
VirusTotal#

README

This analyzer lets you run VirusTotal services on several data types:

  • file
  • hash
  • domain
  • fqdn
  • ip
  • url

The analyzer uses the VirusTotal API v3.

Major improvements have been added with the VirusTotal_GetReport flavor. Alongside the classic scan results, the report can now display:

  • A summary with qualitative information about the detection
  • Crowdsourced YARA results with known YARA rules to detect the threat
  • Contacted IP addresses, domains and URLs, if any
  • Crowdsourced IDS results with known IDS rules to detect the threat
  • Sandbox verdict, if any

Extracted Observables#

Moreover, the reported domains, IP addresses and URLs, as well as the detecting YARA and IDS rules, are added to the extracted observables, ready to be imported and actioned in TheHive.

VirusTotal_Scan#

Author: CERT-BDF, StrangeBee
License: AGPL-V3
Version: 3.1
Supported observables types:
- file
- url
Registration required: True
Subscription required: False
Free subscription: N/A
Third party service: https://www.virustotal.com/

Description#

Use VirusTotal to scan a file or URL.

Configuration#

key
  Description: API key for VirusTotal
  Default value: N/A
  Type: string
  Multiple values: False
  Required: True

polling_interval
  Description: Time interval between two request attempts for the report
  Default value: 60
  Type: number
  Multiple values: False
  Required: False

highlighted_antivirus
  Description: Add a taxonomy if a selected AV does not recognize the observable
  Default value: N/A
  Type: string
  Multiple values: True
  Required: False

Templates samples for TheHive#

No template samples to display.

VirusTotal_Rescan#

Author: CERT-LDO
License: AGPL-V3
Version: 3.1
Supported observables types:
- hash
Registration required: True
Subscription required: True
Free subscription: N/A
Third party service: https://www.virustotal.com/

Description#

Use VirusTotal to run a new analysis on a hash.

Configuration#

key
  Description: API key for VirusTotal
  Default value: N/A
  Type: string
  Multiple values: False
  Required: True

polling_interval
  Description: Time interval between two request attempts for the report
  Default value: 60
  Type: number
  Multiple values: False
  Required: False

highlighted_antivirus
  Description: Add a taxonomy if a selected AV does not recognize the observable
  Default value: N/A
  Type: string
  Multiple values: True
  Required: False

download_sample
  Description: Automatically download the sample as an observable when looking up a hash
  Default value: N/A
  Type: boolean
  Multiple values: False
  Required: False

download_sample_if_highlighted
  Description: Automatically download the sample as an observable if the highlighted antivirus did not recognize it
  Default value: N/A
  Type: boolean
  Multiple values: False
  Required: False

Templates samples for TheHive#

No template samples to display.

VirusTotal_GetReport#

Author: CERT-BDF, StrangeBee
License: AGPL-V3
Version: 3.1
Supported observables types:
- file
- hash
- domain
- fqdn
- ip
- url
Registration required: True
Subscription required: False
Free subscription: N/A
Third party service: https://www.virustotal.com/

Description#

Get the latest VirusTotal report for a file, hash, domain or IP address.

Configuration#

key
  Description: API key for VirusTotal
  Default value: N/A
  Type: string
  Multiple values: False
  Required: True

polling_interval
  Description: Time interval between two request attempts for the report
  Default value: 60
  Type: number
  Multiple values: False
  Required: False

rescan_hash_older_than_days
  Description: Rescan the hash observable if the report is older than the selected number of days
  Default value: 30
  Type: number
  Multiple values: False
  Required: False

highlighted_antivirus
  Description: Add a taxonomy if a selected AV does not recognize the observable
  Default value: N/A
  Type: string
  Multiple values: True
  Required: False

download_sample
  Description: Automatically download the sample as an observable when looking up a hash
  Default value: N/A
  Type: boolean
  Multiple values: False
  Required: False

download_sample_if_highlighted
  Description: Automatically download the sample as an observable if the highlighted antivirus did not recognize it
  Default value: N/A
  Type: boolean
  Multiple values: False
  Required: False
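An added example (not the analyzer's own code) of how a VirusTotal_GetReport-style flavor can apply these configuration items to a v3 report: a detection summary taxonomy, the highlighted_antivirus "not detected" check, the rescan_hash_older_than_days age test, and the extracted observables described in the README section above. The v3 field names and the Cortex taxonomy shape are assumptions, and the report itself is constructed.

```python
# Constructed sample of a VirusTotal API v3 file object (field names assumed
# from the v3 API; values are made up for this example).
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_date": 1700000000,  # epoch seconds of the last analysis
            "last_analysis_stats": {"malicious": 12, "suspicious": 1, "undetected": 50, "harmless": 0},
            "last_analysis_results": {"EngineA": {"category": "malicious"}, "EngineB": {"category": "undetected"}},
            "crowdsourced_yara_results": [{"rule_name": "Example_Yara_Rule"}],
            "crowdsourced_ids_results": [{"rule_msg": "Example IDS alert"}],
        },
        "relationships": {
            "contacted_ips": {"data": [{"id": "192.0.2.10"}]},
            "contacted_domains": {"data": [{"id": "example.invalid"}]},
        },
    }
}

def summarize(report, highlighted_antivirus=()):
    """Cortex-style taxonomies: detection ratio, plus one 'not detected'
    entry for each highlighted AV engine that missed the sample."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    total = sum(stats.values())
    level = "malicious" if stats["malicious"] else "suspicious" if stats["suspicious"] else "safe"
    taxonomies = [{"namespace": "VT", "predicate": "GetReport",
                   "value": f"{stats['malicious']}/{total}", "level": level}]
    results = attrs.get("last_analysis_results", {})
    for av in highlighted_antivirus:
        if results.get(av, {}).get("category") not in ("malicious", "suspicious"):
            taxonomies.append({"namespace": "VT", "predicate": av,
                               "value": "not detected", "level": "info"})
    return taxonomies

def needs_rescan(report, now, rescan_hash_older_than_days=30):
    """True when the cached report is older than the configured day threshold."""
    age = now - report["data"]["attributes"]["last_analysis_date"]
    return age > rescan_hash_older_than_days * 86400

def extract_observables(report):
    """Contacted IPs/domains and YARA/IDS rule names as (dataType, data) pairs."""
    attrs = report["data"]["attributes"]
    rels = report["data"].get("relationships", {})
    obs = [(dtype, o["id"]) for key, dtype in (("contacted_ips", "ip"),
                                               ("contacted_domains", "domain"))
           for o in rels.get(key, {}).get("data", [])]
    obs += [("other", r["rule_name"]) for r in attrs.get("crowdsourced_yara_results", [])]
    obs += [("other", r["rule_msg"]) for r in attrs.get("crowdsourced_ids_results", [])]
    return obs
```

Contacted URL objects in v3 carry the URL in their attributes rather than in the id, so they would need a separate branch; they are left out here to keep the example short.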

Templates samples for TheHive#

VirusTotal: long report

VirusTotal_DownloadSample#

Author: LDO-CERT
License: AGPL-V3
Version: 3.1
Supported observables types:
- hash
Registration required: True
Subscription required: True
Free subscription: N/A
Third party service: https://www.virustotal.com/

Description#

Use VirusTotal to download the original file for a hash.

Configuration#

key
  Description: Private API key for VirusTotal
  Default value: N/A
  Type: string
  Multiple values: False
  Required: True

Templates samples for TheHive#

No template samples to display.