Using the VirusTotal API on a Budget
VT is cool. Registering and getting an API key is free. An enterprise license and its features are NOT! With a free API key (last I checked!), you get 4 lookups/minute, max of 500/day. That's a lot, for us normal folk! Here is one possible way to take advantage of this useful service.
I want to look up a few (not thousands!) hash values "programmatically." If I have one or two, then manually visiting the web UI for VirusTotal is great; for 10-20 it's too cumbersome. I like WSL on Windows, though you can obviously do the same via a stand-alone Linux endpoint. Basically, register for a free account, get an API key, set up your Linux distro of choice, then use a simple one-liner to slowly feed your desired hash values to VT, returning a few key indicators.
As above, register at VT, get an API key, then download the precompiled "VT" (vt-cli) tool here: vt-cli-releases [example commands below]
mkdir vt
cd vt
wget https://github.com/VirusTotal/vt-cli/releases/download/1.0.1/Linux64.zip
unzip Linux64.zip
./vt init
Copy and paste your VT API Key! Then run a test to check a single hash value, as below:
./vt file 91f12a300565ebdb762a988cd52ef42d8ccf9ce9fd2079ea52e398c3a0692ac8 --include='_id,last_analysis_results.*.result'
Now, when you want to test multiple hash values, create a file, e.g. "hashes.txt" with one hash per line, then run the command below (be patient, we're staying under the "free" wire!), with output to "vt_results.txt":
while read -r line; do ./vt file "$line" --include='_id,last_analysis_results.*.result' >> vt_results.txt; sleep 20; done < hashes.txt
NOTE: If you are using a hash list output from some other command/tool, don't forget to dedup the list:
sort -u longlistwithduplicates.txt > hashes.txt
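The loop and the de-dup step above, combined into one script as an added example (not part of the original page or of vt-cli): it validates and de-duplicates the list before any value reaches the command line, and it stops at the 500/day cap, which the 20-second sleep alone does not enforce. The names `VT_BIN`, `DELAY`, `DAILY_MAX`, `clean_hashes` and `lookup_hashes` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Names below are illustrative.
VT_BIN="${VT_BIN:-./vt}"        # assumed location of the vt-cli binary
DELAY="${DELAY:-20}"            # seconds between lookups: 3/min, under the 4/min limit
DAILY_MAX="${DAILY_MAX:-500}"   # free-tier daily cap as quoted on this page

# Print the valid, lowercased, de-duplicated MD5/SHA-1/SHA-256 values in file $1.
# Strips CRs (lists edited on Windows, then read under WSL) and stray whitespace;
# anything that is not a plain hex digest is reported on stderr and dropped.
clean_hashes() {
  tr -d '\r' < "$1" | tr 'A-F' 'a-f' | awk '
    { gsub(/^[ \t]+|[ \t]+$/, "") }
    $0 == "" { next }
    /^[0-9a-f]+$/ && (length($0) == 32 || length($0) == 40 || length($0) == 64) {
      if (!seen[$0]++) print
      next
    }
    { print "skipped: " $0 > "/dev/stderr" }'
}

# Look up each cleaned hash from $1, appending results to $2.
# Stops at DAILY_MAX and prints the number of lookups attempted.
lookup_hashes() {
  clean_hashes "$1" | {
    n=0
    while read -r h; do
      if [ "$n" -ge "$DAILY_MAX" ]; then
        echo "daily cap of $DAILY_MAX reached; run the rest tomorrow" >&2
        break
      fi
      if [ "$n" -gt 0 ]; then sleep "$DELAY"; fi
      # </dev/null keeps the tool from consuming the rest of the hash list
      "$VT_BIN" file "$h" --include='_id,last_analysis_results.*.result' \
        >> "$2" </dev/null || echo "lookup failed: $h" >&2
      n=$((n + 1))
    done
    echo "$n"
  }
}

# Usage: ./vt_batch.sh hashes.txt [vt_results.txt]
if [ "$#" -ge 1 ]; then
  lookup_hashes "$1" "${2:-vt_results.txt}"
fi
```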