Script to read from a file a list of SHA256, input into virustotal & extract the MD5+SHA1 values & output to a text file

I'm looking for a script or portable tool (ideally a Windows batch or VB as my office laptop doesn't have
PS access but PowerShell scripts are welcome as I can do it on my personal PC with more effort) that
could read a file containing a list of SHA256 hashes (line by line is fine), input into
   https://www.virustotal.com/#/home/search  (the 3rd tab), hit ENTER, click on "Details" tab,
extract out the values under MD5 & SHA-1 & populate into 2 columns in a text file.

If the value can't be found in virustotal, return a "Nil" value for both columns.

I often get threat intel that gives IOCs' hashes in SHA256 but the Trend Micro (EDR) tool I have can
only accept MD5 or SHA-1 hash values

Though I can enter them manually into virustotal,
sunhux Asked:
Shaun Vermaak (Technical Specialist) Commented:
That should actually be relatively easy

You can even do it low-tech by doing a Curl or the like to an address like https://www.virustotal.com/#/file/4cb9d17539d2f6b1763d1cb968cf5d7459ec56c22a0d4ba1e55f7994865ffce9/detection and check the size of the response

If I have a gap I will put something together for you
Shaun Vermaak (Technical Specialist) Commented:
Seems there's a nice command line tool already
vt file 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

https://github.com/VirusTotal/vt-cli
https://github.com/VirusTotal/vt-cli/releases
sunhux (Author) Commented:
Thanks.
Got the Windows 64-bit version & ran it but it gave a message:

C:\share>vt file 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
Error: An API key is needed. Either use the --apikey flag or run "vt init" to set up your API key
Usage:
  vt file [hash]... [flags]
sunhux (Author) Commented:
Followed the instruction to initialize but was prompted for API key

C:\share>vt init
VirusTotal Command-Line Interface: Threat Intelligence at your fingertips.

Enter your API key:



C:\share>vt --apikey 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
A command-line tool for interacting with VirusTotal.
Usage:
  vt [command]
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
To produce hashes from strings, you must have the original string.

So you can't convert an SHA256 to an MD5 hash + expect the MD5 hash to match the original string.

You must start with the original strings to convert all your hashes correctly.
sunhux (Author) Commented:
@David
In the case of virustotal, it's not a conversion:  virustotal has it in its database
the equiv hash values in MD5, SHA1 & SHA256, so we're retrieving the equiv
values already stored in virustotal
aikimark Commented:
Are you trying to produce the MD5 & SHA hashes?  If so, use FCIV:
https://support.microsoft.com/en-us/help/889768/how-to-compute-the-md5-or-sha-1-cryptographic-hash-values-for-a-file

Or the Get-FileHash command within PowerShell

Or are you trying to verify hash values against the actual files to see if they've changed?
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Referring to your question title...

1) Script to read from a file a list of SHA256, input into Virustotal.

You'll open a Virustotal support ticket for the correct way to inject data into their system.

2) extract the MD5+SHA1 values & output to a text file

This doesn't really make sense, as #1 suggests you already have a text file of all your hashes, required to inject into Virustotal.

Likely best to attach a copy of an actual data file you're using, as some clarification is required to answer your question.
sunhux (Author) Commented:
Shaun almost got it but somehow the tool came out with an error when run.

@aikimark, I don't have the IOC file, rather the threat Intel gave me a list of
IOCs hashes:
eg: I got the intel from:
      https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/

Then I would copy one at a time the hashes into virustotal: refer to 2 attached screens
where I copy the 1st line of hash to obtain the equiv MD5/SHA1 hashes:
VT must have the intel from certain sources/vendors who have the actual malware files.

If I have the malware files (ie IOC file itself), I would have been able to do like what
aikimark did to get its MD5/sha1 values but I don't have that malware file only the
hash value of the malware file.


Now, refer to 3rd attachment: this is the file containing the list of hashes copied from
the link above: the vt tool that Shaun shares was supposed to be able to read (ie I'll
just prefix each of the hash value with   'vt ...options...   SHA256_hashvalue' & it'll
return the equiv MD5 value from VT.


Shaun understands what I need
vt1.JPG
vt2.JPG
Kerbdlliochashes.txt
Shaun Vermaak (Technical Specialist) Commented:
You get your API key from your VirusTotal account. Then you run VT init
sunhux (Author) Commented:
Shaun, I've got my VT account & logged in to search for API key:
mind sharing how or where in VT can we get this key?

Let me know how to install/use this key as well.
sunhux (Author) Commented:
When I look at the 'Help' of vt, doesn't seem to have the feature to retrieve the
MD5/SHA1 equiv of an SHA256 value given:

C:\share>vt --help
A command-line tool for interacting with VirusTotal.

Usage:
  vt [command]

Available Commands:
  analysis    Get a file or URL analysis
  completion  Output shell completion code for the specified shell (bash or zsh)
  domain      Get information about Internet domains

  file        Get information about files  <==
...

Flags:
  -k, --apikey string   api key
  -h, --help            help for vt
  -v, --verbose         verbose output

Use "vt [command] --help" for more information about a command.
sunhux (Author) Commented:
There's a script for this purpose but the site is probably outdated:

https://www.darksh3ll.gr/index.php/48-perl-script-check-sha256-against-virustotal
Shaun Vermaak (Technical Specialist) Commented:
Shaun, I've got my VT account & logged in to search for API key:
mind sharing how or where in VT can we get this key?
vtkey.png
Let me know how to install/use this key as well.
Run this and it will prompt for it
vt init
sunhux (Author) Commented:
Thanks, got the API key under my profile icon (not to select "Profile"), drag down to "Settings"
& registered key using 'vt init'  &  
"Your API key has been written to config file C:\Users\sunhux/.vt.toml"

Ran the command but nothing was returned (nothing created in current folder nor in c:\temp )
C:\share>vt file c:\temp\vtIOChashes.txt
C:\share>

Contents of  c:\temp\vtIOChashes.txt are 6 lines of IOC hashes:
89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3
a4a066341b4172d2cb752de4b938bf678ceb627ecb72594730b78bd05a2fad9d
8bf22202e4fd4c005afde2266413cba9d1b749b1a2d75deac0c35728b5eb3af8
df8210d20c5eb80d44ba8fa4c41c26c8421dcb20168e4f796e4955e01ebc9e13
94fab926b73a6a5bc71d655c8d611b40e80464da9f1134bfce7b930e23e273ab
4321a9f95901a77b4acfbaef3596cf681712345e1cbd764873c6643fe9da7331
David Johnson, CD (Retired) Commented:
The SHA256 Hash of "The Quick Brown Fox Jumped over the Lazy Dog's Back" is 0C0511F6922BA5BBA6910C58858133BFBE127FC9CF69C2F095DFCD6287EA5B71
MD5 = E0861D227E9791553107CEFD40CD3B5C

I'm getting the impression you want to send them the SHA256Key and if there is a match retrieve the MD5 key
sunhux (Author) Commented:
Correct, David, just that I needed an automated way of doing it instead of manually copy/paste/Enter as I sometimes have a hundred over SHA256 hashes
Shaun Vermaak (Technical Specialist) Commented:
Contents of  c:\temp\vtIOChashes.txt are 6 lines of IOC hashes:
89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3
a4a066341b4172d2cb752de4b938bf678ceb627ecb72594730b78bd05a2fad9d
8bf22202e4fd4c005afde2266413cba9d1b749b1a2d75deac0c35728b5eb3af8
df8210d20c5eb80d44ba8fa4c41c26c8421dcb20168e4f796e4955e01ebc9e13
94fab926b73a6a5bc71d655c8d611b40e80464da9f1134bfce7b930e23e273ab
4321a9f95901a77b4acfbaef3596cf681712345e1cbd764873c6643fe9da7331
Each line is a separate vt.exe search.

vt file 89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3
vt file a4a066341b4172d2cb752de4b938bf678ceb627ecb72594730b78bd05a2fad9d
vt file 8bf22202e4fd4c005afde2266413cba9d1b749b1a2d75deac0c35728b5eb3af8
vt file df8210d20c5eb80d44ba8fa4c41c26c8421dcb20168e4f796e4955e01ebc9e13
vt file 94fab926b73a6a5bc71d655c8d611b40e80464da9f1134bfce7b930e23e273ab
vt file 4321a9f95901a77b4acfbaef3596cf681712345e1cbd764873c6643fe9da7331

For example, the file one is
md5: "c313f8a5fd8ca391fc85193bc879ab02"
sha1: "c9d6b6fa37ca3d8cb57248993bb7c8a8fcd1bc89"

sunhux (Author) Commented:
Thanks, think I got it:  will have to prefix it with "vt file"  &  suffix it  with ' find "md5" ' if I want its md5 value, correct me if I'm mistaken :

C:\> vt file 89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3 | find "md5"
    md5: "c313f8a5fd8ca391fc85193bc879ab02"

C:\> vt file 89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3 | find "sha1"
    sha1: "c9d6b6fa37ca3d8cb57248993bb7c8a8fcd1bc89"
Shaun Vermaak (Technical Specialist) Commented:
That's it. Obviously, you can do some clever things with Powershell etc.
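
Added example (not part of the thread and not code from any participant or from the vt-cli project): a PowerShell script that automates the per-hash `vt file` lookup worked out above, writes tab-separated SHA256/MD5/SHA1 rows, and uses "Nil" when a value is not returned. It assumes vt.exe is on PATH, that `vt init` has already stored the API key, and that the output contains lines shaped like `md5: "..."` as shown in the thread; the file paths, the delay value and the helper name `Get-VtField` are placeholders chosen for this example.

```powershell
# Added example: batch SHA256 -> MD5/SHA1 lookup through vt-cli.
# Assumptions: vt.exe is on PATH and "vt init" has stored the API key.
param(
    [string]$InFile  = 'C:\temp\vtIOChashes.txt',           # one SHA256 per line
    [string]$OutFile = 'C:\temp\vtIOChashes_md5_sha1.txt',  # placeholder path
    [int]$DelaySeconds = 15   # assumption: pause so an API quota is not exhausted
)

# Hypothetical helper: return the first hex value found for a field name,
# or "Nil" if the vt output has no such line.
function Get-VtField {
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        # Matches lines such as:    md5: "c313f8a5fd8ca391fc85193bc879ab02"
        if ($line -match ('^\s*' + $Name + ':\s*"?([0-9a-fA-F]+)"?\s*$')) {
            return $Matches[1].ToLower()
        }
    }
    return 'Nil'
}

$rows = foreach ($raw in Get-Content -LiteralPath $InFile) {
    $hash = $raw.Trim()
    if ($hash -eq '') { continue }          # skip blank lines

    $md5 = 'Nil'; $sha1 = 'Nil'
    # Pass only well-formed SHA256 strings to the external command, so text
    # pasted from a report can never reach the vt command line as arguments.
    if ($hash -match '^[0-9a-fA-F]{64}$') {
        $out  = @(& vt file $hash 2>$null)  # empty when VirusTotal has no record
        $md5  = Get-VtField -Lines $out -Name 'md5'
        $sha1 = Get-VtField -Lines $out -Name 'sha1'
        Start-Sleep -Seconds $DelaySeconds
    }
    "{0}`t{1}`t{2}" -f $hash, $md5, $sha1
}

# Header row first, then one row per input line, in input order.
Set-Content -LiteralPath $OutFile -Value (@("SHA256`tMD5`tSHA1") + $rows)
```

The SHA256 column is kept so each MD5/SHA1 pair can be traced back to the indicator it came from before it is loaded into the EDR tool.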