ReversingLabs TitaniumScale
This Integration is part of the ReversingLabs TitaniumScale Pack.#
Supported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
Overview#
This integration supports using ReversingLabs Advanced File Analysis to 'detonate file' on the TitaniumScale Advanced Malware Analysis Appliance.
The ReversingLabs TitaniumScale Appliance is powered by TitaniumCore, the malware analysis engine that performs automated static analysis using the Active File Decomposition technology.
TitaniumCore unpacks and recursively analyzes files without executing them, and extracts internal threat indicators to classify files and determine their threat level. TitaniumCore is capable of identifying thousands of file format families. It recursively unpacks hundreds of file format families, and fully repairs extracted files to enable further analysis.
Prerequisites#
You need to obtain the following:
- TitaniumScale instance
- TitaniumScale API Token
Configure ReversingLabs TitaniumScale on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for Reversinglabs TitaniumScale.
Click Add instance to create and configure a new integration instance.
Parameter Required ReversingLabs TitaniumScale instance URL True API Token True Verify host certificates True (default: False) Reliability True (default: C - Fairly reliable) Wait time between report fetching retries (seconds) True (default: 2) Number of report fetching retries True (default: 30) Click Test to validate connection.
Commands#
You can execute these commands from the XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. For all commands, full report is saved as a part of the context and also returned as a downloadable file.
- reversinglabs-titaniumscale-upload-sample-and-get-results
- reversinglabs-titaniumscale-upload-sample
- reversinglabs-titaniumscale-get-results
reversinglabs-titaniumscale-upload-sample-and-get-results#
Upload sample to TitaniumScale instance and retrieve the analysis report.
Input#
| Argument Name | Description | Required |
|---|---|---|
| entryId | Entry ID of the sample to be uploaded | True |
Command Example#
!reversinglabs-titaniumscale-upload-sample-and-get-results entryId="3156@1651bd83-3242-43e4-8084-26de8937ca81"
Human Readable Output:#
Context Output#
| Path | Description |
|---|---|
| File | File indicator |
| DBotScore | Score |
| ReversingLabs.tc_report | Full report in JSON |
Context Example:
{
"Type": 1,
"ContentsFormat": "json",
"Contents": {
"tc_report": [
{
"info": {
"file": {
"file_subtype": "Exe",
"entropy": 6.18799192412328,
"file_type": "PE+",
"file_name": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81",
"hashes": [
{
"name": "imphash",
"value": "71f37f91c14c4729e462a32b6b2ae9d4"
},
{
"name": "md5",
"value": "b44251a2f532cc8835f6ad164491ebae"
},
{
"name": "rha0",
"value": "e268f6a56d568c8b466dbb1f5671401a6898135e"
},
{
"name": "sha1",
"value": "277d75e0593937034e12ed185c91b6bb9bbdc3c5"
},
{
"name": "sha256",
"value": "4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f"
}
],
"file_path": "/scratch/1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81",
"size": 1653234
}
},
"indicators": [
{
"priority": 6,
"category": 10,
"description": "Executes a file."
},
{
"priority": 5,
"category": 0,
"description": "Contains IP addresses."
},
{
"priority": 5,
"category": 11,
"description": "Tampers with user/account privileges."
},
{
"priority": 5,
"category": 22,
"description": "Writes to files in Windows system directories."
},
{
"priority": 4,
"category": 22,
"description": "Creates/opens files in Windows system directories."
},
{
"priority": 4,
"category": 13,
"description": "Enumerates system information."
},
{
"priority": 4,
"category": 4,
"description": "Possibly does process injection."
},
{
"priority": 4,
"category": 22,
"description": "Reads from files in Windows system directories."
},
{
"priority": 4,
"category": 11,
"description": "Requests permission required to lock physical pages in memory."
},
{
"priority": 3,
"category": 7,
"description": "Detects/enumerates process modules."
},
{
"priority": 3,
"category": 10,
"description": "Terminates a process/thread."
