Skip to main content

VirusTotal (API v3)

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This integration analyzes suspicious hashes, URLs, domains, and IP addresses. The integration was integrated and tested with version v3 API of VirusTotal.

Configure VirusTotal (API v3) on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for VirusTotal (API v3).

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    API KeySee Acquiring your API keyTrue
    Use system proxy settingsFalse
    Trust any certificate (not secure)False
    Source ReliabilityReliability of the source providing the intelligence data
    Premium SubscriptionWhether to use premium subscription. (For advanced reputation analyze. See Premium analysis - Relationship Files Threshold)False
    File Threshold. Minimum number of positive results from VT scanners to consider the file malicious.See Indicator Thresholds.False
    IP Threshold. Minimum number of positive results from VT scanners to consider the IP malicious.See Indicator Thresholds.False
    URL Threshold. Minimum number of positive results from VT scanners to consider the URL malicious.See Indicator Thresholds.False
    Domain Threshold. Minimum number of positive results from VT scanners to consider the domain malicious.See Indicator Thresholds.False
    Preferred Vendors List. CSV list of vendors who are considered more trustworthy.See Indicator Thresholds.False
    Preferred Vendor Threshold. The minimum number of highly trusted vendors required to consider a domain, IP address, URL, or file as malicious.See Indicator Thresholds.False
    Enable score analyzing by Crowdsourced Yara Rules, Sigma, and IDSSee Rules Threshold.False
    Crowdsourced Yara Rules ThresholdSee Rules Threshold.False
    Sigma and Intrusion Detection Rules ThresholdSee Rules Threshold.False
    Domain Popularity Ranking ThresholdSee Rules Threshold.False
    Premium Subscription Only: Relationship Files ThresholdSee Premium analysis - Relationship Files ThresholdFalse
  4. Click Test to validate the URLs, token, and connection.

Acquiring your API key#

Your API key can be found in your VirusTotal account user menu:

Your API key carries all your privileges, so keep it secure and don't share it with anyone.

DBot Score / Reputation scores#

The following information describes DBot Score which is new for this version.

Indicator Thresholds#

Configure the default threshold for each indicator type in the instance settings. You can also specify the threshold as an argument when running relevant commands.

  • Indicators with positive results from preferred vendors equal to or higher than the threshold will be considered malicious.
  • Indicators with positive results equal to or higher than the threshold will be considered malicious.
  • Indicators with positive results equal to or higher than half of the threshold value, and lower than the threshold, will be considered suspicious.

Rules Threshold#

If the YARA rules analysis threshold is enabled:

  • Indicators with positive results, the number of found YARA rules results, Sigma analysis, or IDS equal to or higher than the threshold, will be considered suspicious.
  • If both the the basic analysis and the rules analysis is suspicious, the indicator will be considered as malicious. If the indicator was found to be suspicious only by the rules thresholds, the indicator will be considered suspicious.

Premium analysis - Relationship Files Threshold#

If the organization is using the premium subscription of VirusTotal, you can use the premium API analysis. The premium API analysis will check 3 file relationships of each indicator (domain, url, and ip).

  • If the relationship is found to be malicious, the indicator will be considered malicious.
  • If the relationship is found to be suspicious and the basic score is suspicious, the indicator will be considered malicious.
  • If the relationship is found to be suspicious, the indicator will be considered suspicious.

The premium API analysis can call up to 4 API calls per indicator. If you want to decrease the use of the API quota, you can disable it.

Changes from VirusTotal integration#

The following lists the changes in this version according to the commands from the VirusTotal integration.

Reputation commands (ip, url, domain, and file)#

  • Removed output paths: Due to changes in VirusTotal API, the following output paths are no longer supported:

    • IP.VirusTotal

    • Domain.VirusTotal

    • URL.VirusTotal

    • File.VirusTotal

      Instead, you can use the following output paths that return concrete indicator reputations.

    • VirusTotal.Domain

    • VirusTotal.IP

  • Added output paths: For each command, outputs will appear under the following output paths:

    • VirusTotal.IP
    • VirusTotal.Domain
    • VirusTotal.File
    • VirusTotal.URL
  • The following commands will no longer analyze the file/url sent to it, but will get the information stored in VirusTotal.

    • VirusTotal.Domain
    • VirusTotal.IP

    To analyze (detonate) the indicator, you can use the following playbooks:

    • Detonate File - VirusTotal (API v3)
    • Detonate URL - VirusTotal (API v3)
  • Each reputation command will use at least 1 API call. For advanced reputation commands, use the Premium API flag.

  • For each reputation command there is the new extended_data argument . When set to "true", the results returned by the commands will contain
    additional information as last_analysis_results which contains the service name and its specific analysis.

Comments#

In VirusTotal (API v3) you can now add comments to all indicator types (IP, Domain, File and URL) so each command now has the resource_type argument. If supplied, the command will use the resource type to add a comment. If not, the command will determine if the given input is a hash or a URL. This arguments is available in the following commands:

  • vt-comments-get
  • vt-comments-add

vt-comments-get#

  • Added the resource_type argument. If not supplied, will try to determine if the resource argument is a hash or a URL.
  • Added the limit argument. Gets the latest comments within the given limit.
  • New output path: VirusTotal.Comments.

Detonation (scan) Commands#

Removed the vtLink output from all commands as it does no longer return from the API. To easily use the scan commands we suggest using the following playbooks:

  • Detonate File - VirusTotal (API v3)
  • Detonate URL - VirusTotal (API v3)

Use the vt-analysis-get command to get the report from the scans.

file#


Checks the file reputation of the specified hash.

Base Command#

file

Input#

Argument NameDescriptionRequired
fileHash of the file to query. Supports MD5, SHA1, and SHA256.Required
extended_dataWhether to return extended data (last_analysis_results). Possible values are: true, false.Optional

Context Output#

PathTypeDescription
File.MD5StringBad MD5 hash.
File.SHA1StringBad SHA1 hash.
File.SHA256StringBad SHA256 hash.
File.Malicious.VendorStringFor malicious files, the vendor that made the decision.
File.Malicious.DetectionsNumberFor malicious files, the total number of detections.
File.Malicious.TotalEnginesNumberFor malicious files, the total number of engines that checked the file hash.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the DBot score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
VirusTotal.File.attributes.type_descriptionStringDescription of the type of the file.
VirusTotal.File.attributes.tlshStringThe locality-sensitive hashing.
VirusTotal.File.attributes.exiftool.MIMETypeStringMIME type of the file.
VirusTotal.File.attributes.namesStringNames of the file.
VirusTotal.File.attributes.javascript_info.tagsStringTags of the JavaScript.
VirusTotal.File.attributes.exiftool.FileTypeStringThe file type.
VirusTotal.File.attributes.exiftool.WordCountStringTotal number of words in the file.
VirusTotal.File.attributes.exiftool.LineCountStringTotal number of lines in file.
VirusTotal.File.attributes.crowdsourced_ids_stats.infoNumberNumber of IDS that marked the file as "info".
VirusTotal.File.attributes.crowdsourced_ids_stats.highNumberNumber of IDS that marked the file as "high".
VirusTotal.File.attributes.crowdsourced_ids_stats.mediumNumberNumber of IDS that marked the file as "medium".
VirusTotal.File.attributes.crowdsourced_ids_stats.lowNumberNumber of IDS that marked the file as "low".
VirusTotal.File.attributes.sigma_analysis_stats.criticalNumberNumber of Sigma analysis that marked the file as "critical".
VirusTotal.File.attributes.sigma_analysis_stats.highNumberNumber of Sigma analysis that marked the file as "high".
VirusTotal.File.attributes.sigma_analysis_stats.mediumNumberNumber of Sigma analysis that marked the file as "medium".
VirusTotal.File.attributes.sigma_analysis_stats.lowNumberNumber of Sigma analysis that marked the file as "low".
VirusTotal.File.attributes.exiftool.MIMEEncodingStringThe MIME encoding.
VirusTotal.File.attributes.exiftool.FileTypeExtensionStringThe file type extension.
VirusTotal.File.attributes.exiftool.NewlinesStringNumber of newlines signs.
VirusTotal.File.attributes.trid.file_typeStringThe TrID file type.
VirusTotal.File.attributes.trid.probabilityNumberThe TrID probability.
VirusTotal.File.attributes.crowdsourced_yara_results.descriptionStringDescription of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.sourceStringSource of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.authorStringAuthor of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.ruleset_nameStringRule set name of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.rule_nameStringName of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.ruleset_idStringID of the YARA rule.
VirusTotal.File.attributes.namesStringName of the file.
VirusTotal.File.attributes.last_modification_dateNumberThe last modification date in epoch format.
VirusTotal.File.attributes.type_tagStringTag of the type.
VirusTotal.File.attributes.total_votes.harmlessNumberTotal number of harmless votes.
VirusTotal.File.attributes.total_votes.maliciousNumberTotal number of malicious votes.
VirusTotal.File.attributes.sizeNumberSize of the file.
VirusTotal.File.attributes.popular_threat_classification.suggested_threat_labelStringSuggested thread label.
VirusTotal.File.attributes.popular_threat_classification.popular_threat_nameNumberThe popular thread name.
VirusTotal.File.attributes.times_submittedNumberNumber of times the file was submitted.
VirusTotal.File.attributes.last_submission_dateNumberLast submission date in epoch format.
VirusTotal.File.attributes.downloadableBooleanWhether the file is downloadable.
VirusTotal.File.attributes.sha256StringSHA-256 hash of the file.
VirusTotal.File.attributes.type_extensionStringExtension of the type.
VirusTotal.File.attributes.tagsStringFile tags.
VirusTotal.File.attributes.last_analysis_dateNumberLast analysis date in epoch format.
VirusTotal.File.attributes.unique_sourcesNumberUnique sources.
VirusTotal.File.attributes.first_submission_dateNumberFirst submission date in epoch format.
VirusTotal.File.attributes.ssdeepStringSSDeep hash of the file.
VirusTotal.File.attributes.md5StringMD5 hash of the file.
VirusTotal.File.attributes.sha1StringSHA-1 hash of the file.
VirusTotal.File.attributes.magicStringIdentification of file by the magic number.
VirusTotal.File.attributes.last_analysis_stats.harmlessNumberThe number of engines that found the indicator to be harmless.
VirusTotal.File.attributes.last_analysis_stats.type-unsupportedNumberThe number of engines that found the indicator to be of type unsupported.
VirusTotal.File.attributes.last_analysis_stats.suspiciousNumberThe number of engines that found the indicator to be suspicious.
VirusTotal.File.attributes.last_analysis_stats.confirmed-timeoutNumberThe number of engines that confirmed the timeout of the indicator.
VirusTotal.File.attributes.last_analysis_stats.timeoutNumberThe number of engines that timed out for the indicator.
VirusTotal.File.attributes.last_analysis_stats.failureNumberThe number of failed analysis engines.
VirusTotal.File.attributes.last_analysis_stats.maliciousNumberThe number of engines that found the indicator to be malicious.
VirusTotal.File.attributes.last_analysis_stats.undetectedNumberThe number of engines that could not detect the indicator.
VirusTotal.File.attributes.meaningful_nameStringMeaningful name of the file.
VirusTotal.File.attributes.reputationNumberThe reputation of the file.
VirusTotal.File.typeStringType of the indicator (file).
VirusTotal.File.idStringType ID of the indicator.
VirusTotal.File.links.selfStringLink to the response.

