Skip to main content

VirusTotal (API v3)

This Integration is part of the VirusTotal Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

VirusTotal (API v3)#

This integration analyzes suspicious hashes, URLs, domains, and IP addresses. The integration was integrated and tested with version v3 API of VirusTotal.

Configure VirusTotal (API v3) in Cortex#

ParameterDescriptionRequired
API KeySee Acquiring your API keyTrue
Use system proxy settingsFalse
Trust any certificate (not secure)False
Source ReliabilityReliability of the source providing the intelligence data
Premium SubscriptionWhether to use premium subscription. (For advanced reputation analyze. See Premium analysis - Relationship Files Threshold)False
File Malicious Threshold. Minimum number of positive results from VT scanners to consider the file malicious.See Indicator Thresholds.False
File Suspicious Threshold. Minimum number of positive and suspicious results from VT scanners to consider the file suspicious.See Indicator Thresholds.False
IP Malicious Threshold. Minimum number of positive results from VT scanners to consider the IP malicious.See Indicator Thresholds.False
IP Suspicious Threshold. Minimum number of positive and suspicious results from VT scanners to consider the IP suspicious.See Indicator Thresholds.False
Disable reputation lookups for private IP addressesTo reduce the number of lookups made to the VT API, this option can be selected to gracefully skip enrichment of any IP addresses allocated for private networks.False
URL Malicious Threshold. Minimum number of positive results from VT scanners to consider the URL malicious.See Indicator Thresholds.False
URL Suspicious Threshold. Minimum number of positive and suspicious results from VT scanners to consider the URL suspicious.See Indicator Thresholds.False
Domain Malicious Threshold. Minimum number of positive results from VT scanners to consider the domain malicious.See Indicator Thresholds.False
Domain Suspicious Threshold. Minimum number of positive and suspicious results from VT scanners to consider the domain suspicious.See Indicator Thresholds.False
Preferred Vendors List. CSV list of vendors who are considered more trustworthy.See Indicator Thresholds.False
Preferred Vendor Threshold. The minimum number of highly trusted vendors required to consider a domain, IP address, URL, or file as malicious.See Indicator Thresholds.False
Enable score analyzing by Crowdsourced Yara Rules, Sigma, and IDSSee Rules Threshold.False
Crowdsourced Yara Rules ThresholdSee Rules Threshold.False
Sigma and Intrusion Detection Rules ThresholdSee Rules Threshold.False
Domain Popularity Ranking ThresholdSee Rules Threshold.False
Premium Subscription Only: Relationship Malicious Files ThresholdSee Premium analysis - Relationship Files ThresholdFalse
Premium Subscription Only: Relationship Suspicious Files ThresholdSee Premium analysis - Relationship Files ThresholdFalse

Acquiring your API key#

Your API key can be found in your VirusTotal account user menu: how to get api key in virus total Your API key carries all your privileges, so keep it secure and don't share it with anyone.

DBot Score / Reputation scores#

The following information describes DBot Score which is new for this version.

Indicator Thresholds#

Configure the default threshold for each indicator type in the instance settings. You can also specify the threshold as an argument when running relevant commands.

  • Indicators with positive results from preferred vendors equal to or higher than the threshold will be considered malicious.
  • Indicators with positive results equal to or higher than the malicious threshold will be considered malicious.
  • Indicators with positive results equal to or higher than the suspicious threshold value will be considered suspicious.
  • Domain popularity ranks: VirusTotal is returning a popularity ranks for each vendor. The integration will calculate its average and will compare it to the threshold.

Rules Threshold#

If the YARA rules analysis threshold is enabled:

  • Indicators with positive results, the number of found YARA rules results, Sigma analysis, or IDS equal to or higher than the threshold, will be considered suspicious.
  • If both the the basic analysis and the rules analysis is suspicious, the indicator will be considered as malicious. If the indicator was found to be suspicious only by the rules thresholds, the indicator will be considered suspicious.
  • Domain popularity ranks: VirusTotal is returning a popularity ranks for each vendor. The integration will calculate its average and will compare it to the threshold.

The DbotScore calculation process can be seen on the "description" field in any malicious/suspicious DBot score. You can aquire those calculation on all of the indicators also from the debug log.

Example of a VirusTotal (API v3) DBot score log:

Basic analyzing of "<domain>"
Found popularity ranks. Analyzing.
The average of the ranks is 809009.0 and the threshold is 10000
Indicator is good by popularity ranks.
Analyzing by get_domain_communicating_files
Found safe by relationship files. total_malicious=0 >= 3
Analyzing by get_url_downloaded_files
Found safe by relationship files. total_malicious=0 >= 3
Analyzing by get_url_referrer_files
Found safe by relationship files. total_malicious=0 >= 3

Premium analysis - Relationship Files Threshold#

If the organization is using the premium subscription of VirusTotal, you can use the premium API analysis. The premium API analysis will check 3 file relationships of each indicator (domain, url, and ip).

  • If the relationship is found to be malicious, the indicator will be considered malicious.
  • If the relationship is found to be suspicious and the basic score is suspicious, the indicator will be considered malicious.
  • If the relationship is found to be suspicious, the indicator will be considered suspicious.

The premium API analysis can call up to 4 API calls per indicator. If you want to decrease the use of the API quota, you can disable it.

Changes from VirusTotal integration#

The following lists the changes in this version according to the commands from the VirusTotal integration.

Reputation commands (ip, url, domain, and file)#

  • Removed output paths: Due to changes in VirusTotal API, the following output paths are no longer supported:

    • IP.VirusTotal

    • Domain.VirusTotal

    • URL.VirusTotal

    • File.VirusTotal

      Instead, you can use the following output paths that return concrete indicator reputations.

    • VirusTotal.IP

    • VirusTotal.Domain

    • VirusTotal.File

    • VirusTotal.URL

  • The following commands will no longer analyze the file/url sent to it, but will get the information stored in VirusTotal.

    • VirusTotal.Domain
    • VirusTotal.IP

    To analyze (detonate) the indicator, you can use the following playbooks:

    • Detonate File - VirusTotal (API v3)
    • Detonate URL - VirusTotal (API v3)
  • Each reputation command will use at least 1 API call. For advanced reputation commands, use the Premium API flag.

