Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Storing your Collection of Malware Samples with Malwarehouse - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Storing your Collection of Malware Samples with Malwarehouse

Scott Roberts released a simple yet easy to use Python script to store and query your collection of malware samples into a SQLite database. The process is simple; it allows storage (indexing basic sample metadata) and retrieval of your samples. The database allows for query by filename, MD5 and SHA256 hashes. The malwarehouse package can be downloaded here.

I changed my database location from the malwarehouse.py script option_base_dir = os.path.expanduser("~/Desktop/malwarehouse/") to option_base_dir = os.path.expanduser("~/malwarehouse/") because this server doesn't have X-Windows running.

  • First a simple menu:

  • Entering a malware sample into the SQLite database:

guy@seeker:~/malwarehouse$ ./malwarehouse.py -s zz87lhfda88.com -t PWS-LegMir.dll -n "Low detection" 1.exe

  • Result when malware sample 1.exe is processed:

guy@seeker:~/malwarehouse$ ./malwarehouse.py -s zz87lhfda88.com -t PWS-LegMir.dll -n "Low detection" 1.exe
Parsing Malware
Analysis complete. Loading.
Sample 1.exe loaded...
Loading Malware 1.exe
Creating /home/guy/malwarehouse/41f5e475e086c991873a35c58234213fc01331d655f3f39a2f1a6d2f0e0ed6b8

  • Reviewing the last record with the 3 available methods:

guy@seeker:~/malwarehouse$ ./malwarehouse.py -f 41f5e475e086c991873a35c58234213fc01331d655f3f39a2f1a6d2f0e0ed6b8
guy@seeker:~/malwarehouse$ ./malwarehouse.py -f 4f871a6b9f17c0923963e7dfc73efa58
guy@seeker:~/malwarehouse$ ./malwarehouse.py -f 1.exe

  • Reviewing the last 3 recorded inserted into the malwarehouse database:

If you are looking for a simple and yet effective way of tracking your malware samples, malwarehouse is probably for you. I'm sure Scott Robert is open to suggestions to improve this project . His contact information is listed on the Github download page.


[1] blog.thevigilant.com
[2] https://github.com/sroberts/malwarehouse

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Guy

411 Posts
ISC Handler
Hey Guy...you need to fix the github link..there is a rogue %20 after the second forward slash.
HackDefendr

65 Posts Posts
Link is fixed.
Guy

411 Posts Posts
ISC Handler
a solution looking for a problem?
Jouser

6 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!