},
{
"priority": 3,
"category": 1,
"description": "Uses anti-debugging methods."
},
{
"priority": 3,
"category": 22,
"description": "Writes to files."
},
{
"priority": 2,
"category": 13,
"description": "Enumerates system variables."
},
{
"priority": 2,
"category": 10,
"description": "Might load additional DLLs and APIs."
},
{
"priority": 2,
"category": 12,
"description": "Monitors directory changes."
},
{
"priority": 2,
"category": 22,
"description": "Reads from files."
},
{
"priority": 2,
"category": 10,
"description": "Uses pipes for interprocess communication."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to api-ms-win-core-synch-l1-2-0.dll which is ApiSet Stub DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to kernel32.dll which is Windows NT BASE API Client DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to ntdll.dll which is NT Layer DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to powrprof.dll which is Power Profile Helper DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to psapi.dll which is Process Status Helper."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to user32.dll which is Multi-User Windows USER API Client DLL."
},
{
"priority": 1,
"category": 12,
"description": "Contains references to document file extensions."
},
{
"priority": 1,
"category": 12,
"description": "Contains references to executable file extensions."
},
{
"priority": 1,
"category": 12,
"description": "Contains references to source code file extensions."
},
{
"priority": 1,
"category": 22,
"description": "Creates/Opens a file."
}
],
"interesting_strings": [
{
"category": "http",
"values": [
"donate.v2.xmrig.com"
]
},
{
"category": "ipv4",
"values": [
"0.0.0.0",
"127.0.0.1",
"3.120.209.58:8080"
]
},
{
"category": "mailto",
"values": [
"pP0P@0.0.0.0"
]
}
],
"classification": {
"propagation_source": {
"name": "sha1",
"value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641"
},
"propagated": true,
"scan_results": [
{
"result": "Win32.Trojan.Graftor",
"type": "cloud",
"name": "TitaniumCloud",
"classification": 3,
"factor": 5
},
{
"result": "Win64.Coinminer.Malxmr",
"type": "cloud",
"name": "TitaniumCloud",
"classification": 3,
"factor": 4
}
],
"classification": 3,
"factor": 5
},
"metadata": {
"application": {
"capabilities": 827063294
}
}
},
{
"info": {
"file": {
"file_subtype": "Exe",
"entropy": 6.60580452906475,
"file_type": "PE",
"file_name": "0",
"hashes": [
{
"name": "md5",
"value": "8b84009488f7254a2be3c4409bcf286a"
},
{
"name": "rha0",
"value": "42f8f3d9c5a7044a0895c89f27c1d9cdc2777511"
},
{
"name": "sha1",
"value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641"
},
{
"name": "sha256",
"value": "91ad1155d57e91caa994da40fff6048eb8c10fcf9a6c1b7d5a393f605d718acc"
}
],
"file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/overlay/0",
"size": 620530
}
},
"indicators": [
{
"priority": 1,
"category": 12,
"description": "Contains references to executable file extensions."
