Leave a ⭐ if you like this repository.
Triage-Fetch is a malware intelligence automation tool that monitors the Triage API for newly detected malware samples. It automatically fetches detailed analysis reports, extracts key indicators, and delivers them to Telegram in real-time.
The application runs as a persistent listener, continuously polling Triage for new samples matching your configured criteria (malware families and/or tags), then processes and distributes analysis data through Telegram with structured reports and raw sample files.
**Important:** This tool requires valid Triage API credentials (Researcher License) and Telegram Bot credentials to function. Ensure you have proper authorization before using this tool.
- **Automated Malware Monitoring**: continuously polls the Triage API for new samples matching your filters.
- **Comprehensive Analysis Extraction**: automatically pulls and extracts:
  - Malware family and type
  - SHA256 and file hashes
  - File size and metadata
  - Threat scores and classifications
  - YARA rule matches
  - C2 addresses and network indicators
  - Behavioral analysis results
- **Telegram Integration**: sends formatted analysis reports directly to your Telegram:
  - Direct messages to personal chats
  - Group messages with forum topic support
  - HTML-formatted reports with detailed metadata
- **Local Report Storage**: automatically saves:
  - Plain text analysis reports
  - JSON configuration files with extracted data
  - XOR-encrypted malware samples (`.malware` extension)
- **Flexible Filtering**: configure detection by:
  - Malware families (e.g., `xworm`, `emotet`)
  - Custom tags
  - Threat score thresholds
- **Bot Command Handler**: real-time Telegram commands:
  - `/get <sample_id>`: fetch a specific sample on demand
- **Persistent Tracking**: automatically remembers processed samples:
  - Stores malware hashes in `seen_hashes.db`
  - Prevents reprocessing on restart
  - Resumes monitoring seamlessly after restarts
- **Configurable Polling**: adjust the polling interval and maximum results per poll
- **Beautiful CLI**: colored terminal output with timestamps and status indicators
- **Configuration**: set up your Triage API key, Telegram bot token, and filtering criteria in `config.json`.
- **Start Listener**: run `python main.py`. The tool will:
  - Query the Triage API for samples matching your filters
  - Mark current samples as baseline (won't reprocess existing ones)
  - Enter monitoring mode, polling at your configured interval
  - Automatically process and report any new samples via Telegram
  - Handle incoming bot commands for on-demand analysis
- **Receive Updates**: get notifications in your personal Telegram chat and/or group.

Fully automated: runs continuously once configured.
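The baseline-then-poll behaviour described in the steps above, together with the persistent tracking feature, as an added example. This is not the project's `main.py`; it assumes `seen_hashes.db` is a SQLite file (the real storage format is not documented here), and `fetch()` is a hypothetical stand-in for the Triage search call that returns dicts with a `sha256` key.

```python
# Added example (not the project's main.py): the baseline-then-poll loop from
# the steps above, backed by a persistent seen-hash store so a restart does
# not re-report old samples. Assumption: seen_hashes.db is modelled as a
# SQLite file here; the page does not document the real storage format.
import os
import re
import sqlite3
import tempfile
from typing import Callable, Dict, Iterable, List

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def normalize_sha256(value: str) -> str:
    """Lower-case and validate a SHA256 so 'ABC...' and 'abc...' dedupe together."""
    digest = value.strip().lower()
    if not HEX64.match(digest):
        raise ValueError(f"not a SHA256 hex digest: {value!r}")
    return digest


class SeenHashStore:
    """Remembers processed sample hashes across restarts."""

    def __init__(self, path: str = "seen_hashes.db") -> None:
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS seen ("
            "sha256 TEXT PRIMARY KEY, "
            "first_seen TEXT NOT NULL DEFAULT (datetime('now')))"
        )
        self.conn.commit()

    def is_seen(self, sha256: str) -> bool:
        row = self.conn.execute(
            "SELECT 1 FROM seen WHERE sha256 = ?", (normalize_sha256(sha256),)
        ).fetchone()
        return row is not None

    def mark_seen(self, sha256: str) -> bool:
        """Insert the hash; True if it was new, False if already tracked."""
        cur = self.conn.execute(
            "INSERT OR IGNORE INTO seen (sha256) VALUES (?)",
            (normalize_sha256(sha256),),
        )
        self.conn.commit()
        return cur.rowcount == 1

    def count(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM seen").fetchone()[0]

    def close(self) -> None:
        self.conn.close()


Sample = Dict[str, str]


class Monitor:
    """fetch() stands in for the Triage search call; it returns dicts with at
    least a 'sha256' key (a hypothetical shape chosen for this example)."""

    def __init__(self, store: SeenHashStore, fetch: Callable[[], Iterable[Sample]]):
        self.store = store
        self.fetch = fetch

    def baseline(self) -> int:
        """Mark everything currently visible as seen without reporting it."""
        return sum(self.store.mark_seen(s["sha256"]) for s in self.fetch())

    def poll_once(self, handle: Callable[[Sample], None]) -> List[str]:
        """Report only samples not yet in the store; return their hashes."""
        reported: List[str] = []
        for sample in self.fetch():
            digest = normalize_sha256(sample["sha256"])
            if self.store.is_seen(digest):
                continue
            handle(sample)                # deliver first ...
            self.store.mark_seen(digest)  # ... then persist, so a crash re-reports
            reported.append(digest)       # rather than silently dropping a sample
        return reported


def temp_db_path() -> str:
    """Fresh database path in a temporary directory (for the demo and tests)."""
    return os.path.join(tempfile.mkdtemp(), "seen_hashes.db")


if __name__ == "__main__":
    # Constructed sample feed: two "old" samples, then one new one appears.
    feed = [{"sha256": "a" * 64, "family": "xworm"}, {"sha256": "b" * 64, "family": "emotet"}]
    store = SeenHashStore(temp_db_path())
    monitor = Monitor(store, lambda: list(feed))
    print("baseline:", monitor.baseline())                   # 2
    feed.append({"sha256": "c" * 64, "family": "xworm"})
    print("new:", monitor.poll_once(lambda s: print("report", s["family"])))
    print("new again:", monitor.poll_once(print))            # []
```

Two design points worth copying: hashes are normalised before they are stored, so a sample reported once in upper-case hex cannot slip through a second time in lower-case, and the hash is persisted only after delivery succeeds, so a crash mid-report produces a duplicate notification rather than a sample that is never reported.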
- Python 3.9+
- Dependencies: `pip install requests colorama`
- Internet connection
- Triage API Key (Researcher License) (create an account at tria.ge)
- Telegram Bot Token (create via @BotFather)
Edit `config.json` to configure the application:

```json
{
  "triage": {
    "api_key": "your_triage_api_key_here",
    "malware_family": ["xworm", "emotet"],
    "malware_tags": ["trojan", "ransomware"],
    "poll_interval": 30,
    "max_results": 50
  },
  "telegram": {
    "bot_token": "your_telegram_bot_token_here",
    "chat_id": "your_personal_chat_id",
    "group_id": "your_group_chat_id",
    "topic_id": "forum_topic_id_optional"
  }
}
```

Configuration Options:

- `api_key`: your Triage API authentication token
- `malware_family`: filter by malware family names (string or list)
- `malware_tags`: filter by tags (array)
- `poll_interval`: seconds between API polls (default: 30)
- `max_results`: maximum results per poll (default: 50)
- `bot_token`: your Telegram bot token (obtained from @BotFather)
- `chat_id`: your personal Telegram chat ID (optional, for direct messages)
- `group_id`: target group chat ID (optional, for group notifications)
- `topic_id`: forum/topic ID within the group (optional, for threaded messages)
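A loader for the configuration above, added as an example and not the project's `config.py`. The field names and defaults are those listed on this page; the validation rules (rejecting untouched template placeholders, requiring at least one family or tag and at least one delivery target) are this example's own choices.

```python
# Added example (not the project's config.py): load config.json, normalise the
# fields listed above, and refuse to start while template placeholders are
# still in place. Field names and defaults come from the README; the
# validation rules are this example's own.
import json
from typing import Any, Dict, List

DEFAULT_POLL_INTERVAL = 30
DEFAULT_MAX_RESULTS = 50
PLACEHOLDER_MARKERS = ("your_", "_here", "_optional")   # fragments of the template values

# The template from the README, used for the demo and tests.
TEMPLATE_CONFIG = """{
  "triage": {"api_key": "your_triage_api_key_here",
             "malware_family": ["xworm", "emotet"],
             "malware_tags": ["trojan", "ransomware"],
             "poll_interval": 30, "max_results": 50},
  "telegram": {"bot_token": "your_telegram_bot_token_here",
               "chat_id": "your_personal_chat_id",
               "group_id": "your_group_chat_id",
               "topic_id": "forum_topic_id_optional"}
}"""


def _as_list(value: Any) -> List[str]:
    """malware_family may be a string or a list, malware_tags an array;
    normalise both to a sorted, de-duplicated, lower-case list."""
    if value is None:
        return []
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, list):
        raise ValueError(f"expected a string or list, got {type(value).__name__}")
    return sorted({str(v).strip().lower() for v in value if str(v).strip()})


def _is_placeholder(value: str) -> bool:
    return any(marker in value.lower() for marker in PLACEHOLDER_MARKERS)


def _required_secret(section: Dict[str, Any], key: str) -> str:
    value = str(section.get(key, "") or "").strip()
    if not value or _is_placeholder(value):
        raise ValueError(f"{key} is missing or still the template placeholder")
    return value


def _optional_id(section: Dict[str, Any], key: str) -> str:
    """Untouched template values count as 'not configured', not as an ID."""
    value = str(section.get(key, "") or "").strip()
    return "" if _is_placeholder(value) else value


def _positive_int(section: Dict[str, Any], key: str, default: int) -> int:
    raw = section.get(key, default)
    if isinstance(raw, bool) or not isinstance(raw, int) or raw < 1:
        raise ValueError(f"{key} must be a positive integer")
    return raw


def load_config(text: str) -> Dict[str, Any]:
    raw = json.loads(text)
    triage, telegram = raw.get("triage", {}), raw.get("telegram", {})
    cfg = {
        "triage": {
            "api_key": _required_secret(triage, "api_key"),
            "malware_family": _as_list(triage.get("malware_family")),
            "malware_tags": _as_list(triage.get("malware_tags")),
            "poll_interval": _positive_int(triage, "poll_interval", DEFAULT_POLL_INTERVAL),
            "max_results": _positive_int(triage, "max_results", DEFAULT_MAX_RESULTS),
        },
        "telegram": {
            "bot_token": _required_secret(telegram, "bot_token"),
            "chat_id": _optional_id(telegram, "chat_id"),
            "group_id": _optional_id(telegram, "group_id"),
            "topic_id": _optional_id(telegram, "topic_id"),
        },
    }
    if not cfg["triage"]["malware_family"] and not cfg["triage"]["malware_tags"]:
        raise ValueError("configure at least one malware family or tag")
    if not cfg["telegram"]["chat_id"] and not cfg["telegram"]["group_id"]:
        raise ValueError("configure chat_id and/or group_id as a delivery target")
    if cfg["telegram"]["topic_id"] and not cfg["telegram"]["group_id"]:
        raise ValueError("topic_id only applies together with group_id")
    return cfg


def load_config_file(path: str = "config.json") -> Dict[str, Any]:
    with open(path, encoding="utf-8") as fh:
        return load_config(fh.read())


def config_error(text: str) -> str:
    """Return the validation error for a config text, or '' if it loads."""
    try:
        load_config(text)
        return ""
    except (ValueError, json.JSONDecodeError) as exc:
        return str(exc)


if __name__ == "__main__":
    print(config_error(TEMPLATE_CONFIG))   # api_key is missing or still the template placeholder
```

Failing fast on the template values matters because a listener started with `your_telegram_bot_token_here` would otherwise poll Triage on every interval and only discover at delivery time that it has nowhere to send reports.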
```
├── fetcher/                Core application modules
│   ├── banner.py           CLI banner and startup display
│   ├── bot.py              Telegram bot command handler (/get commands)
│   ├── config.py           Configuration file loader
│   ├── formatter.py        Data extraction and formatting utilities
│   ├── sniper.py           Automate something with the fetched C2s
│   ├── telegram.py         Telegram Bot API integration
│   └── triage.py           Triage API client (search, download, fetch)
├── scripts/                Utility scripts for sample management
│   ├── decode_sample.py    Python script to decode .malware files
│   ├── delete_db.bat       Windows batch script to delete the entire Seen Hashes database
│   ├── delete_db.sh        Linux/macOS shell script to delete the entire Seen Hashes database
│   ├── delete_reports.bat  Windows batch script to delete the reports folder
│   └── delete_reports.sh   Linux/macOS shell script to delete the reports folder
├── config.json             Configuration file (Triage API key, Telegram token, ...)
├── main.py                 Main application logic and listener loop
├── LICENSE                 MIT License file
└── README.md               This file
```
```bash
pip install requests colorama
```

Edit `config.json` with your:

- Triage API key
- Telegram bot token
- Chat IDs for notifications
- Fetch configuration

```bash
python main.py
```

Once running, interact with your Telegram bot:

```
/get <sample_id>    # Fetch a specific sample on-demand
```
The `scripts/` folder contains helper utilities for managing reports and samples:

`decode_sample.py` decodes XOR-encrypted `.malware` files back to their original binary format.

Usage:

```bash
# Linux/macOS
python ./scripts/decode_sample.py "reports/xworm/abc123.../filename.malware"
# Windows
python .\scripts\decode_sample.py "reports\xworm\abc123...\filename.malware"
```

What it does:

- Takes a `.malware` file as input
- XOR-decodes it with key `0xAA` (reverses the encryption applied during download)
- Outputs the original binary file (without the `.malware` extension)
- Example: `filename.malware` → `filename.exe`

⚠️ Note: The decoded file is the actual malware binary. Handle with care in isolated environments.
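The XOR-`0xAA` transform and the `.malware` naming rule described above, as an added example; this is not the project's `scripts/decode_sample.py`. It assumes `.malware` is appended to the original file name (so `sample.exe` is stored as `sample.exe.malware`), and it writes the decoded file without an execute bit and never over an existing file.

```python
# Added example (not the project's scripts/decode_sample.py): the XOR-0xAA
# transform and the ".malware" naming convention described above. XOR with a
# fixed byte is its own inverse, so the same function encodes on download and
# decodes here. Assumption: ".malware" is appended to the original file name,
# so "sample.exe" is stored as "sample.exe.malware".
import os
import tempfile
from pathlib import Path
from typing import Tuple

XOR_KEY = 0xAA
QUARANTINE_SUFFIX = ".malware"


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a single-byte key; applying it twice restores data."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte (0..255)")
    return bytes(b ^ key for b in data)


def quarantine_name(original: str) -> str:
    return original + QUARANTINE_SUFFIX


def decoded_name(quarantined: str) -> str:
    """Strip the .malware suffix; refuse names that do not carry it."""
    if not quarantined.endswith(QUARANTINE_SUFFIX) or quarantined == QUARANTINE_SUFFIX:
        raise ValueError(f"expected a {QUARANTINE_SUFFIX} file, got {quarantined!r}")
    return quarantined[: -len(QUARANTINE_SUFFIX)]


def encode_file(path: str) -> Path:
    """What the download step does: store the sample XOR-ed, with .malware appended."""
    src = Path(path)
    dst = src.with_name(quarantine_name(src.name))
    dst.write_bytes(xor_bytes(src.read_bytes()))
    return dst


def decode_file(path: str) -> Path:
    """Reverse encode_file, writing next to the input without the suffix."""
    src = Path(path)
    dst = src.with_name(decoded_name(src.name))
    # O_EXCL: never overwrite an existing file; mode 0o600: owner-only and no
    # execute bit, so the restored binary is not runnable by accident
    # (mode bits are a no-op on Windows; O_BINARY only exists there).
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    fd = os.open(dst, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(xor_bytes(src.read_bytes()))
    return dst


def roundtrip_demo() -> Tuple[str, str, bool]:
    """Constructed PE-like bytes through encode and decode in a temp dir."""
    workdir = Path(tempfile.mkdtemp())
    original = workdir / "sample.exe"
    payload = b"MZ\x90\x00" + bytes(range(256))   # constructed, not a real binary
    original.write_bytes(payload)
    quarantined = encode_file(str(original))
    original.unlink()                               # keep only the .malware copy
    restored = decode_file(str(quarantined))
    return quarantined.name, restored.name, restored.read_bytes() == payload


if __name__ == "__main__":
    print(roundtrip_demo())   # ('sample.exe.malware', 'sample.exe', True)
```

The single-byte XOR is what keeps the stored sample from being double-clicked or picked up by a file-type handler; it is not confidentiality, since anyone holding the file can reverse it, so the `reports/` tree still deserves the same access controls as any other malware store.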
`delete_reports.sh` / `delete_reports.bat` safely remove all downloaded reports and samples, with a confirmation prompt.

Usage:

```bash
# Linux/macOS
./scripts/delete_reports.sh
# Windows
.\scripts\delete_reports.bat
```

What it does:

- Prompts for confirmation before deletion
- Permanently deletes the entire `reports/` folder and all its contents
- Useful for cleanup or starting fresh
- Requires manual confirmation (Ctrl+C to cancel)
`delete_db.sh` / `delete_db.bat` safely delete your Seen Hashes database, with a confirmation prompt.

Usage:

```bash
# Linux/macOS
./scripts/delete_db.sh
# Windows
.\scripts\delete_db.bat
```

What it does:

- Prompts for confirmation before deletion
- Permanently deletes the entire `seen_hashes.db` file
- Useful for cleanup or starting fresh
- Requires manual confirmation (Ctrl+C to cancel)
The application creates a structured directory hierarchy for reports:

```
reports/
├── <malware_family>/
│   ├── <sha256>/
│   │   ├── report.txt           Plain text analysis report
│   │   ├── config.json          Extracted metadata (JSON)
│   │   └── <filename>.malware   XOR-encrypted sample
│   └── ...
└── <malware_family>/
    └── ...
```
Each report includes:
- Metadata: File info, hashes, threat scores
- Detection: YARA rules, family classification
- Network: C2 addresses, domains, IPs
- Behavior: API calls, process analysis
- Timestamps: Submission and analysis dates
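How the report sections listed above can be rendered into the HTML-formatted Telegram message the tool sends, as an added example that is not the project's `formatter.py`. The keys of the sample dict are this example's assumed shape for the extracted data; what the code demonstrates is escaping attacker-controlled metadata before Telegram's HTML parse mode, defanging C2 indicators so they are not clickable in the chat, and staying under Telegram's 4096-character message limit without cutting a tag in half.

```python
# Added example (not the project's formatter.py): build the Telegram HTML
# report from the sections listed above. The keys of the sample dict are this
# example's assumed shape for the extracted data.
import html
from typing import Any, Dict, List

TELEGRAM_MAX_CHARS = 4096   # Telegram's hard limit for one text message
TRUNCATED_NOTE = "\n<i>[report truncated; see local report.txt]</i>"


def defang(indicator: str) -> str:
    """Make URLs/domains/IPs non-clickable so nobody opens a C2 from the chat."""
    return (indicator.replace("https://", "hxxps://")
                     .replace("http://", "hxxp://")
                     .replace(".", "[.]"))


def _esc(value: Any) -> str:
    """Family names, file names and YARA rule names come from the sample and
    the analysis: treat them as untrusted text before HTML parse mode."""
    return html.escape(str(value), quote=False)


def _section(title: str, lines: List[str]) -> str:
    return (f"\n<b>{title}</b>\n" + "\n".join(lines) + "\n") if lines else ""


def format_report_html(sample: Dict[str, Any]) -> str:
    sections = [
        f"<b>New sample: {_esc(sample.get('family', 'unknown'))}</b>\n",
        _section("Metadata", [
            f"SHA256: <code>{_esc(sample.get('sha256', '?'))}</code>",
            f"File: <code>{_esc(sample.get('filename', '?'))}</code>"
            f" ({_esc(sample.get('size', '?'))} bytes)",
            f"Threat score: {_esc(sample.get('score', '?'))}",
        ]),
        _section("Network", [f"C2: <code>{_esc(defang(c))}</code>" for c in sample.get("c2", [])]),
        _section("Detection", [f"YARA: <code>{_esc(r)}</code>" for r in sample.get("yara", [])]),
        _section("Timestamps", [
            f"Submitted: {_esc(sample.get('submitted', '?'))}",
            f"Analyzed: {_esc(sample.get('analyzed', '?'))}",
        ]),
        _section("Behavior", [_esc(b) for b in sample.get("behavior", [])]),
    ]
    text = "".join(sections)
    # Drop whole trailing sections instead of slicing characters, which could
    # cut an HTML tag in half and make Telegram reject the message.
    while len(text) > TELEGRAM_MAX_CHARS and len(sections) > 1:
        sections.pop()
        text = "".join(sections) + TRUNCATED_NOTE
    return text


if __name__ == "__main__":
    # Constructed sample record; the YARA rule name and C2 are made up.
    demo = {
        "family": "xworm", "sha256": "a" * 64, "filename": "invoice.exe",
        "size": 1024, "score": 10, "yara": ["constructed_rule_xworm"],
        "c2": ["http://203.0.113.9:4444/gate"], "behavior": ["Creates scheduled task"],
        "submitted": "2024-01-01T00:00:00Z", "analyzed": "2024-01-01T00:05:00Z",
    }
    print(format_report_html(demo))
```

Sections are ordered by how much a responder needs them at a glance, so when a long behaviour list pushes the message over the limit it is the behaviour section that is dropped first, and the full detail remains in the local `report.txt`.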
- The application XOR-encrypts downloaded samples with key `0xAA` (prevents accidental execution)
- API keys are transmitted securely via HTTPS to Triage
- Telegram tokens should be kept private and rotated if exposed
Distributed under the MIT License. See LICENSE for more information.
- This tool is designed for cybersecurity researchers and threat intelligence professionals
- Only monitors publicly available malware analysis data from Triage
- Respects Triage API rate limits and polling intervals
- No data is stored or transmitted beyond your local system and configured Telegram chats
This project is intended for legitimate cybersecurity research and threat intelligence purposes only. Users are responsible for compliance with all applicable laws and regulations. Unauthorized access to systems or excessive API usage is prohibited. The author assumes no liability for misuse of this tool.
