Script to fetch data from VirusTotal and add two specific objects to a MISP event:

  • File object
  • VirusTotal object

Afterwards it creates a relation between the two (file -> analysed-with -> virustotal-report).

Small blog post on the tool

The script makes use of the public VirusTotal API. To use the API you must sign up to VirusTotal Community. Once you have a valid VirusTotal Community account, you will find your personal API key in your personal settings section. This key is all you need to use the VirusTotal API.

Remember to create the file "":

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

misp_url = 'https://misp_instance/'
misp_key = '' # The MISP auth key can be found on the MISP web interface under the automation section
misp_verifycert = True

proxies = {
    "http" : '',
    "https": ''
}

vt_url = ''
vt_key = 'API KEY'

Sample Usage:

~# python3 -u 5b53275a-003c-4dcc-b4ce-710f9f590eb0 -a "USBGuard" --force -c 7657fcb7d772448a6d8504e4b20168b8
Virustotal to MISP
(c)2018 eCrimeLabs

- Checking if checksum is valid - true
- Checking if UUID format is valid - true
- UUID for MISP event detected
- Checksum 7657fcb7d772448a6d8504e4b20168b8 was not detected in the event
- The artefact was found on Virustotal
- Creating object(s)
	* Permalink:
	* Detection: 64/67
	* Last scan: 2018-07-21 02:03:58

	* MD5: 7657fcb7d772448a6d8504e4b20168b8
	* SHA1: 84c7201f7e59cb416280fd69a2e7f2e349ec8242
	* SHA256: 54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71
	* VirusTotal detections:
		Bkav ( Detection: W32.ZeustrackerZS.Trojan
		MicroWorld-eScan ( Detection: Gen:Variant.Kazy.8782
		CMC ( Detection: Trojan.Win32.Lebag!O
		CAT-QuickHeal (14.00) Detection: Trojan.Ramnit.A
		McAfee ( Detection:
		Malwarebytes ( Detection: Trojan.Zbot
		Zillya ( Detection: Trojan.Zbot.Win32.81569
		SUPERAntiSpyware ( Detection: Trojan.Agent/Gen-FakeSecurity
		TheHacker ( Detection: Trojan/Lebag.agu
		K7GW (10.54.27826) Detection: Riskware ( 0015e4f11 )
		K7AntiVirus (10.54.27825) Detection: Riskware ( 0015e4f11 )
		Invincea ( Detection: heuristic
		Baidu ( Detection: Win32.Worm.Autorun.f
		Babable (9107201) Detection: No detection
		F-Prot ( Detection: W32/Ramnit.K.gen!Eldorado
		Symantec ( Detection: W32.Ramnit
		TotalDefense ( Detection: Win32/Ramnit.B!Dropper
		TrendMicro-HouseCall (9.950.0.1006) Detection: TSPY_ZBOT.SMHA
		Paloalto (1.0) Detection:
		ClamAV ( Detection: Win.Trojan.Ramnit-7847
		Kaspersky ( Detection: Worm.Win32.Autorun.icp
		BitDefender (7.2) Detection: Gen:Variant.Kazy.8782
		NANO-Antivirus ( Detection: Trojan.Win32.DownLoad2.wtigj
		ViRobot (2014.3.20.0) Detection: Trojan.Win32.Agent.109056.CR
		Avast (18.4.3895.0) Detection: Win32:Kryptik-JOV [Trj]
		Tencent ( Detection:
		Ad-Aware ( Detection: Gen:Variant.Kazy.8782
		Sophos (4.98.0) Detection: Troj/ZXC-G
		Comodo (29383) Detection: TrojWare.Win32.Kryptik.KLV
		F-Secure (11.0.19100.45) Detection: Gen:Variant.Kazy.8782
		DrWeb ( Detection: Win32.HLLW.Tazebama.235
		VIPRE (68268) Detection: Trojan.Win32.Generic!BT
		TrendMicro ( Detection: TSPY_ZBOT.SMHA
		McAfee-GW-Edition (v2017.3010) Detection:
		Emsisoft (2018.4.0.1029) Detection: Gen:Variant.Kazy.8782 (B)
		SentinelOne ( Detection: static engine - malicious
		Cyren ( Detection: W32/Ramnit.K.gen!Eldorado
		Jiangmin (16.0.100) Detection: Trojan/Generic.dkmt
		Webroot ( Detection: Trojan:Win32/Eyestye.H
		Avira ( Detection: TR/Drop.Liks.A
		Fortinet ( Detection: W32/Kryptik.KLV!tr
		Antiy-AVL ( Detection: Worm/Win32.Autorun.icp
		Kingsoft (2013.8.14.323) Detection: Win32.Troj.Undef.(kcloud)
		Endgame (3.0.0) Detection: malicious (high confidence)
		Arcabit ( Detection: Trojan.Kazy.D224E
		AegisLab (4.2) Detection: Worm.Win32.Autorun.o!c
		ZoneAlarm (1.0) Detection: Worm.Win32.Autorun.icp
		Avast-Mobile (180720-04) Detection: No detection
		Microsoft (1.1.15100.1) Detection: Trojan:Win32/Ramnit
		AhnLab-V3 ( Detection: Trojan/Win32.Zbot.R19508
		ALYac ( Detection: Gen:Variant.Kazy.8782
		AVware ( Detection: Trojan.Win32.Generic!BT
		MAX (2017.11.15.1) Detection: malware (ai score=100)
		VBA32 ( Detection: Worm.AutoRun
		Cylance ( Detection: Unsafe
		Zoner (1.0) Detection: Win32.Ramnit.A
		ESET-NOD32 (17750) Detection: Win32/Ramnit.A
		Rising ( Detection: Trojan.Win32.Generic.127B2A0E (C64:YzY0OklB66P4SAs3)
		Yandex ( Detection: Trojan.Ramnit!cLbJ7UZPdfE
		Ikarus ( Detection: Virus.Win32.Virtob
		eGambit (None) Detection: No detection
		GData (A:25.17830B:25.12774) Detection: Gen:Variant.Kazy.8782
		AVG (18.4.3895.0) Detection: Win32:Kryptik-JOV [Trj]
		Cybereason (1.2.27) Detection: malicious.7d7724
		Panda ( Detection: Trj/Ramnit.F
		CrowdStrike (1.0) Detection: malicious_confidence_100% (W)
		Qihoo-360 ( Detection: Win32/Trojan.544

- The MISP objects seems to have been added correctly to the event....

The tool exits without adding anything to MISP if the checksum (MD5, SHA1, SHA256) was not found on VirusTotal. In some cases you might still want the value added to MISP; in that case use the option -f or --force.

This makes it easier to add additional information should you get it later, as it will then already be in object format.
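The flow described above (validate the checksum and event UUID, then build a file object linked to a virustotal-report object, or only the file object when forced), sketched as an added example that is not the project's own code. The helper names, the VirusTotal API v2 report field names, the MISP object attribute names and the reading of --force as "add the file object with the supplied hash only" are assumptions; the sample report is constructed from the output shown above with a placeholder permalink.

```python
import re
import uuid

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> hash type

# Constructed sample shaped like a VirusTotal API v2 file report (assumed field names).
SAMPLE_REPORT = {"response_code": 1, "positives": 64, "total": 67,
                 "scan_date": "2018-07-21 02:03:58",
                 "permalink": "https://vt.example/placeholder-permalink",
                 "md5": "7657fcb7d772448a6d8504e4b20168b8",
                 "sha1": "84c7201f7e59cb416280fd69a2e7f2e349ec8242",
                 "sha256": "54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71"}

def checksum_type(value):
    """Return 'md5', 'sha1' or 'sha256', or None if value is not a hex digest of that size."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return HASH_TYPES.get(len(value))

def valid_uuid(value):
    """True only for a canonical 8-4-4-4-12 UUID string (rejects braces, urn: and bare hex)."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False

def attr(relation, type_, value):
    return {"object_relation": relation, "type": type_, "value": value}

def build_objects(checksum, report, force=False):
    """Return [file, virustotal-report], [file] when forced, or [] when nothing is added."""
    kind = checksum_type(checksum)
    if kind is None:
        raise ValueError("not an MD5, SHA1 or SHA256 checksum")
    file_obj = {"name": "file", "uuid": str(uuid.uuid4()), "Attribute": [], "ObjectReference": []}
    if report.get("response_code") != 1:  # hash not known to VirusTotal
        if not force:
            return []
        file_obj["Attribute"].append(attr(kind, kind, checksum.lower()))
        return [file_obj]
    for h in ("md5", "sha1", "sha256"):
        file_obj["Attribute"].append(attr(h, h, report[h]))
    vt_obj = {"name": "virustotal-report", "uuid": str(uuid.uuid4()), "Attribute": [
        attr("permalink", "link", report["permalink"]),
        attr("detection-ratio", "text", f"{report['positives']}/{report['total']}"),
        attr("last-submission", "datetime", report["scan_date"])]}
    file_obj["ObjectReference"].append(  # file -> analysed-with -> virustotal-report
        {"referenced_uuid": vt_obj["uuid"], "relationship_type": "analysed-with"})
    return [file_obj, vt_obj]
```

Validating both inputs before any API call keeps malformed values out of the VirusTotal request and out of the MISP event.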