}
],
"classification": {
"propagated": false,
"scan_results": [
{
"result": "Win32.Trojan.Graftor",
"type": "cloud",
"name": "TitaniumCloud",
"classification": 3,
"factor": 5
}
],
"classification": 3,
"factor": 5
},
"metadata": {
"application": {
"capabilities": 0
}
}
},
{
"info": {
"file": {
"file_subtype": "XML",
"entropy": 4.9116145157351045,
"file_type": "Text",
"file_name": "1",
"hashes": [
{
"name": "md5",
"value": "1e4a89b11eae0fcf8bb5fdd5ec3b6f61"
},
{
"name": "rha0",
"value": "4260284ce14278c397aaf6f389c1609b0ab0ce51"
},
{
"name": "sha1",
"value": "4260284ce14278c397aaf6f389c1609b0ab0ce51"
},
{
"name": "sha256",
"value": "4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df"
}
],
"file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/resource/1",
"size": 381
}
},
"classification": {
"propagated": false,
"scan_results": [
{
"type": "cloud",
"name": "TitaniumCloud",
"classification": 1,
"factor": 0
}
],
"classification": 1,
"factor": 0
}
}
]
},
"HumanReadable": "## ReversingLabs TitaniumScale get report\n\n **Type:** PE+/Exe\n **Size:** 1653234 bytes \n\n **IMPHASH:** 71f37f91c14c4729e462a32b6b2ae9d4\n **MD5:** b44251a2f532cc8835f6ad164491ebae\n **RHA0:** e268f6a56d568c8b466dbb1f5671401a6898135e\n **SHA1:** 277d75e0593937034e12ed185c91b6bb9bbdc3c5\n **SHA256:** 4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f\n\n **Status:** malicious\n **TitaniumCloud:** Win32.Trojan.Graftor\n **DBot score:** 3\n",
"EntryContext": {
"File(val.MD5 && val.MD5 == obj.MD5 || val.SHA1 && val.SHA1 == obj.SHA1 || val.SHA256 && val.SHA256 == obj.SHA256 || val.SHA512 && val.SHA512 == obj.SHA512 || val.CRC32 && val.CRC32 == obj.CRC32 || val.CTPH && val.CTPH == obj.CTPH || val.SSDeep && val.SSDeep == obj.SSDeep)": [
{
"MD5": "b44251a2f532cc8835f6ad164491ebae",
"SHA1": "277d75e0593937034e12ed185c91b6bb9bbdc3c5",
"SHA256": "4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f",
"Malicious": {
"Vendor": "ReversingLabs TitaniumScale",
"Description": "\n **TitaniumCloud:** Win32.Trojan.Graftor"
}
}
],
"DBotScore(val.Indicator && val.Indicator == obj.Indicator && val.Vendor == obj.Vendor && val.Type == obj.Type)": [
{
"Indicator": "277d75e0593937034e12ed185c91b6bb9bbdc3c5",
"Type": "file",
"Vendor": "ReversingLabs TitaniumScale",
"Score": 3
}
],
"ReversingLabs": {
"tc_report": [
{
"info": {
"file": {
"file_subtype": "Exe",
"entropy": 6.18799192412328,
"file_type": "PE+",
"file_name": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81",
"hashes": [
{
"name": "imphash",
"value": "71f37f91c14c4729e462a32b6b2ae9d4"
},
{
"name": "md5",
"value": "b44251a2f532cc8835f6ad164491ebae"
},
{
"name": "rha0",
"value": "e268f6a56d568c8b466dbb1f5671401a6898135e"
},
{
"name": "sha1",
"value": "277d75e0593937034e12ed185c91b6bb9bbdc3c5"
},
{
"name": "sha256",
"value": "4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f"
}
],
"file_path": "/scratch/1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81",
"size": 1653234
}
},
"indicators": [
{
"priority": 6,
"category": 10,
"description": "Executes a file."
},
{
"priority": 5,
"category": 0,
"description": "Contains IP addresses."
},
{
"priority": 5,
"category": 11,
"description": "Tampers with user/account privileges."
},
{
"priority": 5,
"category": 22,
"description": "Writes to files in Windows system directories."
},
{
"priority": 4,
"category": 22,
"description": "Creates/opens files in Windows system directories."
},
{
"priority": 4,
"category": 13,
"description": "Enumerates system information."
},
{
"priority": 4,
"category": 4,
"description": "Possibly does process injection."
},
{
"priority": 4,
"category": 22,
"description": "Reads from files in Windows system directories."
},
{
"priority": 4,
"category": 11,
"description": "Requests permission required to lock physical pages in memory."
},
{
"priority": 3,
"category": 7,
"description": "Detects/enumerates process modules."
},
{
"priority": 3,
"category": 10,
"description": "Terminates a process/thread."
},
{
"priority": 3,
"category": 1,
"description": "Uses anti-debugging methods."
},
{
"priority": 3,
"category": 22,
"description": "Writes to files."
},
{
"priority": 2,
"category": 13,
"description": "Enumerates system variables."