Command Example#

!file file=6bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7e

Context Example#

{
"DBotScore": {
"Indicator": "6bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7e",
"Reliability": "A - Completely reliable",
"Score": 2,
"Type": "file",
"Vendor": "VirusTotal"
},
"File": {
"Extension": "txt",
"MD5": "bea65efcc00169dec4f7e2ed612e041f",
"SHA1": "24a0006bc375afc0987493f743ebc422ded9d561",
"SHA256": "6bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7e",
"SSDeep": "3:AIO9AJraNvsgzsVqSwHqiUZ:AeJuOgzskwZ",
"Size": 103,
"Tags": [
"text"
],
"Type": "text/plain"
},
"VirusTotal": {
"File": {
"attributes": {
"capabilities_tags": [],
"crowdsourced_yara_results": [
{
"author": "Marc Rivero | McAfee ATR Team",
"description": "Rule to detect the EICAR pattern",
"rule_name": "malw_eicar",
"ruleset_id": "0019ab4291",
"ruleset_name": "MALW_Eicar",
"source": "https://github.com/advanced-threat-research/Yara-Rules"
}
],
"downloadable": true,
"exiftool": {
"FileType": "TXT",
"FileTypeExtension": "txt",
"LineCount": "1",
"MIMEEncoding": "us-ascii",
"MIMEType": "text/plain",
"Newlines": "(none)",
"WordCount": "7"
},
"first_submission_date": 1613356237,
"last_analysis_date": 1617088893,
"last_analysis_stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 7,
"suspicious": 0,
"timeout": 1,
"type-unsupported": 16,
"undetected": 50
},
"last_modification_date": 1617088964,
"last_submission_date": 1613356237,
"magic": "ASCII text, with no line terminators",
"md5": "bea65efcc00169dec4f7e2ed612e041f",
"meaningful_name": "brokencert.exe",
"names": [
"brokencert.exe"
],
"popular_threat_classification": {
"popular_threat_name": [
[
"eicar",
7
]
],
"suggested_threat_label": "eicar/test"
},
"reputation": 0,
"sha1": "24a0006bc375afc0987493f743ebc422ded9d561",
"sha256": "6bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7e",
"size": 103,
"ssdeep": "3:AIO9AJraNvsgzsVqSwHqiUZ:AeJuOgzskwZ",
"tags": [
"text"
],
"times_submitted": 1,
"tlsh": "T1AEB01208274FFB1ED10738340431F8F14428434D1CD4697414911174887614512D8354",
"total_votes": {
"harmless": 0,
"malicious": 0
},
"type_description": "Text",
"type_extension": "txt",
"type_tag": "text",
"unique_sources": 1
},
"id": "6bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7e",
"links": {
"self": "https://www.virustotal.com/api/v3/files/6bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7e"
},
"type": "file"
}
}
}

Human Readable Output#

Results of file hash 6bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7e#

Sha1Sha256Md5MeaningfulNameTypeExtensionLast ModifiedReputationPositives
24a0006bc375afc0987493f743ebc422ded9d5616bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7ebea65efcc00169dec4f7e2ed612e041fbrokencert.exetxt2021-03-30 07:22:44Z07/74

url-scan#

  • New output path: VirusTotal.Submission
  • Preserved output: vtScanID
  • Removed output path: vtLink - The V3 API does not returns a link to the GUI anymore.

vt-file-scan-upload-url:#

  • New output path: VirusTotal.FileUploadURL
  • Preserved output: vtUploadURL

New Commands#

  • vt-search
  • vt-ip-passive-dns-data
  • vt-file-sandbox-report
  • vt-comments-get-by-id
  • vt-analysis-get

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip#


Checks the reputation of an IP address.

Base Command#

ip

Input#

Argument NameDescriptionRequired
ipIP address to check.Required
extended_dataWhether to return extended data (last_analysis_results). Possible values are: true, false.Optional

Context Output#

PathTypeDescription
IP.AddressunknownBad IP address.
IP.ASNunknownBad IP ASN.
IP.Geo.CountryunknownBad IP country.
IP.Malicious.VendorunknownFor malicious IPs, the vendor that made the decision.
IP.Malicious.DescriptionunknownFor malicious IPs, the reason that the vendor made the decision.
DBotScore.IndicatorunknownThe indicator that was tested.
DBotScore.TypeunknownThe indicator type.
DBotScore.VendorunknownThe vendor used to calculate the DBot score.
DBotScore.ScoreunknownThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
VirusTotal.IP.attributes.regional_internet_registryStringRegional internet registry (RIR).
VirusTotal.IP.attributes.jarmStringJARM data.
VirusTotal.IP.attributes.networkStringNetwork data.
VirusTotal.IP.attributes.countryStringThe country where the IP is located.
VirusTotal.IP.attributes.as_ownerStringIP owner.
VirusTotal.IP.attributes.last_analysis_stats.harmlessNumberThe number of engines that found the domain to be harmless.
VirusTotal.IP.attributes.last_analysis_stats.maliciousNumberThe number of engines that found the indicator to be malicious.
VirusTotal.IP.attributes.last_analysis_stats.suspiciousNumberThe number of engines that found the indicator to be suspicious.
VirusTotal.IP.attributes.last_analysis_stats.undetectedNumberThe number of engines that could not detect the indicator.
VirusTotal.IP.attributes.last_analysis_stats.timeoutNumberThe number of engines that timed out for the indicator.
VirusTotal.IP.attributes.asnNumberASN data.
VirusTotal.IP.attributes.whois_dateNumberDate of the last update of the whois record.
VirusTotal.IP.attributes.reputationNumberIP reputation.
VirusTotal.IP.attributes.last_modification_dateNumberLast modification date in epoch format.
VirusTotal.IP.attributes.total_votes.harmlessNumberTotal number of harmless votes.
VirusTotal.IP.attributes.total_votes.maliciousNumberTotal number of malicious votes.
VirusTotal.IP.attributes.continentStringThe continent where the IP is located.
VirusTotal.IP.attributes.whoisStringwhois data.
VirusTotal.IP.typeStringIndicator IP type.
VirusTotal.IP.idStringID of the IP.

