Script to read from a file a list of SHA256, input into virustotal & extract the MD5+SHA1 values & output to a text file

sunhux
I'm looking for a script or portable tool (ideally a Windows batch or VB, as my office laptop doesn't have
PS access, but PowerShell scripts are welcome as I can do it on my personal PC with more effort) that
could read a file containing a list of SHA256 hashes (line by line is fine), input it into
   https://www.virustotal.com/#/home/search  (the 3rd tab), hit ENTER, click on the "Details" tab,
extract the values under MD5 & SHA-1, and populate them into 2 columns in a text file.

If the value can't be found in VirusTotal, return a "Nil" value for both columns.

I often get threat intel that gives the IOCs' hashes in SHA256, but the Trend Micro (EDR) tool I have can
only accept MD5 or SHA-1 hash values.

Though I can enter them manually into VirusTotal,
Shaun Vermaak (Technical Specialist)
Awarded 2017
Distinguished Expert 2018

Commented:
That should actually be relatively easy.

You can even do it low-tech by doing a Curl or the like to an address like https://www.virustotal.com/#/file/4cb9d17539d2f6b1763d1cb968cf5d7459ec56c22a0d4ba1e55f7994865ffce9/detection and check the size of the response

If I have a gap I will put something together for you
Shaun Vermaak (Technical Specialist)
Awarded 2017
Distinguished Expert 2018
Commented:
Seems there's a nice command line tool already:
vt file 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85


https://github.com/VirusTotal/vt-cli
https://github.com/VirusTotal/vt-cli/releases

Author

Commented:
Thanks.
Got the Windows 64-bit version & ran it, but it gave a message:

C:\share>vt file 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
Error: An API key is needed. Either use the --apikey flag or run "vt init" to set up your API key
Usage:
  vt file [hash]... [flags]

Author

Commented:
Followed the instruction to initialize but was prompted for an API key:

C:\share>vt init
VirusTotal Command-Line Interface: Threat Intelligence at your fingertips.

Enter your API key:



C:\share>vt --apikey 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
A command-line tool for interacting with VirusTotal.
Usage:
  vt [command]
David Favor (Fractional CTO)
Distinguished Expert 2018

Commented:
To produce hashes from strings, you must have the original string.

So you can't convert an SHA256 to an MD5 hash + expect the MD5 hash to match the original string.

You must start with the original strings to convert all your hashes correctly.

Author

Commented:
@David
In the case of VirusTotal, it's not a conversion: VirusTotal has in its database
the equivalent hash values in MD5, SHA1 & SHA256, so we're retrieving the equivalent
values already stored in VirusTotal.
Top Expert 2014

Commented:
Are you trying to produce the MD5 & SHA hashes?  If so, use FCIV:
https://support.microsoft.com/en-us/help/889768/how-to-compute-the-md5-or-sha-1-cryptographic-hash-values-for-a-file

Or the Get-FileHash command within PowerShell.

Or are you trying to verify hash values against the actual files to see if they've changed?
David Favor (Fractional CTO)
Distinguished Expert 2018

Commented:
Referring to your question title...

1) Script to read from a file a list of SHA256, input into Virustotal.

You'll open a Virustotal support ticket for the correct way to inject data into their system.

2) extract the MD5+SHA1 values & output to a text file

This doesn't really make sense, as #1 suggests you already have a text file of all your hashes, required to inject into Virustotal.

Likely best to attach a copy of an actual data file you're using, as some clarification is required to answer your question.

Author

Commented:
Shaun almost got it, but somehow the tool came out with an error when run.

@aikimark, I don't have the IOC file; rather, the threat intel gave me a list of
IOC hashes:
e.g. I got the intel from:
      https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/

Then I would copy the hashes one at a time into VirusTotal: refer to the 2 attached screens,
where I copy the 1st line of hash to obtain the equivalent MD5/SHA1 hashes:
VT must have the intel from certain sources/vendors who have the actual malware files.

If I had the malware files (i.e. the IOC file itself), I would have been able to do what
aikimark did to get its MD5/SHA1 values, but I don't have that malware file, only the
hash value of the malware file.


Now, refer to the 3rd attachment: this is the file containing the list of hashes copied from
the link above. The vt tool that Shaun shared was supposed to be able to read it (i.e. I'll
just prefix each hash value with   'vt ...options...   SHA256_hashvalue'  & it'll
return the equivalent MD5 value from VT).


Shaun understands what I need.
vt1.JPG
vt2.JPG
Kerbdlliochashes.txt
Shaun Vermaak (Technical Specialist)
Awarded 2017
Distinguished Expert 2018

Commented:
You get your API key from your VirusTotal account. Then you run vt init.

Author

Commented:
Shaun, I've got my VT account & logged in to search for API key:
mind sharing how or where in VT can we get this key?

Let me know how to install/use this key as well.

Author

Commented:
When I look at the 'Help' of vt, it doesn't seem to have a feature to retrieve the
MD5/SHA1 equivalent of a given SHA256 value:

C:\share>vt --help
A command-line tool for interacting with VirusTotal.

Usage:
  vt [command]

Available Commands:
  analysis    Get a file or URL analysis
  completion  Output shell completion code for the specified shell (bash or zsh)
  domain      Get information about Internet domains

  file        Get information about files  <==
...

Flags:
  -k, --apikey string   api key
  -h, --help            help for vt
  -v, --verbose         verbose output

Use "vt [command] --help" for more information about a command.

Author

Commented:
There's a script for this purpose, but the site is probably outdated:

https://www.darksh3ll.gr/index.php/48-perl-script-check-sha256-against-virustotal
Shaun Vermaak (Technical Specialist)
Awarded 2017
Distinguished Expert 2018
Commented:
Shaun, I've got my VT account & logged in to search for API key:
mind sharing how or where in VT can we get this key?
vtkey.png
Let me know how to install/use this key as well.
Run this and it will prompt for it:
vt init


Author

Commented:
Thanks, got the API key under my profile icon (don't select "Profile", drag down to "Settings")
& registered the key using 'vt init':
"Your API key has been written to config file C:\Users\sunhux/.vt.toml"

Ran the command, but nothing was returned (nothing created in the current folder nor in c:\temp):
C:\share>vt file c:\temp\vtIOChashes.txt
C:\share>

Contents of  c:\temp\vtIOChashes.txt are 6 lines of IOC hashes:
89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3
a4a066341b4172d2cb752de4b938bf678ceb627ecb72594730b78bd05a2fad9d
8bf22202e4fd4c005afde2266413cba9d1b749b1a2d75deac0c35728b5eb3af8
df8210d20c5eb80d44ba8fa4c41c26c8421dcb20168e4f796e4955e01ebc9e13
94fab926b73a6a5bc71d655c8d611b40e80464da9f1134bfce7b930e23e273ab
4321a9f95901a77b4acfbaef3596cf681712345e1cbd764873c6643fe9da7331
Top Expert 2016

Commented:
The SHA256 Hash of "The Quick Brown Fox Jumped over the Lazy Dog's Back" is 0C0511F6922BA5BBA6910C58858133BFBE127FC9CF69C2F095DFCD6287EA5B71
MD5 = E0861D227E9791553107CEFD40CD3B5C

I'm getting the impression you want to send them the SHA256Key and if there is a match retrieve the MD5 key

Author

Commented:
Correct, David, just that I needed an automated way of doing it instead of manually copy/paste/Enter, as I sometimes have a hundred over SHA256 hashes.
Shaun Vermaak (Technical Specialist)
Awarded 2017
Distinguished Expert 2018
Commented:
Contents of  c:\temp\vtIOChashes.txt are 6 lines of IOC hashes:
89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3
a4a066341b4172d2cb752de4b938bf678ceb627ecb72594730b78bd05a2fad9d
8bf22202e4fd4c005afde2266413cba9d1b749b1a2d75deac0c35728b5eb3af8
df8210d20c5eb80d44ba8fa4c41c26c8421dcb20168e4f796e4955e01ebc9e13
94fab926b73a6a5bc71d655c8d611b40e80464da9f1134bfce7b930e23e273ab
4321a9f95901a77b4acfbaef3596cf681712345e1cbd764873c6643fe9da7331
Each line is a separate vt.exe search.

vt file 89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3
vt file a4a066341b4172d2cb752de4b938bf678ceb627ecb72594730b78bd05a2fad9d
vt file 8bf22202e4fd4c005afde2266413cba9d1b749b1a2d75deac0c35728b5eb3af8
vt file df8210d20c5eb80d44ba8fa4c41c26c8421dcb20168e4f796e4955e01ebc9e13
vt file 94fab926b73a6a5bc71d655c8d611b40e80464da9f1134bfce7b930e23e273ab
vt file 4321a9f95901a77b4acfbaef3596cf681712345e1cbd764873c6643fe9da7331



For example, the first one is
md5: "c313f8a5fd8ca391fc85193bc879ab02"
sha1: "c9d6b6fa37ca3d8cb57248993bb7c8a8fcd1bc89"

Author

Commented:
Thanks, think I got it: I will have to prefix it with "vt file" & suffix it with ' | find "md5" ' if I want its MD5 value. Correct me if I'm mistaken:

C:\> vt file 89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3 | find "md5"
    md5: "c313f8a5fd8ca391fc85193bc879ab02"

C:\> vt file 89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3 | find "sha1"
    sha1: "c9d6b6fa37ca3d8cb57248993bb7c8a8fcd1bc89"
Shaun Vermaak (Technical Specialist)
Awarded 2017
Distinguished Expert 2018

Commented:
That's it. Obviously, you can do some clever things with Powershell etc.
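The whole workflow from this thread (read a file of SHA256 lines, run `vt file` per line, keep the md5/sha1 lines, write "Nil" for anything VT does not return) as one script, added here as an example and not something posted by the participants or shipped with vt-cli. It assumes vt.exe is on PATH with the key already stored by `vt init`; the SAMPLE_VT_OUTPUT string is constructed from the lines quoted above so the parser can be exercised offline, and the 15-second pacing between lookups is an assumption for a public, rate-limited API key.

```python
import re
import subprocess
import sys
import time
from pathlib import Path

# Constructed sample of what `vt file <sha256>` prints (modeled on the lines quoted
# in the thread); used only to exercise the parser without calling VirusTotal.
SAMPLE_VT_OUTPUT = '''- _id: "89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3"
    md5: "c313f8a5fd8ca391fc85193bc879ab02"
    sha1: "c9d6b6fa37ca3d8cb57248993bb7c8a8fcd1bc89"
'''

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")
MD5_LINE = re.compile(r'^\s*md5:\s*"?([0-9a-fA-F]{32})"?', re.MULTILINE)
SHA1_LINE = re.compile(r'^\s*sha1:\s*"?([0-9a-fA-F]{40})"?', re.MULTILINE)


def parse_vt_output(text):
    """Pull md5 and sha1 out of vt's YAML-style output; 'Nil' where a value is absent."""
    md5, sha1 = MD5_LINE.search(text), SHA1_LINE.search(text)
    return (md5.group(1).lower() if md5 else "Nil",
            sha1.group(1).lower() if sha1 else "Nil")


def lookup_hash(sha256, delay=15.0):
    """Run `vt file <sha256>`; vt reads the key that `vt init` wrote to ~/.vt.toml."""
    proc = subprocess.run(["vt", "file", sha256], capture_output=True, text=True)
    time.sleep(delay)  # assumption: pace lookups to stay within a public key's rate limit
    # An unknown hash (or a vt error) yields no md5/sha1 lines, so both columns become Nil.
    return parse_vt_output(proc.stdout) if proc.returncode == 0 else ("Nil", "Nil")


def convert_hashes(lines, lookup=lookup_hash):
    """Map each SHA256 line to (sha256, md5, sha1); malformed lines get Nil without a lookup."""
    rows = []
    for line in lines:
        h = line.strip()
        if not h or h.startswith("#"):
            continue
        md5, sha1 = lookup(h) if SHA256_RE.fullmatch(h) else ("Nil", "Nil")
        rows.append((h, md5, sha1))
    return rows


def format_rows(rows):
    """Tab-separated text: the SHA256 is kept as a leading column before the MD5 and SHA-1 columns."""
    return "\n".join(["sha256\tmd5\tsha1"] + ["\t".join(r) for r in rows]) + "\n"


if __name__ == "__main__":
    # usage: python vt_md5sha1.py c:\temp\vtIOChashes.txt vt_out.txt
    src, dst = Path(sys.argv[1]), Path(sys.argv[2])
    dst.write_text(format_rows(convert_hashes(src.read_text().splitlines())))
```

The resulting file can be pasted into the EDR tool's MD5 or SHA-1 import directly; rows showing Nil are hashes VT has no sample for, so they need another source.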
