
Virus Total


Virustotal can be used to analyze suspicious files and URLs to detect types of malware including viruses, worms, and trojans.

Connect Virustotal with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Virustotal.

  3. Click Details, then the + icon. Enter the required information in the following fields:

     • Label: Enter a connection name.

     • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

     • Verify SSL: Select whether to verify the connecting server's SSL certificate (default is Verify SSL Certificate).

     • Remote Agent: Run this integration using the Devo SOAR Remote Agent.

     • API Key: The API key used to connect to VirusTotal.

  4. After you've entered all the details, click Connect.

Actions for Virustotal

Analyze Domain

Retrieves a domain report

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name  | Description                                                                                      | Required |
| :---------- | :----------------------------------------------------------------------------------------------- | :------- |
| Column Name | Select the name of the column in the parent table containing the domain to submit to VirusTotal. | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: analysis details

```json
{
  "BitDefender category": "business",
  "domain_siblings": ["msg.logichub.com", "info.logichub.com", "stg.logichub.com"],
  "sophos category": "advertisements",
  "undetected_downloaded_samples": [
    {"date": "2019-09-16 16:35:55", "positives": 0, "total": 70, "sha256": "5085cc9e65c2c0c473b7a92d7667a20daf58bef2f8961b4faefafb8d3468a2db"}
  ],
  "whois": "Admin City: Scottsdale\nAdmin Country: US\nAdmin Email: 005338d93d01f529s@domainsbyproxy.com\nAdmin Organization: Domains By Proxy, LLC\nAdmin Postal Code: 85260\nAdmin State/Province: Arizona\nCreation Date: 2010-03-31T18:05:17Z\nDNSSEC: unsigned\nDomain Name: LOGICHUB.COM\nDomain Name: logichub.com\nDomain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited\nDomain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited\nDomain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited\nDomain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited\nDomain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\nDomain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited\nDomain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited\nName Server: NS53.DOMAINCONTROL.COM\nName Server: NS54.DOMAINCONTROL.COM\nRegistrant City: 373f4980ad3d2d01\nRegistrant Country: US\nRegistrant Email: 005338d93d01f529s@domainsbyproxy.com\nRegistrant Fax Ext: 3432650ec337c945\nRegistrant Fax: 9fad764be0c7e95d\nRegistrant Name: 80315b2e6ac1a801\nRegistrant Organization: b46a98a26fe2fd9f\nRegistrant Phone Ext: 3432650ec337c945\nRegistrant Phone: d5f66d3a005b000d\nRegistrant Postal Code: b9448b1c75ff534d\nRegistrant State/Province: 30bdd2917a604c83\nRegistrant Street: 037792fd5a6fe619\nRegistrant Street: f38c0adea706dbc3\nRegistrar Abuse Contact Email: abuse@godaddy.com\nRegistrar Abuse Contact Phone: +1.4806242505\nRegistrar Abuse Contact Phone: 480-624-2505\nRegistrar IANA ID: 146\nRegistrar Registration Expiration Date: 2030-03-31T18:05:17Z\nRegistrar URL: http://www.godaddy.com\nRegistrar WHOIS Server: whois.godaddy.com\nRegistrar: GoDaddy.com, LLC\nRegistry Admin ID: Not Available From Registry\nRegistry Domain ID: 1590984107_DOMAIN_COM-VRSN\nRegistry Expiry Date: 2030-03-31T18:05:17Z\nRegistry Registrant ID: Not Available From Registry\nRegistry Tech ID: Not Available From Registry\nTech City: Scottsdale\nTech Country: US\nTech Email: 005338d93d01f529s@domainsbyproxy.com\nTech Organization: Domains By Proxy, LLC\nTech Postal Code: 85260\nTech State/Province: Arizona\nUpdated Date: 2020-04-05T17:12:07Z\nUpdated Date: 2020-04-05T17:12:10Z",
  "detected_downloaded_samples": [
    {"date": "2020-05-05 15:52:49", "positives": 1, "total": 75, "sha256": "5085cc9e65c2c0c473b7a92d7667a20daf58bef2f8961b4faefafb8d3468a2db"}
  ],
  "response_code": 1,
  "detected_referrer_samples": [],
  "verbose_msg": "Domain found in dataset",
  "Forcepoint ThreatSeeker category": "information technology",
  "undetected_urls": [
    ["https://www.logichub.com/", "1101a118b616f943e890e9e8e8f49161f4336e0a7815ddee08d8a233e0ba7ff9", 0, 80, "2020-10-15 18:50:15"]
  ],
  "Comodo Valkyrie Verdict category": "media sharing",
  "undetected_referrer_samples": [
    {"date": "2020-04-22 14:21:44", "positives": 0, "total": 0, "sha256": "9388089e4a60d5cd88e2c99a2e060e8fa8cb897b123f5bac62290a925e7a022c"}
  ],
  "resolutions": [
    {"last_resolved": "2017-02-07 00:00:00", "ip_address": "107.180.0.110"}
  ],
  "detected_urls": [],
  "lh_report_url": null,
  "error": null,
  "has_error": false
}
```

Analyze File Hash

Retrieves a file hash report

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name  | Description                                                                          | Required |
| :---------- | :----------------------------------------------------------------------------------- | :------- |
| Column Name | Name of the column in the parent table containing file hash to submit to VirusTotal. | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: analysis details

```json
{
  "scans": {
    "Alibaba": {"detected": true, "version": "0.3.0.5", "result": "Backdoor:Win32/Nepoe.530869dc", "update": "20190527"},
    "Cybereason": {"detected": true, "version": "1.2.449", "result": "malicious.69043a", "update": "20190616"}
  },
  "scan_id": "b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962-1604018059",
  "sha1": "5b63d3bf46aec2126932d8a683ca971c56f7d717",
  "resource": "cbed16069043a0bf3c92fff9a99cccdc",
  "response_code": 1,
  "scan_date": "2020-10-30 00:34:19",
  "permalink": "https://www.virustotal.com/gui/file/b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962/detection/f-b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962-1604018059",
  "verbose_msg": "Scan finished, information embedded",
  "total": 72,
  "positives": 63,
  "sha256": "b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962",
  "md5": "cbed16069043a0bf3c92fff9a99cccdc",
  "lh_report_url": "https://www.virustotal.com/gui/file/b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962/detection/f-b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962-1604018059",
  "error": null,
  "has_error": false
}
```

Analyze IP Address

Retrieves an IP address report

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name  | Description                                                                           | Required |
| :---------- | :------------------------------------------------------------------------------------ | :------- |
| Column Name | Name of the column in the parent table containing the IP address to submit to VirusTotal. | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: analysis details

```json
{
  "asn": 7922,
  "undetected_urls": [
    ["http://cet-nat.comcastcntr.pa.bo.comcast.net/", "2521651e23393ea13e2817a4afee4847b3d35f4d2df2b5917ca332294b5aafd2", 0, 70, "2019-07-11 10:00:22"]
  ],
  "undetected_downloaded_samples": [],
  "country": "US",
  "response_code": 1,
  "as_owner": "Comcast Cable Communications, LLC",
  "detected_referrer_samples": [],
  "verbose_msg": "IP address in dataset",
  "detected_downloaded_samples": [],
  "undetected_referrer_samples": [
    {"date": "2020-04-22 23:08:01", "positives": 0, "total": 75, "sha256": "7206af0ae424df1f3eddf9198a38e24facfa3fb87fd0cff1d3991141efc1e7b7"}
  ],
  "detected_urls": [],
  "resolutions": [
    {"last_resolved": "2019-07-11 10:03:20", "hostname": "cet-nat.comcastcntr.pa.bo.comcast.net"}
  ],
  "error": null,
  "has_error": false
}
```

Analyze URL

Analyze a URL with VirusTotal

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name  | Description                                                                                      | Required |
| :---------- | :----------------------------------------------------------------------------------------------- | :------- |
| Action Type | Select an action type.                                                                           | Required |
| Column Name | Select the name of the column in the parent table containing the domain to submit to VirusTotal. | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: analysis details

```json
{
  "permalink": "https://www.virustotal.com/gui/url/34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553/detection/u-34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553-1601641706",
  "resource": "34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553-1601641706",
  "url": "https://playground.dev.logichub.com/",
  "response_code": 1,
  "scan_date": "2020-10-02 12:28:26",
  "scan_id": "34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553-1601641706",
  "verbose_msg": "Scan finished, scan information embedded in this object",
  "has_error": false,
  "error": null,
  "filescan_id": null,
  "positives": 0,
  "total": 79,
  "scans": {
    "MalwareDomainList": {"detected": false, "result": "clean site", "detail": "http://www.malwaredomainlist.com/mdl.php?search=playground.dev.logichub.com"},
    "Web Security Guard": {"detected": false, "result": "clean site"},
    "OpenPhish": {"detected": false, "result": "clean site"}
  }
}
```

Analyze File

Analyze a file with VirusTotal

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name  | Description                                                                                      | Required |
| :---------- | :----------------------------------------------------------------------------------------------- | :------- |
| Action Type | Select an action type.                                                                           | Required |
| Column Name | Select the name of the column in the parent table containing the domain to submit to VirusTotal. | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: analysis details

```json
{
  "scans": {
    "Kaspersky": {"detected": false, "version": "15.0.1.13", "result": null, "update": "20201120"},
    "MaxSecure": {"detected": false, "version": "1.0.0.1", "result": null, "update": "20201119"},
    "AVG": {"detected": false, "version": "20.10.5736.0", "result": null, "update": "20201120"}
  },
  "scan_id": "32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231-1605867145",
  "sha1": "714c804de08df5f6852a6470773f4edba31c83d9",
  "resource": "32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231-1605867145",
  "response_code": 1,
  "scan_date": "2020-11-20 10:12:25",
  "permalink": "https://www.virustotal.com/gui/file/32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231/detection/f-32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231-1605867145",
  "verbose_msg": "Scan finished, information embedded",
  "total": 61,
  "positives": 0,
  "sha256": "32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231",
  "md5": "c9cd2d0f3cee5961b579e7a5e9fd123e",
  "lh_report_url": "https://www.virustotal.com/gui/file/32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231/detection/f-32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231-1605867145",
  "error": null,
  "has_error": false
}
```
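The Analyze File Hash, Analyze URL and Analyze File outputs above share the same shape (has_error, error, response_code, positives, total, scans). The following Python helper is an added example, not code from the Devo SOAR integration or from VirusTotal, showing how a playbook step can turn one such result row into a verdict; the sample row, the thresholds and the treatment of response_code are assumptions for this example.

```python
import json
from typing import Any

# Constructed sample row, modelled on the Analyze File Hash output on this page
# (engine names and counts follow that sample; "ExampleAV" is made up).
SAMPLE_ROW = json.loads("""
{"has_error": false, "error": null,
 "response_code": 1, "positives": 63, "total": 72,
 "sha256": "b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962",
 "scans": {
   "Alibaba": {"detected": true, "result": "Backdoor:Win32/Nepoe.530869dc"},
   "Cybereason": {"detected": true, "result": "malicious.69043a"},
   "ExampleAV": {"detected": false, "result": null}}}
""")

# Assumed thresholds for this example; tune them to your own playbook.
MALICIOUS_RATIO = 0.10          # at least 10 % of engines flag the object
SUSPICIOUS_MIN_POSITIVES = 1    # any single detection is worth a look


def triage(row: dict[str, Any]) -> dict[str, Any]:
    """Reduce one VirusTotal result row to a verdict a playbook can branch on."""
    # 1. Integration-level failure: never treat a missing report as "clean".
    if row.get("has_error"):
        return {"verdict": "error", "reason": row.get("error") or "unknown error"}
    # 2. The samples on this page all carry response_code 1 for a found report;
    #    anything else is treated as "no report" (assumption for this example).
    if row.get("response_code") != 1:
        return {"verdict": "unknown", "reason": row.get("verbose_msg", "no report")}
    positives = int(row.get("positives") or 0)
    total = int(row.get("total") or 0)
    ratio = positives / total if total else 0.0
    # 3. Engines that fired, with their labels, for the analyst's ticket.
    hits = {name: s.get("result")
            for name, s in (row.get("scans") or {}).items() if s.get("detected")}
    if total and ratio >= MALICIOUS_RATIO:
        verdict = "malicious"
    elif positives >= SUSPICIOUS_MIN_POSITIVES:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "positives": positives, "total": total,
            "ratio": round(ratio, 3), "hits": hits, "sha256": row.get("sha256")}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ROW), indent=2))
```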

Intelligence Search

Search for files (the action is data-heavy, so please try to reduce the limit or increase the action timeout in case of a timeout error).

Input

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Argument Name | Description                                                                                | Required |
| :------------ | :----------------------------------------------------------------------------------------- | :------- |
| Search Query  | [Jinja-Templated](doc:jinja-template) text containing the Search Query. Example: {{query}} | Required |
| Limit         | Number of results to return (Default is 100000)                                            | Optional |

Output

A JSON object containing multiple rows of result.

```json
{
  "attributes": {
    "creation_date": 51351,
    "downloadable": true,
    "exiftool": {"Trapped": "False"},
    "first_submission_date": 1638251100,
    "last_analysis_date": 1638257416,
    "last_analysis_results": "some_object",
    "last_modification_date": 1638258704,
    "last_submission_date": 1638257416,
    "magic": "PDF document, version 1.7",
    "md5": "md5_hash",
    "meaningful_name": "/tmp/meaning.tmp",
    "names": "name_array",
    "pdf_info": "info_object",
    "reputation": 0,
    "sha1": "sha1_example",
    "sha256": "sha256_example",
    "size": 2303072,
    "ssdeep": "example",
    "tags": ["pdf", "autoaction"],
    "times_submitted": 2,
    "tlsh": "some_text",
    "total_votes": {"harmless": 0, "malicious": 0}
  },
  "links": {"self": "https://www.virustotal.com/api/v3/files/sample_id"},
  "has_error": false,
  "id": "sample_id",
  "error": null,
  "type": "file"
}
```

Additional Information

  • If you face a timeout error, increase the Action Timeout (default is 360 seconds).

File Behavior Reports

Get all behavioural information from each sandbox about the file.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description                                   | Required |
| :--------- | :-------------------------------------------- | :------- |
| File Hash  | Jinja-templated text containing the File Hash | Required |

Output

JSON containing the following items:

```json
{
  "data": [
    {
      "attributes": {
        "verdicts": ["UNKNOWN_VERDICT"],
        "has_pcap": false,
        "analysis_date": 1669409515,
        "processes_tree": [
          {"process_id": "2248", "name": "%windir%\\System32\\svchost.exe -k WerSvcGroup"},
          {"process_id": "2940", "name": "wmiadap.exe /F /T /R"},
          {"process_id": "2988", "name": "%windir%\\system32\\wbem\\wmiprvse.exe"},
          {"process_id": "2676", "name": "%SAMPLEPATH%"}
        ],
        "sandbox_name": "C2AE",
        "has_html_report": false,
        "processes_terminated": [
          "%windir%\\System32\\svchost.exe -k WerSvcGroup",
          "wmiadap.exe /F /T /R"
        ],
        "behash": "7eb58e30b74038daa9b31b5d9df78cf2",
        "has_evtx": false,
        "last_modification_date": 1669495931,
        "has_memdump": false
      },
      "type": "file_behaviour",
      "id": "hash",
      "links": {"self": "https://www.virustotal.com/api/v3/file_behaviours/{hash}"}
    }
  ],
  "links": {"self": "https://www.virustotal.com/api/v3/files/{hash}/behaviours?limit=10"}
}
```
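Each element of data is one sandbox's behaviour object, so a playbook usually wants them collapsed into a single record. The Python below is an added example, not code from the Devo SOAR integration or from VirusTotal: it walks a File Behavior Reports payload and aggregates verdicts, observed process names and available evidence across sandboxes. The payload is constructed (the first entry follows the page's sample; the second sandbox, its name and its "MALWARE" verdict value are assumptions).

```python
import json
from typing import Any

# Constructed payload shaped like the File Behavior Reports output above.
SAMPLE_REPORT = json.loads(r"""
{"data": [
  {"type": "file_behaviour", "id": "hash",
   "attributes": {"sandbox_name": "C2AE", "verdicts": ["UNKNOWN_VERDICT"],
     "has_pcap": false, "has_memdump": false, "has_evtx": false,
     "behash": "7eb58e30b74038daa9b31b5d9df78cf2",
     "processes_tree": [
       {"process_id": "2248", "name": "%windir%\\System32\\svchost.exe -k WerSvcGroup"},
       {"process_id": "2676", "name": "%SAMPLEPATH%"}]}},
  {"type": "file_behaviour", "id": "hash",
   "attributes": {"sandbox_name": "ExampleSandbox", "verdicts": ["MALWARE"],
     "has_pcap": true, "has_memdump": false, "has_evtx": true,
     "behash": "7eb58e30b74038daa9b31b5d9df78cf2",
     "processes_tree": [
       {"process_id": "1", "name": "%SAMPLEPATH%"},
       {"process_id": "2", "name": "%windir%\\system32\\wbem\\wmiprvse.exe"}]}}]}
""")

ARTIFACT_FLAGS = ("has_pcap", "has_memdump", "has_evtx")


def summarise_behaviour(report: dict[str, Any]) -> dict[str, Any]:
    """Collapse the per-sandbox entries of one report into a single record."""
    sandboxes, verdicts, processes, behashes = [], set(), set(), set()
    artifacts: dict[str, list[str]] = {}
    for entry in report.get("data", []):
        if entry.get("type") != "file_behaviour":
            continue  # ignore anything that is not a behaviour object
        attrs = entry.get("attributes", {})
        name = attrs.get("sandbox_name", "unknown")
        sandboxes.append(name)
        verdicts.update(attrs.get("verdicts", []))
        processes.update(p.get("name", "") for p in attrs.get("processes_tree", []))
        # Evidence that can be fetched for this sandbox run (pcap, memdump, evtx).
        artifacts[name] = [flag[4:] for flag in ARTIFACT_FLAGS if attrs.get(flag)]
        if attrs.get("behash"):
            behashes.add(attrs["behash"])  # behaviour hash, useful for clustering
    verdicts.discard("UNKNOWN_VERDICT")  # placeholder verdict carries no signal
    return {"sandboxes": sandboxes, "verdicts": sorted(verdicts),
            "processes": sorted(processes), "artifacts": artifacts,
            "behashes": sorted(behashes),
            "any_malicious": any(v.upper() == "MALWARE" for v in verdicts)}


if __name__ == "__main__":
    print(json.dumps(summarise_behaviour(SAMPLE_REPORT), indent=2))
```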

Release Notes

  • v4.1.1 - Added 2 new actions: File Behavior Reports and Summarise File Behavior Reports.

  • v4.0.0 - Updated architecture to support IO via filesystem