Command Example#

!ip ip=1.1.1.1

Context Example#

{
"DBotScore": {
"Indicator": "1.1.1.1",
"Reliability": "A - Completely reliable",
"Score": 1,
"Type": "ip",
"Vendor": "VirusTotal"
},
"IP": {
"ASN": 13335,
"Address": "1.1.1.1",
"DetectionEngines": 82,
"Geo": {
"Country": "AU"
},
"PositiveDetections": 1
},
"VirusTotal": {
"IP": {
"attributes": {
"as_owner": "CLOUDFLARENET",
"asn": 13335,
"continent": "OC",
"country": "AU",
"jarm": "27d3ed3ed0003ed1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c",
"last_analysis_stats": {
"harmless": 73,
"malicious": 1,
"suspicious": 1,
"timeout": 0,
"undetected": 7
},
"last_https_certificate": {
"cert_signature": {
"signature": "3064023024c2cf6cbdf6aed1c9d51f4a742e3c3dd1c03edcd71bd394715bfea5861626820122d30a6efc98b5d2e2b9e5076977960230457b6f82a67db662c33185d5b5355d4f4c8488ac1a003d0c8440dcb0a7ca1c1327151e37f946c3aed9fdf9b9238b7f2a",
"signature_algorithm": "1.2.840.10045.4.3.3"
},
"extensions": {
"**exten**": "0481f200f00076002979bef09e393921f056739f63a577e5be577d9c600af8f9",
"CA": true,
"authority_key_identifier": {
"keyid": "0abc0829178ca5396d7a0ece33c72eb3edfbc37a"
},
"ca_information_access": {
"CA Issuers": "http://cacerts.example.com/exampleTLSHybridECCSHA3842020CA1.crt",
"OCSP": "http://ocsp.example.com"
},
"certificate_policies": [
"**policy**"
],
"crl_distribution_points": [
"http://crl3.example.com/exampleTLSHybridECCSHA3842020CA1.crl",
"http://crl4.example.com/exampleTLSHybridECCSHA3842020CA1.crl"
],
"extended_key_usage": [
"serverAuth",
"clientAuth"
],
"key_usage": [
"ff"
],
"subject_alternative_name": [
"cloudflare-dns.com",
"*.cloudflare-dns.com",
"one.one.one.one",
"\u0001\u0001\u0001\u0001",
"\u0001\u0001",
"\\xa2\\x9f$\\x01",
"\\xa2\\x9f.\\x01",
"&\u0006GG\u0011\u0011",
"&\u0006GG\u0010\u0001",
"GGd",
"GGd"
],
"subject_key_identifier": "e1b6fc06f9b98b05f4c1e2489b02b90bc1b53d79",
"tags": []
},
"issuer": {
"C": "US",
"CN": "example TLS Hybrid ECC SHA384 2020 CA1",
"O": "example Inc"
},
"public_key": {
"algorithm": "EC",
"ec": {
"oid": "secp256r1",
"pub": "0417ad1fe835af70d38d9c9e64fd471e5b970c0ad110a826321136664d1299c3e131bbf5216373dda5c1c1a0f06da4c45ee1c2dbdaf90d34801af7b9e03af2d574"
}
},
"serial_number": "5076f66d11b692256ccacd546ffec53",
"signature_algorithm": "1.2.840.10045.4.3.3",
"size": 1418,
"subject": {
"C": "US",
"CN": "cloudflare-dns.com",
"L": "San Francisco",
"O": "Cloudflare, Inc.",
"ST": "California"
},
"tags": [],
"thumbprint": "f1b38143b992645497cf452f8c1ac84249794282",
"thumbprint_sha256": "fb444eb8e68437bae06232b9f5091bccff62a768ca09e92eb5c9c2cf9d17c426",
"validity": {
"not_after": "2022-01-18 23:59:59",
"not_before": "2021-01-11 00:00:00"
},
"version": "V3"
},
"last_https_certificate_date": 1617041198,
"last_modification_date": 1617083545,
"network": "1.1.1.0/24",
"regional_internet_registry": "APNIC",
"reputation": 33,
"tags": [],
"total_votes": {
"harmless": 22,
"malicious": 6
},
"whois": "**whois string**",
"whois_date": 1615771527
},
"id": "1.1.1.1",
"links": {
"self": "https://www.virustotal.com/api/v3/ip_addresses/1.1.1.1"
},
"type": "ip_address"
}
}
}

Human Readable Output#

IP reputation of 1.1.1.1:#

IdNetworkCountryLastModifiedReputationPositives
1.1.1.11.1.1.0/24AU2021-03-30 05:52:25Z331/82

url#


Checks the reputation of a URL.

Base Command#

url

Input#

Argument NameDescriptionRequired
urlURL to check.Required
extended_dataWhether to return extended data (last_analysis_results). Possible values are: true, false.Optional

Context Output#

PathTypeDescription
URL.DataunknownBad URLs found.
URL.Malicious.VendorunknownFor malicious URLs, the vendor that made the decision.
URL.Malicious.DescriptionunknownFor malicious URLs, the reason that the vendor made the decision.
DBotScore.IndicatorunknownThe indicator that was tested.
DBotScore.TypeunknownThe indicator type.
DBotScore.VendorunknownThe vendor used to calculate the DBot score.
DBotScore.ScoreunknownThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
VirusTotal.URL.attributes.favicon.raw_md5StringThe MD5 hash of the URL.
VirusTotal.URL.attributes.favicon.dhashStringDifference hash.
VirusTotal.URL.attributes.last_modification_dateNumberLast modification date in epoch format.
VirusTotal.URL.attributes.times_submittedNumberThe number of times the url has been submitted.
VirusTotal.URL.attributes.total_votes.harmlessNumberTotal number of harmless votes.
VirusTotal.URL.attributes.total_votes.maliciousNumberTotal number of malicious votes.
VirusTotal.URL.attributes.threat_namesStringName of the threats found.
VirusTotal.URL.attributes.last_submission_dateNumberThe last submission date in epoch format.
VirusTotal.URL.attributes.last_http_response_content_lengthNumberThe last HTTPS response length.
VirusTotal.URL.attributes.last_http_response_headers.dateDateThe last response header date.
VirusTotal.URL.attributes.last_http_response_headers.x-sinkholeStringDNS sinkhole from last response.
VirusTotal.URL.attributes.last_http_response_headers.content-lengthStringThe content length of the last response.
VirusTotal.URL.attributes.last_http_response_headers.content-typeStringThe content type of the last response.
VirusTotal.URL.attributes.reputationNumberReputation of the indicator.
VirusTotal.URL.attributes.last_analysis_dateNumberThe date of the last analysis in epoch format.
VirusTotal.URL.attributes.has_contentBooleanWhether the url has content in it.
VirusTotal.URL.attributes.first_submission_dateNumberThe first submission date in epoch format.
VirusTotal.URL.attributes.last_http_response_content_sha256StringThe SHA-256 hash of the content of the last response.
VirusTotal.URL.attributes.last_http_response_codeNumberLast response status code.
VirusTotal.URL.attributes.last_final_urlStringLast final URL.
VirusTotal.URL.attributes.urlStringThe URL itself.
VirusTotal.URL.attributes.titleStringTitle of the page.
VirusTotal.URL.attributes.last_analysis_stats.harmlessNumberThe number of engines that found the domain to be harmless.
VirusTotal.URL.attributes.last_analysis_stats.maliciousNumberThe number of engines that found the indicator to be malicious.
VirusTotal.URL.attributes.last_analysis_stats.suspiciousNumberThe number of engines that found the indicator to be suspicious.
VirusTotal.URL.attributes.last_analysis_stats.undetectedNumberThe number of engines that could not detect the indicator.
VirusTotal.URL.attributes.last_analysis_stats.timeoutNumberThe number of engines that timed out for the indicator.
VirusTotal.URL.attributes.outgoing_linksStringOutgoing links of the URL page.
VirusTotal.URL.typeStringType of the indicator (url).
VirusTotal.URL.idStringID of the indicator.
VirusTotal.URL.links.selfStringLink to the response.

Command Example#

!url url=https://example.com

Context Example#

{
"DBotScore": {
"Indicator": "https://example.com",
"Reliability": "A - Completely reliable",
"Score": 2,
"Type": "url",
"Vendor": "VirusTotal"
},
"URL": {
"Category": {
"Dr.Web": "known infection source",
"Forcepoint ThreatSeeker": "information technology",
"alphaMountain.ai": "Malicious",
"sophos": "malware callhome, command and control"
},
"Data": "https://example.com",
"DetectionEngines": 86,
"PositiveDetections": 8
},
"VirusTotal": {
"URL": {
"attributes": {
"categories": {
"Dr.Web": "known infection source"
},
"first_submission_date": 1554509044,
"has_content": false,
"html_meta": {},
"last_analysis_date": 1615900309,
"last_analysis_stats": {
"harmless": 71,
"malicious": 8,
"suspicious": 0,
"timeout": 0,
"undetected": 7
},
"last_final_url": "https://example.com/dashboard/",
"last_http_response_code": 200,
"last_http_response_content_length": 1671,
"last_http_response_content_sha256": "f2ddbc5b5468c2cd9c28ae820420d32c4f53d088e4a1cc31f661230e4893104a",
"last_http_response_headers": {
"content-length": "1671",
"content-type": "text/html; charset=utf-8",
"date": "Tue, 16 Mar 2021 13:16:50 GMT",
"x-sinkhole": "Malware"
},
"last_modification_date": 1615900620,
"last_submission_date": 1615900309,
"outgoing_links": [
"http://www.example.com",
"http://www.example.com"
],
"reputation": 0,
"tags": [],
"targeted_brand": {},
"threat_names": [
"C2/Generic-A"
],
"times_submitted": 5,
"title": "Welcome page",
"total_votes": {
"harmless": 0,
"malicious": 0
},
"trackers": {},
"url": "https://example.com/"
},
"id": "84eb1485254266e093683024b3bd172abde615fc6a37498707ca912964a108a9",
"links": {
"self": "https://www.virustotal.com/api/v3/urls/84eb1485254266e093683024b3bd172abde615fc6a37498707ca912964a108a9"
},
"type": "url"
}
}
}

Human Readable Output#

URL data of "https://example.com"#

UrlTitleLastModifiedHasContentLastHttpResponseContentSha256PositivesReputation
https://example.comWelcome page2021-03-16 13:17:00Zfalsef2ddbc5b5468c2cd9c28ae820420d32c4f53d088e4a1cc31f661230e4893104a8/860

domain#


Checks the reputation of a domain.