},
{
"priority": 2,
"category": 10,
"description": "Might load additional DLLs and APIs."
},
{
"priority": 2,
"category": 12,
"description": "Monitors directory changes."
},
{
"priority": 2,
"category": 22,
"description": "Reads from files."
},
{
"priority": 2,
"category": 10,
"description": "Uses pipes for interprocess communication."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to api-ms-win-core-synch-l1-2-0.dll which is ApiSet Stub DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to kernel32.dll which is Windows NT BASE API Client DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to ntdll.dll which is NT Layer DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to powrprof.dll which is Power Profile Helper DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to psapi.dll which is Process Status Helper."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to user32.dll which is Multi-User Windows USER API Client DLL."
},
{
"priority": 1,
"category": 12,
"description": "Contains references to document file extensions."
},
{
"priority": 1,
"category": 12,
"description": "Contains references to executable file extensions."
},
{
"priority": 1,
"category": 12,
"description": "Contains references to source code file extensions."
},
{
"priority": 1,
"category": 22,
"description": "Creates/Opens a file."
}
],
"interesting_strings": [
{
"category": "http",
"values": [
"donate.v2.xmrig.com"
]
},
{
"category": "ipv4",
"values": [
"0.0.0.0",
"127.0.0.1",
"3.120.209.58:8080"
]
},
{
"category": "mailto",
"values": [
"pP0P@0.0.0.0"
]
}
],
"classification": {
"propagation_source": {
"name": "sha1",
"value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641"
},
"propagated": true,
"scan_results": [
{
"result": "Win32.Trojan.Graftor",
"type": "cloud",
"name": "TitaniumCloud",
"classification": 3,
"factor": 5
},
{
"result": "Win64.Coinminer.Malxmr",
"type": "cloud",
"name": "TitaniumCloud",
"classification": 3,
"factor": 4
}
],
"classification": 3,
"factor": 5
},
"metadata": {
"application": {
"capabilities": 827063294
}
}
},
{
"info": {
"file": {
"file_subtype": "Exe",
"entropy": 6.60580452906475,
"file_type": "PE",
"file_name": "0",
"hashes": [
{
"name": "md5",
"value": "8b84009488f7254a2be3c4409bcf286a"
},
{
"name": "rha0",
"value": "42f8f3d9c5a7044a0895c89f27c1d9cdc2777511"
},
{
"name": "sha1",
"value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641"
},
{
"name": "sha256",
"value": "91ad1155d57e91caa994da40fff6048eb8c10fcf9a6c1b7d5a393f605d718acc"
}
],
"file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/overlay/0",
"size": 620530
}
},
"indicators": [
{
"priority": 1,
"category": 12,
"description": "Contains references to executable file extensions."
}
],
"classification": {
"propagated": false,
"scan_results": [
{
"result": "Win32.Trojan.Graftor",
"type": "cloud",
"name": "TitaniumCloud",
"classification": 3,
"factor": 5
}
],
"classification": 3,
"factor": 5
},
"metadata": {
"application": {
"capabilities": 0
}
}
},
{
"info": {
"file": {
"file_subtype": "XML",
"entropy": 4.9116145157351045,
"file_type": "Text",
"file_name": "1",
"hashes": [
{
"name": "md5",
"value": "1e4a89b11eae0fcf8bb5fdd5ec3b6f61"
},
{
"name": "rha0",
"value": "4260284ce14278c397aaf6f389c1609b0ab0ce51"
},
{
"name": "sha1",
"value": "4260284ce14278c397aaf6f389c1609b0ab0ce51"
},
{
"name": "sha256",
"value": "4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df"
}
],
"file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/resource/1",
"size": 381
}
},
"classification": {
"propagated": false,
"scan_results": [
{
"type": "cloud",
"name": "TitaniumCloud",
"classification": 1,
"factor": 0
}
],
"classification": 1,
"factor": 0
}
}
]
}
},
"IndicatorTimeline": [],
"IgnoreAutoExtract": false,
"Note": false,
"Relationships": []
}
reversinglabs-titaniumscale-upload-sample#
Upload sample to TitaniumScale instance for analysis. Returns the taskUrl which can be later used to retrieve the report.
