Mlget is designed to fetch malware from a variety of sources so that you don’t have to manually hunt for a hash everywhere.
These are the services that Mlget can query. The version number corresponds to the version release number on github.

[Services table: the original README lists each service with the Mlget version it was added in and the version this README matches; the service names and version numbers did not survive extraction. The per-service notes that remain:]

- Sometimes hangs when querying the public instance due to Cloudflare
- Works for paid instances only
- List is redownloaded upon each run. Recommend not adding unless needed.
- Sometimes the hash is found in the analysis archive. Mlget will extract, identify, and save the file. The archive along with the rest of the files extracted are deleted.
- VXUnderground's malware repository
- This endpoint is heavily rate limited, so if downloading in bulk expect to hit the limit quickly
For the best mileage, use sha256 hashes.
Mlget also has the ability to upload to MWDB and AssemblyLine. Those are configured separately from the download sources.
Additional Features Baked In
- Auto archive extraction
- Will delete the archive upon extraction
- Will automatically hash the downloaded file to make sure it matches the requested hash
- If not a match, will delete the downloaded file and try the next service
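The verify-then-fall-through behaviour described above, written out as an added Go example (this is not mlget's own code; the `Fetcher` type and the in-memory sources are constructed stand-ins for the real services). The hash algorithm is chosen from the length of the hash the user supplied, a mismatch discards the bytes and moves to the next source, and `precheckDir` shows the local-directory check that `--precheckdir` performs before any service is queried.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// hashMatches infers the digest type from the hex length of the expected hash
// (32 = MD5, 40 = SHA-1, 64 = SHA-256) and compares it against the data.
func hashMatches(expected string, data []byte) (bool, error) {
	expected = strings.ToLower(strings.TrimSpace(expected))
	var got string
	switch len(expected) {
	case 32:
		sum := md5.Sum(data)
		got = hex.EncodeToString(sum[:])
	case 40:
		sum := sha1.Sum(data)
		got = hex.EncodeToString(sum[:])
	case 64:
		sum := sha256.Sum256(data)
		got = hex.EncodeToString(sum[:])
	default:
		return false, fmt.Errorf("unsupported hash length %d", len(expected))
	}
	return got == expected, nil
}

// Fetcher is a hypothetical stand-in for one download service: it returns the
// sample bytes for a hash, or an error when the service does not have it.
type Fetcher func(hash string) ([]byte, error)

// fetchVerified asks each source in turn and keeps only a sample whose bytes
// actually hash to the requested value. A source that errors or returns the
// wrong bytes is skipped; the index of the winning source is returned.
func fetchVerified(hash string, sources []Fetcher) ([]byte, int, error) {
	for i, fetch := range sources {
		data, err := fetch(hash)
		if err != nil {
			continue // not found at this service: try the next one
		}
		ok, err := hashMatches(hash, data)
		if err != nil {
			return nil, -1, err // malformed hash: no point asking anyone else
		}
		if ok {
			return data, i, nil
		}
		// Mismatch: the bytes are discarded (never written to disk) and the
		// loop moves on to the next service.
	}
	return nil, -1, errors.New("hash not found at any source")
}

// precheckDir mirrors --precheckdir: if a regular file in dir already hashes
// to hash, return its path so the web services need not be queried at all.
func precheckDir(dir, hash string) (string, bool) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return "", false
	}
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		p := filepath.Join(dir, e.Name())
		data, err := os.ReadFile(p)
		if err != nil {
			continue
		}
		if ok, _ := hashMatches(hash, data); ok {
			return p, true
		}
	}
	return "", false
}

func main() {
	// Constructed sources: one returns the wrong bytes, one has nothing,
	// one returns the sample "abc" whose SHA-256 is the well-known value below.
	sources := []Fetcher{
		func(string) ([]byte, error) { return []byte("xyz"), nil },
		func(string) ([]byte, error) { return nil, errors.New("not found") },
		func(string) ([]byte, error) { return []byte("abc"), nil },
	}
	want := "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
	data, idx, err := fetchVerified(want, sources)
	fmt.Printf("data=%q source=%d err=%v\n", data, idx, err)
}
```

The point of verifying before saving is that a service can return the wrong artefact for a hash (a wrapper archive, a different sample, an error page); comparing the digest of what was actually received against what was asked for is the only check that catches all of those.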
Adding services to query to the config
The file created can be found at
Dumping the config to the console
Download a single hash
Downloading multiple hashes

```
mlget <hash> <hash> <hash>
```
Pass in a file of hashes (one hash per line) to download

```
mlget --read <filename>
```
Read in a file over the Internet containing a list of hashes

This works great for organizations like ESET that publish their hashes in files on GitHub.

```
mlget --read https://raw.githubusercontent.com/eset/malware-ioc/master/king_tut/samples.sha256
```
Specify the Download Source

```
mlget --from [al,cs,fs,ha,iq,js,mp,ms,mb,mw,os,ps,tr,um,us,ve,vt,vx] <hash>
mlget --from [al,cs,fs,ha,iq,js,mp,ms,mb,mw,os,ps,tr,um,us,ve,vt,vx] --read <filename>
```
Download hashes from a file and record the ones not found into another file

```
mlget --read <filename> --output
```
Download hashes from a file and have the file updated to leave just the ones not found

```
mlget --readupdate <filename>
```
Check the current directory for the hash(es) prior to querying the different web services

If the hash is found locally, the web services are not queried for it.

```
mlget --precheckdir <hash>
```
Don't extract the downloaded file

This will cause the hash validation routine not to run.

```
mlget --noextraction <hash>
```
To force mlget to query the MWDB upload instance as well for the hash(es)

Mlget will not query UploadMWDB or UploadAssemblyLine unless this flag is set.

```
mlget --downloadonly <hash>
```
UploadAssemblyLine to the config, mlget can upload the downloaded files to MWDB and/or AssemblyLine (respectively).
Uploading to Assembly Line

```
mlget --uploadal <hash>
```

Force the file to be resubmitted to Assembly Line if it already exists

```
mlget --uploadal --f <hash>
```
Upload to MWDB

```
mlget --uploadmwdb <hash>
```

Upload to MWDB with tags

```
mlget --uploadmwdb --tag <tag0> --tag <tag1> <hash>
```

Upload to MWDB with comments

```
mlget --uploadmwdb --comment <comment0> --comment <comment1> <hash>
```
I'm always looking for additional services to add to this. Happy to take suggestions. Please submit bug/feature requests to the GitHub project.
- any.run does not appear to support sample downloading at this time; if this changes, please reach out.
- If someone has VMRay access and is willing to test, let me know and I’ll add it.