Base Command#

domain\

Input#

Argument NameDescriptionRequired
domainDomain name to check.Required
extended_dataWhether to return extended data (last_analysis_results). Possible values are: true, false.Optional

Context Output#

PathTypeDescription
Domain.NameunknownBad domain found.
Domain.Malicious.VendorunknownFor malicious domains, the vendor that made the decision.
Domain.Malicious.DescriptionunknownFor malicious domains, the reason that the vendor made the decision.
DBotScore.IndicatorunknownThe indicator that was tested.
DBotScore.TypeunknownThe indicator type.
DBotScore.VendorunknownThe vendor used to calculate the score.
DBotScore.ScoreunknownThe actual DBot score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
VirusTotal.Domain.attributes.last_dns_records.typeStringThe type of the last DNS records.
VirusTotal.Domain.attributes.last_dns_records.valueStringThe value of the last DNS records.
VirusTotal.Domain.attributes.last_dns_records.ttlNumberThe time To live (ttl) of the last DNS records.
VirusTotal.Domain.attributes.jarmStringJARM data.
VirusTotal.Domain.attributes.whoisStringwhois data.
VirusTotal.Domain.attributes.last_dns_records_dateNumberThe last DNS records date in epoch format.
VirusTotal.Domain.attributes.last_analysis_stats.harmlessNumberThe number of engines that found the domain to be harmless.
VirusTotal.Domain.attributes.last_analysis_stats.maliciousNumberThe number of engines that found the indicator to be malicious.
VirusTotal.Domain.attributes.last_analysis_stats.suspiciousNumberThe number of engines that found the indicator to be suspicious.
VirusTotal.Domain.attributes.last_analysis_stats.undetectedNumberThe number of engines that could not detect the indicator.
VirusTotal.Domain.attributes.last_analysis_stats.timeoutNumberThe number of engines that timed out for the indicator.
VirusTotal.Domain.attributes.favicon.raw_md5StringMD5 hash of the domain.
VirusTotal.Domain.attributes.favicon.dhashStringDifference hash.
VirusTotal.Domain.attributes.reputationNumberReputation of the indicator.
VirusTotal.Domain.attributes.registrarStringRegistrar information.
VirusTotal.Domain.attributes.last_update_dateNumberLast updated date in epoch format.
VirusTotal.Domain.attributes.last_modification_dateNumberLast modification date in epoch format.
VirusTotal.Domain.attributes.creation_dateNumberCreation date in epoch format.
VirusTotal.Domain.attributes.total_votes.harmlessNumberTotal number of harmless votes.
VirusTotal.Domain.attributes.total_votes.maliciousNumberTotal number of malicious votes.
VirusTotal.Domain.typeStringType of indicator (domain).
VirusTotal.Domain.idStringID of the domain.
VirusTotal.Domain.links.selfStringLink to the domain investigation.

Command Example#

!domain domain=example.com

Context Example#

{
"DBotScore": {
"Indicator": "example.com",
"Reliability": "A - Completely reliable",
"Score": 2,
"Type": "domain",
"Vendor": "VirusTotal"
},
"Domain": {
"Admin": {
"Country": " PA",
"Email": " [REDACTED]@whoisguard.com",
"Name": " WhoisGuard, Inc.",
"Phone": null
},
"CreationDate": [
" 2017-01-21T16:26:19.0Z"
],
"ExpirationDate": " 2018-01-21T23:59:59.0Z",
"Name": "example.com",
"NameServers": [
" PDNS1.REGISTRAR-SERVERS.COM"
],
"Registrant": {
"Country": " PA",
"Email": " [REDACTED]@whoisguard.com",
"Name": null,
"Phone": null
},
"Registrar": {
"AbuseEmail": " abuse@namecheap.com",
"AbusePhone": " +1.6613102107",
"Name": [
" Namecheap",
" NAMECHEAP INC"
]
},
"UpdatedDate": [
"2017-03-06T21:52:39.0Z"
],
"WHOIS": {
"Admin": {
"Country": " PA",
"Email": " [REDACTED]@whoisguard.com",
"Name": " WhoisGuard, Inc.",
"Phone": null
},
"CreationDate": [
"2017-01-21T16:26:19.0Z"
],
"ExpirationDate": " 2018-01-21T23:59:59.0Z",
"NameServers": [
" PDNS1.REGISTRAR-SERVERS.COM"
],
"Registrant": {
"Country": " PA",
"Email": " [REDACTED]@whoisguard.com",
"Name": null,
"Phone": null
},
"Registrar": {
"AbuseEmail": " abuse@namecheap.com",
"AbusePhone": " +1.6613102107",
"Name": [
" Namecheap",
" NAMECHEAP INC"
]
},
"UpdatedDate": [
" 2017-03-06T21:52:39.0Z"
]
}
},
"VirusTotal": {
"Domain": {
"attributes": {
"categories": {
"Dr.Web": "known infection source",
"Forcepoint ThreatSeeker": "information technology",
"alphaMountain.ai": "Malicious",
"sophos": "malware callhome, command and control"
},
"creation_date": 1485015979,
"favicon": {
"dhash": "f4cca89496a0ccb2",
"raw_md5": "6eb4a43cb64c97f76562af703893c8fd"
},
"jarm": "29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38",
"last_analysis_stats": {
"harmless": 66,
"malicious": 8,
"suspicious": 0,
"timeout": 0,
"undetected": 8
},
"last_dns_records": [
{
"ttl": 3599,
"type": "A",
"value": "value"
}
],
"last_dns_records_date": 1615900633,
"last_modification_date": 1615900633,
"last_update_date": 1488837159,
"popularity_ranks": {},
"registrar": "Namecheap",
"reputation": 0,
"tags": [],
"total_votes": {
"harmless": 0,
"malicious": 0
},
"whois": "**whoisstring**"
},
"id": "example.com",
"links": {
"self": "https://www.virustotal.com/api/v3/domains/example.com"
},
"type": "domain"
}
}
}

Human Readable Output#

Domain data of example.com#

IdRegistrant CountryLastModifiedLastAnalysisStats
example.comPA2021-03-16 13:17:13Zharmless: 66
malicious: 8
suspicious: 0
undetected: 8
timeout: 0

url-scan#


Scans a specified URL. Use the vt-analysis-get command to get the scan results.

Base Command#

url-scan

Input#

Argument NameDescriptionRequired
urlThe URL to scan.Required

Context Output#

PathTypeDescription
VirusTotal.Submission.TypeStringThe type of the submission (analysis).
VirusTotal.Submission.idStringThe ID of the submission.
VirusTotal.Submission.hashStringThe indicator sent to rescan.

Command Example#

!url-scan url=https://example.com

Context Example#

{
"VirusTotal": {
"Submission": {
"id": "u-0f115db062b7c0dd030b16878c99dea5c354b49dc37b38eb8846179c7783e9d7-1617088890",
"type": "analysis",
"url": "https://example.com"
}
},
"vtScanID": "u-0f115db062b7c0dd030b16878c99dea5c354b49dc37b38eb8846179c7783e9d7-1617088890"
}

Human Readable Output#

New url submission:#

idurl
u-0f115db062b7c0dd030b16878c99dea5c354b49dc37b38eb8846179c7783e9d7-1617088890https://example.com

vt-comments-add#


Adds comments to files and URLs.

Base Command#

vt-comments-add

Input#

Argument NameDescriptionRequired
resourceThe file hash (MD5, SHA1, orSHA256), Domain, URL or IP on which you're commenting on. If not supplied, will try to determine if it's a hash or a url.Required
resource_typeThe type of the resource on which you're commenting. Possible values are: ip, url, domain, hash.Optional
commentThe actual review that you can tag by using the "#" twitter-like syntax, for example, #disinfection #zbot, and reference users using the "@" syntax, for example, @VirusTotalTeam.Required

Context Output#

PathTypeDescription
VirusTotal.Comments.comments.attributes.dateNumberThe date of the comment in epoch format.
VirusTotal.Comments.comments.attributes.textStringThe text of the comment.
VirusTotal.Comments.comments.attributes.votes.positiveNumberNumber of positive votes.
VirusTotal.Comments.comments.attributes.votes.abuseNumberNumber of abuse votes.
VirusTotal.Comments.comments.attributes.votes.negativeNumberNumber of negative votes.
VirusTotal.Comments.comments.attributes.htmlStringThe HTML content.
VirusTotal.Comments.comments.typeStringThe type of the comment.
VirusTotal.Comments.comments.idStringID of the comment.
VirusTotal.Comments.comments.links.selfStringLink to the request.