  • For each reputation command there is the new extended_data argument . When set to "true", the results returned by the commands will contain additional information as last_analysis_results which contains the service name and its specific analysis.

  • Reputation commands can return relationships of the indicator. The relationships that are supported are defined as part of the instance configuration. For more information regarding URL relationships, see: https://docs.virustotal.com/reference/url-object For more information regarding IP relationships, see: https://docs.virustotal.com/reference/ip-object For more information regarding Domain relationships, see: https://docs.virustotal.com/reference/domains-object For more information regarding File relationships, see: https://docs.virustotal.com/reference/files

  • Starting with XSOAR version 6.8.0, You may monitor API usage via the VirusTotal API Execution Metrics dashboard.

Comments#

In VirusTotal (API v3) you can now add comments to all indicator types (IP, Domain, File and URL) so each command now has the resource_type argument. If supplied, the command will use the resource type to add a comment. If not, the command will determine if the given input is a hash or a URL. This arguments is available in the following commands:

  • vt-comments-get
  • vt-comments-add

vt-comments-get#

  • Added the resource_type argument. If not supplied, will try to determine if the resource argument is a hash or a URL.
  • Added the limit argument. Gets the latest comments within the given limit.
  • New output path: VirusTotal.Comments.

Detonation (scan) Commands#

Removed the vtLink output from all commands as it does no longer return from the API. To easily use the scan commands we suggest using the following playbooks:

  • Detonate File - VirusTotal (API v3)
  • Detonate URL - VirusTotal (API v3)

Use the vt-analysis-get command to get the report from the scans.

file#


Checks the file reputation of the specified hash.

Base Command#

file

Input#

Argument NameDescriptionRequired
fileHash of the file to query. Supports MD5, SHA1, and SHA256.Required
extended_dataWhether to return extended data (last_analysis_results). Possible values are: true, false.Optional

Context Output#

PathTypeDescription
File.MD5StringBad MD5 hash.
File.SHA1StringBad SHA1 hash.
File.SHA256StringBad SHA256 hash.
File.Relationships.EntityAStringThe source of the relationship.
File.Relationships.EntityBStringThe destination of the relationship.
File.Relationships.RelationshipStringThe name of the relationship.
File.Relationships.EntityATypeStringThe type of the source of the relationship.
File.Relationships.EntityBTypeStringThe type of the destination of the relationship.
File.Malicious.VendorStringFor malicious files, the vendor that made the decision.
File.Malicious.DescriptionStringFor malicious files, the reason that the vendor made the decision.
File.Malicious.DetectionsNumberFor malicious files, the total number of detections.
File.Malicious.TotalEnginesNumberFor malicious files, the total number of engines that checked the file hash.
File.VTVendors.EngineDetectionsNumberNumber of VT vendors that flagged the file as malicious.
File.VTVendors.EngineVendorsArrayVT vendors who flagged the file as malicious.
File.VTVendors.EngineDetectionNamesArrayVT detection names that flagged the file as malicious.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorunknownThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
VirusTotal.File.attributes.type_descriptionStringDescription of the type of the file.
VirusTotal.File.attributes.tlshStringThe locality-sensitive hashing.
VirusTotal.File.attributes.exiftool.MIMETypeStringMIME type of the file.
VirusTotal.File.attributes.namesStringNames of the file.
VirusTotal.File.attributes.javascript_info.tagsStringTags of the JavaScript.
VirusTotal.File.attributes.exiftool.FileTypeStringThe file type.
VirusTotal.File.attributes.exiftool.WordCountStringTotal number of words in the file.
VirusTotal.File.attributes.exiftool.LineCountStringTotal number of lines in file.
VirusTotal.File.attributes.crowdsourced_ids_stats.infoNumberNumber of IDS that marked the file as "info".
VirusTotal.File.attributes.crowdsourced_ids_stats.highNumberNumber of IDS that marked the file as "high".
VirusTotal.File.attributes.crowdsourced_ids_stats.mediumNumberNumber of IDS that marked the file as "medium".
VirusTotal.File.attributes.crowdsourced_ids_stats.lowNumberNumber of IDS that marked the file as "low".
VirusTotal.File.attributes.sigma_analysis_stats.criticalNumberNumber of Sigma analysis that marked the file as "critical".
VirusTotal.File.attributes.sigma_analysis_stats.highNumberNumber of Sigma analysis that marked the file as "high".
VirusTotal.File.attributes.sigma_analysis_stats.mediumNumberNumber of Sigma analysis that marked the file as "medium".
VirusTotal.File.attributes.sigma_analysis_stats.lowNumberNumber of Sigma analysis that marked the file as "low".
VirusTotal.File.attributes.exiftool.MIMEEncodingStringThe MIME encoding.
VirusTotal.File.attributes.exiftool.FileTypeExtensionStringThe file type extension.
VirusTotal.File.attributes.exiftool.NewlinesStringNumber of newlines signs.
VirusTotal.File.attributes.trid.file_typeStringThe TrID file type.
VirusTotal.File.attributes.trid.probabilityNumberThe TrID probability.
VirusTotal.File.attributes.crowdsourced_yara_results.descriptionStringDescription of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.sourceStringSource of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.authorStringAuthor of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.ruleset_nameStringRule set name of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.rule_nameStringName of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.ruleset_idStringID of the YARA rule.
VirusTotal.File.attributes.namesStringName of the file.
VirusTotal.File.attributes.last_modification_dateNumberThe last modification date in epoch format.
VirusTotal.File.attributes.type_tagStringTag of the type.
VirusTotal.File.attributes.total_votes.harmlessNumberTotal number of harmless votes.
VirusTotal.File.attributes.total_votes.maliciousNumberTotal number of malicious votes.
VirusTotal.File.attributes.sizeNumberSize of the file.
VirusTotal.File.attributes.popular_threat_classification.suggested_threat_labelStringSuggested thread label.
VirusTotal.File.attributes.popular_threat_classification.popular_threat_nameNumberThe popular thread name.
VirusTotal.File.attributes.times_submittedNumberNumber of times the file was submitted.
VirusTotal.File.attributes.last_submission_dateNumberLast submission date in epoch format.
VirusTotal.File.attributes.downloadableBooleanWhether the file is downloadable.
VirusTotal.File.attributes.sha256StringSHA-256 hash of the file.
VirusTotal.File.attributes.type_extensionStringExtension of the type.
VirusTotal.File.attributes.tagsStringFile tags.
VirusTotal.File.attributes.last_analysis_dateNumberLast analysis date in epoch format.
VirusTotal.File.attributes.unique_sourcesNumberUnique sources.
VirusTotal.File.attributes.first_submission_dateNumberFirst submission date in epoch format.
VirusTotal.File.attributes.ssdeepStringSSDeep hash of the file.
VirusTotal.File.attributes.md5StringMD5 hash of the file.
VirusTotal.File.attributes.sha1StringSHA-1 hash of the file.
VirusTotal.File.attributes.magicStringIdentification of file by the magic number.
VirusTotal.File.attributes.last_analysis_stats.harmlessNumberThe number of engines that found the indicator to be harmless.
VirusTotal.File.attributes.last_analysis_stats.type-unsupportedNumberThe number of engines that found the indicator to be of type unsupported.
VirusTotal.File.attributes.last_analysis_stats.suspiciousNumberThe number of engines that found the indicator to be suspicious.
VirusTotal.File.attributes.last_analysis_stats.confirmed-timeoutNumberThe number of engines that confirmed the timeout of the indicator.
VirusTotal.File.attributes.last_analysis_stats.timeoutNumberThe number of engines that timed out for the indicator.
VirusTotal.File.attributes.last_analysis_stats.failureNumberThe number of failed analysis engines.
VirusTotal.File.attributes.last_analysis_stats.maliciousNumberThe number of engines that found the indicator to be malicious.
VirusTotal.File.attributes.last_analysis_stats.undetectedNumberThe number of engines that could not detect the indicator.
VirusTotal.File.attributes.meaningful_nameStringMeaningful name of the file.
VirusTotal.File.attributes.reputationNumberThe reputation of the file.
VirusTotal.File.typeStringType of the indicator (file).
VirusTotal.File.idStringType ID of the indicator.
VirusTotal.File.links.selfStringLink to the response.

