# ReversingLabs TitaniumCloud v2

This Integration is part of the ReversingLabs TitaniumCloud Pack.

## Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

ReversingLabs TitaniumCloud provides threat analysis data from various ReversingLabs cloud services.

## Configure ReversingLabs TitaniumCloud v2 on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for ReversingLabs TitaniumCloud v2.
3. Click Add instance to create and configure a new integration instance.

Parameter | Required |
---|---|
ReversingLabs TitaniumCloud URL | True |
Credentials | True |
Password | True |
Reliability | False |
Verify certificates | False |
HTTP proxy address with the protocol and port number. | False |
HTTP proxy username | False |
HTTP proxy password | False |
HTTPS proxy address with the protocol and port number. | False |
HTTPS proxy username | False |
HTTPS proxy password | False |

4. Click Test to validate the URLs, token, and connection.
## Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### reversinglabs-titaniumcloud-file-reputation

Retrieve File Reputation data from TitaniumCloud.

#### Base Command

`reversinglabs-titaniumcloud-file-reputation`

#### Input
Argument Name | Description | Required |
---|---|---|
hash | File hash. | Required |
#### Context Output
Path | Type | Description |
---|---|---|
File.MD5 | Unknown | Bad hash found |
File.SHA1 | Unknown | Bad hash SHA1 |
File.SHA256 | Unknown | Bad hash SHA256 |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
ReversingLabs.file_reputation | Unknown |
#### Command example

```
!reversinglabs-titaniumcloud-file-reputation hash="21841b32c6165b27dddbd4d6eb3a672defe54271"
```

#### Context Example

#### Human Readable Output

##### ReversingLabs File Reputation for hash 21841b32c6165b27dddbd4d6eb3a672defe54271

- Classification: MALICIOUS
- Classification reason: antivirus
- First seen: 2015-05-30T22:04:00
- Last seen: 2023-06-06T16:16:58
- AV scanner hits / total number of scanners: 32 / 34
- AV scanner hit percentage: 94.11764526367188%
- MD5 hash: 3133c2231fcee5d6b0b4c988a5201da1
- SHA-1 hash: 21841b32c6165b27dddbd4d6eb3a672defe54271
- SHA-256 hash: 2f6edf41016e97c58f9de01aa4cc66c9c7fe7dae23fe72e50a69cbd221f55346
- Threat name: Win32.Ransomware.Tox
- Threat level: 5
### reversinglabs-titaniumcloud-av-scanners

Retrieve AV Scanner data from TitaniumCloud.

#### Base Command

`reversinglabs-titaniumcloud-av-scanners`

#### Input
Argument Name | Description | Required |
---|---|---|
hash | File hash. | Required |
#### Context Output
Path | Type | Description |
---|---|---|
File.MD5 | Unknown | Bad hash found |
File.SHA1 | Unknown | Bad hash SHA1 |
File.SHA256 | Unknown | Bad hash SHA256 |
ReversingLabs.av_scanners | Unknown |
#### Command example

```
!reversinglabs-titaniumcloud-av-scanners hash="21841b32c6165b27dddbd4d6eb3a672defe54271"
```

#### Context Example

#### Human Readable Output

##### ReversingLabs AV Scan results for hash 21841b32c6165b27dddbd4d6eb3a672defe54271

- First scanned on: 2015-05-30T22:04:00
- First seen on: 2015-05-30T22:04:00
- Last scanned on: 2023-06-06T16:15:00
- Last seen on: 2023-06-06T16:15:00
- Sample size: 636416 bytes
- Sample type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
- MD5 hash: 3133c2231fcee5d6b0b4c988a5201da1
- SHA-1 hash: 21841b32c6165b27dddbd4d6eb3a672defe54271
- SHA-256 hash: 2f6edf41016e97c58f9de01aa4cc66c9c7fe7dae23fe72e50a69cbd221f55346
- SHA-512 hash: 205ece960784bff6fdbd0d5a1ebad4fddeab6751728d5be2e0b5d91742d520df0c5d04fd3b9e67372c35cb0859d794b7d22ea78786669a4bd5725e814548143f
- SHA-384 hash: e0b7bf0ad928500ee1dc06f8cbe035e663eaf546bb4b5217706706ba12c50ab6a24e1e858dae9a5ce0f7673bdb5621be
- RIPEMD-160 hash: d26f686b6af13b9073f77a1ba5a7b610934dc625
- Scanner count: 37
- Scanner match: 32

###### Latest scan results

result | scanner |
---|---|
[TROJAN] Trojan/Win32.Toxic.R150440 | scanner1 |
detected | scanner2 |
Win32:Malware-gen | scanner3 |
DeepScan:Generic.Ransom.WCryG.5BC9065C | scanner4 |
trojan | scanner5 |
PUA.Win.Packer.UpxProtector-1 | scanner6 |
win/malicious_confidence_100 | scanner7 |
malware.confidence_100 | scanner8 |
Trojan.Encoder.1155 | scanner9 |
malicious (moderate confidence) | scanner10 |
Detected | scanner11 |
W32/ToxKrypt.A!tr | scanner12 |
DeepScan:Generic.Ransom.WCryG.5BC9065C | scanner13 |
Trojan.Win32.Filecoder | scanner14 |
Trojan (0055e3ef1) | scanner15 |
Generic.Malware/Suspicious | scanner16 |
Ransom-Tox!11B48E409D96 (trojan) | scanner17 |
Ransom-Tox!11B48E409D96 (trojan) | scanner18 |
Artemis!3133C2231FCE (trojan) | scanner19 |
Ransom:Win32/Tocrypt.B | scanner20 |
Ransom:Win32/Tocrypt.B | scanner21 |
Trj/Genetic.gen | scanner22 |
Trj/Genetic.gen | scanner23 |
| | scanner24 |
Ransom.Tocrypt!8.53B6 | scanner25 |
Malware.Undefined!8.C | scanner26 |
DFI - Suspicious PE | scanner27 |
| | scanner28 |
Mal/Generic-R | scanner29 |
Trojan.Gen.2 | scanner30 |
Trojan.Gen.2 | scanner31 |
TROJ_CRYPTOX.T | scanner32 |
TROJ_CRYPTOX.T | scanner33 |
SScope.Malware-Cryptor.Toxic | scanner34 |
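The per-scanner table is the data an analyst reduces to a verdict, and two engines returning the same string should not be counted as two independent opinions. The following Python is an added example, not code from the ReversingLabs integration or from ReversingLabs: it takes rows in the shape of the table above (a constructed list of scanner/result pairs copied from it; the row shape is an assumption mirroring the human-readable table, not the raw TitaniumCloud JSON), reproduces the 32 / 34 match figures shown in the file-reputation output, groups identical verdict strings, and lists which scanners mention a given family keyword.

```python
"""Reduce per-scanner AV results to summary figures.

Added example; not code from the ReversingLabs integration. The input row
shape {"scanner": ..., "result": ...} is an assumption that mirrors the
human-readable table on this page, not the raw TitaniumCloud JSON.
"""
from collections import Counter

# Constructed sample: the 34 rows of the page's "Latest scan results" table.
# An empty result means the scanner returned no detection.
SAMPLE_ROWS = [
    ("scanner1", "[TROJAN] Trojan/Win32.Toxic.R150440"),
    ("scanner2", "detected"),
    ("scanner3", "Win32:Malware-gen"),
    ("scanner4", "DeepScan:Generic.Ransom.WCryG.5BC9065C"),
    ("scanner5", "trojan"),
    ("scanner6", "PUA.Win.Packer.UpxProtector-1"),
    ("scanner7", "win/malicious_confidence_100"),
    ("scanner8", "malware.confidence_100"),
    ("scanner9", "Trojan.Encoder.1155"),
    ("scanner10", "malicious (moderate confidence)"),
    ("scanner11", "Detected"),
    ("scanner12", "W32/ToxKrypt.A!tr"),
    ("scanner13", "DeepScan:Generic.Ransom.WCryG.5BC9065C"),
    ("scanner14", "Trojan.Win32.Filecoder"),
    ("scanner15", "Trojan (0055e3ef1)"),
    ("scanner16", "Generic.Malware/Suspicious"),
    ("scanner17", "Ransom-Tox!11B48E409D96 (trojan)"),
    ("scanner18", "Ransom-Tox!11B48E409D96 (trojan)"),
    ("scanner19", "Artemis!3133C2231FCE (trojan)"),
    ("scanner20", "Ransom:Win32/Tocrypt.B"),
    ("scanner21", "Ransom:Win32/Tocrypt.B"),
    ("scanner22", "Trj/Genetic.gen"),
    ("scanner23", "Trj/Genetic.gen"),
    ("scanner24", ""),
    ("scanner25", "Ransom.Tocrypt!8.53B6"),
    ("scanner26", "Malware.Undefined!8.C"),
    ("scanner27", "DFI - Suspicious PE"),
    ("scanner28", ""),
    ("scanner29", "Mal/Generic-R"),
    ("scanner30", "Trojan.Gen.2"),
    ("scanner31", "Trojan.Gen.2"),
    ("scanner32", "TROJ_CRYPTOX.T"),
    ("scanner33", "TROJ_CRYPTOX.T"),
    ("scanner34", "SScope.Malware-Cryptor.Toxic"),
]
SAMPLE_ROWS = [{"scanner": s, "result": r} for s, r in SAMPLE_ROWS]


def summarize(rows):
    """Return scanner count, match count and hit percentage for the rows."""
    total = len(rows)
    matched = sum(1 for row in rows if row.get("result", "").strip())
    pct = (100.0 * matched / total) if total else 0.0
    return {"scanner_count": total, "scanner_match": matched, "hit_percentage": pct}


def verdict_groups(rows):
    """Count identical (exact-string) verdicts across scanners.

    Several engines on the page return byte-identical strings (for example
    scanner17 and scanner18), so the number of distinct verdicts is a better
    measure of independent opinions than the number of matching scanners.
    """
    return Counter(r["result"] for r in rows if r.get("result", "").strip())


def scanners_mentioning(rows, keyword):
    """Names of scanners whose verdict contains keyword, case-insensitively."""
    key = keyword.lower()
    return [r["scanner"] for r in rows if key in r.get("result", "").lower()]


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print(f"{s['scanner_match']} / {s['scanner_count']} scanners matched "
          f"({s['hit_percentage']:.2f}%)")
    print(f"{len(verdict_groups(SAMPLE_ROWS))} distinct verdict strings")
    print("Scanners naming Tocrypt:", scanners_mentioning(SAMPLE_ROWS, "tocrypt"))
```

The 32 / 34 figure matches the file-reputation output above; the table lists 34 scanners although the metadata reports a scanner count of 37, so the summary is computed over whatever rows are actually present rather than over the reported count.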
### reversinglabs-titaniumcloud-file-analysis

Retrieve File Analysis by hash data from TitaniumCloud.

#### Base Command

`reversinglabs-titaniumcloud-file-analysis`

#### Input
Argument Name | Description | Required |
---|---|---|
hash | File hash. | Required |
#### Context Output
Path | Type | Description |
---|---|---|
File.MD5 | Unknown | Bad hash found |
File.SHA1 | Unknown | Bad hash SHA1 |
File.SHA256 | Unknown | Bad hash SHA256 |
ReversingLabs.file_analysis | Unknown |
#### Command example

```
!reversinglabs-titaniumcloud-file-analysis hash="21841b32c6165b27dddbd4d6eb3a672defe54271"
```

#### Context Example

#### Human Readable Output

##### ReversingLabs File Analysis results for hash 21841b32c6165b27dddbd4d6eb3a672defe54271

- File type: PE
- File subtype: Exe
- Sample type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
- Sample size: 636416 bytes
- Extended description: This file (SHA1: 21841b32c6165b27dddbd4d6eb3a672defe54271) is a 32-bit portable executable application. Additionally, it was identified as UPX 0.60-3.x executable packer, and unpacking was successful. The application uses the Windows graphical user interface (GUI) subsystem, while the language used is English from United States. Cryptography related data was found in the file. This application has access to networking and running processes and has cryptography and security related capabilities. There is one extracted file.
- First seen: 2015-05-30T22:04:00
- Last seen: 2023-06-06T16:15:00
- MD5 hash: 3133c2231fcee5d6b0b4c988a5201da1
- SHA-1 hash: 21841b32c6165b27dddbd4d6eb3a672defe54271
- SHA-256 hash: 2f6edf41016e97c58f9de01aa4cc66c9c7fe7dae23fe72e50a69cbd221f55346
- SHA-384 hash: e0b7bf0ad928500ee1dc06f8cbe035e663eaf546bb4b5217706706ba12c50ab6a24e1e858dae9a5ce0f7673bdb5621be
- SHA-512 hash: 205ece960784bff6fdbd0d5a1ebad4fddeab6751728d5be2e0b5d91742d520df0c5d04fd3b9e67372c35cb0859d794b7d22ea78786669a4bd5725e814548143f
- SSDEEP hash: 12288:UxvYm8UX7FkiYiHSbhy783clwXqaAQWzRTChYl:+vY0LFrYi0s7w6a/Wzl
- RIPEMD-160 hash: d26f686b6af13b9073f77a1ba5a7b610934dc625
### reversinglabs-titaniumcloud-rha1-functional-similarity

Retrieve a list of functionally similar hashes to the provided one.

#### Base Command

`reversinglabs-titaniumcloud-rha1-functional-similarity`

#### Input
Argument Name | Description | Required |
---|---|---|
hash | File hash. | Required |
result_limit | Maximum number of results to be returned. Default is 5000. | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
ReversingLabs.functional_similarity | Unknown |
#### Command example

```
!reversinglabs-titaniumcloud-rha1-functional-similarity hash=21841b32c6165b27dddbd4d6eb3a672defe54271 result_limit=2
```

#### Context Example

#### Human Readable Output

Full report is returned in a downloadable file.
### reversinglabs-titaniumcloud-rha1-analytics

Retrieve the number of hashes functionally similar to the provided one, grouped by classification.

#### Base Command

`reversinglabs-titaniumcloud-rha1-analytics`

#### Input
Argument Name | Description | Required |
---|---|---|
hash | File hash. | Required |
#### Context Output
Path | Type | Description |
---|---|---|
File.SHA1 | Unknown | File SHA1 |
File.SHA256 | Unknown | File SHA256 |
File.MD5 | Unknown | File MD5 |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
ReversingLabs.rha1_analytics | Unknown |
#### Command example

```
!reversinglabs-titaniumcloud-rha1-analytics hash=21841b32c6165b27dddbd4d6eb3a672defe54271
```

#### Context Example

#### Human Readable Output

##### ReversingLabs RHA1 Analytics results for hash 21841b32c6165b27dddbd4d6eb3a672defe54271

###### Sample counters

- KNOWN: 0
- MALICIOUS: 144
- SUSPICIOUS: 0
- TOTAL: 144

###### Sample metadata

- Classification: MALICIOUS
- MD5 hash: 3133c2231fcee5d6b0b4c988a5201da1
- SHA-256 hash: 2f6edf41016e97c58f9de01aa4cc66c9c7fe7dae23fe72e50a69cbd221f55346
- First seen: 2015-05-30T22:04:00
- Last seen: 2023-06-06T16:16:58.328000
- Sample available: True
- Sample size: 636416 bytes
- Sample type: PE/Exe/UPX
- Threat name: Win32.Ransomware.Tox
- Threat level: 5
### reversinglabs-titaniumcloud-uri-statistics

Retrieve the number of MALICIOUS, SUSPICIOUS and KNOWN files associated with a specific URI.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

#### Base Command

`reversinglabs-titaniumcloud-uri-statistics`

#### Input
Argument Name | Description | Required |
---|---|---|
uri | URI string. | Required |
#### Context Output
Path | Type | Description |
---|---|---|
IP.Address | Unknown | IP address |
Domain.Name | Unknown | Domain name |
URL.Data | Unknown | The URL |
Email.To | Unknown | Destination email address |
ReversingLabs.uri_statistics | Unknown |
#### Command example

```
!reversinglabs-titaniumcloud-uri-statistics uri=127.0.0.1
```

#### Context Example

#### Human Readable Output

##### ReversingLabs URI Statistics results for URI 127.0.0.1

###### Sample counters

- KNOWN: 48600
- MALICIOUS: 163967
- SUSPICIOUS: 602
- SHA-1 hash: 4b84b15bff6ee5796152495a230e45e3d7e947d9
- URI type: ipv4
- IPv4: 127.0.0.1
### reversinglabs-titaniumcloud-uri-index

Retrieve a list of all available file hashes associated with a given URI.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

#### Base Command

`reversinglabs-titaniumcloud-uri-index`

#### Input
Argument Name | Description | Required |
---|---|---|
uri | URI string. | Required |
result_limit | Maximum number of results to be returned. Default is 5000. | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
ReversingLabs.uri_index | Unknown |
#### Command example

```
!reversinglabs-titaniumcloud-uri-index uri=8.8.4.4 result_limit=2
```

#### Context Example

#### Human Readable Output

Full report is returned in a downloadable file.
### reversinglabs-titaniumcloud-advanced-search

Search for hashes using multi-part search criteria.

#### Base Command

`reversinglabs-titaniumcloud-advanced-search`

#### Input
Argument Name | Description | Required |
---|---|---|
query | Query string. | Required |
result_limit | Maximum number of results to be returned. Default is 5000. | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
ReversingLabs.advanced_search | Unknown |
#### Command example

```
!reversinglabs-titaniumcloud-advanced-search query="av-count:5 available:TRUE" result_limit="2"
```

#### Context Example

#### Human Readable Output

Full report is returned in a downloadable file.
### reversinglabs-titaniumcloud-expression-search

Search provides samples first seen on a particular date, filtered by search criteria.

#### Base Command

`reversinglabs-titaniumcloud-expression-search`

#### Input
Argument Name | Description | Required |
---|---|---|
query | Query string. | Required |
date | Search date. | Optional |
result_limit | Maximum number of results to be returned. Default is 5000. | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
ReversingLabs.expression_search | Unknown |
#### Command example

```
!reversinglabs-titaniumcloud-expression-search query="threat_level>=3 status=malicious malware_family=CVE-2017-11882" result_limit="2"
```

#### Context Example

#### Human Readable Output

Full report is returned in a downloadable file.
### reversinglabs-titaniumcloud-file-download

Download files associated with a SHA1, MD5 or SHA256 hash.

#### Base Command

`reversinglabs-titaniumcloud-file-download`

#### Input
Argument Name | Description | Required |
---|---|---|
hash | File hash. | Required |
#### Context Output
There is no context output for this command.
#### Command example

```
!reversinglabs-titaniumcloud-file-download hash="21841b32c6165b27dddbd4d6eb3a672defe54271"
```

#### Context Example

#### Human Readable Output

Requested sample is available for download under the name 21841b32c6165b27dddbd4d6eb3a672defe54271.
### reversinglabs-titaniumcloud-file-upload

Upload a file using a byte stream with a SHA1 hash of the file provided in the request.

#### Base Command

`reversinglabs-titaniumcloud-file-upload`

#### Input
Argument Name | Description | Required |
---|---|---|
entryId | File entry ID. | Required |
#### Context Output
There is no context output for this command.
### reversinglabs-titaniumcloud-url-report

Return a URL analysis report.

#### Base Command

`reversinglabs-titaniumcloud-url-report`

#### Input
Argument Name | Description | Required |
---|---|---|
url | URL string. | Required |
#### Context Output
Path | Type | Description |
---|---|---|
URL.Data | Unknown | The URL |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
ReversingLabs.url_report | Unknown |
#### Command example

```
!reversinglabs-titaniumcloud-url-report url="http://classicairjordanshoes.com/classic-air-jordan-9-c-7.html?zenid=egbmmbi039iqms5ho5dt2qnunm0mettt"
```

#### Context Example

#### Human Readable Output

##### ReversingLabs URL Threat Intelligence report for URL http://classicairjordanshoes.com/classic-air-jordan-9-c-7.html?zenid=egbmmbi039iqms5ho5dt2qnunm0mettt

- Requested URL: http://classicairjordanshoes.com/classic-air-jordan-9-c-7.html?zenid=egbmmbi039iqms5ho5dt2qnunm0mettt
- Classification: MALICIOUS
- First analysis: 2023-05-09T01:42:13
- Analysis count: 3

###### Last analysis

- Analysis ID: 16844028829801b5
- Analysis time: 2023-05-18T09:40:39
- Final URL: None
- Availability status: online
- Domain: classicairjordanshoes.com
- Serving IP Address: 37.72.184.59

###### Statistics

- KNOWN: 0
- SUSPICIOUS: 0
- MALICIOUS: 3
- UNKNOWN: 0
- TOTAL: 3

###### Analysis history

analysis_id | analysis_time | availability_status | domain | http_response_code | serving_ip_address |
---|---|---|---|---|---|
168359658951508c | 2023-05-09T01:42:13 | online | classicairjordanshoes.com | 200 | 37.72.184.59 |
16841931093501b5 | 2023-05-15T23:24:35 | online | classicairjordanshoes.com | 200 | 37.72.184.59 |
16844028829801b5 | 2023-05-18T09:40:39 | online | classicairjordanshoes.com | 200 | 37.72.184.59 |

###### Third party statistics

- TOTAL: 20
- MALICIOUS: 0
- CLEAN: 0
- UNDETECTED: 20

###### Third party sources

detection | source | update_time |
---|---|---|
undetected | phishing_database | 2023-06-06T15:08:12 |
undetected | cyren | 2023-06-07T05:08:53 |
undetected | cyradar | 2023-06-07T06:59:53 |
undetected | netstar | 2023-06-07T12:51:41 |
undetected | malsilo | 2023-06-07T11:07:56 |
undetected | mute | 2023-06-07T09:39:35 |
undetected | adminus_labs | 2023-06-07T13:02:50 |
undetected | apwg | 2023-06-07T01:21:26 |
undetected | 0xSI_f33d | 2023-06-07T05:21:24 |
undetected | threatfox_abuse_ch | 2023-06-07T07:20:28 |
undetected | alphamountain | 2023-06-07T12:47:18 |
undetected | phishstats | 2023-06-07T04:15:13 |
undetected | comodo_valkyrie | 2023-06-06T14:40:10 |
undetected | alien_vault | 2023-06-07T00:37:00 |
undetected | osint | 2023-06-07T00:30:40 |
undetected | openphish | 2023-06-07T09:50:56 |
undetected | mrg | 2023-06-07T12:56:18 |
undetected | phishtank | 2023-06-07T10:35:22 |
undetected | crdf | 2023-06-07T12:44:52 |
undetected | urlhaus | 2023-06-07T09:59:17 |
### reversinglabs-titaniumcloud-analyze-url

Analyze a given URL.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

#### Base Command

`reversinglabs-titaniumcloud-analyze-url`

#### Input
Argument Name | Description | Required |
---|---|---|
url | URL string. | Required |
#### Context Output
Path | Type | Description |
---|---|---|
ReversingLabs.analyze_url | Unknown |
#### Command example

```
!reversinglabs-titaniumcloud-analyze-url url="http://34.150.1.150/hBQ"
```

#### Context Example

#### Human Readable Output

##### ReversingLabs Analyze URL response for URL http://34.150.1.150/hBQ

- Status: started
- Analysis ID: 1686150309665089
- Requested URL: http://34.150.1.150/hBQ
### reversinglabs-titaniumcloud-submit-for-dynamic-analysis

Submit an existing sample for dynamic analysis.

#### Base Command

`reversinglabs-titaniumcloud-submit-for-dynamic-analysis`

#### Input
Argument Name | Description | Required |
---|---|---|
sha1 | Sample SHA-1 hash. | Required |
platform | Desired platform. See the API documentation for possible values. | Required |
#### Context Output
Path | Type | Description |
---|---|---|
ReversingLabs.detonate_sample_dynamic | Unknown |
#### Command example

```
!reversinglabs-titaniumcloud-submit-for-dynamic-analysis sha1=21841b32c6165b27dddbd4d6eb3a672defe54271 platform=windows10
```

#### Context Example

#### Human Readable Output

##### ReversingLabs submit sample 21841b32c6165b27dddbd4d6eb3a672defe54271 for Dynamic Analysis

- Status: started
- Requested hash: 21841b32c6165b27dddbd4d6eb3a672defe54271
- Analysis ID: bd4819f0-0327-4579-b72e-08ebfeeae49a
### reversinglabs-titaniumcloud-get-dynamic-analysis-results

Retrieve dynamic analysis results.

#### Base Command

`reversinglabs-titaniumcloud-get-dynamic-analysis-results`

#### Input
Argument Name | Description | Required |
---|---|---|
sha1 | Sample SHA-1 hash. | Required |
#### Context Output
Path | Type | Description |
---|---|---|
File.MD5 | String | MD5 hash. |
File.SHA1 | String | SHA1 hash. |
File.SHA256 | String | SHA256 hash. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
ReversingLabs.dynamic_analysis_results | Unknown | The dynamic analysis results. |
#### Command example

```
!reversinglabs-titaniumcloud-get-dynamic-analysis-results sha1=21841b32c6165b27dddbd4d6eb3a672defe54271
```
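Most commands on this page take a `hash` argument that may be an MD5, SHA-1 or SHA-256, while the two dynamic-analysis commands take `sha1` only, and the similarity command accepts an optional `result_limit` defaulting to 5000. Passing the wrong digest type to the `sha1` argument is an easy mistake in an automation, so the following Python, an added example and not code from the ReversingLabs integration, validates a digest, classifies it by length, and builds the argument dictionary for a command before it is handed to the integration. The command-to-argument mapping is taken from this page; the helper names, the error messages and the sample inputs are this example's own, and no call into XSOAR is made so it runs offline.

```python
"""Pre-flight validation of hash arguments for the TitaniumCloud commands.

Added example; not code from the ReversingLabs integration. The
command-to-argument mapping below is taken from this page: most commands
accept `hash` (MD5, SHA-1 or SHA-256), while the two dynamic-analysis
commands accept `sha1` only. Helper names and error messages are this
example's own choice.
"""
import re

# Hex digest length -> hash family. Any other length is rejected.
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Commands on this page that take a `hash` argument of any of the three types.
HASH_COMMANDS = {
    "reversinglabs-titaniumcloud-file-reputation",
    "reversinglabs-titaniumcloud-av-scanners",
    "reversinglabs-titaniumcloud-file-analysis",
    "reversinglabs-titaniumcloud-rha1-functional-similarity",
    "reversinglabs-titaniumcloud-rha1-analytics",
    "reversinglabs-titaniumcloud-file-download",
}

# Commands on this page whose argument is named `sha1` and takes SHA-1 only.
SHA1_COMMANDS = {
    "reversinglabs-titaniumcloud-submit-for-dynamic-analysis",
    "reversinglabs-titaniumcloud-get-dynamic-analysis-results",
}

# Hash-based commands on this page that also accept result_limit (default 5000).
LIMITED_COMMANDS = {"reversinglabs-titaniumcloud-rha1-functional-similarity"}
DEFAULT_RESULT_LIMIT = 5000


def hash_type(value):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest, else None."""
    digest = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return None
    return HEX_LENGTHS.get(len(digest))


def build_args(command, digest, result_limit=None, platform=None):
    """Build the argument dict for a hash-based command, or raise ValueError.

    The returned dict is what an automation would pass as the args of
    demisto.executeCommand(command, args); that call is deliberately not
    made here so the example runs outside XSOAR.
    """
    kind = hash_type(digest)
    if kind is None:
        raise ValueError(f"{digest!r} is not an MD5, SHA-1 or SHA-256 hex digest")
    normalized = digest.strip().lower()

    if command in HASH_COMMANDS:
        args = {"hash": normalized}
    elif command in SHA1_COMMANDS:
        if kind != "sha1":
            raise ValueError(f"{command} takes the 'sha1' argument; got a {kind} digest")
        args = {"sha1": normalized}
    else:
        raise ValueError(f"{command} is not a hash-based command on this page")

    if command == "reversinglabs-titaniumcloud-submit-for-dynamic-analysis":
        if not platform:
            raise ValueError("platform is required for dynamic analysis submission")
        args["platform"] = platform

    if result_limit is not None:
        if command not in LIMITED_COMMANDS:
            raise ValueError(f"{command} does not accept result_limit")
        if not isinstance(result_limit, int) or result_limit < 1:
            raise ValueError("result_limit must be a positive integer")
        args["result_limit"] = result_limit
    elif command in LIMITED_COMMANDS:
        args["result_limit"] = DEFAULT_RESULT_LIMIT
    return args


if __name__ == "__main__":
    # Constructed inputs: the page's SHA-1 (upper-cased, with stray whitespace)
    # and its SHA-256 sent to a command that only takes SHA-1.
    print(build_args("reversinglabs-titaniumcloud-file-reputation",
                     "21841B32C6165B27DDDBD4D6EB3A672DEFE54271 "))
    print(build_args("reversinglabs-titaniumcloud-rha1-functional-similarity",
                     "21841b32c6165b27dddbd4d6eb3a672defe54271", result_limit=2))
    try:
        build_args("reversinglabs-titaniumcloud-submit-for-dynamic-analysis",
                   "2f6edf41016e97c58f9de01aa4cc66c9c7fe7dae23fe72e50a69cbd221f55346",
                   platform="windows10")
    except ValueError as exc:
        print("rejected:", exc)
```

Normalizing to lowercase before the call keeps context keys such as File.SHA1 consistent across playbook runs regardless of how the hash was pasted into an incident.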