Command Example#

!vt-comments-add resource=paloaltonetworks.com resource_type=domain comment="this is a comment"

Context Example#

{
"VirusTotal": {
"Comments": {
"comments": {
"attributes": {
"date": 1617088894,
"html": "this is a comment",
"tags": [],
"text": "this is a comment",
"votes": {
"abuse": 0,
"negative": 0,
"positive": 0
}
},
"id": "d-paloaltonetworks.com-e757b16b",
"links": {
"self": "https://www.virustotal.com/api/v3/comments/d-paloaltonetworks.com-e757b16b"
},
"type": "comment"
}
}
}
}

Human Readable Output#

Comment has been added!#

DateTextPositive VotesAbuse VotesNegative Votes
2021-03-30 07:21:34Zthis is a comment000

vt-file-scan-upload-url#


Premium API. Get a special URL for files larger than 32 MB.

Base Command#

vt-file-scan-upload-url

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
VirusTotal.FileUploadURLunknownThe special upload URL for large files.

Command Example#

!vt-file-scan-upload-url

Context Example#

{
"VirusTotal": {
"FileUploadURL": "https://www.virustotal.com/_ah/upload/AMmfu6ZDt_t1X9y-O6BDDco3BzQM0u4LOTdib_B49i9MI7ykV6mdrQMbA4HETkMCGizBzmzUaitIbRrzPjls4hrNhR-IUxvNxIt3VoR1OiqAaDqkDvNOAjjZ5BEBt0otSxzkH2stfChRSCqVosoGsVQ2qztWqeVmLxqBrCUM0sRaQo713Q3WfgpJc5wuwAPhwif71bsgJU4KKIadzH67y6xYqiZem9OVpHEjvRFwdjUByntJtTJS0aMJ-DmgXVUeTQ_WjDm1U21Y9wDaU24j1CUnwiYCBhMw42YcZ0ppVuQ56qfeShflThXTtjCFHMMhEZ4YbzQXgbToLgzfPRy6T4fAozwKE1IR9XdzZzmoJmiV5Bc3f4DT6QSf6hLbVjmnY0WPTfjsZwchX7yT4zWZ2HzSXR6DkqGuL1FAKCMCz_t5bx4la9XBbrboitsMbufmfxtD_4VtRYpWya5TcS9eQuuRAfvAsZS85Dqdd_BtmT9itbYvr64W2FJIKZW4j1fwrxMbrap0_6J_qWSxOgqWFWPZp_xloSUJA9Qepi5pj8QD_MZ1yhuTvLN5u2nxcE6-szdXHL3mgAJmPTDy0FcFMvk-vnHrv3GAojhP9IURHHBm_qkRpesEGGlEIcAe7dYRv2mocjeyRI4PCCRuY-dLHj41SfSZosqhgrgHu8WEh9x9z3L-DDoeiRi3lDkKrPjXdAhx4uVKxtuOJT44y3Md32c3iFV-xjr8ZPJHMUz7j1h6r4IVbek5t--q1fBwmoFIiUodVPupXLj21GtQPneiWiCXvevHf9zMxU2Av9aqvAlISqhJoiId2Yza1AvOLWQh6PhNPwXAY5Qo18zV0RGm33kNZn4J-n4svIE--y1b_9j4IApdtf65Mue1lFJ0B6RlEIjRbeaSB5P6U7LUFCbzmhiagw2x9xf_5EmsQn66-EtAH42E7Rurcu1G4QflDL0vMky54ukk8Nx8d-bQgfqmkSVhqELH_Ht-taO1doAqNiatdzDpbAxAOUo2Uf1VAaDpBJnLq1Yfh2qn7EqQniBBedR8YY4A4-ApYW_ZgrclceyrWJ_zLOsDU9NlNVeuuSQ98q2Qbn0x5pN6/ALBNUaYAAAAAYGLUFoVWv3ZAaGqdk9AzEGlZ9eUZoyHd/"
},
"vtUploadURL": "https://www.virustotal.com/_ah/upload/AMmfu6ZDt_t1X9y-O6BDDco3BzQM0u4LOTdib_B49i9MI7ykV6mdrQMbA4HETkMCGizBzmzUaitIbRrzPjls4hrNhR-IUxvNxIt3VoR1OiqAaDqkDvNOAjjZ5BEBt0otSxzkH2stfChRSCqVosoGsVQ2qztWqeVmLxqBrCUM0sRaQo713Q3WfgpJc5wuwAPhwif71bsgJU4KKIadzH67y6xYqiZem9OVpHEjvRFwdjUByntJtTJS0aMJ-DmgXVUeTQ_WjDm1U21Y9wDaU24j1CUnwiYCBhMw42YcZ0ppVuQ56qfeShflThXTtjCFHMMhEZ4YbzQXgbToLgzfPRy6T4fAozwKE1IR9XdzZzmoJmiV5Bc3f4DT6QSf6hLbVjmnY0WPTfjsZwchX7yT4zWZ2HzSXR6DkqGuL1FAKCMCz_t5bx4la9XBbrboitsMbufmfxtD_4VtRYpWya5TcS9eQuuRAfvAsZS85Dqdd_BtmT9itbYvr64W2FJIKZW4j1fwrxMbrap0_6J_qWSxOgqWFWPZp_xloSUJA9Qepi5pj8QD_MZ1yhuTvLN5u2nxcE6-szdXHL3mgAJmPTDy0FcFMvk-vnHrv3GAojhP9IURHHBm_qkRpesEGGlEIcAe7dYRv2mocjeyRI4PCCRuY-dLHj41SfSZosqhgrgHu8WEh9x9z3L-DDoeiRi3lDkKrPjXdAhx4uVKxtuOJT44y3Md32c3iFV-xjr8ZPJHMUz7j1h6r4IVbek5t--q1fBwmoFIiUodVPupXLj21GtQPneiWiCXvevHf9zMxU2Av9aqvAlISqhJoiId2Yza1AvOLWQh6PhNPwXAY5Qo18zV0RGm33kNZn4J-n4svIE--y1b_9j4IApdtf65Mue1lFJ0B6RlEIjRbeaSB5P6U7LUFCbzmhiagw2x9xf_5EmsQn66-EtAH42E7Rurcu1G4QflDL0vMky54ukk8Nx8d-bQgfqmkSVhqELH_Ht-taO1doAqNiatdzDpbAxAOUo2Uf1VAaDpBJnLq1Yfh2qn7EqQniBBedR8YY4A4-ApYW_ZgrclceyrWJ_zLOsDU9NlNVeuuSQ98q2Qbn0x5pN6/ALBNUaYAAAAAYGLUFoVWv3ZAaGqdk9AzEGlZ9eUZoyHd/"
}

Human Readable Output#

New upload url acquired!#

Upload url
https://www.virustotal.com/_ah/upload/AMmfu6ZDt_t1X9y-O6BDDco3BzQM0u4LOTdib_B49i9MI7ykV6mdrQMbA4HETkMCGizBzmzUaitIbRrzPjls4hrNhR-IUxvNxIt3VoR1OiqAaDqkDvNOAjjZ5BEBt0otSxzkH2stfChRSCqVosoGsVQ2qztWqeVmLxqBrCUM0sRaQo713Q3WfgpJc5wuwAPhwif71bsgJU4KKIadzH67y6xYqiZem9OVpHEjvRFwdjUByntJtTJS0aMJ-DmgXVUeTQ_WjDm1U21Y9wDaU24j1CUnwiYCBhMw42YcZ0ppVuQ56qfeShflThXTtjCFHMMhEZ4YbzQXgbToLgzfPRy6T4fAozwKE1IR9XdzZzmoJmiV5Bc3f4DT6QSf6hLbVjmnY0WPTfjsZwchX7yT4zWZ2HzSXR6DkqGuL1FAKCMCz_t5bx4la9XBbrboitsMbufmfxtD_4VtRYpWya5TcS9eQuuRAfvAsZS85Dqdd_BtmT9itbYvr64W2FJIKZW4j1fwrxMbrap0_6J_qWSxOgqWFWPZp_xloSUJA9Qepi5pj8QD_MZ1yhuTvLN5u2nxcE6-szdXHL3mgAJmPTDy0FcFMvk-vnHrv3GAojhP9IURHHBm_qkRpesEGGlEIcAe7dYRv2mocjeyRI4PCCRuY-dLHj41SfSZosqhgrgHu8WEh9x9z3L-DDoeiRi3lDkKrPjXdAhx4uVKxtuOJT44y3Md32c3iFV-xjr8ZPJHMUz7j1h6r4IVbek5t--q1fBwmoFIiUodVPupXLj21GtQPneiWiCXvevHf9zMxU2Av9aqvAlISqhJoiId2Yza1AvOLWQh6PhNPwXAY5Qo18zV0RGm33kNZn4J-n4svIE--y1b_9j4IApdtf65Mue1lFJ0B6RlEIjRbeaSB5P6U7LUFCbzmhiagw2x9xf_5EmsQn66-EtAH42E7Rurcu1G4QflDL0vMky54ukk8Nx8d-bQgfqmkSVhqELH_Ht-taO1doAqNiatdzDpbAxAOUo2Uf1VAaDpBJnLq1Yfh2qn7EqQniBBedR8YY4A4-ApYW_ZgrclceyrWJ_zLOsDU9NlNVeuuSQ98q2Qbn0x5pN6/ALBNUaYAAAAAYGLUFoVWv3ZAaGqdk9AzEGlZ9eUZoyHd/

vt-comments-delete#


Delete a comment.

