ReversingLabs A1000 v2
This Integration is part of the ReversingLabs A1000 Pack.#
Supported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
ReversingLabs A1000 is an advanced malware analysis platform.
Configure ReversingLabs A1000 v2 on Cortex XSOAR#
1. Navigate to Settings > Integrations > Servers & Services.
2. Search for ReversingLabs A1000 v2.
3. Click Add instance to create and configure a new integration instance.

Parameter | Required |
---|---|
ReversingLabs A1000 instance URL | True |
API Token | True |
Verify host certificates | False |
Reliability | False |
Wait time between report fetching retries (seconds). Default is 2 seconds. | False |
Number of report fetching retries. Default is 30. | False |
HTTP proxy address with the protocol and port number. | False |
HTTP proxy username | False |
HTTP proxy password | False |
HTTPS proxy address with the protocol and port number. | False |
HTTPS proxy username | False |
HTTPS proxy password | False |

4. Click Test to validate the URLs, token, and connection.
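The two retry parameters (wait time between report fetching retries, number of retries) bound how long a command that waits for analysis results can spend polling the A1000: with the defaults of 2 seconds and 30 retries that is roughly a minute of waiting before the command gives up. The Python below is an added illustration of that bound, not the integration's own code; the `fetch()` callback, its "None while still processing" contract and every function name are assumptions made for the example.

```python
"""Model of the A1000 v2 "report fetching" retry settings.

Added illustration, not the integration's own code: it shows how the two
instance parameters (wait time between retries, number of retries) bound
the time a command that waits for analysis results can spend polling.
The fetch() callback, its "None while still processing" contract and all
function names here are assumptions made for the example.
"""
import time
from typing import Callable, Dict, List, Optional

DEFAULT_WAIT_SECONDS = 2   # page default: 2 seconds between retries
DEFAULT_RETRIES = 30       # page default: 30 retries

Fetcher = Callable[[], Optional[Dict]]


class ReportNotReady(Exception):
    """Raised when the analysis is still not finished after the last retry."""


def max_wait_seconds(wait_seconds: float, retries: int) -> float:
    """Worst-case pure waiting time: one pause after each attempt except the last.

    With the page defaults that is 29 * 2 = 58 s, before request latency.
    """
    return wait_seconds * max(retries - 1, 0)


def poll_report(fetch: Fetcher, wait_seconds: float = DEFAULT_WAIT_SECONDS,
                retries: int = DEFAULT_RETRIES,
                sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Call fetch() up to `retries` times, pausing `wait_seconds` between calls.

    fetch() returns the report dict once the A1000 has finished, or None while
    the sample is still queued/processing (assumed contract).
    """
    if retries < 1:
        raise ValueError("retries must be at least 1")
    if wait_seconds < 0:
        raise ValueError("wait_seconds must not be negative")
    for attempt in range(1, retries + 1):
        report = fetch()
        if report is not None:
            return report
        if attempt < retries:
            sleep(wait_seconds)
    raise ReportNotReady(
        f"no report after {retries} attempts "
        f"({max_wait_seconds(wait_seconds, retries):g} s of waiting)")


def make_fake_fetcher(ready_after: int, report: Dict) -> Fetcher:
    """Constructed stand-in for the A1000 request: None for the first
    `ready_after` calls, then the report."""
    calls = [0]

    def fetch() -> Optional[Dict]:
        calls[0] += 1
        return report if calls[0] > ready_after else None
    return fetch


def demo(ready_after: int = 3, wait_seconds: float = DEFAULT_WAIT_SECONDS,
         retries: int = DEFAULT_RETRIES) -> Dict:
    """Run the poll against a fake fetcher and report how long it would have waited."""
    # Constructed report; field names mirror the human-readable output on this page.
    sample = {"sha1": "a94775deb818a4d68635eeed3d16abc7f7b8bdd6",
              "classification": "malicious", "riskscore": 10}
    pauses: List[float] = []
    report = poll_report(make_fake_fetcher(ready_after, sample),
                         wait_seconds, retries, sleep=pauses.append)
    return {"report": report, "attempts": len(pauses) + 1,
            "waited_seconds": sum(pauses)}


if __name__ == "__main__":
    print(demo())
```

Raising the retry count lengthens the worst case linearly, so for large archives that take the A1000 longer to unpack it is usually better to raise the wait time than to multiply short polls.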
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
reversinglabs-a1000-get-results#
Retrieve sample analysis results
Base Command#
reversinglabs-a1000-get-results
Input#
Argument Name | Description | Required |
---|---|---|
hash | file hash. | Required |
Context Output#
Path | Type | Description |
---|---|---|
File.SHA256 | String | The SHA256 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA512 | String | The SHA512 hash of the file. |
File.Name | String | The name of the file. |
File.EntryID | String | The Entry ID. |
File.Info | String | Information about the file. |
File.Type | String | The type of the file. |
File.MD5 | String | MD5 hash of the file. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
ReversingLabs.a1000_report | Unknown | A1000 report |
Command example#
!reversinglabs-a1000-get-results hash="a94775deb818a4d68635eeed3d16abc7f7b8bdd6"
Context Example#
Human Readable Output#
ReversingLabs A1000 results for: a94775deb818a4d68635eeed3d16abc7f7b8bdd6#
Type: Binary/Archive
Size: 607237 bytes
MD5: a322205db6c3b1c451725b84f1d010cc
SHA1: a94775deb818a4d68635eeed3d16abc7f7b8bdd6
SHA256: d3d8091a287c8aee0ee5c54838540e714f22eef7cbeb65eb2b6af42116f5d5f2
SHA512: d1fd72d5a52d75f23836016772e8895d901fa5a1cb1f9b25ba455db6cccbd97e9daf43fde4f8bb77b43c0b5c4937405d51dece20cda7fa7db7600715c7769554
ID: 3065
Malware status: malicious
Local first seen: 2022-12-19T11:39:10.929115Z
Local last seen: 2022-12-20T17:37:24.670052Z
First seen: 2022-12-19T11:39:11Z
Last seen: 2022-12-20T17:37:29Z
DBot score: 3
Risk score: 10
Threat name: Win32.Trojan.Delf
Category: archive
Classification origin: {'sha1': 'aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad', 'sha256': '43d51f009bf94707556031b9688e84bb85df2c59854fba8fcb90be6c0d19e1d1', 'sha512': '8a1c9512fa167b938ea31c047a48dd6ec36d9b22443bc4ee6b97a116e16ff33427645ac76349f531cd9a672b4fffc3c4c92d1c82d2a71241915c1499336fd221', 'md5': '8521e64c683e47c1db64d80577513016', 'imphash': 'c57e34b759dff2e57f71960b2fdb93da'}
Classification reason: antivirus
Aliases: aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad.rl.zip
Extracted file count: 85
Identification name: ZIP
Identification version: Generic
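The Context Output table for this command lists the File and DBotScore entries the integration fills in, and the human-readable output above shows a malicious archive whose verdict comes from a file inside it (the classification origin SHA1 differs from the sample's own). The Python below is an added example, not the integration's code: it builds those two context entries from a report dict constructed from the output above. The report field names, the vendor string, and the mapping of the non-malicious classifications to DBot scores are assumptions; the page itself only shows that "malicious" yields a DBot score of 3.

```python
"""Build XSOAR-style File and DBotScore context from an A1000 classification.

Added example, not the integration's code. The report dict below is
constructed from the human-readable output on this page; its field names
and the vendor string are assumptions. The score mapping follows the XSOAR
DBotScore convention (0 none, 1 good, 2 suspicious, 3 bad); the page shows
only that "malicious" maps to 3.
"""
from typing import Any, Dict, List, Optional

VENDOR = "ReversingLabs A1000 v2"  # assumed DBotScore.Vendor label

# malicious -> 3 is on the page; the other values apply the XSOAR convention
# to the remaining ReversingLabs classifications (assumption).
CLASSIFICATION_TO_DBOT = {"malicious": 3, "suspicious": 2, "goodware": 1, "unknown": 0}


def dbot_score(classification: Optional[str]) -> int:
    """Map an A1000 classification to a DBotScore; anything unrecognised is 0 (unknown)."""
    return CLASSIFICATION_TO_DBOT.get((classification or "").lower(), 0)


def classification_source(report: Dict[str, Any]) -> str:
    """Say whether the verdict is the file's own or propagated from an extracted child.

    For the archive on this page the origin SHA1 is the executable inside the
    ZIP; an analyst needs that when the container itself looks harmless.
    """
    origin = report.get("classification_origin")
    if origin and origin.get("sha1") and origin["sha1"] != report["sha1"]:
        return f"propagated from extracted file {origin['sha1']}"
    return "direct"


def build_context(report: Dict[str, Any]) -> Dict[str, List[Dict[str, Any]]]:
    """Produce the File and DBotScore entries listed under Context Output."""
    file_entry: Dict[str, Any] = {
        "SHA1": report["sha1"],
        "SHA256": report["sha256"],
        "SHA512": report.get("sha512"),
        "MD5": report["md5"],
        "Name": (report.get("aliases") or [report["sha1"]])[0],
        "Type": report.get("file_type"),
        "Info": f"{report.get('classification')} "
                f"({report.get('threat_name') or 'no threat name'}), "
                f"classification {classification_source(report)}",
    }
    score = dbot_score(report.get("classification"))
    dbot_entry = {"Indicator": report["sha1"], "Type": "file",
                  "Vendor": VENDOR, "Score": score}
    if score == 3:
        # XSOAR practice: a bad verdict carries a Malicious block on the File entry.
        file_entry["Malicious"] = {"Vendor": VENDOR,
                                   "Description": report.get("threat_name")}
    return {"File": [file_entry], "DBotScore": [dbot_entry]}


# Constructed from the get-results human-readable output above (the ZIP sample).
SAMPLE_REPORT: Dict[str, Any] = {
    "sha1": "a94775deb818a4d68635eeed3d16abc7f7b8bdd6",
    "sha256": "d3d8091a287c8aee0ee5c54838540e714f22eef7cbeb65eb2b6af42116f5d5f2",
    "sha512": "d1fd72d5a52d75f23836016772e8895d901fa5a1cb1f9b25ba455db6cccbd97e"
              "9daf43fde4f8bb77b43c0b5c4937405d51dece20cda7fa7db7600715c7769554",
    "md5": "a322205db6c3b1c451725b84f1d010cc",
    "file_type": "Binary/Archive",
    "classification": "malicious",
    "riskscore": 10,
    "threat_name": "Win32.Trojan.Delf",
    "classification_reason": "antivirus",
    "classification_origin": {"sha1": "aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad"},
    "aliases": ["aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad.rl.zip"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_context(SAMPLE_REPORT), indent=2))
```

Recording the propagation in `File.Info` keeps the playbook's indicator on the archive hash that was actually seen while still pointing the analyst at the extracted file that earned the verdict.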
reversinglabs-a1000-upload-sample#
Upload sample to A1000 for analysis
Base Command#
reversinglabs-a1000-upload-sample
Input#
Argument Name | Description | Required |
---|---|---|
entryId | The file entry to upload. | Required |
comment | A comment to add to the file. | Optional |
tags | List of tags for the file. | Optional |
Context Output#
Path | Type | Description |
---|---|---|
ReversingLabs.a1000_upload_report | Unknown | A1000 report |
Command example#
!reversinglabs-a1000-upload-sample entryId="7469@08d0efc0-7fc6-4c26-8ae9-f3bfc7b92a59" comment="this_is_a_comment" tags="one_tag"
Context Example#
Human Readable Output#
ReversingLabs A1000 upload sample#
Message: Done.
ID: 150
SHA1: 0000a0a549be5b7a95b782d31f73d8f608c4a440
Created: 2023-06-06T16:40:33.541071Z
reversinglabs-a1000-upload-sample-and-get-results#
Upload sample to A1000 and retrieve analysis results
Base Command#
reversinglabs-a1000-upload-sample-and-get-results
Input#
Argument Name | Description | Required |
---|---|---|
entryId | The file entry to upload. | Required |
comment | A comment to add to the file. | Optional |
tags | List of tags for the file. | Optional |
Context Output#
Path | Type | Description |
---|---|---|
File.SHA256 | String | The SHA256 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA512 | String | The SHA512 hash of the file. |
File.Name | String | The name of the file. |
File.EntryID | String | The Entry ID. |
File.Info | String | Information about the file. |
File.Type | String | The type of the file. |
File.MD5 | String | MD5 hash of the file. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
ReversingLabs.a1000_report | Unknown | A1000 report |
Command example#
!reversinglabs-a1000-upload-sample-and-get-results entryId="7469@08d0efc0-7fc6-4c26-8ae9-f3bfc7b92a59" comment="this_is_a_comment" tags="one_tag"
Context Example#
Human Readable Output#
ReversingLabs A1000 results for: 0000a0a549be5b7a95b782d31f73d8f608c4a440#
Type: PE/Exe
Size: 385774 bytes
MD5: 96d17cad51f2b7c817481e5a724c9b3f
SHA1: 0000a0a549be5b7a95b782d31f73d8f608c4a440
SHA256: 0b40fb0cef3b557a34a3d7a9cd75d5180099205ccdceb8a73e1dfe73dbd282fd
SHA512: 4546796ffd5075fc317549f6522df808f03d0d9e97398243259ed3d1bfb0b108083a2200fff49e4de25c5521eaef751d420763c089327b384feea27dc36d316a
ID: 5722
Malware status: malicious
Local first seen: 2023-06-06T16:40:34.604510Z
Local last seen: 2023-06-06T16:40:34.604510Z
First seen: 2014-02-10T18:16:00Z
Last seen: 2023-03-06T12:17:51Z
DBot score: 3
Risk score: 9
Threat name: Win32.Browser.StartPage
Category: application
Classification origin: None
Classification reason: antivirus
Aliases: 0000a0a549be5b7a95b782d31f73d8f608c4a440
Extracted file count: 6
Identification name: NSIS
Identification version: Generic
ReversingLabs threat indicators#
category | description | id | priority | reasons | propagated | relevance |
---|---|---|---|---|---|---|
22 | Deletes files in Windows system directories. | 101 | 7 | Imported API Name: DeleteFileA, GetSystemDirectoryA | False | 0 |
11 | Requests permission required to shut down a system. | 990 | 7 | Strings: AdjustTokenPrivileges, SeShutdownPrivilege | False | 0 |
10 | Contains lzma compressed PE file. | 1052 | 7 | Pattern Match: Found a pattern [3c 2d 57 47 be 2d be 94 bd 8b dc 6f 25 97 af 50 f1 d2 5b 85 52 e1 d4 7c 3d 4c 75 4d a7 1f 1b 73 ed eb 01 c5 71 2f 70 5f b4 25 6f 1e a3 c5 c8 f1 1b bd] that ends at offset 138465 | False | 0 |
10 | Executes a file. | 21 | 6 | Imported API Name: CreateProcessA | False | 0 |
22 | Writes to files in Windows system directories. | 99 | 5 | Imported API Name: CreateFileA, GetSystemDirectoryA, WriteFile | False | 0 |
11 | Tampers with user/account privileges. | 329 | 5 | Strings: AdjustTokenPrivileges | False | 0 |
12 | Checks operating system version. | 930 | 5 | Imported API Name: GetVersion | False | 0 |
22 | Creates temporary files. | 969 | 5 | Imported API Name: GetTempFileNameA | False | 0 |
6 | Contains a reference to ActiveX GUID with the Kill-Bit flag set. | 1086 | 5 | Pattern Match: Found a pattern [65 72 5c 51 75 69 63 6b 20 4c 61 75 6e 63 68 00 00 00 ee 14 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 01 14 02 00 00 00 00 00 c0 00 00 00 00 00 00 46] that ends at offset 25492 | False | 0 |
22 | Deletes files. | 5 | 4 | Imported API Name: DeleteFileA | False | 0 |
9 | Accesses/modifies registry. | 7 | 4 | Imported API Name: RegDeleteValueA; Strings: RegDeleteKeyExA | False | 0 |
22 | Creates/opens files in Windows system directories. | 95 | 4 | Imported API Name: CreateFileA, GetSystemDirectoryA | False | 0 |
22 | Reads from files in Windows system directories. | 97 | 4 | Imported API Name: CreateFileA, GetSystemDirectoryA, ReadFile | False | 0 |
10 | Tampers with system shutdown. | 117 | 4 | Imported API Name: ExitWindowsEx | False | 0 |
13 | Enumerates system information. | 149 | 4 | Imported API Name: GetSystemDirectoryA | False | 0 |
0 | Contains URLs. | 310 | 4 | Strings: http://ailiao.liaoban.com/, http://nsis.sf.net/, open http://ailiao.liaoban.com/ | False | 0 |
22 | Modifies file/directory attributes. | 384 | 4 | Imported API Name: SetFileAttributesA | False | 0 |
22 | Copies, moves, renames, or deletes a file system object. | 965 | 4 | Imported API Name: SHFileOperationA | False | 0 |
12 | Reads paths to special directories on Windows. | 966 | 4 | Imported API Name: SHGetSpecialFolderLocation | False | 0 |
12 | Reads paths to system directories on Windows. | 967 | 4 | Imported API Name: GetSystemDirectoryA | False | 0 |
12 | Reads path to temporary file location on Windows. | 968 | 4 | Imported API Name: GetTempPathA | False | 0 |
11 | Enumerates user/account privilege information. | 1215 | 4 | Strings: LookupPrivilegeValueA | False | 0 |
22 | Writes to files. | 3 | 3 | Imported API Name: CreateFileA, WriteFile | False | 0 |
1 | Uses anti-debugging methods. | 9 | 3 | Imported API Name: GetTickCount | False | 0 |
7 | Detects/enumerates process modules. | 81 | 3 | Imported API Name: GetModuleFileNameA | False | 0 |
22 | Removes a directory. | 340 | 3 | Imported API Name: RemoveDirectoryA | False | 0 |
7 | Tampers with keyboard/mouse status. | 381 | 3 | Imported API Name: EnableWindow | False | 0 |
22 | Copies a file. | 1031 | 3 | Imported API Name: CopyFileA | False | 0 |
22 | Reads from files. | 1 | 2 | Imported API Name: CreateFileA, ReadFile | False | 0 |
10 | Might load additional DLLs and APIs. | 69 | 2 | Imported API Name: GetProcAddress, LoadLibraryA | False | 0 |
12 | Enumerates files. | 119 | 2 | Imported API Name: FindFirstFileA | False | 0 |
13 | Enumerates system variables. | 151 | 2 | Imported API Name: ExpandEnvironmentStringsA | False | 0 |
22 | Creates a directory. | 338 | 2 | Imported API Name: CreateDirectoryA | False | 0 |
22 | Renames files. | 920 | 2 | Imported API Name: MoveFileA | False | 0 |
22 | Creates/Opens a file. | 0 | 1 | Imported API Name: CreateFileA | False | 0 |
12 | Contains references to executable file extensions. | 313 | 1 | Strings: $PLUGINSDIR\SkinBtn.dll | False | 0 |
12 | Contains references to source code file extensions. | 314 | 1 | Strings: http://ailiao.liaoban.com/xszd/index.html, open http://ailiao.liaoban.com/xszd/index.html | False | 0 |
12 | Contains references to image file extensions. | 315 | 1 | Strings: /IMGID=$PLUGINSDIR\checkbox1.bmp, /IMGID=$PLUGINSDIR\checkbox2.bmp | False | 0 |
18 | Accesses clipboard. | 328 | 1 | Capability Match: Clipboard | False | 0 |
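The threat-indicator list above pairs each behavioural finding with a priority and the concrete evidence (imported API names, strings, pattern matches) behind it; in the War Room an analyst mostly wants the high-priority rows and the evidence collapsed into one view. The Python below is an added triage helper, not part of the integration or of the A1000 API. It runs on a constructed subset of the rows above (same category/description/id/priority/reasons/relevance fields), and its function names are the author's own.

```python
"""Triage helper for the threat indicators returned with an A1000 report.

Added example, not the integration's code. INDICATORS is a constructed
subset of the indicator table on this page; the A1000 returns the same
fields (category, description, id, priority, reasons, relevance) but the
way they are nested in the real JSON is not shown on the page and is
assumed here.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed from four rows of the indicator table above.
INDICATORS: List[Dict] = [
    {"category": 22, "description": "Deletes files in Windows system directories.",
     "id": 101, "priority": 7, "relevance": 0,
     "reasons": [{"propagated": False, "category": "Imported API Name",
                  "description": "Imports the following function: DeleteFileA"},
                 {"propagated": False, "category": "Imported API Name",
                  "description": "Imports the following function: GetSystemDirectoryA"}]},
    {"category": 11, "description": "Requests permission required to shut down a system.",
     "id": 990, "priority": 7, "relevance": 0,
     "reasons": [{"propagated": False, "category": "Strings",
                  "description": "Contains the following string: AdjustTokenPrivileges"},
                 {"propagated": False, "category": "Strings",
                  "description": "Contains the following string: SeShutdownPrivilege"}]},
    {"category": 10, "description": "Executes a file.", "id": 21, "priority": 6, "relevance": 0,
     "reasons": [{"propagated": False, "category": "Imported API Name",
                  "description": "Imports the following function: CreateProcessA"}]},
    {"category": 18, "description": "Accesses clipboard.", "id": 328, "priority": 1, "relevance": 0,
     "reasons": [{"propagated": False, "category": "Capability Match",
                  "description": "Matched the following application capabilities: Clipboard"}]},
]


def evidence(reason: Dict) -> str:
    """Strip the fixed prefix ("Imports the following function: ") and keep the value."""
    return reason["description"].split(": ", 1)[-1]


def top_indicators(indicators: List[Dict], min_priority: int) -> List[Dict]:
    """Indicators at or above the threshold, highest priority first, ties by id."""
    kept = [i for i in indicators if i["priority"] >= min_priority]
    return sorted(kept, key=lambda i: (-i["priority"], i["id"]))


def evidence_by_type(indicators: List[Dict]) -> Dict[str, List[str]]:
    """Distinct evidence values per reason category, in first-seen order."""
    found: Dict[str, List[str]] = defaultdict(list)
    for ind in indicators:
        for reason in ind["reasons"]:
            value = evidence(reason)
            if value not in found[reason["category"]]:
                found[reason["category"]].append(value)
    return dict(found)


def summarize(indicators: List[Dict], min_priority: int = 5) -> Dict:
    """One-screen view: high-priority behaviours plus the evidence behind them.

    propagated_from_child flags whether any kept reason was inherited from an
    extracted file rather than observed in the sample itself.
    """
    top = top_indicators(indicators, min_priority)
    return {
        "high_priority": [f"[{i['priority']}] {i['description']}" for i in top],
        "evidence": evidence_by_type(top),
        "propagated_from_child": any(r["propagated"] for i in top for r in i["reasons"]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(INDICATORS), indent=2))
```

The priority threshold is the knob to tune: priority 1 rows such as "Accesses clipboard" are common in legitimate installers, while the priority 7 rows on this page (deleting files in system directories, requesting shutdown privilege) are what justify the risk score.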
reversinglabs-a1000-delete-sample#
Delete an uploaded sample from A1000
Base Command#
reversinglabs-a1000-delete-sample
Input#
Argument Name | Description | Required |
---|---|---|
hash | The hash to delete. | Required |
Context Output#
Path | Type | Description |
---|---|---|
ReversingLabs.a1000_delete_report | Unknown | A1000 file delete report |
Command example#
!reversinglabs-a1000-delete-sample hash="0000a0a381d31e0dafcaa22343d2d7e40ff76e06"
Context Example#
Human Readable Output#
ReversingLabs A1000 delete sample#
Message: Sample deleted successfully.
MD5: a984de0ce47a8d5337ef569c812b57d0
SHA1: 0000a0a381d31e0dafcaa22343d2d7e40ff76e06
SHA256: b25e707a78a472d92a99b08be5d0e55072f695275a7408d1e841a5344ca85dc3
reversinglabs-a1000-list-extracted-files#
List files extracted from a sample.
Base Command#
reversinglabs-a1000-list-extracted-files
Input#
Argument Name | Description | Required |
---|---|---|
hash | The sample hash. | Required |
max_results | Maximum number of results to return. Default is 5000. | Optional |
Context Output#
Path | Type | Description |
---|---|---|
ReversingLabs.a1000_list_extracted_report | Unknown | A1000 list extracted files report. |
Command example#
!reversinglabs-a1000-list-extracted-files hash="a94775deb818a4d68635eeed3d16abc7f7b8bdd6" max_results="2"
Context Example#
Human Readable Output#
Extracted files#
SHA1 | Name | Path | Info | Size | Local First Seen | Local Last Seen | Malware Status | Risk Score | Identification Name | Identification Version | Type Display |
---|---|---|---|---|---|---|---|---|---|---|---|
aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad | aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad.rl | aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad.rl | PE/Exe | 1432064 | 2022-10-27T11:03:31.473395Z | 2023-08-10T00:15:32.849362Z | malicious | 10 | | | PE/Exe |
1489f923c4dca729178b3e3233458550d8dddf29 | 1 | binary_layer/resource/1 | Text/None | 2 | 2022-10-27T11:03:31.473395Z | 2023-08-10T00:15:32.849362Z | malicious | 10 | | | Text/None |
reversinglabs-a1000-download-sample#
Download sample from A1000
Base Command#
reversinglabs-a1000-download-sample
Input#
Argument Name | Description | Required |
---|---|---|
hash | Sample hash to download. | Required |
Context Output#
There is no context output for this command.
Command example#
!reversinglabs-a1000-download-sample hash="a94775deb818a4d68635eeed3d16abc7f7b8bdd6"
Context Example#
Human Readable Output#
ReversingLabs A1000 download sample#
Requested sample is available for download under the name a94775deb818a4d68635eeed3d16abc7f7b8bdd6
reversinglabs-a1000-reanalyze#
Re-analyze sample on A1000
Base Command#
reversinglabs-a1000-reanalyze
Input#
Argument Name | Description | Required |
---|---|---|
hash | The hash of an already uploaded sample. | Required |
Context Output#
Path | Type | Description |
---|---|---|
ReversingLabs.a1000_reanalyze_report | Unknown | Get extracted files report |
Command example#
!reversinglabs-a1000-reanalyze hash="a94775deb818a4d68635eeed3d16abc7f7b8bdd6"
Context Example#
Human Readable Output#
ReversingLabs A1000 re-analyze sample#
Message: Sample is queued for analysis.
MD5: a322205db6c3b1c451725b84f1d010cc
SHA1: a94775deb818a4d68635eeed3d16abc7f7b8bdd6
SHA256: d3d8091a287c8aee0ee5c54838540e714f22eef7cbeb65eb2b6af42116f5d5f2
reversinglabs-a1000-download-extracted-files#
Download samples obtained through the unpacking process
Base Command#
reversinglabs-a1000-download-extracted-files
Input#
Argument Name | Description | Required |
---|---|---|
hash | The sample hash we want unpacked samples for. | Required |
Context Output#
There is no context output for this command.
Command example#
!reversinglabs-a1000-download-extracted-files hash="a94775deb818a4d68635eeed3d16abc7f7b8bdd6"
Context Example#
Human Readable Output#
ReversingLabs A1000 download extracted files#
Extracted files are available for download under the name a94775deb818a4d68635eeed3d16abc7f7b8bdd6.zip
reversinglabs-a1000-get-classification#
Retrieve classification report for a sample
Base Command#
reversinglabs-a1000-get-classification
Input#
Argument Name | Description | Required |
---|---|---|
hash | The hash of a desired sample. | Required |
localOnly | Return only local classification data for the sample, without falling back to querying TitaniumCloud. Default is False. | Optional |
Context Output#
Path | Type | Description |
---|---|---|
File.SHA256 | String | The SHA256 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA512 | String | The SHA512 hash of the file. |
File.Name | String | The name of the file. |
File.EntryID | String | The Entry ID. |
File.Info | String | Information about the file. |
File.Type | String | The type of the file. |
File.MD5 | String | MD5 hash of the file. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
ReversingLabs.a1000_classification_report | Unknown | A1000 classification report |
Command example#
!reversinglabs-a1000-get-classification hash="a94775deb818a4d68635eeed3d16abc7f7b8bdd6" localOnly="False"
Context Example#
Human Readable Output#
ReversingLabs A1000 get classification for sha1: a94775deb818a4d68635eeed3d16abc7f7b8bdd6#
Classification: malicious
Riskscore: 10
First seen: 2022-12-19T11:39:11Z
Last seen: 2023-06-06T16:02:03Z
Classification result: Win32.Trojan.Delf
Classification reason: Antivirus
Classification origin: {'sha1': 'aeb8cb59f158ca853a41c55ca3cfa14c0bf1baad', 'sha256': '43d51f009bf94707556031b9688e84bb85df2c59854fba8fcb90be6c0d19e1d1', 'sha512': '8a1c9512fa167b938ea31c047a48dd6ec36d9b22443bc4ee6b97a116e16ff33427645ac76349f531cd9a672b4fffc3c4c92d1c82d2a71241915c1499336fd221', 'md5': '8521e64c683e47c1db64d80577513016', 'imphash': 'c57e34b759dff2e57f71960b2fdb93da'}
Cloud last lookup: 2023-06-06T16:05:02Z
Data source: LOCAL
Sha1: a94775deb818a4d68635eeed3d16abc7f7b8bdd6
Sha256: d3d8091a287c8aee0ee5c54838540e714f22eef7cbeb65eb2b6af42116f5d5f2
Md5: a322205db6c3b1c451725b84f1d010cc
Av scanners: {'scanner_count': 32, 'scanner_match': 0, 'scanner_percent': 0.0, 'vendor_count': 21, 'vendor_match': 0, 'vendor_percent': 0.0, 'antivirus': {'vendor_match': 0, 'scanner_match': 0, 'vendor_count': 21, 'scanner_count': 32}}
reversinglabs-a1000-advanced-search#
Search for hashes on A1000 using multi-part search criteria.
Base Command#
reversinglabs-a1000-advanced-search
Input#
Argument Name | Description | Required |
---|---|---|
query | Advanced search query. | Required |
ticloud | Show only cloud results. If omitted, the response will show only local results. Possible values are: true, false. Default is false. | Optional |
result_limit | Maximum number of results. Default is 5000. | Optional |
Context Output#
Path | Type | Description |
---|---|---|
ReversingLabs.a1000_advanced_search_report | Unknown | A1000 classification report |
Command example#
!reversinglabs-a1000-advanced-search query="av-count:5 available:TRUE" ticloud="False" result_limit=2
Context Example#
Human Readable Output#
ReversingLabs A1000 advanced search#
Full report is returned in a downloadable file
reversinglabs-a1000-url-report#
Get a report for the submitted URL.
Base Command#
reversinglabs-a1000-url-report
Input#
Argument Name | Description | Required |
---|---|---|
url | URL string. | Required |
Context Output#
Path | Type | Description |
---|---|---|
ReversingLabs.a1000_url_report | Unknown | A1000 URL report |
Command example#
!reversinglabs-a1000-url-report url="http://akiwinds.duckdns.org/chats/fre.php"
Context Example#
Human Readable Output#
ReversingLabs A1000 URL Report for http://akiwinds.duckdns.org/chats/fre.php#
Classification: malicious
Third party reputation statistics#
Total: 20 Malicious: 1 Clean: 0 Undetected: 19
Analysis statistics#
Unknown: None Suspicious: None Malicious: None Goodware: None Total: None
First analysis: None Analysis count: None
Third party reputation sources#
Sources#
detection | source | update_time |
---|---|---|
undetected | phishing_database | 2023-06-06T10:57:14 |
undetected | cyren | 2023-06-06T13:09:05 |
undetected | cyradar | 2023-06-06T07:37:28 |
undetected | netstar | 2023-06-06T11:25:58 |
undetected | malsilo | 2023-06-06T11:06:03 |
undetected | mute | 2023-06-06T13:39:52 |
malicious | adminus_labs | 2023-06-06T14:33:53 |
undetected | apwg | 2023-06-06T13:21:19 |
undetected | 0xSI_f33d | 2023-06-06T05:21:10 |
undetected | threatfox_abuse_ch | 2023-06-06T07:20:33 |
undetected | alphamountain | 2023-06-06T13:52:05 |
undetected | phishstats | 2023-06-06T04:12:33 |
undetected | comodo_valkyrie | 2023-06-06T14:40:10 |
undetected | alien_vault | 2023-06-06T00:34:26 |
undetected | osint | 2023-06-06T00:30:41 |
undetected | openphish | 2023-06-05T17:01:38 |
undetected | mrg | 2023-06-06T13:44:31 |
undetected | phishtank | 2023-06-06T10:31:21 |
undetected | crdf | 2023-06-06T11:30:27 |
undetected | urlhaus | 2023-06-06T09:24:38 |
Last analysis#
No entries.
Analysis history#
No entries.
reversinglabs-a1000-domain-report#
Get a report for the submitted domain.
Base Command#
reversinglabs-a1000-domain-report
Input#
Argument Name | Description | Required |
---|---|---|
domain | Domain string. | Required |
Context Output#
Path | Type | Description |
---|---|---|
ReversingLabs.a1000_domain_report | Unknown | A1000 domain report |
Command example#
!reversinglabs-a1000-domain-report domain="ink-scape.online"
Context Example#
Human Readable Output#
ReversingLabs A1000 Domain Report for ink-scape.online#
Modified time: 2023-06-06T13:52:05
Top threats#
files_count | risk_score | threat_name |
---|---|---|
1 | 10 | Win64.Trojan.Casdet |
1 | 10 | ByteCode-MSIL.Backdoor.DCRat |
1 | 10 | ByteCode-MSIL.Infostealer.RedLine |
1 | 10 | Win32.Trojan.Fragtor |
Third party reputation statistics#
Malicious: 1 Undetected: 12 Clean: 0 Total: 13
Downloaded files statistics#
Unknown: 0 Suspicious: 0 Malicious: 4 Goodware: 0 Total: 4
Last DNS records time: 2023-05-11T17:46:01
Last DNS records#
provider | type | value |
---|---|---|
ReversingLabs | A | 37.140.192.210 |
Third party reputation sources#
detection | source | update_time |
---|---|---|
undetected | phishing_database | 2023-06-06T01:26:52 |
undetected | 0xSI_f33d | 2023-06-06T05:21:10 |
undetected | cyradar | 2023-06-06T07:37:28 |
undetected | adminus_labs | 2023-06-06T13:48:57 |
undetected | apwg | 2023-06-06T05:48:47 |
malicious | netstar | 2023-06-06T11:25:58 |
undetected | threatfox_abuse_ch | 2023-06-06T07:20:33 |
undetected | botvrij | 2023-06-06T01:26:07 |
undetected | alphamountain | 2023-06-06T13:52:05 |
undetected | comodo_valkyrie | 2023-06-06T04:52:55 |
undetected | web_security_guard | 2022-01-21T06:56:15 |
undetected | osint | 2023-06-06T00:30:41 |
undetected | crdf | 2023-06-06T11:30:27 |
reversinglabs-a1000-ip-address-report#
Get a report for the submitted IP address.
Base Command#
reversinglabs-a1000-ip-address-report
Input#
Argument Name | Description | Required |
---|---|---|
ip_address | IP address string. | Required |
Context Output#
Path | Type | Description |
---|---|---|
ReversingLabs.a1000_ip_address_report | Unknown | A1000 IP address report |
Command example#
!reversinglabs-a1000-ip-address-report ip_address="105.101.110.37"
Context Example#
Human Readable Output#
ReversingLabs A1000 IP Address Report for 105.101.110.37#
Modified time: 2023-06-06T14:00:43
Top threats#
No entries.
Third party reputation statistics#
Malicious: 2 Undetected: 5 Clean: 0 Total: 7
Downloaded files statistics#
Unknown: 0 Suspicious: 0 Malicious: 0 Goodware: 0 Total: 0
Third party reputation sources#
| category | detect_time | detection | source | update_time |
|---|---|---|---|---|
| | | undetected | alphamountain | 2023-06-06T13:52:05 |
| | | undetected | apwg | 2023-06-06T08:24:03 |
| command_and_control | 2023-05-15T15:20:23 | malicious | threatfox_abuse_ch | 2023-06-06T07:20:33 |
| | | undetected | adminus_labs | 2023-06-06T14:00:43 |
| | | undetected | osint | 2023-06-06T00:30:41 |
| | | undetected | feodotracker | 2023-06-06T04:27:58 |
| | 2023-05-28T05:00:06 | malicious | crdf | 2023-06-06T11:30:27 |
reversinglabs-a1000-ip-downloaded-files#
Get a list of files downloaded from an IP address.
Base Command#
reversinglabs-a1000-ip-downloaded-files
Input#
Argument Name | Description | Required |
---|---|---|
ip_address | IP address string. | Required |
extended_results | Return extended results. Default is True. | Optional |
classification | Return only results with this classification. | Optional |
page_size | Number of results per query page. Default is 500. | Optional |
max_results | Maximum number of returned results. Default is 5000. | Optional |
Context Output#
Path | Type | Description |
---|---|---|
ReversingLabs.a1000_ip_address_downloaded_files | Unknown | A1000 Files downloaded from IP address |
Command example#
!reversinglabs-a1000-ip-downloaded-files classification="MALICIOUS" page_size="2" max_results="2" ip_address="123.140.161.243" extended_results="true"
Context Example#
Human Readable Output#
ReversingLabs A1000 Files Downloaded From IP Address 123.140.161.243#
Files downloaded from IP address#
classification | first_download | first_seen | last_download | last_download_url | last_seen | malware_family | malware_type | md5 | platform | risk_score | sample_available | sample_size | sample_type | sha1 | sha256 | subplatform | threat_name |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
MALICIOUS | 2022-11-02T07:38:05 | 2022-11-02T07:38:05 | 2022-11-02T07:38:05 | http://uaery.top/dl/buildz.exe | 2023-04-27T15:22:05 | RedLine | Trojan | 1af44914e2340ab6da17a3a61609a2e4 | Win32 | 10 | true | 840704 | | 03359456add1d7c5eae291f8f50576e0a324cbbd | 069027da6066f79736223dbc9fa99a42533cfbdf24f6e683f6e9d3934f009afa | | Win32.Trojan.RedLine |
MALICIOUS | 2023-03-28T04:12:36 | 2023-03-28T04:12:36 | 2023-03-28T04:12:36 | https://worldofcreatures.at/Launcher.exe | 2023-04-29T15:38:56 | TrickOrTreat | Trojan | aea58c2837e8dd1850d46198e9870c5e | Win64 | 10 | true | 1179894205 | PE+/Exe | 1181efbb5f267554a4ca8ffe98434c83e456d6bb | 33ba1893894e50bc960af51348b99e3064e98e533f255b255846b49ea5ed5421 | | Win64.Trojan.TrickOrTreat |
reversinglabs-a1000-ip-domain-resolutions#
Get a list of IP-to-domain resolutions.
Base Command#
reversinglabs-a1000-ip-domain-resolutions
Input#
Argument Name | Description | Required |
---|---|---|
ip_address | IP address string. | Required |
page_size | Number of results per query page. Default is 500. | Optional |
max_results | Maximum number of returned results. Default is 5000. | Optional |
Context Output#
Path | Type | Description |
---|---|---|
ReversingLabs.a1000_ip_domain_resolutions | Unknown | A1000 IP-to-domain resolutions |
Command example#
!reversinglabs-a1000-ip-domain-resolutions ip_address="142.250.186.142" page_size="2" max_results="2"
Context Example#
Human Readable Output#
ReversingLabs A1000 IP-to-domain Resolutions for IP address 142.250.186.142#
IP-to-domain resolutions#
host_name | last_resolution_time | provider |
---|---|---|
pl16304805.trustedcpmrevenue.com | 2022-01-22T14:42:19 | ReversingLabs |
pl16023914.revenuenetworkcpm.com | 2022-02-15T13:54:37 | ReversingLabs |
reversinglabs-a1000-ip-urls#
Get a list of URLs hosted on the requested IP address.
Base Command#
reversinglabs-a1000-ip-urls
Input#
Argument Name | Description | Required |
---|---|---|
ip_address | IP address string. | Required |
page_size | Number of results per query page. Default is 500. | Optional |
max_results | Maximum number of returned results. Default is 5000. | Optional |
Context Output#
Path | Type | Description |
---|---|---|
ReversingLabs.a1000_ip_urls | Unknown | A1000 URL-s hosted on an IP address |
Command example#
!reversinglabs-a1000-ip-urls ip_address="142.250.186.142" page_size="2" max_results="2"
Context Example#
Human Readable Output#
ReversingLabs A1000 URL-s Hosted On IP Address 142.250.186.142#
URL-s hosted on the IP address#
url |
---|
https://vam.simpleintactloop.com/?kw=25&s1=dfadc40091de4d20b5ae5178a3ed04cf&s2=25&s3=1812092 |
https://consent.youtube.com/m?continue=https://www.youtube.com/playlist?list=PLUdyEkajrVvQgvw3E7Ms4YAvqa8yze0mk&bsft_aaid=d3faaff4-8ea9-405d-9544-4da5a26dc24a&bsft_eid=9ee948cc-69cb-27ef-383f-8b42608edab0&bsft_clkid=a51526e6-0d0d-42ba-a5b2-4ffe739b39b3&bsft_uid=13d7aa07-4c09-453f-85ae-fbd4e975b709&bsft_mid=5b0f75fb-615d-401c-b15c-8e301bce51a0&bsft_txnid=a887540d-743a-4d12-ab6a-9e9a09073a67&bsft_mime_type=html&bsft_ek=2022-03-20T12%253A10%253A17Z&bsft_lx=7&bsft_tv=25&&list_code=MONMARW&email_id=000139679745&cbrd=1&gl=DE&hl=de&m=0&pc=yt&src=1&uxe=23983171 |