Autopsy Plugin

URLhaus check

url check ver 1 10 (ZIP, 4.50 KB)

Sha256: 9f37fded9b7d3ce5100f8a29b239bec2337ff2ac90ec3d0d5b4161d87dbda87e

Prerequisites

Download the zip-file - https://urlhaus.abuse.ch/downloads/csv

Extract csv.txt from the zip file, rename it to urlhaus.csv, and place the file here: DRIVE:\Autopsy_out\YOUR_CASE\ModuleOutput (I'm working on automation for this)

Then in Autopsy

First run the ingest module "recent history"; this extracts the output from the SQLite databases of the browsers in the data set. Then you can run the "URLhaus Lookup Module".

The output is shown in two places: in the left pane under Analysis Results - Interesting Results - URLhaus Match, and in the Autopsy output folder DRIVE:\Autopsy_out\Ubuntu_test\ModuleOutput\URLhaus_Lookup_Module, where the extract file "urlhaus_output.csv" contains the matches against the URLhaus list.

You can verify that the module works and finds matches by looking in the log file DRIVE:\Autopsy_out\Ubuntu_test\Log\autopsy.log.0, which will show something like this:

"
INFO: Found ingest module factory: name = URLhaus Lookup Module, version = 1.10
2025-04-09 09:14:08.369 URLhausCheckModule startUp
INFO: Starting up URLhaus module.
2025-04-09 09:14:09.664 URLhausCheckModule startUp
INFO: Loaded 47879 unique domains/hosts from URLhaus.
2025-04-09 09:14:09.664 URLhausCheckModule startUp
INFO: URLhaus module startup complete.
INFO: URLhaus Lookup Module analysis of Ubuntu2025.vmdk starting
2025-04-09 09:14:09.685 URLhausCheckModule process
2025-04-09 09:14:09.692 URLhausCheckModule process

....
tested URLs list
....

2025-04-09 09:14:09.817 URLhausCheckModule process
2025-04-09 09:14:09.818 URLhausCheckModule process
INFO: Constructed module output directory path: DRIVE:\Autopsy_out\Ubuntu_test\ModuleOutput\URLhaus_Lookup_Module
2025-04-09 09:14:09.819 URLhausCheckModule process
INFO: Created module output directory: DRIVE:\Autopsy_out\Ubuntu_test\ModuleOutput\URLhaus_Lookup_Module
2025-04-09 09:14:09.819 URLhausCheckModule process
INFO: Writing 18 matches to DRIVE:\Autopsy_out\Ubuntu_test\ModuleOutput\URLhaus_Lookup_Module\urlhaus_output.csv
2025-04-09 09:14:09.821 URLhausCheckModule process
INFO: Successfully wrote URLhaus output CSV.
INFO: URLhaus Lookup Module analysis of Ubuntu2025.vmdk finished
2025-04-09 09:14:09.822 URLhausCheckModule shutDown
INFO: Shutting down URLhaus module.
INFO: Found ingest module factory: name = URLhaus Lookup Module, version = 1.10
"
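The lookup that the log above reports (load unique hosts from urlhaus.csv, then test history URLs against them) can be reproduced outside Autopsy to cross-check a result. The following is an added example, not the plugin's own code: the feed rows and history URLs are constructed, the CSV layout is assumed from the URLhaus dump, and the split into exact-URL and host-only hits is an addition for triaging hits on hosts that also serve unrelated content.

```python
import csv
from urllib.parse import urlsplit

# Constructed rows; layout assumed from the URLhaus CSV dump (URL in column 3).
SAMPLE_FEED = '''# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"1","2025-04-01 10:00:00","http://bad.example.test/payload.exe","online","","malware_download","exe","","anon"
"2","2025-04-02 11:00:00","http://198.51.100.7:8080/bin.sh","offline","","malware_download","elf","","anon"
"3","2025-04-03 12:00:00","https://files.example.test/a/b.zip","online","","malware_download","zip","","anon"
'''
# Constructed browser-history URLs, standing in for the extracted history.
HISTORY = [
    "http://bad.example.test/payload.exe",   # same URL as feed row 1
    "HTTP://Files.Example.Test/index.html",  # listed host, different path
    "https://clean.example.test/",
    "about:blank",                           # no host at all
]

def host_of(url):
    """Return the lower-cased host of a URL, or None when it has none."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:  # e.g. malformed IPv6 literal in a history entry
        return None
    return host.rstrip(".") if host else None

def load_feed(text):
    """Parse the feed text into (exact URLs, unique hosts)."""
    lines = (l for l in text.splitlines() if l.strip() and not l.startswith("#"))
    urls, hosts = set(), set()
    for row in csv.reader(lines):
        if len(row) >= 3:
            urls.add(row[2].strip())
            hosts.add(host_of(row[2]))
    hosts.discard(None)  # rows whose URL field had no parsable host
    return urls, hosts

def classify(history, feed_urls, feed_hosts):
    """Return (url, kind) hits: kind is 'url' for an exact match, else 'host'."""
    hits = []
    for url in history:
        if url.strip() in feed_urls:
            hits.append((url, "url"))
        elif host_of(url) in feed_hosts:
            hits.append((url, "host"))
    return hits

if __name__ == "__main__":
    for hit in classify(HISTORY, *load_feed(SAMPLE_FEED)):
        print(hit)
```

A "host" hit only says the browser visited a host that appears in the list, so it needs the surrounding history to be judged; a "url" hit is the listed URL itself.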

The tool is free to use, download, modify and share as you like. Hope you give me some credit :)