Command Example#

!file file=6bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7e

Context Example#

{
"DBotScore": {
"Indicator": "6bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7e",
"Reliability": "A - Completely reliable",
"Score": 2,
"Type": "file",
"Vendor": "VirusTotal"
},
"File": {
"Extension": "txt",
"MD5": "bea65efcc00169dec4f7e2ed612e041f",
"SHA1": "24a0006bc375afc0987493f743ebc422ded9d561",
"SHA256": "6bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7e",
"SSDeep": "3:AIO9AJraNvsgzsVqSwHqiUZ:AeJuOgzskwZ",
"Size": 103,
"Tags": [
"text"
],
"Type": "text/plain"
},
"VirusTotal": {
"File": {
"attributes": {
"capabilities_tags": [],
"crowdsourced_yara_results": [
{
"author": "Marc Rivero | McAfee ATR Team",
"description": "Rule to detect the EICAR pattern",
"rule_name": "malw_eicar",
"ruleset_id": "0019ab4291",
"ruleset_name": "MALW_Eicar",
"source": "https://github.com/advanced-threat-research/Yara-Rules"
}
],
"downloadable": true,
"exiftool": {
"FileType": "TXT",
"FileTypeExtension": "txt",
"LineCount": "1",
"MIMEEncoding": "us-ascii",
"MIMEType": "text/plain",
"Newlines": "(none)",
"WordCount": "7"
},
"first_submission_date": 1613356237,
"last_analysis_date": 1617088893,
"last_analysis_stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 7,
"suspicious": 0,
"timeout": 1,
"type-unsupported": 16,
"undetected": 50
},
"last_modification_date": 1617088964,
"last_submission_date": 1613356237,
"magic": "ASCII text, with no line terminators",
"md5": "bea65efcc00169dec4f7e2ed612e041f",
"meaningful_name": "brokencert.exe",
"names": [
"brokencert.exe"
],
"popular_threat_classification": {
"popular_threat_name": [
[
"eicar",
7
]
],
"suggested_threat_label": "eicar/test"
},
"reputation": 0,
"sha1": "24a0006bc375afc0987493f743ebc422ded9d561",
"sha256": "6bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7e",
"size": 103,
"ssdeep": "3:AIO9AJraNvsgzsVqSwHqiUZ:AeJuOgzskwZ",
"tags": [
"text"
],
"times_submitted": 1,
"tlsh": "T1AEB01208274FFB1ED10738340431F8F14428434D1CD4697414911174887614512D8354",
"total_votes": {
"harmless": 0,
"malicious": 0
},
"type_description": "Text",
"type_extension": "txt",
"type_tag": "text",
"unique_sources": 1
},
"id": "6bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7e",
"links": {
"self": "https://www.virustotal.com/api/v3/files/6bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7e"
},
"type": "file"
}
}
}

Human Readable Output#

Results of file hash 6bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7e#

Sha1Sha256Md5MeaningfulNameTypeExtensionLast ModifiedReputationPositives
24a0006bc375afc0987493f743ebc422ded9d5616bcae8ceb7f8b3a503c321085d59d7441c2ae87220f7e7170fec91098d99bb7ebea65efcc00169dec4f7e2ed612e041fbrokencert.exetxt2021-03-30 07:22:44Z07/74

url-scan#

  • New output path: VirusTotal.Submission
  • Preserved output: vtScanID
  • Removed output path: vtLink - The V3 API does not returns a link to the GUI anymore.

vt-file-scan-upload-url#

  • New output path: VirusTotal.FileUploadURL
  • Preserved output: vtUploadURL

New Commands#

  • vt-search
  • vt-ip-passive-dns-data
  • vt-file-sandbox-report
  • vt-comments-get-by-id
  • vt-analysis-get

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip#


Checks the reputation of an IP address.