Base Command#

vt-comments-delete

Input#

Argument NameDescriptionRequired
idComment ID.Required

Context Output#

There is no context output for this command.

Command Example#

!vt-comments-delete id=d-paloaltonetworks.com-7886a33c

Human Readable Output#

Comment d-paloaltonetworks.com-7886a33c has been deleted!

vt-comments-get#


Retrieves comments for a given resource.

Base Command#

vt-comments-get

Input#

Argument NameDescriptionRequired
resourceThe file hash (MD5, SHA1, orSHA256), Domain, URL or IP on which you're commenting on. If not supplied, will try to determine if it's a hash or a url.Required
resource_typeThe type of the resource on which you're commenting. If not supplied, will determine if it's a url or a file. Possible values are: ip, url, domain, file.Optional
limitMaximum comments to fetch. Default is 10.Optional
beforeFetch only comments before the given time.Optional

Context Output#

PathTypeDescription
VirusTotal.Comments.idStringID that contains the comment (the given hash, domain, url, or ip).
VirusTotal.Comments.comments.attributes.dateNumberThe date of the comment in epoch format.
VirusTotal.Comments.comments.attributes.textStringThe text of the comment.
VirusTotal.Comments.comments.attributes.votes.positiveNumberNumber of positive votes.
VirusTotal.Comments.comments.attributes.votes.abuseNumberNumber of abuse votes.
VirusTotal.Comments.comments.attributes.votes.negativeNumberNumber of negative votes.
VirusTotal.Comments.comments.attributes.htmlStringThe HTML content.
VirusTotal.Comments.comments.typeStringThe type of the comment.
VirusTotal.Comments.comments.idStringID of the commented.
VirusTotal.Comments.comments.links.selfStringLink to the request

Command Example#

!vt-comments-get resource=https://paloaltonetworks.com

Context Example#

{
"VirusTotal": {
"Comments": {
"comments": [
{
"attributes": {
"date": 1616325673,
"html": "another comment",
"tags": [],
"text": "another comment",
"votes": {
"abuse": 0,
"negative": 0,
"positive": 0
}
},
"id": "u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-fe2d6a9e",
"links": {
"self": "https://www.virustotal.com/api/v3/comments/u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-fe2d6a9e"
},
"type": "comment"
},
{
"attributes": {
"date": 1616325673,
"html": "another comment",
"tags": [],
"text": "another comment",
"votes": {
"abuse": 0,
"negative": 0,
"positive": 0
}
},
"id": "u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-d63782a9",
"links": {
"self": "https://www.virustotal.com/api/v3/comments/u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-d63782a9"
},
"type": "comment"
},
{
"attributes": {
"date": 1616313101,
"html": "a new comment",
"tags": [],
"text": "a new comment",
"votes": {
"abuse": 0,
"negative": 0,
"positive": 0
}
},
"id": "u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-97a331a3",
"links": {
"self": "https://www.virustotal.com/api/v3/comments/u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-97a331a3"
},
"type": "comment"
},
{
"attributes": {
"date": 1616313067,
"html": "a comment",
"tags": [],
"text": "a comment",
"votes": {
"abuse": 0,
"negative": 0,
"positive": 0
}
},
"id": "u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-ae0de9fc",
"links": {
"self": "https://www.virustotal.com/api/v3/comments/u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-ae0de9fc"
},
"type": "comment"
}
],
"indicator": "https://paloaltonetworks.com"
}
}
}

Human Readable Output#

Virus Total comments of url: "https://paloaltonetworks.com"#

DateTextPositive VotesAbuse VotesNegative Votes
2021-03-21 11:21:13Zanother comment000
2021-03-21 11:21:13Zanother comment000
2021-03-21 07:51:41Za new comment000
2021-03-21 07:51:07Za comment000

vt-comments-get-by-id#


Retrieves a comment by comment ID.

Base Command#

vt-comments-get-by-id

Input#

Argument NameDescriptionRequired
idThe comment's ID. Can be retrieved using the vt-comments-get command.Required

Context Output#

PathTypeDescription
VirusTotal.Comments.comments.idStringID of the comment.
VirusTotal.Comments.comments.attributes.dateNumberThe date of the comment in epoch format.
VirusTotal.Comments.comments.attributes.textStringThe text of the comment.
VirusTotal.Comments.comments.attributes.votes.positiveNumberNumber of positive votes.
VirusTotal.Comments.comments.attributes.votes.abuseNumberNumber of abuse votes.
VirusTotal.Comments.comments.attributes.votes.negativeNumberNumber of negative votes.
VirusTotal.Comments.comments.attributes.htmlStringThe HTML content.
VirusTotal.Comments.comments.typeStringThe type of the comment.
VirusTotal.Comments.comments.links.selfStringLink to the request.

Command Example#

!vt-comments-get-by-id id=d-paloaltonetworks.com-64591897

Context Example#

{
"VirusTotal": {
"Comments": {
"comments": {
"attributes": {
"date": 1615195751,
"html": "a new comment!",
"tags": [],
"text": "a new comment!",
"votes": {
"abuse": 0,
"negative": 0,
"positive": 0
}
},
"id": "d-paloaltonetworks.com-64591897",
"links": {
"self": "https://www.virustotal.com/api/v3/comments/d-paloaltonetworks.com-64591897"
},
"type": "comment"
}
}
}
}

Human Readable Output#

Comment of ID d-paloaltonetworks.com-64591897#

DateTextPositive VotesAbuse VotesNegative Votes
2021-03-08 09:29:11Za new comment!000

vt-search#


Search for an indicator in VirusTotal.

Base Command#

vt-search

Input#

Argument NameDescriptionRequired
queryThis endpoint searches any of the following: A file hash, URL, domain, IP address, tag comments.Required
extended_dataWhether to return extended data (last_analysis_results). Possible values are: true, false.Optional
limitMaximum number of results to fetch. Default is 10.Optional

Context Output#

PathTypeDescription
VirusTotal.SearchResults.attributes.last_analysis_stats.harmlessNumberNumber of engines that found the indicator to be harmless.
VirusTotal.SearchResults.attributes.last_analysis_stats.maliciousNumberNumber of engines that found the indicator to be malicious.
VirusTotal.SearchResults.attributes.last_analysis_stats.suspiciousNumberNumber of engines that found the indicator to be suspicious.
VirusTotal.SearchResults.attributes.last_analysis_stats.undetectedNumberNumber of engines that could not detect the indicator.
VirusTotal.SearchResults.attributes.last_analysis_stats.timeoutNumberNumber of engines that timed out.
VirusTotal.SearchResults.attributes.reputationNumberThe indicator's reputation
VirusTotal.SearchResults.attributes.last_modification_dateNumberThe last modification date in epoch format.
VirusTotal.SearchResults.attributes.total_votes.harmlessNumberTotal number of harmless votes.
VirusTotal.SearchResults.attributes.total_votes.maliciousNumberTotal number of malicious votes.
VirusTotal.SearchResults.typeStringThe type of the indicator (ip, domain, url, file).
VirusTotal.SearchResults.idStringID of the indicator.
VirusTotal.SearchResults.links.selfStringLink to the response.

Command Example#

!vt-search query=paloaltonetworks.com

Context Example#

{
"VirusTotal": {
"SearchResults": {
"attributes": {
"categories": {
"BitDefender": "marketing",
"Forcepoint ThreatSeeker": "information technology",
"alphaMountain.ai": "Business/Economy, Information Technology",
"sophos": "information technology"
},
"creation_date": 1108953730,
"favicon": {
"dhash": "02e9ecb69ac869a8",
"raw_md5": "920c3c89139c32d356fa4b8b61616f37"
},
"jarm": "29d3fd00029d29d00042d43d00041d598ac0c1012db967bb1ad0ff2491b3ae",
"last_analysis_stats": {
"harmless": 75,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"undetected": 7
},
"last_dns_records": [
{
"ttl": 14399,
"type": "TXT",
"value": "atlassian-domain-verification=WeW32v7AwYQEviMzlNjYyXNMUngcnmIMtNZKJ69TuQUoda5T6DFFV/A6rRvOzwvs"
}
],
"last_dns_records_date": 1616986415,
"last_https_certificate": {
"cert_signature": {
"signature": "signature",
"signature_algorithm": "sha256RSA"
},
"extensions": {
"**exten**": "0482016a0168007600a4b90990b418581487bb13a2cc67700a3c359804f91bdf",
"CA": true,
"authority_key_identifier": {
"keyid": "40c2bd278ecc348330a233d7fb6cb3f0b42c80ce"
},
"ca_information_access": {
"CA Issuers": "http://certificates.example.com/repository/gdig2.crt",
"OCSP": "http://ocsp.example.com/"
},
"certificate_policies": [
"**policy**"
],
"crl_distribution_points": [
"http://example.com/gdig2s1-1677.crl"
],
"extended_key_usage": [
"serverAuth",
"clientAuth"
],
"key_usage": [
"ff"
],
"subject_alternative_name": [
"www.paloaltonetworks.com"
],
"subject_key_identifier": "ed89d4b918aab2968bd1dfde421a179c51445be0",
"tags": []
},
"issuer": {
"C": "US",
"CN": "Go Daddy Secure Certificate Authority - G2",
"L": "Scottsdale",
"O": "example.com, Inc.",
"OU": "http://certs.example.com/repository/",
"ST": "Arizona"
},
"public_key": {
"algorithm": "RSA",
"rsa": {
"exponent": "010001",
"key_size": 2048,
"modulus": "modulus"
}
},
"serial_number": "f5fa379466d9884a",
"signature_algorithm": "sha256RSA",
"size": 1963,
"subject": {
"CN": "www.paloaltonetworks.com",
"OU": "Domain Control Validated"
},
"tags": [],
"thumbprint": "0296c20e3a4a607b8d9e2af86155cde04594535e",
"thumbprint_sha256": "17bb7bda507abc602bdf1b160d7f51edaccac39fd34f8dab1e793c3612cfc8c2",
"validity": {
"not_after": "2022-01-27 16:52:24",
"not_before": "2020-01-27 16:52:24"
},
"version": "V3"
},
"last_https_certificate_date": 1616986415,
"last_modification_date": 1617084294,
"last_update_date": 1594825871,
"popularity_ranks": {
"Alexa": {
"rank": 32577,
"timestamp": 1617032161
}
},
"registrar": "MarkMonitor Inc.",
"reputation": 0,
"tags": [],
"total_votes": {
"harmless": 0,
"malicious": 0
},
"whois": "whois string",
"whois_date": 1615321176
},
"id": "paloaltonetworks.com",
"links": {
"self": "https://www.virustotal.com/api/v3/domains/paloaltonetworks.com"
},
"type": "domain"
}
}
}

