Skip to content


Subversion checkout URL

You can clone with
Download ZIP
VirusTotal Public+Private api v2 full
Branch: master

logger dissabled

latest commit c84178dd9d
andriy authored
Failed to load latest commit information.
doc big update
vt logger dissabled
.gitignore Update .gitignore Update
requirements.txt setup tools added :) big update

VirusTotal public and private APIv2 Full support

This script was made public into the official VT API documentation page.

Before using the tool you must set your api key near the end of the file or in ~.vtapi.

  • ~.vtapi file content:
  • your type of api access, if private: type=private, if public, you can leave it empty, it will be automatically reconized as public
  • if you have access to VT Intelligence, you need set to True


  • requests
  • texttable
  • python-dateutil

These can be installed via PIP or a package manager. Example of installing all dependencies using pip:

pip install -r requirements.txt


  • Big code update
  • new --as-owner option
  • Team cymru asn data removed, as vt provide it now
  • Can be used as library, value must be as list:
    • return_raw parameter will return original raw response json
    • Example:
      • vt.getIP(**{'value': [''],'return_raw':True})
    • return_json will return only data what you specify, as for example passive_dns, asn, etc
    • Example:
      • vt.getDomain(**{'return_json':True, 'asn':True, 'passive_dns':True, 'value':['']})


  • Private api download bugfix
  • Url parameter now reconize correctly in download
  • Some other bug fixes


  • Team-Cymru ASN info, now apart of number will show data, example:
  • [+] TEAM-CYMRU ASN details: 15169 - US - arin - 2000-03-30 - GOOGLE - Google Inc.,US

17.04.2015 - added new domain and ip options, other new stuff soon

  • detected-referrer-samples
  • undetected-referrer-samples
  • whois
  • whois-timestamp
  • passive-dns
  • asn
  • country
  • subdomains
  • domain-siblings
  • categories
  • alexa-cat
  • alexa-rank
  • opera-info
  • drweb-cat *


  • Support downoad by passsing link of sample
    • Example: vt --download<hash_here>/analysis/


  • Download from VT intelligence


  • -dds, --detected-downloaded-samples now works correctly
  • -wh, --whois added
  • requests InsecureRequestWarning: Unverified HTTPS request is being made - disabled


  • Now doesn't matter if you put -d or -i for domain/ip, it will catch it correctly :)
    • Example: -d it will be passed to ip not to domain, and vice versa


  • Big upgrade, with bug fixes, code cleaning, a lot of improvement
  • Now you can have file with list of hashes to download, or pass them as param
  • Domain walk - will get all ips and check information about them
  • Private api improvement and full support, before was hardcoded 4 items to check, now if you have private api will check up to 25 items in only one petition
  • You can pass more then 4 url/hashes to check with your public api, it will do it with waiting before every 4 petition, the same for private api but between 25 petitions
  • Can retrieve information about many domain/ips, now you don't need bash loop or check one by one :)
  • etc

PS I will try to document all tricks of using of this script, when I will have a bit of time


  • Ip search (-i) now can be used scheme search like this http://ip, urlparse will extract domain
  • Windows expand user home support added, thanks to @truekonrads


  • Search bug fixed
  • Domain search (-d) now can be used scheme search like this, urlparse will extract domain


  • Now show file name when scan/search file
  • In file-search option can now be used md5 hash
  • Rescan option now support wildcard, for example samples/*, will generate file hash on the fly


  • Bug fix related with csv dumps


  • Table improvement, now result show is more prettiest, column sizes adjustment


  • Added option --csv, which permit dump AVs result into csv file

  • Now AVs results are sorted from a to z, to help found more quickly searched AV result

  • Added AV version and Last AV signature update


  • Added posibility to scan urls passed in file, filename must be urls_for_scan.txt and one url per line.

    Execution as arg: -u/-ur urls_for_scan.txt

  • Removed limits for 4 urls only with public api

20.11.2013 Updates:

  • Small bug fixed, when internet connection doesn't work correctly

  • Added option for file(s) search, without submitting file. Now you don't need to get hash of file and search it in VT if you just want to get the report, check option -fs/--file-search

  • In search without verbose mode now if someone/all of Kaspersky/Sophos/TrendMicro don't have results, you will see detections by others engines

16.11.2013 Updates:

  • Code optimization/cleaning, and small print fix

15.11.2013 Updates:

  • Added support for get apikey from file, now you can put is as before into apikey value at line 1409 or put it to config file if api key not in value , will check by default ~/.vtapi, but you can put it to another file and use -c/--config-file option

  • Limit reached issue patched

special thanks to @kellewic and @urbanski

few public API functions getted from Chris Clark script
And finally has been added full public and private API support by Andriy Brukhovetskyy (doomedraven)

License: Do whatever you want with it :)

Small manual with examples

Some examples:

python -d

Status: Domain found in dataset

[+] Passive DNS replication 2013-10-19 2013-10-19 2013-10-19 2013-10-19 2013-10-19 ....

python -u -ur Searching for url(s) report:

Scanned on:           2013-10-23 18:11:02
Detected by:          0 / 47

Status      : Scan finished, scan information embedded in this object
Scanned url :

Permanent Link:

python -s 0a1ab00a6f0f7f886fa4ff48fc70a953

Scanned on:           2013-10-20 14:13:11
Detected by:          15 / 48

Sophos Detection:     Troj/PDFEx-GD
Kaspersky Detection:  HEUR:Exploit.Script.Generic
TrendMicro Detection: HEUR_PDFJS.STREM

Results for MD5:     0a1ab00a6f0f7f886fa4ff48fc70a953
Results for SHA1:    0e734df1fbde65db130e4cf23577bdf8fde73ca8
Results for SHA256:  be9c0025b99f0f8c55f448ba619ba303fc65eba862cac65a00ea83d480e5efec

Permanent Link:
Something went wrong with that request. Please try again.