Input#
| Argument Name | Description | Required |
|---|---|---|
| entryId | entryId of the sample to upload | True |
Command Example#
!reversinglabs-titaniumscale-upload-sample entryId="3156@1651bd83-3242-43e4-8084-26de8937ca81"
Human Readable Output:#
Context Output#
| Path | Description |
|---|---|
| ReversingLabs.tc_task_url | URL to retrieve the report from |
Context Example:
{
"Type": 1,
"ContentsFormat": "json",
"Contents": {
"tc_task_url": "https://tiscale-worker-integrations-demo.rl.lan/api/tiscale/v1/task/15795"
},
"HumanReadable": "## ReversingLabs TitaniumScale file upload\n **Titanium Scale task URL**: https://tiscale-worker-integrations-demo.rl.lan/api/tiscale/v1/task/15795",
"EntryContext": {
"ReversingLabs": {
"tc_task_url": "https://tiscale-worker-integrations-demo.rl.lan/api/tiscale/v1/task/15795"
}
},
"IndicatorTimeline": [],
"IgnoreAutoExtract": false,
"Note": false,
"Relationships": []
}
reversinglabs-titaniumscale-get-results#
Retrieve analysis report from TitaniumScale instance by taskUrl.
Input#
| Argument Name | Description | Required |
|---|---|---|
| taskUrl | URL to fetch the report from | True |
Command Example#
!reversinglabs-titaniumscale-get-results taskUrl="https://tiscale-worker-integrations-demo.rl.lan/api/tiscale/v1/task/15794"
Human Readable Output:#
Context Output#
| Path | Description |
|---|---|
| File | File indicator |
| DBotScore | Score |
| ReversingLabs.tc_report | Full report in JSON |
Context Example:
{
"Type": 1,
"ContentsFormat": "json",
"Contents": {
"tc_report": [
{
"info": {
"file": {
"file_subtype": "Exe",
"entropy": 6.18799192412328,
"file_type": "PE+",
"file_name": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81",
"hashes": [
{
"name": "imphash",
"value": "71f37f91c14c4729e462a32b6b2ae9d4"
},
{
"name": "md5",
"value": "b44251a2f532cc8835f6ad164491ebae"
},
{
"name": "rha0",
"value": "e268f6a56d568c8b466dbb1f5671401a6898135e"
},
{
"name": "sha1",
"value": "277d75e0593937034e12ed185c91b6bb9bbdc3c5"
},
{
"name": "sha256",
"value": "4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f"
}
],
"file_path": "/scratch/1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81",
"size": 1653234
}
},
"indicators": [
{
"priority": 6,
"category": 10,
"description": "Executes a file."
},
{
"priority": 5,
"category": 0,
"description": "Contains IP addresses."
},
{
"priority": 5,
"category": 11,
"description": "Tampers with user/account privileges."
},
{
"priority": 5,
"category": 22,
"description": "Writes to files in Windows system directories."
},
{
"priority": 4,
"category": 22,
"description": "Creates/opens files in Windows system directories."
},
{
"priority": 4,
"category": 13,
"description": "Enumerates system information."
},
{
"priority": 4,
"category": 4,
"description": "Possibly does process injection."
},
{
"priority": 4,
"category": 22,
"description": "Reads from files in Windows system directories."
},
{
"priority": 4,
"category": 11,
"description": "Requests permission required to lock physical pages in memory."
},
{
"priority": 3,
"category": 7,
"description": "Detects/enumerates process modules."
},
{
"priority": 3,
"category": 10,
"description": "Terminates a process/thread."
},
{
"priority": 3,
"category": 1,
"description": "Uses anti-debugging methods."
},
{
"priority": 3,
"category": 22,
"description": "Writes to files."
