
Copyright (C) 2018-2026 Alexandre Borges (https://exploitreversing.com)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
See GNU Public License on <http://www.gnu.org/licenses/>.
Important note: Malwoverview does NOT submit samples to any endpoint by default, so it respects possible Non-Disclosure Agreements (NDAs). There are specific options that explicitly submit samples, but these options are explained in the help.
Malwoverview.py is a first response tool for threat hunting, which performs an initial and quick triage of malware samples, URLs, IP addresses, domains, malware families, IOCs and hashes. Additionally, Malwoverview is able to get dynamic and static behavior reports, and to submit samples to and download samples from several endpoints. In a few words, it works as a client to the main existing sandboxes.
This tool aims to:
Alexandre Borges (https://github.com/alexandreborges) | project owner and main developer
Artur Marzano (https://github.com/Macmod) | co-main developer
Corey Forman (https://github.com/digitalsleuth) | responsible for REMnux integration
Christian Clauss (https://github.com/cclauss)
Since version 6.0.0, there is a new branch named "dev". All contributions and proposals must be made against this "dev" branch.
Professionals who want to contribute must open an issue explaining the proposed improvement and how it would make the project better. Once it has been accepted, the contributor is authorized to submit the PR, which will be tested.
Once all changes are tested, this new version of Malwoverview is replicated to the master branch and a new Python package is generated.
This tool has been tested on REMnux, Ubuntu, Kali Linux, macOS and Windows. Malwoverview can be installed by executing the following command:
* pip3.11 install git+https://github.com/alexandreborges/malwoverview
or...
* python -m pip install -U malwoverview
If you want to install Malwoverview on macOS, you have to execute the following commands:
* /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
* brew install libmagic
* pip3 install urllib3==1.26.6
* pip3 install -U malwoverview
* Add the Python binary directory to the PATH variable by editing the .bash_profile file in your home directory. Example:
export PATH=$PATH:/Users/alexandreborges/Library/Python/3.9/bin
* Execute: . ./.bash_profile
If you are installing Malwoverview on Windows, make sure that the following conditions are true AFTER having installed Malwoverview:
* python-magic is NOT installed. (pip show python-magic)
* python-magic-bin IS installed. (pip show python-magic-bin)
Some features require optional dependencies. Install them as needed:
* YARA scanning: pip install malwoverview[yara]
* PDF report export: pip install malwoverview[pdf]
* TUI dashboard: pip install malwoverview[tui]
* All optional: pip install malwoverview[all]
It is possible to start using Malwoverview without inserting all API keys. However, to use all options of Malwoverview, you must insert the respective API key of the following services: VirusTotal, Hybrid Analysis, URLHaus, Malshare, Polyswarm, Alien Vault, Malpedia, Triage, IPInfo, Malware Bazaar, ThreatFox, VulnCheck, Shodan, AbuseIPDB, GreyNoise and URLScan.io into the .malwapi.conf configuration file, which must be present (or created) in the home directory (/home/[username] or /root on Linux, and C:\Users\[username] on Windows). Alternatively, users can create a custom configuration file and indicate it by using the -c option.
To highlight: if the .malwapi.conf file does not exist in your home directory, you must create it!
The .malwapi.conf configuration file has the following format:
[VIRUSTOTAL]
VTAPI =
[HYBRID-ANALYSIS]
HAAPI =
[MALSHARE]
MALSHAREAPI =
[HAUSSUBMIT]
HAUSSUBMITAPI =
[POLYSWARM]
POLYAPI =
[ALIENVAULT]
ALIENAPI =
[MALPEDIA]
MALPEDIAAPI =
[TRIAGE]
TRIAGEAPI =
[IPINFO]
IPINFOAPI =
[BAZAAR]
BAZAARAPI =
[THREATFOX]
THREATFOXAPI =
[VULNCHECK]
VULNCHECKAPI =
[URLHAUS]
URLHAUSAPI =
[SHODAN]
SHODANAPI =
[ABUSEIPDB]
ABUSEIPDBAPI =
[GREYNOISE]
GREYNOISEAPI =
[URLSCANIO]
URLSCANIOAPI =
[LLM]
PROVIDER = claude
CLAUDE_API_KEY =
CLAUDE_MODEL = claude-opus-4-8
GEMINI_API_KEY =
OPENAI_API_KEY =
OPENAI_MODEL = gpt-4o-mini
OLLAMA_URL = http://localhost:11434
OLLAMA_MODEL = llama3.1
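As an added example (not part of Malwoverview's own code), the following Python snippet parses a .malwapi.conf file in the format shown above, reports which services still have empty keys, masks key values for display, and checks that the file is not readable by other users, since it holds API secrets. The sample configuration and key values are constructed; the LLM section is skipped because its keys differ per provider.

```python
import configparser
import os
import stat

# Section -> key name, exactly as in the .malwapi.conf template above.
EXPECTED_KEYS = {
    "VIRUSTOTAL": "VTAPI", "HYBRID-ANALYSIS": "HAAPI", "MALSHARE": "MALSHAREAPI",
    "HAUSSUBMIT": "HAUSSUBMITAPI", "POLYSWARM": "POLYAPI", "ALIENVAULT": "ALIENAPI",
    "MALPEDIA": "MALPEDIAAPI", "TRIAGE": "TRIAGEAPI", "IPINFO": "IPINFOAPI",
    "BAZAAR": "BAZAARAPI", "THREATFOX": "THREATFOXAPI", "VULNCHECK": "VULNCHECKAPI",
    "URLHAUS": "URLHAUSAPI", "SHODAN": "SHODANAPI", "ABUSEIPDB": "ABUSEIPDBAPI",
    "GREYNOISE": "GREYNOISEAPI", "URLSCANIO": "URLSCANIOAPI",
}

def audit_config_text(text: str) -> dict:
    """Report which services have a key set; an empty 'VTAPI =' counts as missing."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    report = {"configured": [], "missing": [], "unknown_sections": []}
    for section, key in EXPECTED_KEYS.items():
        value = parser.get(section, key, fallback="").strip()
        (report["configured"] if value else report["missing"]).append(section)
    for section in parser.sections():
        if section not in EXPECTED_KEYS and section != "LLM":
            report["unknown_sections"].append(section)  # likely a typo in a header
    return report

def mask(secret: str) -> str:
    """Show only the last 4 characters so a key can be recognised but not reused."""
    if not secret:
        return "<empty>"
    return "*" * max(len(secret) - 4, 0) + secret[-4:]

def permissions_ok(path: str) -> bool:
    """API keys are secrets: the file should not be readable by group or others."""
    # POSIX permission bits only; on Windows use the file's ACL instead.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

# Constructed sample: two services with fake keys, one left blank, the rest absent.
SAMPLE_CONF = """[VIRUSTOTAL]
VTAPI = 0123456789abcdef
[HYBRID-ANALYSIS]
HAAPI =
[TRIAGE]
TRIAGEAPI = fake-triage-key
"""
```

Running `audit_config_text(SAMPLE_CONF)` on the constructed sample lists VIRUSTOTAL and TRIAGE as configured and the other fifteen services as missing; pass the real path (or the file given to -c) to `permissions_ok` before trusting the file with live keys.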
The APIs can be requested on the respective service websites:
$ claude mcp add malwoverview \
-- python -m otcore.mcp_server <graph>