Base Command#

ip

Input#

Argument NameDescriptionRequired
ipIP address to check.Required
extended_dataWhether to return extended data (last_analysis_results). Possible values are: true, false.Optional
override_private_lookupWhen set to "true", enrichment of private IP addresses will be conducted even if it has been disabled at the integration level. Possible values are: true, false.Optional

Context Output#

PathTypeDescription
IP.AddressunknownBad IP address.
IP.ASNunknownBad IP ASN.
IP.Geo.CountryunknownBad IP country.
IP.Relationships.EntityAstringThe source of the relationship.
IP.Relationships.EntityBstringThe destination of the relationship.
IP.Relationships.RelationshipstringThe name of the relationship.
IP.Relationships.EntityATypestringThe type of the source of the relationship.
IP.Relationships.EntityBTypestringThe type of the destination of the relationship.
IP.Malicious.VendorStringFor malicious IPs, the vendor who made the decision.
IP.Malicious.DescriptionStringFor malicious IPs, the reason that the vendor made the decision.
IP.VTVendors.EngineDetectionsNumberNumber of VT vendors that flagged the IP as malicious.
IP.VTVendors.EngineVendorsArrayVT vendors who flagged the IP as malicious.
IP.VTVendors.EngineDetectionNamesArrayVT detection names that flagged the IP as malicious.
IP.ASOwnerStringThe autonomous system owner of the IP.
DBotScore.IndicatorunknownThe indicator that was tested.
DBotScore.TypeunknownThe indicator type.
DBotScore.VendorunknownThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
VirusTotal.IP.attributes.regional_internet_registryStringRegional internet registry (RIR).
VirusTotal.IP.attributes.jarmStringJARM data.
VirusTotal.IP.attributes.networkStringNetwork data.
VirusTotal.IP.attributes.countryStringThe country where the IP is located.
VirusTotal.IP.attributes.as_ownerStringIP owner.
VirusTotal.IP.attributes.last_analysis_stats.harmlessNumberThe number of engines that found the domain to be harmless.
VirusTotal.IP.attributes.last_analysis_stats.maliciousNumberThe number of engines that found the indicator to be malicious.
VirusTotal.IP.attributes.last_analysis_stats.suspiciousNumberThe number of engines that found the indicator to be suspicious.
VirusTotal.IP.attributes.last_analysis_stats.undetectedNumberThe number of engines that could not detect the indicator.
VirusTotal.IP.attributes.last_analysis_stats.timeoutNumberThe number of engines that timed out for the indicator.
VirusTotal.IP.attributes.asnNumberASN data.
VirusTotal.IP.attributes.whois_dateNumberDate of the last update of the whois record.
VirusTotal.IP.attributes.reputationNumberIP reputation.
VirusTotal.IP.attributes.last_modification_dateNumberLast modification date in epoch format.
VirusTotal.IP.attributes.total_votes.harmlessNumberTotal number of harmless votes.
VirusTotal.IP.attributes.total_votes.maliciousNumberTotal number of malicious votes.
VirusTotal.IP.attributes.continentStringThe continent where the IP is located.
VirusTotal.IP.attributes.whoisStringwhois data.
VirusTotal.IP.typeStringIndicator IP type.
VirusTotal.IP.idStringID of the IP.

Command example#

!ip ip=1.1.1.1

Context Example#

{
"DBotScore": {
"Indicator": "1.1.1.1",
"Reliability": "C - Fairly reliable",
"Score": 1,
"Type": "ip",
"Vendor": "VirusTotal (API v3)"
},
"IP": {
"ASN": 13335,
"ASOwner": "CLOUDFLARENET",
"Address": "1.1.1.1",
"DetectionEngines": 94,
"PositiveDetections": 4,
"Relationships": [
{
"EntityA": "1.1.1.1",
"EntityAType": "IP",
"EntityB": "00000cd773f456da710fa334507f8303e87ee228a0c42e365b0250a9a267e734",
"EntityBType": "File",
"Relationship": "communicates-with"
},
{
"EntityA": "1.1.1.1",
"EntityAType": "IP",
"EntityB": "0000703e66fe64992425a5a6231671c08a6c3382a28d0efacc7efd3fb289a143",
"EntityBType": "File",
"Relationship": "communicates-with"
}
]
},
"VirusTotal": {
"IP": {
"attributes": {
"as_owner": "CLOUDFLARENET",
"asn": 13335,
"jarm": "27d3ed3ed0003ed1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c",
"last_analysis_stats": {
"harmless": 80,
"malicious": 4,
"suspicious": 0,
"timeout": 0,
"undetected": 10
},
"last_https_certificate": {
"cert_signature": {
"signature": "3064023024c2cf6cbdf6aed1c9d51f4a742e3c3dd1c03edcd71bd394715bfea5861626820122d30a6efc98b5d2e2b9e5076977960230457b6f82a67db662c33185d5b5355d4f4c8488ac1a003d0c8440dcb0a7ca1c1327151e37f946c3aed9fdf9b9238b7f2a",
"signature_algorithm": "1.2.840.10045.4.3.3"
},
"extensions": {
"**exten**": "0481f200f00076002979bef09e393921f056739f63a577e5be577d9c600af8f9",
"CA": true,
"authority_key_identifier": {
"keyid": "0abc0829178ca5396d7a0ece33c72eb3edfbc37a"
},
"ca_information_access": {
"CA Issuers": "http://cacerts.example.com/exampleTLSHybridECCSHA3842020CA1.crt",
"OCSP": "http://ocsp.example.com"
},
"certificate_policies": [
"**policy**"
],
"crl_distribution_points": [
"http://crl3.example.com/exampleTLSHybridECCSHA3842020CA1.crl",
"http://crl4.example.com/exampleTLSHybridECCSHA3842020CA1.crl"
],
"extended_key_usage": [
"serverAuth",
"clientAuth"
],
"key_usage": [
"ff"
],
"subject_alternative_name": [
"cloudflare-dns.com",
"*.cloudflare-dns.com",
"one.one.one.one",
"\u0001\u0001\u0001\u0001",
"\u0001\u0001",
"\\xa2\\x9f$\\x01",
"\\xa2\\x9f.\\x01",
"&\u0006GG\u0011\u0011",
"&\u0006GG\u0010\u0001",
"GGd",
"GGd"
],
"subject_key_identifier": "19451b2318f874da2214cb466be213b360158240",
"tags": []
},
"issuer": {
"C": "US",
"CN": "example TLS Hybrid ECC SHA384 2020 CA1",
"O": "example Inc"
},
"public_key": {
"algorithm": "EC",
"ec": {
"oid": "secp256r1",
"pub": "0417ad1fe835af70d38d9c9e64fd471e5b970c0ad110a826321136664d1299c3e131bbf5216373dda5c1c1a0f06da4c45ee1c2dbdaf90d34801af7b9e03af2d574"
}
},
"serial_number": "5076f66d11b692256ccacd546ffec53",
"signature_algorithm": "1.2.840.10045.4.3.3",
"size": 1418,
"subject": {
"C": "US",
"CN": "cloudflare-dns.com",
"L": "San Francisco",
"O": "Cloudflare, Inc.",
"ST": "California"
},
"tags": [],
"thumbprint": "f1b38143b992645497cf452f8c1ac84249794282",
"thumbprint_sha256": "fb444eb8e68437bae06232b9f5091bccff62a768ca09e92eb5c9c2cf9d17c426",
"validity": {
"not_after": "2022-10-25 23:59:59",
"not_before": "2021-10-25 00:00:00"
},
"version": "V3"
},
"last_https_certificate_date": 1617041198,
"last_modification_date": 1617083545,
"network": "1.1.1.0/24",
"reputation": 134,
"tags": [],
"total_votes": {
"harmless": 63,
"malicious": 8
},
"whois": "**whois string**",
"whois_date": 1631599972
},
"id": "1.1.1.1",
"links": {
"self": "https://www.virustotal.com/api/v3/ip_addresses/1.1.1.1"
},
"relationships": {
"communicating_files": {
"data": [
{
"id": "00000cd773f456da710fa334507f8303e87ee228a0c42e365b0250a9a267e734",
"type": "file"
},
{
"id": "0000703e66fe64992425a5a6231671c08a6c3382a28d0efacc7efd3fb289a143",
"type": "file"
}
],
"links": {
"next": "https://www.virustotal.com/api/v3/ip_addresses/1.1.1.1/relationships/communicating_files?cursor=eyJsaW1pdCI6IDIwLCAib2Zmc2V0IjogMjB9&limit=20",
"related": "https://www.virustotal.com/api/v3/ip_addresses/1.1.1.1/communicating_files",
"self": "https://www.virustotal.com/api/v3/ip_addresses/1.1.1.1/relationships/communicating_files?limit=20"
},
"meta": {
"cursor": "eyJsaW1pdCI6IDIwLCAib2Zmc2V0IjogMjB9"
}
}
},
"type": "ip_address"
}
}
}