},
{
"priority": 2,
"category": 13,
"description": "Enumerates system variables."
},
{
"priority": 2,
"category": 10,
"description": "Might load additional DLLs and APIs."
},
{
"priority": 2,
"category": 12,
"description": "Monitors directory changes."
},
{
"priority": 2,
"category": 22,
"description": "Reads from files."
},
{
"priority": 2,
"category": 10,
"description": "Uses pipes for interprocess communication."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to api-ms-win-core-synch-l1-2-0.dll which is ApiSet Stub DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to kernel32.dll which is Windows NT BASE API Client DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to ntdll.dll which is NT Layer DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to powrprof.dll which is Power Profile Helper DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to psapi.dll which is Process Status Helper."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to user32.dll which is Multi-User Windows USER API Client DLL."
},
{
"priority": 1,
"category": 12,
"description": "Contains references to document file extensions."
},
{
"priority": 1,
"category": 12,
"description": "Contains references to executable file extensions."
},
{
"priority": 1,
"category": 12,
"description": "Contains references to source code file extensions."
},
{
"priority": 1,
"category": 22,
"description": "Creates/Opens a file."
}
],
"interesting_strings": [
{
"category": "http",
"values": [
"donate.v2.xmrig.com"
]
},
{
"category": "ipv4",
"values": [
"0.0.0.0",
"127.0.0.1",
"3.120.209.58:8080"
]
},
{
"category": "mailto",
"values": [
"pP0P@0.0.0.0"
]
}
],
"classification": {
"propagation_source": {
"name": "sha1",
"value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641"
},
"propagated": true,
"scan_results": [
{
"result": "Win32.Trojan.Graftor",
"type": "cloud",
"name": "TitaniumCloud",
"classification": 3,
"factor": 5
},
{
"result": "Win64.Coinminer.Malxmr",
"type": "cloud",
"name": "TitaniumCloud",
"classification": 3,
"factor": 4
}
],
"classification": 3,
"factor": 5
},
"metadata": {
"application": {
"capabilities": 827063294
}
}
},
{
"info": {
"file": {
"file_subtype": "Exe",
"entropy": 6.60580452906475,
"file_type": "PE",
"file_name": "0",
"hashes": [
{
"name": "md5",
"value": "8b84009488f7254a2be3c4409bcf286a"
},
{
"name": "rha0",
"value": "42f8f3d9c5a7044a0895c89f27c1d9cdc2777511"
},
{
"name": "sha1",
"value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641"
},
{
"name": "sha256",
"value": "91ad1155d57e91caa994da40fff6048eb8c10fcf9a6c1b7d5a393f605d718acc"
}
],
"file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/overlay/0",
"size": 620530
}
},
"indicators": [
{
"priority": 1,
"category": 12,
"description": "Contains references to executable file extensions."
