VirusTotal

VirusTotal_DownloadSample
Details
| Field | Value |
|---|---|
| Author | LDO-CERT |
| Version | 3.1 |
| License | AGPL-V3 |
| Requires Registration | Yes |
| Requires Subscription | Yes |
| Free Subscription Available | No |
| DataType Supported | hash |
| Service Homepage | |
Description
Use VirusTotal to download the original file for a hash.
Configuration
| Name | Description |
|---|---|
| key | API private key for VirusTotal |
VirusTotal_GetReport
Details
| Field | Value |
|---|---|
| Author | CERT-BDF, StrangeBee |
| Version | 3.1 |
| License | AGPL-V3 |
| Requires Registration | Yes |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | file, hash, domain, fqdn, ip, url |
| Service Homepage | |
Description
Get the latest VirusTotal report for a file, hash, domain or IP address.
Configuration
| Name | Description |
|---|---|
| key | API key for VirusTotal |
| polling_interval | Time interval between two successive requests for the report |
| rescan_hash_older_than_days | Rescan a hash observable if its report is older than the given number of days |
| highlighted_antivirus | Add a taxonomy entry if the selected AV engines do not recognize the observable |
| download_sample | Automatically download the sample as an observable when looking up a hash |
| download_sample_if_highlighted | Automatically download the sample as an observable if the highlighted antivirus did not recognize it |
VirusTotal_Rescan
Details
| Field | Value |
|---|---|
| Author | CERT-LDO |
| Version | 3.1 |
| License | AGPL-V3 |
| Requires Registration | Yes |
| Requires Subscription | Yes |
| Free Subscription Available | No |
| DataType Supported | hash |
| Service Homepage | |
Description
Use VirusTotal to run a new analysis on a hash.
Configuration
| Name | Description |
|---|---|
| key | API key for VirusTotal |
| polling_interval | Time interval between two successive requests for the report |
| highlighted_antivirus | Add a taxonomy entry if the selected AV engines do not recognize the observable |
| download_sample | Automatically download the sample as an observable when looking up a hash |
| download_sample_if_highlighted | Automatically download the sample as an observable if the highlighted antivirus did not recognize it |
VirusTotal_Scan
Details
| Field | Value |
|---|---|
| Author | CERT-BDF, StrangeBee |
| Version | 3.1 |
| License | AGPL-V3 |
| Requires Registration | Yes |
| Requires Subscription | No |
| Free Subscription Available | No |
| DataType Supported | file, url |
| Service Homepage | |
Description
Use VirusTotal to scan a file or URL.
Configuration
| Name | Description |
|---|---|
| key | API key for VirusTotal |
| polling_interval | Time interval between two successive requests for the report |
| highlighted_antivirus | Add a taxonomy entry if the selected AV engines do not recognize the observable |
Additional details from the README file:
This analyzer lets you run VirusTotal services on several datatypes:
- file
- hash
- domain
- fqdn
- ip
- url
The program uses VirusTotal API v3.
Major improvements have been added to the _VirusTotal_GetReport_ flavor. In addition to the classical scan results, the report can now display:
- A summary, with qualitative information about the detection
- Crowdsourced YARA results, with known YARA rules that detect the threat
- Contacted IP addresses, domains and URLs, if any
- Crowdsourced IDS results, with known IDS rules that detect the threat
- Sandbox verdict, if any
Extracted Observables
Moreover, the reported domains, IP addresses and URLs, as well as the detection YARA and IDS rules, are added to the extracted Observables, ready to be imported and actioned in TheHive.
