Group-IB THF REST API Python Bindings
Project description
Python bindings for Group-IB THF REST API
Latest Version: 1.0.6
Description
The Group-IB THF Python Client enables you to fully integrate Group-IB THF Polygon into your malware analysis framework. Group-IB THF Polygon is a Malware Detonation & Research platform designed for deep dynamic analysis and enhanced indicators extraction.
You can use this library with
- Group-IB THF Cloud — our Cloud hosted instance
- On-premise installations of Group-IB THF — for even more power and privacy
License
The code is written in Python and licensed under MIT.
Requirements
- Python 3.6 or higher
Getting Started
Installation
pip install pythf
To upgrade pythf to a more recent version, use
pip install --upgrade pythf
API Key
In order to perform any queries via the API, you will need to get the API token for your Group-IB THF user.
- Open Group-IB THF Huntbox web interface.
- Navigate to "Profile" and click "Generate Auth Token".
- Copy this token. This is your API Key.
Sample Code
- Let's start by sending some file ("sample.exe") for analysis:
from pythf import Polygon
polygon = Polygon("MY_API_KEY")
analysis = polygon.upload_file(open("sample.exe", "rb"))
- To detonate a URL instead, use this method:
analysis = polygon.upload_url("https://very-malicious-url.com")
Now we have the analysis object.
To refresh the analysis status and get information about it, use this method:
info = analysis.get_info(extended=True)
Notice: the extended parameter selects whether you get full or short information about the analysis process. The short version of the information looks like this:
{
"status": "IN PROGRESS" | "FINISHED" | "FAILED",
"verdict": None | True | False,
"report_url": "https://...",
"error": "Some error" # optional field only for "FAILED" status
}
If the "verdict" is True, the object is malicious.
Notice: THF needs some time to generate the report URL. Until then, the response will not contain this field.
- You can get the full report as a dictionary:
report = analysis.get_report()
- You can also download the report and some detonation artifacts:
archived_report = analysis.export_report() # Export report as .tar.
pdf_report = analysis.export_pdf_report() # Export report as PDF
pcap = analysis.export_pcap() # Export all network activity as .pcap file.
screen_video = analysis.export_video() # Export the screen-video of the detonation process.
Notice: if there is no such artifact, all of these methods raise ObjectNotFoundError.
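The calls above (submit, poll get_info until a terminal status, then export) combined into a small driver, added here as an example rather than code from the pythf project. It assumes pythf exports ObjectNotFoundError at package level (the page names the exception but not its module); the stub in the except branch only keeps the helpers importable when pythf is absent.

```python
import time

try:
    from pythf import Polygon, ObjectNotFoundError  # assumed: both exported at package level
except ImportError:  # pythf not installed: stub the exception so the helpers still import
    Polygon = None

    class ObjectNotFoundError(Exception):
        pass

def wait_for_verdict(analysis, timeout=900, interval=15, sleep=time.sleep):
    """Poll get_info() until FINISHED (returns the short info dict) or FAILED
    (raises RuntimeError with THF's error text); TimeoutError once the budget
    is spent. `sleep` is injectable so the loop can be exercised without waiting."""
    waited = 0
    while True:
        info = analysis.get_info(extended=False)
        status = info.get("status")
        if status == "FINISHED":
            return info
        if status == "FAILED":
            raise RuntimeError(info.get("error", "analysis failed"))
        if waited >= timeout:
            raise TimeoutError(f"analysis still {status!r} after {timeout}s")
        sleep(interval)
        waited += interval

def export_artifacts(analysis):
    """Fetch every artifact; one THF did not produce becomes None instead of aborting."""
    exporters = {
        "report_tar": analysis.export_report,
        "report_pdf": analysis.export_pdf_report,
        "pcap": analysis.export_pcap,
        "video": analysis.export_video,
    }
    artifacts = {}
    for name, export in exporters.items():
        try:
            artifacts[name] = export()
        except ObjectNotFoundError:  # raised when THF has no such artifact for this analysis
            artifacts[name] = None
    return artifacts

def detonate_file(api_key, path):
    """Submit a sample, wait for the verdict (True = malicious), collect artifacts."""
    polygon = Polygon(api_key)
    with open(path, "rb") as sample:
        analysis = polygon.upload_file(sample)
    info = wait_for_verdict(analysis)
    return info["verdict"], export_artifacts(analysis)
```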
- You can check the reputation of a hash with this method:
reputation = polygon.get_hash_reputation("md5", "ac55cf33c4691f863bfb3af8c06a7244")
You can get the reputation for md5, sha1 and sha256 hash types.
The method returns a dict object:
{
"found": true | false,
"verdict": true | false,
"malware_families": [],
"score": float in [0; 100]
}
Project details
Download files
Source Distribution
File details
Details for the file pythf-1.0.6.tar.gz.
File metadata
- Download URL: pythf-1.0.6.tar.gz
- Upload date:
- Size: 10.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.62.3 importlib-metadata/4.11.1 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.9.10
File hashes
Algorithm | Hash digest
---|---
SHA256 | 6e6075952e18bcbd77d6f33044525f9cce35290794f5f6b1a107f4993fb12f73
MD5 | 1a911aa0f6c8c8a387f040dd25d401ec
BLAKE2b-256 | 179522dd7e8d2599b98e890368b8fa4d80dc840a66124d920de75632029b8066