VirusTotal & hash lists

We'll take UAC's md5 hash output and query VirusTotal's API to search for malicious binaries.

If you execute UAC and select an appropriate profile (like full, or ir_triage) you'll have a list of hashes of executables which were running at the time of acquisition. Within process folder within live_response, you'll hash_running_process.md5 and .sha1

Edit those and strip the first column. If you're using Notepad++, you can just open the file, press Alt + Shift and select the second column and delete it. Save this as a new file, called process.md5 (you need the original listing to identify the process and map it back to pstree/cmd).

  1. Download VirusTotal search from Didier Stevens' website (

  2. Fetch an API key from VirusTotal (free for small volume queries)

  3. Make sure you have Python2.7 installed

  4. Execute the following command

$ python2.7 -k APIKEY hashes.md5

This will display the results via the console, as well as save it as a CSV file.

Last updated