Human Readable Output#

IP reputation of 1.1.1.1#

IdNetworkCountryAsOwnerLastModifiedReputationPositives
1.1.1.11.1.1.0/24CLOUDFLARENET2022-08-29 15:15:41Z1344/94

url#


Checks the reputation of a URL.

Base Command#

url

Input#

Argument NameDescriptionRequired
urlURL to check.Required
extended_dataWhether to return extended data (last_analysis_results). Possible values are: true, false.Optional

Context Output#

PathTypeDescription
URL.DataunknownBad URLs found.
URL.Relationships.EntityAStringThe source of the relationship.
URL.Relationships.EntityBStringThe destination of the relationship.
URL.Relationships.RelationshipStringThe name of the relationship.
URL.Relationships.EntityATypeStringThe type of the source of the relationship.
URL.Relationships.EntityBTypeStringThe type of the destination of the relationship.
URL.Malicious.VendorStringFor malicious URLs, the vendor who made the decision.
URL.Malicious.DescriptionStringFor malicious URLs, the reason that the vendor made the decision.
URL.VTVendors.EngineDetectionsNumberNumber of VT vendors that flagged the URL as malicious.
URL.VTVendors.EngineVendorsArrayVT vendors who flagged the URL as malicious.
URL.VTVendors.EngineDetectionNamesArrayVT detection names that flagged the URL as malicious.
DBotScore.IndicatorunknownThe indicator that was tested.
DBotScore.TypeunknownThe indicator type.
DBotScore.VendorunknownThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
VirusTotal.URL.attributes.favicon.raw_md5StringThe MD5 hash of the URL.
VirusTotal.URL.attributes.favicon.dhashStringDifference hash.
VirusTotal.URL.attributes.last_modification_dateNumberLast modification date in epoch format.
VirusTotal.URL.attributes.times_submittedNumberThe number of times the url has been submitted.
VirusTotal.URL.attributes.total_votes.harmlessNumberTotal number of harmless votes.
VirusTotal.URL.attributes.total_votes.maliciousNumberTotal number of malicious votes.
VirusTotal.URL.attributes.threat_namesStringName of the threats found.
VirusTotal.URL.attributes.last_submission_dateNumberThe last submission date in epoch format.
VirusTotal.URL.attributes.last_http_response_content_lengthNumberThe last HTTPS response length.
VirusTotal.URL.attributes.last_http_response_headers.dateDateThe last response header date.
VirusTotal.URL.attributes.last_http_response_headers.x-sinkholeStringDNS sinkhole from last response.
VirusTotal.URL.attributes.last_http_response_headers.content-lengthStringThe content length of the last response.
VirusTotal.URL.attributes.last_http_response_headers.content-typeStringThe content type of the last response.
VirusTotal.URL.attributes.reputationNumberReputation of the indicator.
VirusTotal.URL.attributes.last_analysis_dateNumberThe date of the last analysis in epoch format.
VirusTotal.URL.attributes.has_contentBooleanWhether the url has content in it.
VirusTotal.URL.attributes.first_submission_dateNumberThe first submission date in epoch format.
VirusTotal.URL.attributes.last_http_response_content_sha256StringThe SHA-256 hash of the content of the last response.
VirusTotal.URL.attributes.last_http_response_codeNumberLast response status code.
VirusTotal.URL.attributes.last_final_urlStringLast final URL.
VirusTotal.URL.attributes.urlStringThe URL itself.
VirusTotal.URL.attributes.titleStringTitle of the page.
VirusTotal.URL.attributes.last_analysis_stats.harmlessNumberThe number of engines that found the domain to be harmless.
VirusTotal.URL.attributes.last_analysis_stats.maliciousNumberThe number of engines that found the indicator to be malicious.
VirusTotal.URL.attributes.last_analysis_stats.suspiciousNumberThe number of engines that found the indicator to be suspicious.
VirusTotal.URL.attributes.last_analysis_stats.undetectedNumberThe number of engines that could not detect the indicator.
VirusTotal.URL.attributes.last_analysis_stats.timeoutNumberThe number of engines that timed out for the indicator.
VirusTotal.URL.attributes.outgoing_linksStringOutgoing links of the URL page.
VirusTotal.URL.typeStringType of the indicator (url).
VirusTotal.URL.idStringID of the indicator.
VirusTotal.URL.links.selfStringLink to the response.