Human Readable Output#

Search result of query paloaltonetworks.com#

CategoriesCreationDateLastAnalysisStats
Forcepoint ThreatSeeker: information technology
sophos: information technology
BitDefender: marketing
alphaMountain.ai: Business/Economy, Information Technology
1108953730harmless: 75
malicious: 0
suspicious: 0
undetected: 7
timeout: 0

vt-file-sandbox-report#


Retrieves a behavioral relationship of the given file hash.

Base Command#

vt-file-sandbox-report

Input#

Argument NameDescriptionRequired
fileHash of the file to query. Supports MD5, SHA1, and SHA256.Required
limitMaximum number of results to fetch. Default is 10.Optional

Context Output#

PathTypeDescription
SandboxReport.attributes.analysis_dateNumberThe date of the analysis in epoch format.
SandboxReport.attributes.behashStringBehash of the attribute.
SandboxReport.attributes.command_executionsStringWhich command were executed.
SandboxReport.attributes.dns_lookups.hostnameStringHost names found in the lookup.
SandboxReport.attributes.dns_lookups.resolved_ipsStringThe IPs that were resolved.
SandboxReport.attributes.files_attribute_changedStringThe file attributes that were changed.
SandboxReport.attributes.has_html_reportBooleanWhether there is an HTML report.
SandboxReport.attributes.has_pcapBooleanWhether the IP has a PCAP file.
SandboxReport.attributes.http_conversations.request_methodStringThe request method of the HTTP conversation.
SandboxReport.attributes.http_conversations.response_headers.Cache-ControlStringThe cache-control method of the response header.
SandboxReport.attributes.http_conversations.response_headers.ConnectionStringThe connection of the response header.
SandboxReport.attributes.http_conversations.response_headers.Content-LengthStringTHe Content-Length of the response header.
SandboxReport.attributes.http_conversations.response_headers.Content-TypeStringThe Content-Type of the response header.
SandboxReport.attributes.http_conversations.response_headers.PragmaStringThe pragma of the response header.
SandboxReport.attributes.http_conversations.response_headers.ServerStringThe server of the response header.
SandboxReport.attributes.http_conversations.response_headers.Status-LineStringThe Status-Line of the response header.
SandboxReport.attributes.http_conversations.response_status_codeNumberThe response status code.
SandboxReport.attributes.http_conversations.urlStringThe conversation URL.
SandboxReport.attributes.last_modification_dateNumberLast modified data in epoch format.
SandboxReport.attributes.modules_loadedStringLoaded modules.
SandboxReport.attributes.mutexes_createdStringThe mutexes that were created.
SandboxReport.attributes.mutexes_openedStringThe mutexes that were opened.
SandboxReport.attributes.processes_createdStringThe processes that were created.
SandboxReport.attributes.processes_tree.nameStringThe name of the process tree.
SandboxReport.attributes.processes_tree.process_idStringThe ID of the process.
SandboxReport.attributes.registry_keys_deletedStringDeleted registry keys.
SandboxReport.attributes.registry_keys_set.keyStringKey of the registry key.
SandboxReport.attributes.registry_keys_set.valueStringValue of the registry key.
SandboxReport.attributes.sandbox_nameStringThe name of the sandbox.
SandboxReport.attributes.services_startedStringThe services that were started.
SandboxReport.attributes.verdictsStringThe verdicts.
SandboxReport.idStringThe IP analyzed.
SandboxReport.links.selfStringLink to the response.
SandboxReport.attributes.files_dropped.pathStringPath of the file dropped.
SandboxReport.attributes.files_dropped.sha256StringSHA-256 hash of the dropped files.
SandboxReport.attributes.files_openedStringThe files that were opened.
SandboxReport.attributes.files_writtenStringThe files that were written.
SandboxReport.attributes.ip_traffic.destination_ipStringDestination IP in the traffic.
SandboxReport.attributes.ip_traffic.destination_portNumberDestination port in the traffic.
SandboxReport.attributes.ip_traffic.transport_layer_protocolStringTransport layer protocol in the traffic.
SandboxReport.attributes.registry_keys_openedStringThe registry keys that were opened.
SandboxReport.attributes.tagsStringThe tags of the DNS data.
SandboxReport.attributes.files_copied.destinationStringDestination of the files copied.
SandboxReport.attributes.files_copied.sourceStringSource of the files copied.
SandboxReport.attributes.permissions_requestedStringThe permissions that where requested.
SandboxReport.attributes.processes_injectedStringThe processes that were injected.
SandboxReport.attributes.processes_terminatedStringThe processes that were terminated.
SandboxReport.attributes.processes_tree.children.nameStringThe name of the children of the process.
SandboxReport.attributes.processes_tree.children.process_idStringThe ID of the children of the process.
SandboxReport.attributes.services_openedStringThe services that were opened.
SandboxReport.attributes.text_highlightedStringThe text that was highlighted.
SandboxReport.attributes.calls_highlightedStringThe calls that were highlighted.
SandboxReport.attributes.processes_tree.children.time_offsetNumberThe time offset of the children in the process.
SandboxReport.links.selfStringThe link to the response.
SandboxReport.meta.countNumberThe number of objects that were found in the attributes.

