noriben's Introduction

Noriben Malware Analysis Sandbox

Black Hat Arsenal

Contact Information:
@bbaskin on Twitter
brian _at_ thebaskins _dot_ com

Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run an application, hit a keypress, and get a simple text report of the sample's activities.

Noriben allows you not only to run malware as a sandbox would, but also to log system-wide events while you manually run malware in whatever way is needed to make it execute. For example, it can listen as you run an application that requires particular command line options or user interaction, or watch the system as you step through the application in a debugger.

While Noriben was designed for analysis of malware, it has also been widely used to audit normal software applications. In 2013 it was used by the Tor Project to provide a public audit of the Tor Browser Bundle.

Below is a video of debugging a VM-checking malware sample in a way that still produces sandbox results (the mis-clicks are due to a mouse pointer that was 5 pixels off :))

Noriben running against malware checking for VM

Noriben only requires Sysinternals procmon.exe (or procmon64.exe) to operate. It requires no pre-filtering (though pre-filtering greatly helps), as it contains numerous whitelist items to reduce unwanted noise from system activity.

For a more detailed explanation, see my slide deck from Black Hat 2015 Arsenal and the more detailed blog post: http://ghettoforensics.blogspot.com/2013/04/noriben-your-personal-portable-malware.html

I've also included a much desired frontend operator, NoribenSandbox.py. This script allows you to automate the execution of Noriben within a guest VM and retrieve the reports. It currently runs on OSX (but will be ported) and is responsible for: spinning up a predefined VM and snapshot, copying the malware to the VM, starting Noriben and the malware, waiting a predetermined period of time, copying the results to the host as a ZIP, and taking a screen capture of the VM. You can even use --update to automatically copy the newest Noriben from your host, so that you don't have to continually make new snapshots when you make a change to the script.

Want to see that in action?

Noriben Automation Script in Action

Cool Features

If you have a folder of YARA signature files, you can specify it with the --yara option. Every newly created file will be scanned against these signatures, with the results displayed in the output.

If you have a VirusTotal API key, place it into a file named "virustotal.api" (or embed it directly in the script) to auto-submit MD5 file hashes to VT and get the number of positive results.

You can add lists of MD5s to auto-ignore (such as all of your system files). Generate them with md5deep, put them into a text file, and use --hash to read them. This will ultimately change, though.

You can automate the script for sandbox usage. Use -t to set the execution time and --cmd "path\exe" to specify a malware file; you can then automatically run malware, copy the results off, and revert to run a new sample.

The --generalize feature will automatically substitute absolute paths with Windows environment paths for better IOC development. For example, C:\Users\malware_user\AppData\Roaming\malware.exe will be automatically resolved to %AppData%\malware.exe.
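As an added illustration of the --generalize substitution described above (example code written for this page, not Noriben's own implementation), the following Python rewrites environment-dependent directories in a bare path or in a whole report line. The environment table is constructed here rather than read from the VM, and the component-boundary rule is this example's assumption about how such a substitution should behave.

```python
import re

# Constructed environment table for this example; a real run would read the
# analysis VM's own variables (os.environ on the Windows guest).
WINDOWS_ENV = {
    "%Temp%": r"C:\Users\malware_user\AppData\Local\Temp",
    "%AppData%": r"C:\Users\malware_user\AppData\Roaming",
    "%LocalAppData%": r"C:\Users\malware_user\AppData\Local",
    "%UserProfile%": r"C:\Users\malware_user",
    "%ProgramFiles%": r"C:\Program Files",
    "%SystemRoot%": r"C:\Windows",
}


def build_generalizer(env=WINDOWS_ENV):
    r"""Compile one regex that matches any known environment directory.

    Longest directory first, so %Temp% wins over %LocalAppData%, which wins
    over %UserProfile%. A directory only counts when it is followed by a
    separator, whitespace, a quote/comma or the end of the string, so
    C:\Users\malware_user2\x.exe is not reduced to %UserProfile%2\x.exe
    (that boundary rule is this example's assumption, not Noriben's).
    """
    ordered = sorted(env.items(), key=lambda kv: -len(kv[1]))
    alternation = "|".join(re.escape(path) for _, path in ordered)
    pattern = re.compile(r"(?i)(%s)(?=\\|\s|[\"',;]|$)" % alternation)
    lookup = {path.lower(): var for var, path in ordered}
    return lambda text: pattern.sub(lambda m: lookup[m.group(1).lower()], text)


# Substitutes every matching directory anywhere in the text, case-insensitively,
# so it works on a single path and on a full "[Op] proc:pid > path" report line.
generalize_text = build_generalizer()


if __name__ == "__main__":
    for line in (
        r"C:\Users\malware_user\AppData\Roaming\malware.exe",
        r"[CreateFile] malware.exe:1234 > C:\Users\malware_user\AppData\Local\Temp\drop.dll",
        r"C:\Users\malware_user2\x.exe",
    ):
        print(generalize_text(line))
```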

Usage:

--===[ Noriben v1.7.2
--===[ @bbaskin
usage: Noriben.py [-h] [-c CSV] [-p PML] [-f FILTER] [--hash HASH]
                  [--hashtype {MD5,SHA1,SHA256}] [--headless] [-t TIMEOUT]
                  [--output OUTPUT] [--yara YARA] [--generalize] [--cmd CMD]
                  [-d]

optional arguments:
  -h, --help            show this help message and exit
  -c CSV, --csv CSV     Re-analyze an existing Noriben CSV file
  -p PML, --pml PML     Re-analyze an existing Noriben PML file
  -f FILTER, --filter FILTER
                        Specify alternate Procmon Filter PMC
  --hash HASH           Specify hash whitelist file
  --hashtype {MD5,SHA1,SHA256}
                        Specify hash type
  --headless            Do not open results on VM after processing
  -t TIMEOUT, --timeout TIMEOUT
                        Number of seconds to collect activity
  --output OUTPUT       Folder to store output files
  --yara YARA           Folder containing YARA rules
  --generalize          Generalize file paths to their environment variables.
                        Default: True
  --cmd CMD             Command line to execute (in quotes)
  -d, --debug           Enable debugging

Notable contributors

Brian Baskin <Documentation writers welcome!>

Cowpy for the logo design

Copyright and license

Copyright 2015 Brian Baskin

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this work except in compliance with the License. You may obtain a copy of the License in the LICENSE file, or at:

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

noriben's Issues

Closing Noriben

I just downloaded the latest archive and installed it. Once executed, do whatever.... then use Ctrl to close Noriben; it hangs and doesn't ever close. Even just after a few minutes of really just Windows operating.

[!] Error trying to copy file from guest. Continuing. Error 0xff: Unexpected Error

On my MAC OSx I used the following command:
python /Users/malware/Desktop/noriben/Noriben-master/NoribenSandbox.py --update --screenshot -t 45 -f ./calc.exe

The file is able to go to the Win7 machine and perform the analysis; I see the logs in the "C:\Noriben_Logs" folder, but it is not reporting back to my Mac. I see the following error:
"[!] Error trying to copy file from guest. Continuing. Error 0xff: Unexpected Error"

Here is part of my config:

import os
import sys

vmrun_os = {'windows': os.path.expanduser(r'C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe'),
            'mac': os.path.expanduser(r'/Applications/VMware Fusion.app/Contents/Library/vmrun')}
debug = False
timeout_seconds = 300
#VMX = r'E:\VMs\Windows.vmwarevm\Windows.vmx'
VMX = os.path.expanduser(r'/Volumes/1TB SSD/VMs/Windows 7 (64)/Windows 7 x64.vmwarevm/Windows 7 x64.vmx')
VMRUN = vmrun_os['mac']
VM_SNAPSHOT = 'RN1'
VM_USER = 'admin'
VM_PASS = 'password'
#noriben_path = 'C:\\\\Users\\\\{}\\\\Desktop'.format(VM_USER)
#noriben_path on my WIN7 Machine:
noriben_path = 'C:\\\\Users\\\\admin\\\\Desktop\\\\Noriben'.format(VM_USER)
guest_noriben_path = '{}\\\\Noriben.py'.format(noriben_path)
procmon_config_path = '{}\\\\ProcmonConfiguration.pmc'.format(noriben_path)
report_path_structure = '{}/{}_NoribenReport.zip'  # (host_malware_path, host_malware_name_base)
host_screenshot_path_structure = '{}/{}.png'  # (host_malware_path, host_malware_name_base)
guest_log_path = 'C:\\\\Noriben_Logs'
guest_zip_path = 'C:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\zip.exe'
guest_temp_zip = 'C:\\\\NoribenReports.zip'
#guest_python_path = 'C:\\\\Python27\\\\python.exe'
#guest_python_path Python 3.7 Path:
guest_python_path = 'C:\\\\Users\\\\admin\\\\AppData\\\\Local\\\\Programs\\\\Python\\\\Python37\\\\python.exe'
host_noriben_path = os.path.join(os.path.dirname(os.path.abspath(sys.argv[0])), 'Noriben.py')
#guest_malware_path the following folder "c:\Malware\malware_" was created on the Windows 7 Machine
guest_malware_path = 'C:\\\\Malware\\\\malware_'
error_tolerance = 5
dontrun = False

Active?

Hello, I stumbled across this as a project I am working on is somewhat similar, and was curious if this is still actively being developed?

error loading yara

I am having an issue getting Noriben to recognize that the python yara extensions are installed. I've confirmed that they are by using the python command prompt and running this command: import python, which is successful and doesn't generate any errors. Yet when I start Noriben it shows that the yara extensions are not being detected; see screenshot below.

Thanks
Robert

yara errors

I've kept the ProcmonConfiguration.PMC name because that's what SysInternals has always referred to it as. I don't want people to think that this is using an entirely new file format when they may already have PMC's lying around.

However, this should be doable with the --filter (-f) option and pointing it to another filename. It could even be something remotely shared (SMB) if ransomware is corrupting it.

This is equivalent to running: procmon.exe /BackingFile "Noriben.pml" /Quiet /Minimized /LoadConfig "A.DAT", where I have ProcmonConfiguration.PMC named A.DAT.

That appears to work perfectly. Now one more thought: it appears also to be encrypting the .pml file. I know procmon allows you to change the name of that file with the command-line option /BackingFile; can you also do that with the --f or -f and change the output log file name? I don't want to change the name, just the log file's extension.

Please let me know if that works for you

Originally posted by @Rurik in #30 (comment)

virtualbox integration

Hi
I wanted to check if you have noriben working for virtualbox.
I was using noriben.py but then I found the videos with the .sh file, but I only have 32-bit machines so VMware is not an option. I guess it is more complete to run the NoribenSandbox file than just noriben.py, right?

Thanks

Error: A file was not found

Good night
I adapted the code to a Linux environment but I am having the following error.

Error: A file was not found

The script code follows.

#!/bin/bash
# Host-side driver: reverts a firewall VM and a sandbox VM to clean snapshots,
# pushes the sample in, runs Noriben with a timeout, zips the report and pulls it back.

DELAY=90            # seconds Noriben collects activity inside the guest
WINDOWSDELAY=20     # seconds to let the guest settle after revert/start
VMRUN="/usr/bin/vmrun"
FW="/media/Fw/Fw.vmx"
FW_SNAPSHOT="Fw"
VMX="/media/SandBox/SandBox.vmx"
VM_SNAPSHOT="SandBox"
VM_USER="Administrador"
VM_PASS="Box1001"
NORIBEN_PATH="C:\Tools\Noriben\Noriben.py"
PYTHON_PATH="C:\Python27\Python.exe"
ZIP_PATH="C:\Tools\Noriben\zip.exe"
LOG_PATH="C:\Tools\Noriben\Reports"
REPORT_PATH="C:\Tools\Noriben\Reports\NoribenReports.zip"

MALWAREFILE="$1"
MALWARE_PATH="C:\Sample\Sample.exe"

if [ ! -f "$MALWAREFILE" ]; then
    echo "Please provide executable filename as an argument."
    echo "For example:"
    echo "$0 ~/malware/ef8188aa1dfa2ab07af527bab6c8baf7"
    exit 1
fi

FILENAME=$(basename "$MALWAREFILE")

## Firewall VM: clean snapshot, boot, and give it time to come up
"$VMRUN" -T vmware revertToSnapshot "$FW" "$FW_SNAPSHOT"
"$VMRUN" -T vmware start "$FW"

sleep 60

## Sandbox VM: clean snapshot, boot, copy the sample in
"$VMRUN" -T vmware revertToSnapshot "$VMX" "$VM_SNAPSHOT"
"$VMRUN" -T vmware start "$VMX"
"$VMRUN" -T vmware -gu "$VM_USER" -gp "$VM_PASS" copyFileFromHostToGuest "$VMX" "$MALWAREFILE" "$MALWARE_PATH"

sleep "$WINDOWSDELAY"

# Run Noriben in the guest; it launches the sample via --cmd and collects for $DELAY seconds
"$VMRUN" -T vmware -gu "$VM_USER" -gp "$VM_PASS" runProgramInGuest "$VMX" "$PYTHON_PATH" "$NORIBEN_PATH" -d -t "$DELAY" --cmd "$MALWARE_PATH" --output "$LOG_PATH"
if [ $? -gt 0 ]; then
    echo "[!] File did not execute in VM correctly."
    exit 1
fi

# Zip the report folder inside the guest (zip exits 12 when it found nothing to add)
"$VMRUN" -T vmware -gu "$VM_USER" -gp "$VM_PASS" runProgramInGuest "$VMX" "$ZIP_PATH" -j "$REPORT_PATH" "$LOG_PATH\."
if [ $? -eq 12 ]; then
    echo "[!] ERROR: No files found in Noriben output folder to ZIP."
    exit 1
fi

# Pull the zipped report back to the host, then revert both VMs
"$VMRUN" -T vmware -gu "$VM_USER" -gp "$VM_PASS" copyFileFromGuestToHost "$VMX" "$REPORT_PATH" "/reports/Report_$FILENAME.zip"

"$VMRUN" -T vmware revertToSnapshot "$VMX" "$VM_SNAPSHOT"

## Firewall VM back to its snapshot
"$VMRUN" -T vmware revertToSnapshot "$FW" "$FW_SNAPSHOT"

Not whitelisting changed Procmon binary

From Roman Hussey:

Hmmm... I have the weird situation where the PMC obviously does not get applied.

For example, I do have:

[Exclude] Process Name is prm64.exe

... in my PMC config. However, looking at the pml / csv generated I see:

"1:24:03.3782382 PM","prm64.exe","2844","RegQueryValue","HKLM\System\CurrentControlSet\Control\TimeZoneInformation\StandardName"
[...]

Do you have any idea why the filters defined in the pmc are not being
applied by noriben / procmon?

Remove base directory from File Activity

In many runs, especially in Win7+, there are dozens of references to:
"[CreateFolder] Explorer.exe:XXXX > PathToMalware"

The script should have an additional filter, manually implemented into logic, that takes a given malware command line:
"C:\Malware\a.exe"
"%UserProfile\Desktop\Malware\a.exe"

Get os.path.dirname() and use that as a literal (*$) filter.

[!] Python module "requests" not found. Internet functionality is now disabled.

There is this error:
[!] Python module "requests" not found. Internet functionality is now disabled.
--===[ Noriben v1.6.3 ]===--
--===[ @bbaskin ]===--

However, running pip3 install requests gives:
Requirement already satisfied (use --upgrade to upgrade): requests in c:\program files (x86)\python35-32\lib\site-packages\requests-2.9.1-py3.5.egg

Thanks.

Noriben will crash with "--pml" option

I found an issue in Version 1.8.2.
Noriben will crash with the following message when I specify "--pml".

Traceback (most recent call last):
File "Noriben.py", line 1488, in <module>
main()
File "Noriben.py", line 1365, in main
with open(timeline_file, newline='', encoding='utf-8') as f:
FileNotFoundError: [Errno 2] No such file or directory: 'Noriben_06_Jul_18__12_31_034122_timeline.csv'

I found a bug around 1364 line.

        print('[*] Saving timeline to: {}'.format(timeline_file))
        # codecs.open(timeline_file, 'w', 'utf-8').write('\r\n'.join(timeline))
        with open(timeline_file, newline='', encoding='utf-8') as f:
            writer = csv.writer(f)
            writer.writerows(timeline)

I modified it such as following. It seems to work.

        print('[*] Saving timeline to: {}'.format(timeline_file))
        codecs.open(timeline_file, 'w', 'utf-8').write('\r\n'.join(timeline))
        # with open(timeline_file, newline='', encoding='utf-8') as f:
        #     writer = csv.writer(f)
        #     writer.writerows(timeline)

Another issue

I found another small issue with the time settings in the noriben.py file. I set it to 14 seconds and I get the following error all of the time:

[_] Converting session to CSV: Noriben_29_Apr_14__15_05_01_614000.csv
Traceback (most recent call last):
File "c:\noriben\noriben.py", line 1055, in <module>
main()
File "c:\noriben\noriben.py", line 1046, in main
events = parse_csv()
File "c:\noriben\noriben.py", line 683, in parse_csv
av_hits = virustotal_scan_file(md5)
File "c:\noriben\noriben.py", line 395, in virustotal_scan_file
response = urllib2.urlopen(req)
File "C:\Python27\lib\urllib2.py", line 126, in urlopen
return _opener.open(url, data, timeout)
File "C:\Python27\lib\urllib2.py", line 406, in open
response = meth(req, response)
File "C:\Python27\lib\urllib2.py", line 519, in http_response
'http', request, response, code, msg, hdrs)
File "C:\Python27\lib\urllib2.py", line 444, in error
return self._call_chain(_args)
File "C:\Python27\lib\urllib2.py", line 378, in _call_chain
result = func(*args)
File "C:\Python27\lib\urllib2.py", line 527, in http_error_default
raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
urllib2.HTTPError: HTTP Error 404: Not Found

However, if I set the value in the noriben.py file to 0 and then use Control-C to stop Noriben in less than 14 seconds, I don't get the error at all.

Regards,
Robert

output_dir not being honored

Will need to verify and resolve.

From email:

I want to direct the resultant 'csv_file' to a particular directory, but haven't been able to do so despite making changes to the 'output_dir' value in 'Noriben.py'.

Non-PE File (e.g. Malicious Office Files) Support on Sandbox

I noticed when you run Noriben (non Sandbox) you can pretty much examine any files (including word files), but on the sandbox mode, it is restricted to PE Files. The following error generates when submitting a .doc file.

[*] Disabling automatic running due to magic signature: Rich Text Format data, version 1, ANSI
[*] Processing: Cyber Threat Advisory - NOV 2017.doc

The tool can analyze any files when you run the tool directly on the machine, and it produces an excellent report. Check below on the analysis on a malicious doc file:

Noriben_20_Mar_19__23_09_482659.txt

On a side note, your tool has been cutting down my analysis time! Continue the great work; your contribution helps many people!

Malware - encrypting the.pml

Malware appears to be encrypting the .pml file. I know procmon allows you to change the name of that file with the command-line option /BackingFile; can you also do that with the --f or -f and change the output log file name? I don't want to change the name, just the log file's extension.

Any chance this can be added as an option?

Thanks
Robert

Exiting with error code: 8: Error creating PML

Here's an added twist. This only happens occasionally. Thoughts?

[*] Termination of Procmon commencing... please wait
[*] Running cmdline: "c:\tools\procmon.exe" /Terminate
[*] Procmon terminated
[*] Checking for existence of file: C:\capture\Noriben_23_Feb_23__07_18_668505.pml
[!] Error creating PML file!
[*] Exiting with error code: 8: Error creating PML
Terminate batch job (Y/N)? y

PML file being encrypted by malware

I'm still encountering this issue daily with ransomware. What are your thoughts about adding an option to just eliminate the extension of the output file altogether? Many of the samples that I've encountered don't encrypt files that don't have extensions.

Registry length exceeded

Hello,

Currently encountered this issue on Win 10 x64.
The command Noriben.py -p file.pml doesn't help with this problem.

I guess the registry length changed quite a lot since Win 7.
This only crashes after .pml generation, which means the file is still saved but not in .txt format.

--===[ Noriben v1.8.3
--===[ Brian Baskin [[email protected] / @bbaskin]
[*] Using filter file: ProcmonConfiguration.PMC
Traceback (most recent call last):
File "Noriben.py", line 1046, in parse_csv
if int(reg_length):
ValueError: invalid literal for int() with base 10: '2\xa0691'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "Noriben.py", line 1494, in <module>
main()
File "Noriben.py", line 1364, in main
parse_csv(csv_file, report, timeline)
File "Noriben.py", line 1063, in parse_csv
error_output.append(original_line.strip())
AttributeError: 'list' object has no attribute 'strip'

Shutting down VM after analysis

After the analysis the virtual machine does not shut down, can the python code be updated to send the "vmrun stop", and possibly make that a variable where the user can define after how many seconds to initiate the "vmrun stop" command.

Also, I don't mind being a guinea pig for any of the code testing!

ValueError: could not convert string to float: '3\xa0256'

Hello,

I'm having issues when I try to run noriben.py and I get the following results:

[*] Termination of Procmon commencing... please wait
[*] Procmon terminated
Traceback (most recent call last):
File "C:\Analyze\Noriben-master\Noriben.py", line 1060, in parse_csv
if int(float(reg_length)):
ValueError: could not convert string to float: '3\xa0256'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "C:\Analyze\Noriben-master\Noriben.py", line 1512, in <module>
main()
File "C:\Analyze\Noriben-master\Noriben.py", line 1499, in main
parse_csv(csv_file, report, timeline)
File "C:\Analyze\Noriben-master\Noriben.py", line 1077, in parse_csv
error_output.append(original_line.strip())
AttributeError: 'list' object has no attribute 'strip'

I'm running Python version 3.9.1

Even if I try with the following:

Noriben.py --debug -t 30

it results in the same error as above.

How can I resolve this?

First time it worked perfectly, but now it seems to struggle.

Best regards
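Both tracebacks above fail on the same kind of value: a Procmon Length detail written with a locale grouping character (\xa0 is a non-breaking space), which int() and float() reject. As an added example (not Noriben's parse_csv), this Python reads a constructed Procmon CSV export and reduces Length to a byte count by dropping every non-digit, which is safe because Procmon's Length is always a whole number of bytes; the sample rows and the large-write threshold are this example's constructions.

```python
import csv
import io
import re

# Constructed Procmon CSV export with the column layout Procmon writes when it
# converts a PML to CSV. The first data row carries a non-breaking space (\xa0)
# as thousands separator in Length, exactly what int('2\xa0691') rejects.
SAMPLE_CSV = (
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\r\n'
    '"1:24:03.3782382 PM","malware.exe","2844","RegSetValue",'
    '"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater","SUCCESS",'
    '"Type: REG_SZ, Length: 2\xa0691, Data: C:\\Users\\admin\\updater.exe"\r\n'
    '"1:24:03.4001122 PM","malware.exe","2844","RegSetValue",'
    '"HKCU\\Software\\Evil\\blob","SUCCESS",'
    '"Type: REG_BINARY, Length: 3,256, Data: 4D 5A 90 00"\r\n'
    '"1:24:03.4100000 PM","malware.exe","2844","RegSetValue",'
    '"HKCU\\Software\\Evil\\small","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"\r\n'
    '"1:24:03.4200000 PM","malware.exe","2844","RegQueryValue",'
    '"HKLM\\System\\Foo","NAME NOT FOUND","Length: 144"\r\n'
)

# Digits plus anything a locale might use as a grouping character.
_LENGTH_RE = re.compile(r"Length:\s*([\d\s\xa0\u202f.,']+)")


def parse_length(detail):
    """Return the byte count from a Procmon Detail field, or None if absent.

    Length is always a whole number of bytes, so every non-digit inside the
    matched token is a locale grouping character (NBSP, narrow NBSP, comma,
    period, apostrophe, plain space) and can be dropped.
    """
    m = _LENGTH_RE.search(detail)
    if not m:
        return None
    digits = re.sub(r"\D", "", m.group(1))
    return int(digits) if digits else None


def parse_procmon_csv(text):
    """Yield (process, pid, operation, path, length) for each data row.

    csv.reader hands back a list per row, so anything that wants a printable
    line must join it; calling .strip() on the row is the AttributeError above.
    """
    reader = csv.reader(io.StringIO(text, newline=""))
    header = next(reader)
    col = {name: i for i, name in enumerate(header)}
    for row in reader:
        if not row:
            continue
        yield (
            row[col["Process Name"]],
            int(row[col["PID"]]),
            row[col["Operation"]],
            row[col["Path"]],
            parse_length(row[col["Detail"]]),
        )


def large_registry_writes(text, threshold=1024):
    """RegSetValue rows at or above threshold bytes; oversized values are worth
    a look because they are a common home for stored configuration or payloads."""
    return [
        (path, length)
        for _proc, _pid, op, path, length in parse_procmon_csv(text)
        if op == "RegSetValue" and length is not None and length >= threshold
    ]


if __name__ == "__main__":
    for path, length in large_registry_writes(SAMPLE_CSV):
        print("{:>8} bytes  {}".format(length, path))
```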

Error: TypeError: can't multiply sequence by non-int of type 'float'

Hi, thanks for your tool.
Your work is much appreciated
I'm trying to start it but I get the following error:
C:\Python34>python.exe c:\Noriben-master\Noriben.py
--===[ Noriben v1.6.2 ]===--
Traceback (most recent call last):
File "c:\Noriben-master\Noriben.py", line 1202, in <module>
main()
File "c:\Noriben-master\Noriben.py", line 997, in main
print(header2 % (' ' * (padding / 2), ' ' * (padding / 2)))
TypeError: can't multiply sequence by non-int of type 'float'

C:\Python34>

I tested on Windows 7 64-bit with Python 3.4.3 (64-bit version) and Python 3.2.5.1 32-bit version, getting the same error.
May you help me to fix this error?

Thanks a lot.

Problem with VMX path

There is an error when trying to use the Noriben frontend, but the path is right:
path VMX = r'D:\Users\user\Documents\VM\win7x64\win7x64.vmx'

[*] Processing: .\suspicious_exe.exe
Error: Unrecognized command: D:\Users\user\Documents\VM\win7x64\win7x64.vmx
[!] Error trying to copy file to guest. Error 0xffffffff: Unexpected Error

procmon.exe path problem

I installed procmon.exe in directory: "C:\ProgramData\chocolatey\lib\sysinternals\tools\Procmon.exe".
After Ctrl+C to terminate Noriben.py, 2 message boxes pop up, indicating "Unable to open xxx.pml for reading" and "The file was not saved.: There are no items to be saved."
But if I place a copy of procmon.exe in the same directory with Noriben.py, everything works just fine.
After some digging, I thought the problem happens when using procmon.exe to convert pml to csv file, some relative path stuff...
I'd prefer not to place a copy of procmon.exe in the Noriben.py directory, so that I can automatically update procmon.exe when new releases arrive.

SSL error connecting to VirusTotal

Besides turning off the VirusTotal functionality, any thoughts on how to rectify this?

C:\Python27\lib\site-packages\requests\packages\urllib3\util\ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.

Thanks
Robert

I've been playing with this issue for awhile, and apologies for the lengthy delay. It's an issue of the backing file being encrypted, but Procmon does have the ability to use virtual memory for the live data. Do you have a sample that you can test against, or provide hash for so I can test?

In Procmon if you enable File > Backing File... > Virtual Memory, that may be able to get around this issue. However, I can not guess the performance issues, or ultimate memory usage, of that.

Then one small edit to the script, within "launch_procmon_capture()" to force this:

Change:
cmdline = '"{}" /BackingFile "{}" /Quiet /Minimized'.format(procmonexe, pml_file)

To:
cmdline = '"{}" /PagingFile /Quiet /Minimized'.format(procmonexe)

Originally posted by @Rurik in #42 (comment)

How to whitelist System:4 process?

I can add any processes to the whitelist (I normally just use the global one), but how do I add the process System:4 specifically? I wasn't able to use "System:4" in the normal regex and can't see how to include the specific process number (4) otherwise.

Text file doesn't contain any data

The text file that is created once Noriben is terminated only contains what appears to be default information, see below. This happens every time. This is the latest beta version.

-=] Sandbox Analysis Report generated by Noriben v1.6
-=] Developed by Brian Baskin: [email protected] @bbaskin
-=] The latest release can be found at https://github.com/Rurik/Noriben

-=] Execution time: 47.61 seconds
-=] Processing time: 4.41 seconds
-=] Analysis time: 1.43 seconds

Processes Created:

File Activity:

Registry Activity:

Network Traffic:

Unique Hosts:

Chinese characters in log

I'm getting quite a bit of Chinese data in the Noriben texts output file in numerous places, a sample is below.

[RegSetValue] svchost.exe:8732 > \REGISTRY\A{7b42fa3c-6aa4-0406-a1bc-87c340d8b210}\DeliveryOptimization\Swarms\4536136f0eaaffe9ee1c675547cd50b2ed0c09fe\CdnURL = Ðèèàt^^f\èØê\ÈØ\ÈÊØÒìÊäò\Úà\ÚÒÆäÞæÞÌè\ÆÞÚ^ÌÒØÊæèäÊÂÚÒÜÎæÊäìÒÆÊ^ÌÒØÊæ^nÌÈhhbjZdpÌhZhÄjÄZpnÆfZnfÄÂÄÌpjhrp~ bzbjlpnfdhrL dzhdL fzdL hz�¢äbnÐ�êlʲjê�¤¬�fJdÌܦd�hðÔb�àJd̪Ä�¦¦¤Ø�ÄÖ´b�è®�¤ð���nâÔî¬à�Ð��ôÜîJdÌrÜ�ÎÐè̤äòª��̤ä���JfÈJfÈ

Not sure what's causing this, any idea?

Thanks
Robert

New issue - VM running Windows 11 Pro

Here is the error that is being displayed upon execution. Python version- python-3.11.2 32bit

[*] Running cmdline: "c:\tools"\procmon.exe" /BackingFile "Noriben_20_Feb_23__11_47_843808.pml" /Quiet /Minimized /LoadConfig "c:\noriben\ProcmonConfiguration.PMC"
Traceback (most recent call last):
File "c:\noriben\noriben.py", line 1591, in <module>
main()
File "c:\noriben\noriben.py", line 1524, in main
launch_procmon_capture(procmonexe, pml_file, pmc_file)
File "c:\noriben\noriben.py", line 976, in launch_procmon_capture
subprocess.Popen(cmdline)
File "C:\Users\oasec\AppData\Local\Programs\Python\Python311-32\Lib\subprocess.py", line 1024, in __init__
self._execute_child(args, executable, preexec_fn, close_fds,
File "C:\Users\oasec\AppData\Local\Programs\Python\Python311-32\Lib\subprocess.py", line 1493, in _execute_child
hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [WinError 5] Access is denied

Once again thanks for such a great tool!
Robert

Procmon not found in Temp

"I am getting this error that "procmon64.exe" cannot be found in %Temp%, and that leads to failure in production of the csv file. Apparently its a procmon issue where it cancels the request to extract to create procmon64.exe immediately after making it."

To investigate

Pledgie Link

I would like to buy you a beer!

But your Pledgie link isn't working 😢

question regarding procmon.pmc configuration file name and extension

Is it possible for you to make it so that you're able to change the name and extension of the procmon configuration file? We're analyzing malware and would like to be able to change the filename and extension. The malware is encrypting the configuration file and procmon is failing. We can do that now on the command-line, but it doesn't recognize it. We validated that the filename of the configuration file does match what we specify on the command-line.

IMO this would be great functionality as it appears that the pmc extension is now on the files to encrypt list of certain malware.

Thanks
Robert

Procmon needs permission to "make changes on this computer"

Screen Shot 2019-03-24 at 5 20 44 PM

After the file is sent to the virtual machine Windows requires the user to accept "yes" for procmon to initiate. I tried going to "User account control settings” and selecting "never" notify, but that does not resolve the issue. Any thoughts?

Noriben can't load the CSV file made by procmon

Hello.
And sorry for my bad English.
Sadly, no one knows about this great tool Noriben.
And I can't find the way to resolve this problem.
So I have to ask you.

The text file that is created by Noriben and timeline.csv contain only default information.
Like this.

-=] Sandbox Analysis Report generated by Noriben v1.8.3
-=] Developed by Brian Baskin: brian @@ thebaskins.com @bbaskin
-=] The latest release can be found at https://github.com/Rurik/Noriben

-=] Analysis time: 1.34 seconds

Processes Created:

File Activity:

Registry Activity:

Network Traffic:

Unique Hosts:

As you know there is a similar case:
"Textfile doesnt contain any data " issue on Mar 2015 · 17
I read it. And I guess this is the same case.
In this case this problem is resolved by installing latest version.
But I can't.

python version is 3.8.2
OS is win7
And this deploy on virtual box.
CSV is written.

Abandon insecure MD5 hashes in favor of SHA256

The VirusTotal API allows retrieving reports by MD5, SHA1 and SHA256, with SHA256 probably being the most reliable (in terms of uniqueness).

Padding a binary to match a certain MD5 hash is quite a trivial task, and has been exploited in the wild for quite some time. And since the whitelist feature relies on MD5 hashes, malicious files could easily be crafted to yield the same hash as any common/legit executable, which in turn would result in that file not being analyzed any further.
By switching to a cryptographically (more) secure hashing algorithm, this kind of disguise becomes practically infeasible, while only unremarkably slowing down the "pre-analysis phase".

Python "requests" module missing, ProcMon cannot open pml file for reading and CSV file cannot be created.

This is the first time that I use Noriben. I followed the steps that the comments mention in the script file, and I'm pretty sure that I'm using the correct syntax for the command execution for the malware testing.
The first error comes when I simply run the "Noriben.py" script, the others when I put some malware samples to work.
Anyone knows what's the cause of these issues and how to correct them?
I'll appreciate it so much.
PD: I'm using Flare VM distribution for malware analysis.

malware lab - windows-2017-12-16-18-46-46
malware lab - windows-2017-12-16-18-53-04

Errors with Whitelist Hashes & Virus Total

There are two small code issues that need to be fixed, for the hashing and virus total options to work correctly.

  1. Line 570 needs to be: hashval = hash_line[0]

  2. Line 613 needs to be: time.sleep(60)

request for clarification of documentation in the readme file

I have read your readme file on github as well as the blogs on ghettoforensics but I have a few open questions. I would like to request clarification in the documentation for the software required to be installed on the vm versus what needs to be in the directory with the noriben python file. For example, you mention the usage of procmon a bunch as it is used heavily. It is not mentioned whether or not procmon should be installed on the vm prior to usage or if the binary should be in the directory with Noriben.py. How is procmon used? is it executed at the point of execution of the vm or somewhere else?

btw great work on noriben! I can't wait to start using it once i get clarification so i can finish setup on my vm.

-sonofagl1tch

hashlist and csv creation issues

Hey

Just loaded this up today and hit a few snags at first.

Kept getting errors about not being able to open the PML for reading; found that it was trying to read the file before the first process had fully terminated and released it. Solved that on my side simply enough by adding a 30 second sleep timer to process_pml_to_csv. Maybe my VM is exceptionally slow? There is probably a better fix, but it was a quick plaster.

I also had issues with adding the hash list in the read_hash_file function; it looks like the csv reader line was updated a few months back to:
reader = csv.DictReader(hash_file_handle)

but later code is still expecting a list:

hashval = hash_line[0]

Again quick fix for me just changed it back to:

csv.reader(hash_file_handle)

thanks
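The --hash whitelist from the README, the SHA256 request above and the read_hash_file regression in this report all touch the same loader. As an added example (not Noriben's read_hash_file), this Python reads an md5deep/sha256deep-style list, keeps only digests that fit the selected hash type, and checks files against it; the whitelist contents and the demo files are constructed for the example.

```python
import hashlib
import os
import tempfile

HASH_TYPES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}

# Constructed whitelist: sha256deep/md5deep write "<hash>  <path>", but lists
# also end up with bare digests, comments and digests of the wrong algorithm.
SAMPLE_WHITELIST = """\
# constructed: sha256deep -r C:\\Windows\\System32 > whitelist.txt
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  C:\\Windows\\System32\\empty.dat
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
d41d8cd98f00b204e9800998ecf8427e  C:\\Windows\\System32\\empty.dat
"""


def read_hash_file(text, hashtype="SHA256"):
    """Return the set of lowercase digests of the chosen type found in a hash list.

    Each line is split on whitespace and the first token taken as the digest
    (the hash_line[0] the report above expects; csv.DictReader broke that
    because it yields dicts keyed by the first line's fields). Tokens whose
    length does not fit hashtype are skipped, so an MD5 line cannot end up in
    a SHA256 list.
    """
    expected = HASH_TYPES[hashtype.upper()]().digest_size * 2
    digests = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        token = line.split()[0].lower()
        if len(token) == expected and all(c in "0123456789abcdef" for c in token):
            digests.add(token)
    return digests


def hash_file(path, hashtype="SHA256", chunk_size=1 << 20):
    """Stream a file through the chosen hash so large samples are not read whole."""
    h = HASH_TYPES[hashtype.upper()]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_whitelisted(path, digests, hashtype="SHA256"):
    return hash_file(path, hashtype) in digests


def demo(hashtype="SHA256"):
    """Write three constructed files to a temp dir and check each against the list."""
    digests = read_hash_file(SAMPLE_WHITELIST, hashtype)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("empty.dat", b""), ("test.bin", b"test"), ("unknown.exe", b"MZ\x90\x00")):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            results[name] = is_whitelisted(p, digests, hashtype)
    return results


if __name__ == "__main__":
    print(demo("SHA256"))
    print(demo("MD5"))
```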