}
],
"classification": {
"propagated": false,
"scan_results": [
{
"result": "Win32.Trojan.Graftor",
"type": "cloud",
"name": "TitaniumCloud",
"classification": 3,
"factor": 5
}
],
"classification": 3,
"factor": 5
},
"metadata": {
"application": {
"capabilities": 0
}
}
},
{
"info": {
"file": {
"file_subtype": "XML",
"entropy": 4.9116145157351045,
"file_type": "Text",
"file_name": "1",
"hashes": [
{
"name": "md5",
"value": "1e4a89b11eae0fcf8bb5fdd5ec3b6f61"
},
{
"name": "rha0",
"value": "4260284ce14278c397aaf6f389c1609b0ab0ce51"
},
{
"name": "sha1",
"value": "4260284ce14278c397aaf6f389c1609b0ab0ce51"
},
{
"name": "sha256",
"value": "4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df"
}
],
"file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/resource/1",
"size": 381
}
},
"classification": {
"propagated": false,
"scan_results": [
{
"type": "cloud",
"name": "TitaniumCloud",
"classification": 1,
"factor": 0
}
],
"classification": 1,
"factor": 0
}
}
]
},
"HumanReadable": "## ReversingLabs TitaniumScale get report\n\n **Type:** PE+/Exe\n **Size:** 1653234 bytes \n\n **IMPHASH:** 71f37f91c14c4729e462a32b6b2ae9d4\n **MD5:** b44251a2f532cc8835f6ad164491ebae\n **RHA0:** e268f6a56d568c8b466dbb1f5671401a6898135e\n **SHA1:** 277d75e0593937034e12ed185c91b6bb9bbdc3c5\n **SHA256:** 4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f\n\n **Status:** malicious\n **TitaniumCloud:** Win32.Trojan.Graftor\n **DBot score:** 3\n",
"EntryContext": {
"File(val.MD5 && val.MD5 == obj.MD5 || val.SHA1 && val.SHA1 == obj.SHA1 || val.SHA256 && val.SHA256 == obj.SHA256 || val.SHA512 && val.SHA512 == obj.SHA512 || val.CRC32 && val.CRC32 == obj.CRC32 || val.CTPH && val.CTPH == obj.CTPH || val.SSDeep && val.SSDeep == obj.SSDeep)": [
{
"MD5": "b44251a2f532cc8835f6ad164491ebae",
"SHA1": "277d75e0593937034e12ed185c91b6bb9bbdc3c5",
"SHA256": "4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f",
"Malicious": {
"Vendor": "ReversingLabs TitaniumScale",
"Description": "\n **TitaniumCloud:** Win32.Trojan.Graftor"
}
}
],
"DBotScore(val.Indicator && val.Indicator == obj.Indicator && val.Vendor == obj.Vendor && val.Type == obj.Type)": [
{
"Indicator": "277d75e0593937034e12ed185c91b6bb9bbdc3c5",
"Type": "file",
"Vendor": "ReversingLabs TitaniumScale",
"Score": 3
}
],
"ReversingLabs": {
"tc_report": [
{
"info": {
"file": {
"file_subtype": "Exe",
"entropy": 6.18799192412328,
"file_type": "PE+",
"file_name": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81",
"hashes": [
{
"name": "imphash",
"value": "71f37f91c14c4729e462a32b6b2ae9d4"
},
{
"name": "md5",
"value": "b44251a2f532cc8835f6ad164491ebae"
},
{
"name": "rha0",
"value": "e268f6a56d568c8b466dbb1f5671401a6898135e"
},
{
"name": "sha1",
"value": "277d75e0593937034e12ed185c91b6bb9bbdc3c5"
},
{
"name": "sha256",
"value": "4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f"
}
],
"file_path": "/scratch/1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81",
"size": 1653234
}
},
"indicators": [
{
"priority": 6,
"category": 10,
"description": "Executes a file."
},
{
"priority": 5,
"category": 0,
"description": "Contains IP addresses."
},
{
"priority": 5,
"category": 11,
"description": "Tampers with user/account privileges."
},
{
"priority": 5,
"category": 22,
"description": "Writes to files in Windows system directories."
},
{
"priority": 4,
"category": 22,
"description": "Creates/opens files in Windows system directories."
},
{
"priority": 4,
"category": 13,
"description": "Enumerates system information."
},
{
"priority": 4,
"category": 4,
"description": "Possibly does process injection."
},
{
"priority": 4,
"category": 22,
"description": "Reads from files in Windows system directories."
},
{
"priority": 4,
"category": 11,
"description": "Requests permission required to lock physical pages in memory."
},
{
"priority": 3,
"category": 7,
"description": "Detects/enumerates process modules."
},
{
"priority": 3,
"category": 10,
"description": "Terminates a process/thread."
},
{
"priority": 3,
"category": 1,
"description": "Uses anti-debugging methods."
},
{
"priority": 3,
"category": 22,
"description": "Writes to files."
},
{
"priority": 2,
"category": 13,
"description": "Enumerates system variables."
},
{
"priority": 2,
"category": 10,
"description": "Might load additional DLLs and APIs."