Command Example#

!url url=https://example.com

Context Example#

{
"DBotScore": {
"Indicator": "https://example.com",
"Reliability": "A - Completely reliable",
"Score": 2,
"Type": "url",
"Vendor": "VirusTotal"
},
"URL": {
"Category": {
"Dr.Web": "known infection source",
"Forcepoint ThreatSeeker": "information technology",
"alphaMountain.ai": "Malicious",
"sophos": "malware callhome, command and control"
},
"Data": "https://example.com",
"DetectionEngines": 86,
"PositiveDetections": 8
},
"VirusTotal": {
"URL": {
"attributes": {
"categories": {
"Dr.Web": "known infection source"
},
"first_submission_date": 1554509044,
"has_content": false,
"html_meta": {},
"last_analysis_date": 1615900309,
"last_analysis_stats": {
"harmless": 71,
"malicious": 8,
"suspicious": 0,
"timeout": 0,
"undetected": 7
},
"last_final_url": "https://example.com/dashboard/",
"last_http_response_code": 200,
"last_http_response_content_length": 1671,
"last_http_response_content_sha256": "f2ddbc5b5468c2cd9c28ae820420d32c4f53d088e4a1cc31f661230e4893104a",
"last_http_response_headers": {
"content-length": "1671",
"content-type": "text/html; charset=utf-8",
"date": "Tue, 16 Mar 2021 13:16:50 GMT",
"x-sinkhole": "Malware"
},
"last_modification_date": 1615900620,
"last_submission_date": 1615900309,
"outgoing_links": [
"http://www.example.com",
"http://www.example.com"
],
"reputation": 0,
"tags": [],
"targeted_brand": {},
"threat_names": [
"C2/Generic-A"
],
"times_submitted": 5,
"title": "Welcome page",
"total_votes": {
"harmless": 0,
"malicious": 0
},
"trackers": {},
"url": "https://example.com/"
},
"id": "84eb1485254266e093683024b3bd172abde615fc6a37498707ca912964a108a9",
"links": {
"self": "https://www.virustotal.com/api/v3/urls/84eb1485254266e093683024b3bd172abde615fc6a37498707ca912964a108a9"
},
"type": "url"
}
}
}

Human Readable Output#

URL data of "https://example.com"#

UrlTitleLastModifiedHasContentLastHttpResponseContentSha256PositivesReputation
https://example.comWelcome page2021-03-16 13:17:00Zfalsef2ddbc5b5468c2cd9c28ae820420d32c4f53d088e4a1cc31f661230e4893104a8/860

domain#


Checks the reputation of a domain.

Base Command#

domain\

Input#

Argument NameDescriptionRequired
domainDomain name to check.Required
extended_dataWhether to return extended data (last_analysis_results). Possible values are: true, false.Optional

Context Output#

PathTypeDescription
Domain.NameunknownBad domain found.
Domain.Relationships.EntityAStringThe source of the relationship.
Domain.Relationships.EntityBStringThe destination of the relationship.
Domain.Relationships.RelationshipStringThe name of the relationship.
Domain.Relationships.EntityATypeStringThe type of the source of the relationship.
Domain.Relationships.EntityBTypeStringThe type of the destination of the relationship.
Domain.Malicious.VendorStringFor malicious domains, the vendor who made the decision.
Domain.Malicious.DescriptionStringFor malicious domains, the reason that the vendor made the decision.
Domain.VTVendors.EngineDetectionsNumberNumber of VT vendors that flagged the domain as malicious.
Domain.VTVendors.EngineVendorsArrayVT vendors who flagged the domain as malicious.
Domain.VTVendors.EngineDetectionNamesArrayVT detection names that flagged the domain as malicious.
DBotScore.IndicatorunknownThe indicator that was tested.
DBotScore.TypeunknownThe indicator type.
DBotScore.VendorunknownThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
VirusTotal.Domain.attributes.last_dns_records.typeStringThe type of the last DNS records.
VirusTotal.Domain.attributes.last_dns_records.valueStringThe value of the last DNS records.
VirusTotal.Domain.attributes.last_dns_records.ttlNumberThe time To live (ttl) of the last DNS records.
VirusTotal.Domain.attributes.jarmStringJARM data.
VirusTotal.Domain.attributes.whoisStringwhois data.
VirusTotal.Domain.attributes.last_dns_records_dateNumberThe last DNS records date in epoch format.
VirusTotal.Domain.attributes.last_analysis_stats.harmlessNumberThe number of engines that found the domain to be harmless.
VirusTotal.Domain.attributes.last_analysis_stats.maliciousNumberThe number of engines that found the indicator to be malicious.
VirusTotal.Domain.attributes.last_analysis_stats.suspiciousNumberThe number of engines that found the indicator to be suspicious.
VirusTotal.Domain.attributes.last_analysis_stats.undetectedNumberThe number of engines that could not detect the indicator.
VirusTotal.Domain.attributes.last_analysis_stats.timeoutNumberThe number of engines that timed out for the indicator.
VirusTotal.Domain.attributes.favicon.raw_md5StringMD5 hash of the domain.
VirusTotal.Domain.attributes.favicon.dhashStringDifference hash.
VirusTotal.Domain.attributes.reputationNumberReputation of the indicator.
VirusTotal.Domain.attributes.registrarStringRegistrar information.
VirusTotal.Domain.attributes.last_update_dateNumberLast updated date in epoch format.
VirusTotal.Domain.attributes.last_modification_dateNumberLast modification date in epoch format.
VirusTotal.Domain.attributes.creation_dateNumberCreation date in epoch format.
VirusTotal.Domain.attributes.total_votes.harmlessNumberTotal number of harmless votes.
VirusTotal.Domain.attributes.total_votes.maliciousNumberTotal number of malicious votes.
VirusTotal.Domain.typeStringType of indicator (domain).
VirusTotal.Domain.idStringID of the domain.
VirusTotal.Domain.links.selfStringLink to the domain investigation.

