Florentino is a cross-platform file analysis framework.
It is useful for extracting static resources from malware and for analyzing unknown files.
It helps malware analysts and security researchers quickly get a first look at an unknown file.
Florentino relies on the following tools and libraries:
- Golang
- D.I.E
- iocextract
- VirusTotal
- Floss
- Strings
Without these programs, this would have been a lost war from the beginning.
Whenever we analyze an unknown file, there are a couple of steps that are almost identical every time. Florentino aims to automate these boring steps so an analyst can move on to manual and dynamic analysis faster.
Florentino: “Flowers, women – I desire all that is beautiful.”
Features
Florentino is written in Go, and it's fast! You can run it before any other tool in your chain to get a good grasp of your target file. Most of the time, it's all you need to determine whether a file is malicious or not.
1- File detection engine
Thanks to D.I.E, Florentino can detect hundreds of file types.
- Number of com signatures: 200
- Number of Text signatures: 14
- Number of com signatures: 3
- Number of MSDOS signatures: 306
- Number of PE/PE+ signatures: 525
- Number of DS signatures: 19
- Number of EP signatures: 3
- Number of ELF/ELF64 signatures: 16
- Number of MACH/MACH64 signatures: 8
- Total signatures: 1117
Besides file-type detection, entropy calculation and packer detection are also performed.
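To show what the file detection and entropy step does in practice, here is an added Go example. It is not Florentino's code and does not use D.I.E's signature database: container detection is by magic bytes only (MZ/PE, ELF, Mach-O), the entropy is Shannon entropy over the whole buffer, and the 7.0 bits-per-byte "likely packed" threshold is an assumed rule of thumb, not a value from the project. The PE header it tests against is constructed inline.

```go
package main

// Added illustration of file-type detection plus entropy/packer heuristics.
// Not Florentino's code; magic-byte matching only, no D.I.E signatures.

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"math"
	"os"
)

type FileKind string

const (
	KindPE      FileKind = "PE/PE+"
	KindMSDOS   FileKind = "MSDOS"
	KindELF     FileKind = "ELF/ELF64"
	KindMachO   FileKind = "MACH/MACH64"
	KindUnknown FileKind = "unknown"
)

// PackedThreshold is an assumed heuristic: compressed or encrypted payloads
// approach 8.0 bits/byte, plain code and data usually stay well below 7.0.
const PackedThreshold = 7.0

// machOMagics covers 32/64-bit Mach-O headers in both byte orders.
var machOMagics = [][]byte{
	{0xfe, 0xed, 0xfa, 0xce}, {0xce, 0xfa, 0xed, 0xfe},
	{0xfe, 0xed, 0xfa, 0xcf}, {0xcf, 0xfa, 0xed, 0xfe},
}

// DetectKind classifies data by its leading bytes.
func DetectKind(data []byte) FileKind {
	if bytes.HasPrefix(data, []byte("MZ")) {
		// A PE file is a DOS stub whose e_lfanew field (offset 0x3c) points at "PE\0\0".
		if len(data) >= 0x40 {
			off := int(binary.LittleEndian.Uint32(data[0x3c:0x40]))
			if off >= 0 && off+4 <= len(data) && bytes.Equal(data[off:off+4], []byte("PE\x00\x00")) {
				return KindPE
			}
		}
		return KindMSDOS // MZ without a PE signature: plain DOS executable
	}
	if bytes.HasPrefix(data, []byte("\x7fELF")) {
		return KindELF
	}
	for _, m := range machOMagics {
		if bytes.HasPrefix(data, m) {
			return KindMachO
		}
	}
	return KindUnknown
}

// ShannonEntropy returns the entropy of data in bits per byte (0.0 .. 8.0).
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	var h float64
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// LikelyPacked flags buffers whose entropy exceeds the assumed threshold.
func LikelyPacked(data []byte) bool {
	return ShannonEntropy(data) > PackedThreshold
}

// SamplePE is a constructed 68-byte header: DOS stub with e_lfanew = 0x40
// followed by the PE signature. Enough for DetectKind, not a loadable file.
func SamplePE() []byte {
	hdr := make([]byte, 0x44)
	copy(hdr, "MZ")
	binary.LittleEndian.PutUint32(hdr[0x3c:], 0x40)
	copy(hdr[0x40:], "PE\x00\x00")
	return hdr
}

func main() {
	if len(os.Args) < 2 {
		fmt.Println("usage: detect <file>")
		return
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Println("read:", err)
		os.Exit(1)
	}
	h := ShannonEntropy(data)
	fmt.Printf("type=%s entropy=%.3f packed=%v\n", DetectKind(data), h, h > PackedThreshold)
}
```

Whole-file entropy is a coarse signal: a packer typically leaves a small low-entropy stub next to a high-entropy payload, so a per-section entropy (using the PE section table) separates the two better than one number for the whole file.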
2- Scan engine
Florentino can use various sources to analyze a file:
- VirusTotal: the file is checked for an existing report.
- Strings and IOC scan: Florentino extracts strings from the binary, scans them for indicators of compromise, and deobfuscates them where possible.
- Binary scan: Florentino can parse PE x86/x64, Mach-O x86/x64 and ELF x86/x64 files and lists their imported symbols and libraries.
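The strings and IOC step, as an added Go example that is not Florentino's, FLOSS's or iocextract's code: a minimal `strings` that finds both ASCII and UTF-16LE runs (the wide strings common in Windows binaries, which need not start on an even offset), followed by URL and IPv4 extraction with defanging for the report. The regexes, the 4-character minimum length and the sample byte buffer are all constructed for this example.

```go
package main

// Added illustration of strings + IOC extraction. Not Florentino's code;
// regexes and sample bytes are constructed here.

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"unicode/utf16"
)

// ExtractASCIIStrings returns runs of printable ASCII of at least minLen bytes.
func ExtractASCIIStrings(data []byte, minLen int) []string {
	var out []string
	start := -1
	for i, b := range data {
		if b >= 0x20 && b <= 0x7e {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minLen {
			out = append(out, string(data[start:i]))
		}
		start = -1
	}
	if start >= 0 && len(data)-start >= minLen {
		out = append(out, string(data[start:]))
	}
	return out
}

// ExtractUTF16Strings finds printable ASCII code units with zero high bytes,
// scanning from both byte offsets because wide strings are not always aligned.
func ExtractUTF16Strings(data []byte, minLen int) []string {
	var out []string
	for _, off := range []int{0, 1} {
		var cur []uint16
		flush := func() {
			if len(cur) >= minLen {
				out = append(out, string(utf16.Decode(cur)))
			}
			cur = cur[:0]
		}
		for i := off; i+1 < len(data); i += 2 {
			lo, hi := data[i], data[i+1]
			if hi == 0 && lo >= 0x20 && lo <= 0x7e {
				cur = append(cur, uint16(lo))
				continue
			}
			flush()
		}
		flush()
	}
	return out
}

type IOC struct {
	Kind  string // "url" or "ipv4"
	Value string
}

var (
	urlRe  = regexp.MustCompile(`(?i)\bhttps?://[^\s"'<>]+`)
	ipv4Re = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)
)

// validIPv4 rejects matches with octets above 255 (e.g. version-like "300.1.2.3").
func validIPv4(s string) bool {
	for _, o := range strings.Split(s, ".") {
		if n, err := strconv.Atoi(o); err != nil || n > 255 {
			return false
		}
	}
	return true
}

// ExtractIOCs returns URLs and IPv4 addresses, de-duplicated in order of first sight.
func ExtractIOCs(strs []string) []IOC {
	seen := map[string]bool{}
	var out []IOC
	add := func(kind, v string) {
		if !seen[v] {
			seen[v] = true
			out = append(out, IOC{Kind: kind, Value: v})
		}
	}
	for _, s := range strs {
		for _, u := range urlRe.FindAllString(s, -1) {
			add("url", u)
		}
		for _, ip := range ipv4Re.FindAllString(s, -1) {
			if validIPv4(ip) {
				add("ipv4", ip)
			}
		}
	}
	return out
}

// Defang makes an indicator safe to paste into a report: http -> hxxp, "." -> "[.]".
func Defang(v string) string {
	if len(v) >= 4 && strings.EqualFold(v[:4], "http") {
		v = "hxxp" + v[4:]
	}
	return strings.ReplaceAll(v, ".", "[.]")
}

// SampleBinary is a constructed buffer: two ASCII strings with indicators, a
// UTF-16LE string starting at an odd offset, and junk runs below minLen.
func SampleBinary() []byte {
	b := []byte{0x00, 0x01, 0x02}
	b = append(b, "kernel32.dll"...)
	b = append(b, 0x00, 0xff)
	b = append(b, "http://evil.example/payload.exe"...)
	b = append(b, 0x00)
	b = append(b, "C2 at 10.0.0.5"...)
	b = append(b, 0x00, 0x7f)
	for _, c := range "cmd.exe" { // wide string, as in a Windows unicode literal
		b = append(b, byte(c), 0)
	}
	return append(b, 0x00, 0x00, 'x', 'y')
}

func main() {
	data := SampleBinary()
	all := append(ExtractASCIIStrings(data, 4), ExtractUTF16Strings(data, 4)...)
	for _, s := range all {
		fmt.Println("string:", s)
	}
	for _, ioc := range ExtractIOCs(all) {
		fmt.Printf("%s: %s\n", ioc.Kind, Defang(ioc.Value))
	}
}
```

Defanging belongs in the report writer, not the matcher: keep the raw value for hashing and lookups and only rewrite it on output, so a copied indicator is never resolved or clicked by accident.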
3- Packer detection and unpacking
Currently only PE x86 files are supported.
Unpack engine: unpac.me
4- Report
All reports are stored as text files in the /data directory.
Please note that Florentino is not a reversing suite; its only aim is to speed up the first analysis. Florentino is modular and easy to extend with your own tools.
Version
1.0.1-alpha
Installation and Usage
Usage
Florentino is straightforward to use; all you have to do is install the dependencies and set up the .evn file (an example env file is included).
Build and Run
- cd cmd
- mkdir data
- touch .evn
- example .evn:
DIEC_PATH=/tools/diec
FLOSS_PATH=/tools/floss
VIRUSTOTAL_API=YOUR_API_KEY
- go build main
- Florentino -f FILE-TO-ANALYZE
- the results will now be available in /data
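To show how the .evn settings above get wired into a scan, here is an added Go example that is not Florentino's own code. It parses KEY=VALUE lines in the shape of the example .evn, refuses to run with the YOUR_API_KEY placeholder left in place, hashes the sample with SHA-256 and builds (without sending) the VirusTotal report lookup. The endpoint and `x-apikey` header follow VirusTotal's public API v3, which is an assumption about how the VirusTotal check is done, not something the README states; the sample .evn text is constructed.

```go
package main

// Added illustration of loading the .evn file and preparing a VirusTotal
// lookup. Not Florentino's code; assumes VirusTotal API v3.

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

// Config mirrors the three keys shown in the example .evn.
type Config struct {
	DiecPath      string
	FlossPath     string
	VirusTotalAPI string
}

// SampleEnv is a constructed copy of the README's example .evn plus a comment.
const SampleEnv = "# constructed example\nDIEC_PATH=/tools/diec\nFLOSS_PATH=/tools/floss\nVIRUSTOTAL_API=YOUR_API_KEY\n"

// ParseEnv reads KEY=VALUE lines; blank lines and # comments are ignored.
func ParseEnv(r io.Reader) (map[string]string, error) {
	kv := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		kv[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"`)
	}
	return kv, sc.Err()
}

// LoadConfig validates the keys a scan needs. The VirusTotal key may be empty
// (the lookup is then skipped) but a leftover placeholder is an error, since it
// would silently turn every VirusTotal query into an authentication failure.
func LoadConfig(kv map[string]string) (Config, error) {
	c := Config{DiecPath: kv["DIEC_PATH"], FlossPath: kv["FLOSS_PATH"], VirusTotalAPI: kv["VIRUSTOTAL_API"]}
	if c.DiecPath == "" || c.FlossPath == "" {
		return c, errors.New("DIEC_PATH and FLOSS_PATH must be set")
	}
	if c.VirusTotalAPI == "YOUR_API_KEY" {
		return c, errors.New("VIRUSTOTAL_API still holds the placeholder value")
	}
	return c, nil
}

// SHA256Hex is the identifier the report lookup is keyed on; only the hash
// leaves the analyst's machine, never the sample itself.
func SHA256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// NewVTReportRequest builds, but does not send, a VirusTotal API v3 file-report request.
func NewVTReportRequest(apiKey, sha256hex string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, "https://www.virustotal.com/api/v3/files/"+sha256hex, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("x-apikey", apiKey)
	req.Header.Set("Accept", "application/json")
	return req, nil
}

func main() {
	if len(os.Args) < 3 {
		fmt.Println("usage: prepare <.evn> <file>")
		return
	}
	f, err := os.Open(os.Args[1])
	if err != nil {
		fmt.Println("open env:", err)
		os.Exit(1)
	}
	defer f.Close()
	kv, err := ParseEnv(f)
	if err == nil {
		_, err = LoadConfig(kv)
	}
	if err != nil {
		fmt.Println("config:", err)
		os.Exit(1)
	}
	data, err := os.ReadFile(os.Args[2])
	if err != nil {
		fmt.Println("read sample:", err)
		os.Exit(1)
	}
	fmt.Println("sha256:", SHA256Hex(data))
}
```

Keep the .evn out of version control and out of the /data report directory: it carries the API key, and reports are the files most likely to be shared.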