below error:
    3F9F5421F711E2930AB6F80D87DF9E2B,287defe5e9612af4e001a872c27f28c7;Error VTHTTPReportRequest;0

    The csv file does get generated but only the above error entry is shown in a single line.

    Comment by Anonymous — Wednesday 13 November 2019 @ 12:12

  71. The Comment field where it shows the file name seems to be missing from my outputted csv file. How do I enable it?

    Comment by frank trezza — Tuesday 19 November 2019 @ 17:11

  72. What is the exact command you used?

    Comment by Didier Stevens — Tuesday 19 November 2019 @ 19:22

  73. c:\Python27\python.exe virustotal-search.py -k APIKEYGOESHERE hashes.txt

    Comment by Anonymous — Tuesday 19 November 2019 @ 19:30

  74. If you want to include comments, you need to use option -c.

    Comment by Didier Stevens — Friday 22 November 2019 @ 7:35

  75. Hi,

    When I run the script on a text file with multiple hashes, it returns the results of the first hash and gives me the “The requested resource is not among the finished” message. I used the delay option but it didn’t seem to help. I’m using python2.7. What am I missing?

    Comment by raquelgerlani — Thursday 9 January 2020 @ 16:06

  76. “The requested resource is not among the finished, queued or pending scans” -> this means VT doesn’t have a scan report for that hash, e.g. that a file with that hash wasn’t submitted to VT.

    Comment by Didier Stevens — Sunday 12 January 2020 @ 9:45

  77. I have a requirement to get only particular AV vendor detections or not in virustotal for multiple hashes. Can anyone help with that please? Thanks

    Comment by Santhosh — Thursday 16 January 2020 @ 16:05

  78. The report is a CSV file, you can process it to drop all AV vendors except yours. The default CSV separator is ; (option -s). The field with the AV alerts separates each AV vendor verdict with , as separator.

    Comment by Didier Stevens — Saturday 18 January 2020 @ 11:16

  79. I need to submit a zip file with password unzip-me to VirusTotal. I’m not seeing an option in virustotal-submit.py where I pass the zip file password on command line. Please advise.

    Comment by Jim Kelly — Friday 31 July 2020 @ 10:56

  80. You can use my tool zipdump.py to extract the file to stdout, and then pipe it into virustotal-submit. Let me know if you have issues doing that, because then I’ll look up the exact command.

    Comment by Didier Stevens — Friday 31 July 2020 @ 12:40

  81. Need help!! I tried “python3 virustotal-search.py file.txt -k VT_API.txt -s , -o Out.csv” and getting Error VTHTTPReportRequest. Please advise.

    43773e3166b6e6fef1d0c8a4e0507d5d09,05b366e84aded169306d3b71488c2de8a907631517b114c2e026126e85e207b8,Error VTHTTPReportRequest,0

    Comment by srilekhanune — Wednesday 9 March 2022 @ 3:01

  82. -k takes your api key, not a file with your api key.

    Comment by Didier Stevens — Wednesday 9 March 2022 @ 11:49

  83. Thanks, Stevens. I tried with API key instead of file (having api key). Still, I am getting the same error. What I am trying is, I have a list of hashes in a text file and I want to know whether they are malware or benign samples.

    I am having a text file with hashes line by line. Is this the correct format to submit the text file?

    Comment by srilekha nune — Wednesday 9 March 2022 @ 16:36

  84. Yes, indeed. I just used it a couple of days ago, it worked fine.

    Comment by Didier Stevens — Wednesday 9 March 2022 @ 17:23

  85. Do I need to set any environmental variables?

    I am trying these four hashes.
    000649278acb9bc9ccc7cdd03f3607da52a977735dcc72f91b2b67b5ad0a90f8
    000ab1743c58592e1ddfd7b39067cb65dfd90663aeb28a66719b43cf5898604e
    001df31d7ed6b3b0a9a00fa265ab7197265e54d1426a3f12bc7e017044d3e245
    00008e964394a8f7fd171be99a97dd49acd3a70240994b4e59eed5dddc3ef53a

    Comment by srilekha nune — Wednesday 9 March 2022 @ 17:46

  86. I can get results for those hashes.
    I took another look at your first comment, and I see that the status code is 0: this means that the Python script was not able to establish a connection.
    Are you in a network that requires going through a proxy to connect to the Internet?

    Comment by Didier Stevens — Wednesday 9 March 2022 @ 19:01

  87. No, connected to AT&T router directly. I am working on mac, maybe I will try on my Ubuntu desktop. Not sure will make any difference.

    Comment by srilekha nune — Wednesday 9 March 2022 @ 19:13

  88. Great to come across this script! Will be very useful to use. I’m trying the below and am getting an error – do you know what the issue is?

    virustotal-search.py filename.txt -k APIKEY -s , -o Output.csv
    Traceback (most recent call last):
    File “/home/xxxxxx/Documents/xxxxxx/virustotal-search.py”, line 594, in <module>
    Main()
    File “/home/xxxxxx/Documents/xxxxxx/virustotal-search.py”, line 591, in Main
    VirusTotalSearch(args[0], options)
    File “/home/xxxxxx/Documents/xxxxxx/virustotal-search.py”, line 419, in VirusTotalSearch
    SetProxiesIfNecessary()
    File “/home/xxxxxx/Documents/xxxxxx/virustotal-search.py”, line 341, in SetProxiesIfNecessary
    urllib.install_opener(urllib.build_opener(urllib.ProxyHandler(dProxies)))
    ^^^^^^^^^^^^^^^^^^^^^
    AttributeError: module ‘urllib’ has no attribute ‘install_opener’

    Comment by Jack — Tuesday 4 July 2023 @ 9:31

  89. What version of Python do you use?

    Comment by Didier Stevens — Sunday 16 July 2023 @ 7:49

