Mal-Hash Updates

DFIR, Malware, PowerShell

Mal-Hash.ps1

  • The script takes the input of a file, calculates the hashes (MD5, SHA1, SHA256), and then submits the SHA256 hash to Virus Total* for analysis.
  • The script will also run Strings against the sample.
  • The script will check Malware Bazaar to see if a sample matching the hash is available.
  • The hashes, strings, Virus Total and Malware Bazaar results are both displayed on screen and saved to a text report.
  • Timestamp of the analysis is recorded in UTC.

VTHashSub.ps1

  • The script takes a hash value as input and submits the hash to Virus Total* for analysis.
  • The script will check Malware Bazaar to see if a sample matching the hash is available.
  • The hashes, Virus Total and Malware Bazaar results are both displayed on screen and saved to a text report.
  • Timestamp of the analysis is recorded in UTC.

Mal-Hash.ps1 and VTHashSub.ps1 will operate (via PowerShell) on Windows, Mac & Linux.

* Virus Total API key expected in vt-api.txt.

Latest updates:

  • n of x vendors detected
  • VT permalink
  • Malware Bazaar results

Both scripts available on my GitHub page:

https://github.com/dwmetz/Mal-Hash

One thought on “Mal-Hash Updates

  1. Pingback: Week 29 – 2023 – This Week In 4n6

Leave a comment