VMRay

Author: Nils Kuhnert, CERT-Bund
License: AGPL-V3
Version: 4.1
Supported observable types:
- hash
- file
- url
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description

VMRay Sandbox file and URL analysis.

Configuration

Each configuration item is listed with its description, default value, type, whether it accepts multiple values, and whether it is required.

url: Define the URL of the service.
  Default: N/A | Type: string | Multiple values: False | Required: True

key: Define the API key.
  Default: N/A | Type: string | Multiple values: False | Required: True

certverify: Verify TLS certificates.
  Default: True | Type: boolean | Multiple values: False | Required: False

certpath: Path to a certificate file, e.g. for a self-signed certificate.
  Default: N/A | Type: string | Multiple values: False | Required: False

verdict_only: If set to true, only the verdict (or the score, for VMRay versions < 4.0) will be added as labels.
  Default: False | Type: boolean | Multiple values: False | Required: False

query_retry_wait: The number of seconds to wait before trying to fetch the results.
  Default: 10 | Type: number | Multiple values: False | Required: False

recursive_sample_limit: The maximum number of recursive samples that will be analyzed. 0 disables recursion.
  Default: 10 | Type: number | Multiple values: False | Required: False

reanalyze: If set to true, known samples will be re-analyzed on submission. This is enabled by default.
  Default: True | Type: boolean | Multiple values: False | Required: False

shareable: If set to true, the hash of the sample will be shared with VirusTotal if the TLP level is white or green.
  Default: False | Type: boolean | Multiple values: False | Required: False

archive_password: The password that will be used to extract archives.
  Default: malware | Type: string | Multiple values: False | Required: True

archive_compound_sample: If set to true, files inside archives are treated as a single, compound sample. Otherwise, each file is treated as its own sample.
  Default: False | Type: boolean | Multiple values: False | Required: True

max_jobs: Limits the number of jobs that can be created by jobrules for a submission.
  Default: N/A | Type: number | Multiple values: False | Required: False

enable_reputation: If set to true, reputation lookups will be performed for submitted samples and analysis artifacts (file hash and URL lookups) by the VMRay cloud reputation service and additional third-party services. The user analyzer setting is used as the default value for this parameter.
  Default: N/A | Type: boolean | Multiple values: False | Required: False

enable_whois: If set to true, domains seen during analyses are queried against an external WHOIS service. The user analyzer setting is used as the default value for this parameter.
  Default: N/A | Type: boolean | Multiple values: False | Required: False

analyzer_mode: Specifies which types of analyzers will be used for analyzing this sample. Supported strings are 'reputation', 'reputation_static', 'reputation_static_dynamic', 'static_dynamic', and 'static'. The user analyzer setting is used as the default value for this parameter.
  Default: N/A | Type: string | Multiple values: False | Required: False

known_malicious: If set to true, triage will be used to pre-filter known malicious samples based on the results of the reputation lookup (if allowed) and static analysis. The user analyzer setting is used as the default value for this parameter.
  Default: N/A | Type: boolean | Multiple values: False | Required: False

known_benign: If set to true, triage will be used to pre-filter known benign samples based on the results of the reputation lookup (if allowed) and static analysis. The user analyzer setting is used as the default value for this parameter.
  Default: N/A | Type: boolean | Multiple values: False | Required: False

tags: Tags to attach to the sample.
  Default: N/A | Type: string | Multiple values: True | Required: False

timeout: Analysis timeout in seconds.
  Default: N/A | Type: number | Multiple values: False | Required: False

net_scheme_name: Name of the network schema.
  Default: N/A | Type: string | Multiple values: False | Required: False

Template samples for TheHive

No template samples to display.