...
Virustotal can be used to analyze suspicious files and URLs to detect types of malware including viruses, worms, and trojans.
# Connect Virustotal with Devo SOAR
Navigate to Automations > Integrations.
Search for Virustotal.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select whether to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
API Key: The API key used to connect to VirusTotal.
After you've entered all the details, click Connect.
# Actions for Virustotal

## Analyze Domain

Retrieves a domain report

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Column Name | Select the name of the column in the parent table containing the domain to submit to VirusTotal. | Required |
### Output
A JSON object containing multiple rows of result:
...
## Analyze File Hash

Retrieves a file hash report

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :---------- | :----------------------------------------------------------------------------------- | :------- |
| Column Name | Name of the column in the parent table containing file hash to submit to VirusTotal. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: analysis details

```json
{
  "scans": {
    "Alibaba": {
      "detected": true,
      "version": "0.3.0.5",
      "result": "Backdoor:Win32/Nepoe.530869dc",
      "update": "20190527"
    },
    "Cybereason": {
      "detected": true,
      "version": "1.2.449",
      "result": "malicious.69043a",
      "update": "20190616"
    }
  },
  "scan_id": "b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962-1604018059",
  "sha1": "5b63d3bf46aec2126932d8a683ca971c56f7d717",
  "resource": "cbed16069043a0bf3c92fff9a99cccdc",
  "response_code": 1,
  "scan_date": "2020-10-30 00:34:19",
  "permalink": "https://www.virustotal.com/gui/file/b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962/detection/f-b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962-1604018059",
  "verbose_msg": "Scan finished, information embedded",
  "total": 72,
  "positives": 63,
  "sha256": "b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962",
  "md5": "cbed16069043a0bf3c92fff9a99cccdc",
  "lh_report_url": "https://www.virustotal.com/gui/file/b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962/detection/f-b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962-1604018059",
  "error": null,
  "has_error": false
}
```
## Analyze IP Address

Retrieves an IP address report

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Column Name | Name of the column in the parent table containing IP address to submit to VirusTotal. | Required |
### Output
A JSON object containing multiple rows of result:
...
## Analyze URL

Analyze URL by VirusTotal

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :---------- | :----------------------------------------------------------------------------------------------- | :------- |
| Action Type | Select an action type. | Required |
| Column Name | Select the name of the column in the parent table containing the domain to submit to VirusTotal. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: analysis details

```json
{
  "permalink": "https://www.virustotal.com/gui/url/34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553/detection/u-34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553-1601641706",
  "resource": "34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553-1601641706",
  "url": "https://playground.dev.logichub.com/",
  "response_code": 1,
  "scan_date": "2020-10-02 12:28:26",
  "scan_id": "34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553-1601641706",
  "verbose_msg": "Scan finished, scan information embedded in this object",
  "has_error": false,
  "error": null,
  "filescan_id": null,
  "positives": 0,
  "total": 79,
  "scans": {
    "MalwareDomainList": {
      "detected": false,
      "result": "clean site",
      "detail": "http://www.malwaredomainlist.com/mdl.php?search=playground.dev.logichub.com"
    },
    "Web Security Guard": {
      "detected": false,
      "result": "clean site"
    },
    "OpenPhish": {
      "detected": false,
      "result": "clean site"
    }
  }
}
```
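As an added example (not code from the Devo SOAR integration or from VirusTotal), the following Python helper turns one Analyze File Hash or Analyze URL result row of the shape shown above into a verdict a downstream playbook step can branch on. The sample row, the thresholds and the treatment of `response_code` values other than 1 are assumptions made here.

```python
import json

# Constructed sample in the shape of the Analyze File Hash / Analyze URL
# output documented above (trimmed to three engines; not a real VT response).
SAMPLE_ROW = json.loads("""{
  "has_error": false, "error": null, "response_code": 1,
  "resource": "cbed16069043a0bf3c92fff9a99cccdc",
  "positives": 2, "total": 3,
  "scans": {
    "EngineA": {"detected": true,  "result": "Backdoor:Win32/Example"},
    "EngineB": {"detected": true,  "result": "malicious.example"},
    "EngineC": {"detected": false, "result": null}
  }
}""")


def triage_row(row, malicious_ratio=0.10, suspicious_min=1):
    """Turn one result row into a verdict for the next playbook step.

    Returns verdict, detection ratio and the engines that fired. The two
    thresholds are example assumptions, not VirusTotal's or Devo's defaults.
    """
    # The integration wraps transport/API failures as has_error/error rather
    # than raising, so a playbook must check this first.
    if row.get("has_error"):
        return {"verdict": "error", "reason": row.get("error")}
    # VirusTotal reports carry response_code 1 when a report is present;
    # anything else is treated here as "no report to judge" (assumption).
    if row.get("response_code") != 1:
        return {"verdict": "unknown", "reason": row.get("verbose_msg")}
    total = row.get("total") or 0
    positives = row.get("positives") or 0
    ratio = positives / total if total else 0.0
    # Keep engine name and its label so an analyst sees *why* it fired.
    hits = sorted(
        (name, scan.get("result"))
        for name, scan in row.get("scans", {}).items()
        if scan.get("detected")
    )
    if ratio >= malicious_ratio:
        verdict = "malicious"
    elif positives >= suspicious_min:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "positives": positives, "total": total,
            "ratio": round(ratio, 3), "hits": hits,
            "resource": row.get("resource")}
```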
## Analyze File

Analyze File by VirusTotal

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Action Type | Select an action type. | Required |
Column Name | Select the name of the column in the parent table containing the domain to submit to VirusTotal. | Required |
### Output
A JSON object containing multiple rows of result:
...
If you face a timeout error, increase the Action Timeout (default is 360 seconds).
## File Behavior Reports

Get all behavioural information from each sandbox about the file.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
File Hash | Jinja-templated text containing the File Hash | Required |
### Output
JSON containing the following items:
...
## Summarise File Behavior Reports

Get a summary with behavioural information about the file. The summary merges the reports produced by the multiple sandboxes integrated in VirusTotal.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--------- | :------------------------------------------------------------------ | :------- |
| File Hash | [Jinja-templated](doc:jinja-template) text containing the File Hash | Required |

### Output

JSON containing the following items:

```json
{
  "data": {
    "calls_highlighted": [
      "GetTickCount"
    ],
    "files_opened": [
      "C:\\WINDOWS\\system32\\winime32.dll",
      "C:\\WINDOWS\\system32\\lpk.dll",
      "C:\\WINDOWS\\system32\\usp10.dll",
      "C:\\WINDOWS\\WinSxS\\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\\comctl32.dll",
      "C:\\WINDOWS\\system32\\winmm.dll",
      "C:\\WINDOWS\\system32\\winspool.drv",
      "C:\\WINDOWS\\WindowsShell.Manifest"
    ],
    "modules_loaded": [
      "comctl32.dll",
      "C:\\WINDOWS\\system32\\ws2_32.dll",
      "version.dll",
      "USER32.dll",
      "IMM32.dll",
      "C:\\WINDOWS\\system32\\user32.dll"
    ],
    "mutexes_created": [
      "CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500",
      "CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500",
      "CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500",
      "MSCTF.Shared.MUTEX.EBH"
    ],
    "mutexes_opened": [
      "ShimCacheMutex"
    ],
    "processes_terminated": [
      "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\EB93A6\\996E.exe"
    ],
    "processes_tree": [
      {
        "name": "****.exe",
        "process_id": "1036"
      },
      {
        "name": "9f9e74241d59eccfe7040bfdcbbceacb374eda397cc53a4197b59e4f6f380a91.exe",
        "process_id": "2340"
      }
    ],
    "registry_keys_opened": [
      "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\996E.exe",
      "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\TransparentEnabled",
      "\\REGISTRY\\USER\\S-1-5-21-1482476501-1645522239-1417001333-500\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers",
      "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\COMCTL32.dll",
      "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\SHELL32.dll",
      "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\wave5"
    ],
    "tags": [
      "DIRECT_CPU_CLOCK_ACCESS",
      "RUNTIME_MODULES"
    ],
    "text_highlighted": [
      "&Open",
      "&Cancel",
      "&About",
      "Cate&gory:",
      "Host &Name (or IP address)",
      "&Port",
      "22",
      "Connection type:",
      "Ra&w",
      "&Telnet",
      "Rlog&in"
    ]
  }
}
```
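As an added example, not code from the Devo SOAR integration or VirusTotal, here is one way a playbook step could use the summary above: flatten the sandbox artifacts into host indicators, drop stock Windows paths and keys that a sandbox touches on every run and would match every healthy host, then intersect with what endpoint telemetry observed. The sample summary, the field-to-type mapping and the noise list are constructed assumptions.

```python
# Constructed subset of the "data" object documented above (not a real
# VirusTotal summary); the 996E.exe path is a made-up location.
SAMPLE_SUMMARY = {
    "data": {
        "mutexes_created": ["MSCTF.Shared.MUTEX.EBH", "Example.Mutex.Constructed"],
        "files_opened": ["C:\\WINDOWS\\system32\\winmm.dll"],
        "registry_keys_opened": [
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer"
            "\\CodeIdentifiers\\TransparentEnabled"
        ],
        "processes_terminated": ["C:\\Users\\Public\\996E.exe"],
        "tags": ["DIRECT_CPU_CLOCK_ACCESS", "RUNTIME_MODULES"],
    }
}

# Summary lists worth treating as host indicators and the label each gets.
# Assumed for this example; not a VirusTotal field list.
INDICATOR_FIELDS = {
    "mutexes_created": "mutex",
    "mutexes_opened": "mutex",
    "files_opened": "file",
    "registry_keys_opened": "registry",
    "processes_terminated": "process",
}

# Sandbox runs load stock OS libraries and probe IFEO keys for every binary;
# matching on those flags every machine. Assumed prefix list, extend as needed.
NOISY_PREFIXES = (
    "c:\\windows\\",
    "\\registry\\machine\\software\\microsoft\\windows nt\\currentversion"
    "\\image file execution options\\",
)


def behaviour_indicators(summary):
    """Flatten the summary into a set of (type, value) pairs, lower-cased so
    comparison with endpoint telemetry is case-insensitive, minus noise."""
    data = summary.get("data", {})
    out = set()
    for field, kind in INDICATOR_FIELDS.items():
        for value in data.get(field, []):
            v = value.lower()
            if not v.startswith(NOISY_PREFIXES):
                out.add((kind, v))
    return out


def match_host(summary, observed):
    """observed: iterable of (type, value) pairs from an endpoint (EDR, logs).
    Returns the sorted overlap with the sandbox artifacts."""
    seen = {(kind, value.lower()) for kind, value in observed}
    return sorted(behaviour_indicators(summary) & seen)
```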
# Release Notes

## v4.1.1

- Added 2 new actions: File Behavior Reports and Summarise File Behavior Reports.

## v4.0.0

- Updated architecture to support IO via filesystem
...