Command Example#

!domain domain=example.com

Context Example#

{
"DBotScore": {
"Indicator": "example.com",
"Reliability": "A - Completely reliable",
"Score": 2,
"Type": "domain",
"Vendor": "VirusTotal"
},
"Domain": {
"Admin": {
"Country": " PA",
"Email": " [REDACTED]@whoisguard.com",
"Name": " WhoisGuard, Inc.",
"Phone": null
},
"CreationDate": [
" 2017-01-21T16:26:19.0Z"
],
"ExpirationDate": " 2018-01-21T23:59:59.0Z",
"Name": "example.com",
"NameServers": [
" PDNS1.REGISTRAR-SERVERS.COM"
],
"Registrant": {
"Country": " PA",
"Email": " [REDACTED]@whoisguard.com",
"Name": null,
"Phone": null
},
"Registrar": {
"AbuseEmail": " abuse@namecheap.com",
"AbusePhone": " +1.6613102107",
"Name": [
" Namecheap",
" NAMECHEAP INC"
]
},
"UpdatedDate": [
"2017-03-06T21:52:39.0Z"
],
"WHOIS": {
"Admin": {
"Country": " PA",
"Email": " [REDACTED]@whoisguard.com",
"Name": " WhoisGuard, Inc.",
"Phone": null
},
"CreationDate": [
"2017-01-21T16:26:19.0Z"
],
"ExpirationDate": " 2018-01-21T23:59:59.0Z",
"NameServers": [
" PDNS1.REGISTRAR-SERVERS.COM"
],
"Registrant": {
"Country": " PA",
"Email": " [REDACTED]@whoisguard.com",
"Name": null,
"Phone": null
},
"Registrar": {
"AbuseEmail": " abuse@namecheap.com",
"AbusePhone": " +1.6613102107",
"Name": [
" Namecheap",
" NAMECHEAP INC"
]
},
"UpdatedDate": [
" 2017-03-06T21:52:39.0Z"
]
}
},
"VirusTotal": {
"Domain": {
"attributes": {
"categories": {
"Dr.Web": "known infection source",
"Forcepoint ThreatSeeker": "information technology",
"alphaMountain.ai": "Malicious",
"sophos": "malware callhome, command and control"
},
"creation_date": 1485015979,
"favicon": {
"dhash": "f4cca89496a0ccb2",
"raw_md5": "6eb4a43cb64c97f76562af703893c8fd"
},
"jarm": "29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38",
"last_analysis_stats": {
"harmless": 66,
"malicious": 8,
"suspicious": 0,
"timeout": 0,
"undetected": 8
},
"last_dns_records": [
{
"ttl": 3599,
"type": "A",
"value": "value"
}
],
"last_dns_records_date": 1615900633,
"last_modification_date": 1615900633,
"last_update_date": 1488837159,
"popularity_ranks": {},
"registrar": "Namecheap",
"reputation": 0,
"tags": [],
"total_votes": {
"harmless": 0,
"malicious": 0
},
"whois": "**whoisstring**"
},
"id": "example.com",
"links": {
"self": "https://www.virustotal.com/api/v3/domains/example.com"
},
"type": "domain"
}
}
}

Human Readable Output#

Domain data of example.com#

IdRegistrant CountryLastModifiedLastAnalysisStats
example.comPA2021-03-16 13:17:13Zharmless: 66malicious: 8
suspicious: 0
undetected: 8
timeout: 0

url-scan#


Scans a specified URL. Use the vt-analysis-get command to get the scan results.

Base Command#

url-scan

Input#

Argument NameDescriptionRequired
urlThe URL to scan.Required

Context Output#

PathTypeDescription
VirusTotal.Submission.TypeStringThe type of the submission (analysis).
VirusTotal.Submission.idStringThe ID of the submission.
VirusTotal.Submission.hashStringThe indicator sent to rescan.

Command Example#

!url-scan url=https://example.com

Context Example#

{
"VirusTotal": {
"Submission": {
"id": "u-0f115db062b7c0dd030b16878c99dea5c354b49dc37b38eb8846179c7783e9d7-1617088890",
"type": "analysis",
"url": "https://example.com"
}
},
"vtScanID": "u-0f115db062b7c0dd030b16878c99dea5c354b49dc37b38eb8846179c7783e9d7-1617088890"
}

Human Readable Output#

New url submission#

idurl
u-0f115db062b7c0dd030b16878c99dea5c354b49dc37b38eb8846179c7783e9d7-1617088890https://example.com

vt-comments-add#


Adds comments to files and URLs.

Base Command#

vt-comments-add

Input#

Argument NameDescriptionRequired
resourceThe file hash (MD5, SHA1, orSHA256), Domain, URL or IP on which you're commenting on. If not supplied, will try to determine if it's a hash or a url.Required
resource_typeThe type of the resource on which you're commenting. Possible values are: ip, url, domain, hash.Optional
commentThe actual review that you can tag by using the "#" twitter-like syntax, for example, #disinfection #zbot, and reference users using the "@" syntax, for example, @VirusTotalTeam.Required

Context Output#

PathTypeDescription
VirusTotal.Comments.comments.attributes.dateNumberThe date of the comment in epoch format.
VirusTotal.Comments.comments.attributes.textStringThe text of the comment.
VirusTotal.Comments.comments.attributes.votes.positiveNumberNumber of positive votes.
VirusTotal.Comments.comments.attributes.votes.abuseNumberNumber of abuse votes.
VirusTotal.Comments.comments.attributes.votes.negativeNumberNumber of negative votes.
VirusTotal.Comments.comments.attributes.htmlStringThe HTML content.
VirusTotal.Comments.comments.typeStringThe type of the comment.
VirusTotal.Comments.comments.idStringID of the comment.
VirusTotal.Comments.comments.links.selfStringLink to the request.