},
{
"priority": 2,
"category": 12,
"description": "Monitors directory changes."
},
{
"priority": 2,
"category": 22,
"description": "Reads from files."
},
{
"priority": 2,
"category": 10,
"description": "Uses pipes for interprocess communication."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to api-ms-win-core-synch-l1-2-0.dll which is ApiSet Stub DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to kernel32.dll which is Windows NT BASE API Client DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to ntdll.dll which is NT Layer DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to powrprof.dll which is Power Profile Helper DLL."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to psapi.dll which is Process Status Helper."
},
{
"priority": 1,
"category": 10,
"description": "Contains reference to user32.dll which is Multi-User Windows USER API Client DLL."
},
{
"priority": 1,
"category": 12,
"description": "Contains references to document file extensions."
},
{
"priority": 1,
"category": 12,
"description": "Contains references to executable file extensions."
},
{
"priority": 1,
"category": 12,
"description": "Contains references to source code file extensions."
},
{
"priority": 1,
"category": 22,
"description": "Creates/Opens a file."
}
],
"interesting_strings": [
{
"category": "http",
"values": [
"donate.v2.xmrig.com"
]
},
{
"category": "ipv4",
"values": [
"0.0.0.0",
"127.0.0.1",
"3.120.209.58:8080"
]
},
{
"category": "mailto",
"values": [
"pP0P@0.0.0.0"
]
}
],
"classification": {
"propagation_source": {
"name": "sha1",
"value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641"
},
"propagated": true,
"scan_results": [
{
"result": "Win32.Trojan.Graftor",
"type": "cloud",
"name": "TitaniumCloud",
"classification": 3,
"factor": 5
},
{
"result": "Win64.Coinminer.Malxmr",
"type": "cloud",
"name": "TitaniumCloud",
"classification": 3,
"factor": 4
}
],
"classification": 3,
"factor": 5
},
"metadata": {
"application": {
"capabilities": 827063294
}
}
},
{
"info": {
"file": {
"file_subtype": "Exe",
"entropy": 6.60580452906475,
"file_type": "PE",
"file_name": "0",
"hashes": [
{
"name": "md5",
"value": "8b84009488f7254a2be3c4409bcf286a"
},
{
"name": "rha0",
"value": "42f8f3d9c5a7044a0895c89f27c1d9cdc2777511"
},
{
"name": "sha1",
"value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641"
},
{
"name": "sha256",
"value": "91ad1155d57e91caa994da40fff6048eb8c10fcf9a6c1b7d5a393f605d718acc"
}
],
"file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/overlay/0",
"size": 620530
}
},
"indicators": [
{
"priority": 1,
"category": 12,
"description": "Contains references to executable file extensions."
}
],
"classification": {
"propagated": false,
"scan_results": [
{
"result": "Win32.Trojan.Graftor",
"type": "cloud",
"name": "TitaniumCloud",
"classification": 3,
"factor": 5
}
],
"classification": 3,
"factor": 5
},
"metadata": {
"application": {
"capabilities": 0
}
}
},
{
"info": {
"file": {
"file_subtype": "XML",
"entropy": 4.9116145157351045,
"file_type": "Text",
"file_name": "1",
"hashes": [
{
"name": "md5",
"value": "1e4a89b11eae0fcf8bb5fdd5ec3b6f61"
},
{
"name": "rha0",
"value": "4260284ce14278c397aaf6f389c1609b0ab0ce51"
},
{
"name": "sha1",
"value": "4260284ce14278c397aaf6f389c1609b0ab0ce51"
},
{
"name": "sha256",
"value": "4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df"
}
],
"file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/resource/1",
"size": 381
}
},
"classification": {
"propagated": false,
"scan_results": [
{
"type": "cloud",
"name": "TitaniumCloud",
"classification": 1,
"factor": 0
}
],
"classification": 1,
"factor": 0
}
}
]
}
},
"IndicatorTimeline": [],
"IgnoreAutoExtract": false,
"Note": false,
"Relationships": []
}