VirusTotal#
README
This analyzer let you run Virustotal services on several datatypes:
- file
- hash
- domain
- fqdn
- ip
- url
The program uses VirusTotal API v3.
Major improvements have been added with VirusTotal_GetReport flavor. Now, with the classical scan results, the report can display:
- A Summary: with qualitative informnation about the detection
- Crowdsourced YARA results with known Yara rules to detect the threat
- Contacted IP addresses, domains and URLs if any
- Crowdsourced IDS results with known IDS rules to detect the threat
- Sandbox verdict if any
Extracted Observables#
Moreover, these domains, IP addresses, URLs as well as detection YARA and IDS rules reported are added to the extracted Observables, ready to be imported and actioned in TheHive.
VirusTotal_Scan#
Author: CERT-BDF, StrangeBee
License: AGPL-V3
Version: 3.1
Supported observables types:
- file
- url
Registration required: True
Subscription required: False
Free subscription: N/A
Third party service: https://www.virustotal.com/
Description#
Use VirusTotal to scan a file or URL.
Configuration#
key | API key for Virustotal |
---|---|
Default value if not configured | N/A |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
polling_interval | Define time interval between two requests attempts for the report |
---|---|
Default value if not configured | 60 |
Type of the configuration item | number |
The configuration item can contain multiple values | False |
Is required | False |
highlighted_antivirus | Add taxonomy if selected AV don't recognize observable |
---|---|
Default value if not configured | N/A |
Type of the configuration item | string |
The configuration item can contain multiple values | True |
Is required | False |
Templates samples for TheHive#
No template samples to display.
VirusTotal_Rescan#
Author: CERT-LDO
License: AGPL-V3
Version: 3.1
Supported observables types:
- hash
Registration required: True
Subscription required: True
Free subscription: N/A
Third party service: https://www.virustotal.com/
Description#
Use VirusTotal to run new analysis on hash.
Configuration#
key | API key for Virustotal |
---|---|
Default value if not configured | N/A |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
polling_interval | Define time interval between two requests attempts for the report |
---|---|
Default value if not configured | 60 |
Type of the configuration item | number |
The configuration item can contain multiple values | False |
Is required | False |
highlighted_antivirus | Add taxonomy if selected AV don't recognize observable |
---|---|
Default value if not configured | N/A |
Type of the configuration item | string |
The configuration item can contain multiple values | True |
Is required | False |
download_sample | Download automatically sample as observable when looking for hash |
---|---|
Default value if not configured | N/A |
Type of the configuration item | boolean |
The configuration item can contain multiple values | False |
Is required | False |
download_sample_if_highlighted | Download automatically sample as observable if highlighted antivirus didn't recognize |
---|---|
Default value if not configured | N/A |
Type of the configuration item | boolean |
The configuration item can contain multiple values | False |
Is required | False |
Templates samples for TheHive#
No template samples to display.
VirusTotal_GetReport#
Author: CERT-BDF, StrangeBee
License: AGPL-V3
Version: 3.1
Supported observables types:
- file
- hash
- domain
- fqdn
- ip
- url
Registration required: True
Subscription required: False
Free subscription: N/A
Third party service: https://www.virustotal.com/
Description#
Get the latest VirusTotal report for a file, hash, domain or an IP address.
Configuration#
key | API key for Virustotal |
---|---|
Default value if not configured | N/A |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
polling_interval | Define time interval between two requests attempts for the report |
---|---|
Default value if not configured | 60 |
Type of the configuration item | number |
The configuration item can contain multiple values | False |
Is required | False |
rescan_hash_older_than_days | Rescan hash observable if report is older than selected days |
---|---|
Default value if not configured | 30 |
Type of the configuration item | number |
The configuration item can contain multiple values | False |
Is required | False |
highlighted_antivirus | Add taxonomy if selected AV don't recognize observable |
---|---|
Default value if not configured | N/A |
Type of the configuration item | string |
The configuration item can contain multiple values | True |
Is required | False |
download_sample | Download automatically sample as observable when looking for hash |
---|---|
Default value if not configured | N/A |
Type of the configuration item | boolean |
The configuration item can contain multiple values | False |
Is required | False |
download_sample_if_highlighted | Download automatically sample as observable if highlighted antivirus didn't recognize |
---|---|
Default value if not configured | N/A |
Type of the configuration item | boolean |
The configuration item can contain multiple values | False |
Is required | False |
Templates samples for TheHive#
VirusTotal_DownloadSample#
Author: LDO-CERT
License: AGPL-V3
Version: 3.1
Supported observables types:
- hash
Registration required: True
Subscription required: True
Free subscription: N/A
Third party service: https://www.virustotal.com/
Description#
Use VirusTotal to download the original file for an hash.
Configuration#
key | API private key for Virustotal |
---|---|
Default value if not configured | N/A |
Type of the configuration item | string |
The configuration item can contain multiple values | False |
Is required | True |
Templates samples for TheHive#
No template samples to display.