Command Example#

!vt-file-sandbox-report file=2b294b3499d1cce794badffc959b7618

Context Example#

{
"VirusTotal": {
"SandboxReport": [
{
"attributes": {
"analysis_date": 1558429832,
"behash": "079386becc949a2aafdcd2c6042cf0a9",
"command_executions": [
"C:\\DOCUME~1\\Miller\\LOCALS~1\\Temp\\Win32.AgentTesla.exe",
],
"dns_lookups": [
{
"hostname": "checkip.dyndns.org",
"resolved_ips": [
"**ip**"
]
},
{
"hostname": "checkip.dyndns.org",
"resolved_ips": [
"**ip**"
]
}
],
"files_attribute_changed": [
"C:\\Documents and Settings\\Miller\\Local Settings\\Temp\\xws\\xws.exe"
],
"has_html_report": false,
"has_pcap": false,
"http_conversations": [
{
"request_method": "GET",
"response_headers": {
"Cache-Control": "no-cache",
"Connection": "close",
"Content-Length": "107",
"Content-Type": "text/html",
"Pragma": "no-cache",
"Server": "DynDNS-CheckIP/1.0.1",
"Status-Line": "HTTP/1.1 200"
},
"response_status_code": 200,
"url": "http://checkip.dyndns.org/"
},
{
"request_method": "GET",
"response_headers": {
"Cache-Control": "no-cache",
"Connection": "close",
"Content-Length": "105",
"Content-Type": "text/html",
"Pragma": "no-cache",
"Server": "DynDNS-CheckIP/1.0.1",
"Status-Line": "HTTP/1.1 200"
},
"response_status_code": 200,
"url": "http://checkip.dyndns.org/"
}
],
"last_modification_date": 1588377117,
"modules_loaded": [
"c:\\windows\\system32\\imm32.dll"
],
"mutexes_created": [
"CTF.Compart.MutexDefaultS-1-5-21-1229272821-1563985344-1801674531-1003"
],
"mutexes_opened": [
"ShimCacheMutex"
],
"processes_created": [
"C:\\DOCUME~1\\Miller\\LOCALS~1\\Temp\\Win32.AgentTesla.exe"
],
"processes_tree": [
{
"name": "C:\\DOCUME~1\\Miller\\LOCALS~1\\Temp\\Win32.AgentTesla.exe",
"process_id": "272"
}
],
"registry_keys_deleted": [
"HKU\\S-1-5-21-3712457824-2419000099-45725732-1005\\SOFTWARE\\CLASSES\\MSCFILE\\SHELL\\OPEN\\COMMAND"
],
"registry_keys_set": [
{
"key": "HKU\\S-1-5-21-1229272821-1563985344-1801674531-1003\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
"value": "xws"
}
],
"sandbox_name": "Lastline",
"services_started": [
"RASMAN",
"WinHttpAutoProxySvc"
],
"verdicts": [
"MALWARE",
"TROJAN"
]
},
"id": "699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_Lastline",
"links": {
"self": "https://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_Lastline"
},
"type": "file_behaviour"
},
{
"attributes": {
"analysis_date": 1561405459,
"files_dropped": [
{
"path": "\\Users\\Petra\\AppData\\Local\\Temp\\xws\\xws.exe",
"sha256": "699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3"
}
],
"files_opened": [
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config"
],
"files_written": [
"C:\\Users\\<USER>\\AppData\\Local\\Temp\\xws\\xws.exe"
],
"has_html_report": false,
"has_pcap": false,
"ip_traffic": [
{
"destination_ip": "**ip**",
"destination_port": 80,
"transport_layer_protocol": "TCP"
}
],
"last_modification_date": 1563272815,
"processes_tree": [
{
"name": "1526312897-2b294b349.pe32",
"process_id": "2624"
}
],
"registry_keys_opened": [
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\OLE",
],
"registry_keys_set": [
{
"key": "\\REGISTRY\\USER\\S-1-5-21-1119815420-2032815650-2779196966-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"value": "xws"
}
],
"sandbox_name": "SNDBOX",
"tags": [
"PERSISTENCE"
]
},
"id": "699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_SNDBOX",
"links": {
"self": "https://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_SNDBOX"
},
"type": "file_behaviour"
},
{
"attributes": {
"analysis_date": 1601545446,
"behash": "7617055bb3994dea99c19877fd7ec55a",
"command_executions": [
"\"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\EB93A6\\996E.exe\"",
"Shutdown -r -t 5"
],
"dns_lookups": [
{
"hostname": "checkip.dyndns.org"
}
],
"files_copied": [
{
"destination": "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\xws\\xws.exe ",
"source": "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\EB93A6\\996E.exe "
}
],
"files_opened": [
"C:\\WINDOWS\\system32\\winime32.dll"
],
"files_written": [
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\xws\\xws.exe",
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Ktx.exe"
],
"has_html_report": true,
"has_pcap": false,
"last_modification_date": 1601545448,
"modules_loaded": [
"ADVAPI32.dll"
],
"mutexes_created": [
"CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500",
],
"mutexes_opened": [
"ShimCacheMutex"
],
"permissions_requested": [
"SE_DEBUG_PRIVILEGE"
],
"processes_created": [
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\EB93A6\\996E.exe"
],
"processes_injected": [
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\EB93A6\\996E.exe"
],
"processes_terminated": [
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\EB93A6\\996E.exe"
],
"processes_tree": [
{
"children": [
{
"children": [
{
"name": "shutdown.exe",
"process_id": "2336"
}
],
"name": "****.exe",
"process_id": "1024"
}
],
"name": "****.exe",
"process_id": "628"
}
],
"registry_keys_opened": [
"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\996E.exe"
],
"registry_keys_set": [
{
"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\xws",
"value": "C:\\Users\\<USER>\\AppData\\Local\\Temp\\xws\\xws.exe"
}
],
"sandbox_name": "VirusTotal Jujubox",
"tags": [
"DIRECT_CPU_CLOCK_ACCESS"
],
"text_highlighted": [
"C:\\Windows\\system32\\cmd.exe"
]
},
"id": "699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_VirusTotal Jujubox",
"links": {
"self": "https://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_VirusTotal Jujubox"
},
"type": "file_behaviour"
}
]
}
}

Human Readable Output#

Sandbox Reports for file hash: 2b294b3499d1cce794badffc959b7618#

AnalysisDateLastModificationDateSandboxNameLink
15584298321588377117Lastlinehttps://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_Lastline
15614054591563272815SNDBOXhttps://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_SNDBOX
16015454461601545448Tencent HABOhttps://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_Tencent HABO
15923731371592373137VirusTotal Jujuboxhttps://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_VirusTotal Jujubox

vt-passive-dns-data#


Returns passive DNS records by indicator.

Base Command#

vt-passive-dns-data

Input#

Argument NameDescriptionRequired
ipIP for which to get its DNS data.Required
limitMaximum number of results to fetch. Default is 10.Optional

Context Output#

PathTypeDescription
VirusTotal.PassiveDNS.attributes.dateNumberDate of the DNS analysis in epoch format.
VirusTotal.PassiveDNS.attributes.host_nameStringThe DNS host name.
VirusTotal.PassiveDNS.attributes.ip_addressStringThe DNS IP address.
VirusTotal.PassiveDNS.attributes.resolverStringThe name of the resolver.
VirusTotal.PassiveDNS.idStringThe ID of the resolution.
VirusTotal.PassiveDNS.links.selfStringThe link to the resolution.
VirusTotal.PassiveDNS.typeStringThe type of the resolution.

Command Example#

!vt-passive-dns-data ip=1.1.1.1

Context Example#

{
"VirusTotal": {
"PassiveDNS": [
{
"attributes": {
"date": 1617085962,
"host_name": "muhaha.xyz",
"ip_address": "1.1.1.1",
"resolver": "VirusTotal"
},
"id": "1.1.1.1muhaha.xyz",
"links": {
"self": "https://www.virustotal.com/api/v3/resolutions/1.1.1.1muhaha.xyz"
},
"type": "resolution"
}
]
}
}

Human Readable Output#

Passive DNS data for IP 1.1.1.1#

IdDateHostNameIpAddressResolver
1.1.1.1muhaha.xyz1617085962muhaha.xyz1.1.1.1VirusTotal

vt-analysis-get#


Retrieves resolutions of the given IP.

Base Command#

vt-analysis-get

Input#

Argument NameDescriptionRequired
idID of the analysis (from file-scan, file-rescan, or url-scan).Required
extended_dataWhether to return extended data (last_analysis_results).Optional

Context Output#

PathTypeDescription
VirusTotal.Analysis.data.attributes.dateNumberDate of the analysis in epoch format.
VirusTotal.Analysis.data.attributes.stats.harmlessNumberNumber of engines that found the indicator to be harmless.
VirusTotal.Analysis.data.attributes.stats.maliciousNumberNumber of engines that found the indicator to be malicious.
VirusTotal.Analysis.data.attributes.stats.suspiciousNumberNumber of engines that found the indicator to be suspicious.
VirusTotal.Analysis.data.attributes.stats.timeoutNumberhe number of engines that timed out for the indicator.
VirusTotal.Analysis.data.attributes.stats.undetectedNumberNumber of engines the found the indicator to be undetected.
VirusTotal.Analysis.data.attributes.statusStringStatus of the analysis.
VirusTotal.Analysis.data.idStringID of the analysis.
VirusTotal.Analysis.data.typeStringType of object (analysis).
VirusTotal.Analysis.meta.file_info.sha256StringSHA-256 hash of the file (if it is a file).
VirusTotal.Analysis.meta.file_info.sha1StringSHA-1 hash of the file (if it is a file).
VirusTotal.Analysis.meta.file_info.md5StringMD5 hash of the file (if it is a file).
VirusTotal.Analysis.meta.file_info.nameunknownName of the file (if it is a file).
VirusTotal.Analysis.meta.file_info.sizeStringSize of the file (if it is a file).
VirusTotal.Analysis.meta.url_info.idStringID of the url (if it is a URL).
VirusTotal.Analysis.meta.url_info.urlStringThe URL (if it is a URL).
VirusTotal.Analysis.idStringThe analysis ID.

Command Example#

!vt-analysis-get id=u-20694f234fbac92b1dcc16f424aa1c85e9dd7af75b360745df6484dcae410853-1613980758

Context Example#

{
"VirusTotal": {
"Analysis": {
"data": {
"attributes": {
"date": 1613980758,
"results": {
"ADMINUSLabs": {
"category": "harmless",
"engine_name": "ADMINUSLabs",
"method": "blacklist",
"result": "clean"
}
},
"stats": {
"harmless": 69,
"malicious": 7,
"suspicious": 0,
"timeout": 0,
"undetected": 7
},
"status": "completed"
},
"id": "u-20694f234fbac92b1dcc16f424aa1c85e9dd7af75b360745df6484dcae410853-1613980758",
"links": {
"self": "https://www.virustotal.com/api/v3/analyses/u-20694f234fbac92b1dcc16f424aa1c85e9dd7af75b360745df6484dcae410853-1613980758"
},
"type": "analysis"
},
"id": "u-20694f234fbac92b1dcc16f424aa1c85e9dd7af75b360745df6484dcae410853-1613980758",
"meta": {
"url_info": {
"id": "20694f234fbac92b1dcc16f424aa1c85e9dd7af75b360745df6484dcae410853"
}
}
}
}
}

Human Readable Output#

Analysis results:#

IdStatsStatus
u-20694f234fbac92b1dcc16f424aa1c85e9dd7af75b360745df6484dcae410853-1613980758harmless: 69
malicious: 7
suspicious: 0
undetected: 7
timeout: 0
completed