Command Example#

!vt-comments-add resource=paloaltonetworks.com resource_type=domain comment="this is a comment"

Context Example#

{
"VirusTotal": {
"Comments": {
"comments": {
"attributes": {
"date": 1617088894,
"html": "this is a comment",
"tags": [],
"text": "this is a comment",
"votes": {
"abuse": 0,
"negative": 0,
"positive": 0
}
},
"id": "d-paloaltonetworks.com-e757b16b",
"links": {
"self": "https://www.virustotal.com/api/v3/comments/d-paloaltonetworks.com-e757b16b"
},
"type": "comment"
}
}
}
}

Human Readable Output#

Comment has been added#

DateTextPositive VotesAbuse VotesNegative Votes
2021-03-30 07:21:34Zthis is a comment000

vt-file-scan-upload-url#


Premium API. Get a special URL for files larger than 32 MB.

Base Command#

vt-file-scan-upload-url

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
VirusTotal.FileUploadURLunknownThe special upload URL for large files.

Command Example#

!vt-file-scan-upload-url

Context Example#

{
"VirusTotal": {
"FileUploadURL": "https://www.virustotal.com/_ah/upload/**upload-hash**"
},
"vtUploadURL": "https://www.virustotal.com/_ah/upload/**upload-hash**"
}

Human Readable Output#

New upload url acquired#

Upload url
https://www.virustotal.com/_ah/upload/**upload-hash**/

vt-comments-delete#


Delete a comment.

Base Command#

vt-comments-delete

Input#

Argument NameDescriptionRequired
idComment ID.Required

Context Output#

There is no context output for this command.

Command Example#

!vt-comments-delete id=d-paloaltonetworks.com-7886a33c

Human Readable Output#

Comment d-paloaltonetworks.com-7886a33c has been deleted!

vt-comments-get#


Retrieves comments for a given resource.

Base Command#

vt-comments-get

Input#

Argument NameDescriptionRequired
resourceThe file hash (MD5, SHA1, orSHA256), Domain, URL or IP on which you're commenting on. If not supplied, will try to determine if it's a hash or a url.Required
resource_typeThe type of the resource on which you're commenting. If not supplied, will determine if it's a url or a file. Possible values are: ip, url, domain, file.Optional
limitMaximum comments to fetch. Default is 10.Optional
beforeFetch only comments before the given time.Optional

Context Output#

PathTypeDescription
VirusTotal.Comments.idStringID that contains the comment (the given hash, domain, url, or ip).
VirusTotal.Comments.comments.attributes.dateNumberThe date of the comment in epoch format.
VirusTotal.Comments.comments.attributes.textStringThe text of the comment.
VirusTotal.Comments.comments.attributes.votes.positiveNumberNumber of positive votes.
VirusTotal.Comments.comments.attributes.votes.abuseNumberNumber of abuse votes.
VirusTotal.Comments.comments.attributes.votes.negativeNumberNumber of negative votes.
VirusTotal.Comments.comments.attributes.htmlStringThe HTML content.
VirusTotal.Comments.comments.typeStringThe type of the comment.
VirusTotal.Comments.comments.idStringID of the commented.
VirusTotal.Comments.comments.links.selfStringLink to the request

Command Example#

!vt-comments-get resource=https://paloaltonetworks.com

Context Example#

{
"VirusTotal": {
"Comments": {
"comments": [
{
"attributes": {
"date": 1616325673,
"html": "another comment",
"tags": [],
"text": "another comment",
"votes": {
"abuse": 0,
"negative": 0,
"positive": 0
}
},
"id": "u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-fe2d6a9e",
"links": {
"self": "https://www.virustotal.com/api/v3/comments/u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-fe2d6a9e"
},
"type": "comment"
},
{
"attributes": {
"date": 1616325673,
"html": "another comment",
"tags": [],
"text": "another comment",
"votes": {
"abuse": 0,
"negative": 0,
"positive": 0
}
},
"id": "u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-d63782a9",
"links": {
"self": "https://www.virustotal.com/api/v3/comments/u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-d63782a9"
},
"type": "comment"
},
{
"attributes": {
"date": 1616313101,
"html": "a new comment",
"tags": [],
"text": "a new comment",
"votes": {
"abuse": 0,
"negative": 0,
"positive": 0
}
},
"id": "u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-97a331a3",
"links": {
"self": "https://www.virustotal.com/api/v3/comments/u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-97a331a3"
},
"type": "comment"
},
{
"attributes": {
"date": 1616313067,
"html": "a comment",
"tags": [],
"text": "a comment",
"votes": {
"abuse": 0,
"negative": 0,
"positive": 0
}
},
"id": "u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-ae0de9fc",
"links": {
"self": "https://www.virustotal.com/api/v3/comments/u-c5fad1f7084153e328563fbacdb07a9ad6428dc3f0a88e756266efb7c0553d9d-ae0de9fc"
},
"type": "comment"
}
],
"indicator": "https://paloaltonetworks.com"
}
}
}

Human Readable Output#

Virus Total comments of url: "https://paloaltonetworks.com"#

DateTextPositive VotesAbuse VotesNegative Votes
2021-03-21 11:21:13Zanother comment000
2021-03-21 11:21:13Zanother comment000
2021-03-21 07:51:41Za new comment000
2021-03-21 07:51:07Za comment000

vt-comments-get-by-id#


Retrieves a comment by comment ID.

Base Command#

vt-comments-get-by-id

Input#

Argument NameDescriptionRequired
idThe comment's ID. Can be retrieved using the vt-comments-get command.Required

Context Output#

PathTypeDescription
VirusTotal.Comments.comments.idStringID of the comment.
VirusTotal.Comments.comments.attributes.dateNumberThe date of the comment in epoch format.
VirusTotal.Comments.comments.attributes.textStringThe text of the comment.
VirusTotal.Comments.comments.attributes.votes.positiveNumberNumber of positive votes.
VirusTotal.Comments.comments.attributes.votes.abuseNumberNumber of abuse votes.
VirusTotal.Comments.comments.attributes.votes.negativeNumberNumber of negative votes.
VirusTotal.Comments.comments.attributes.htmlStringThe HTML content.
VirusTotal.Comments.comments.typeStringThe type of the comment.
VirusTotal.Comments.comments.links.selfStringLink to the request.

Command Example#

!vt-comments-get-by-id id=d-paloaltonetworks.com-64591897

Context Example#

{
"VirusTotal": {
"Comments": {
"comments": {
"attributes": {
"date": 1615195751,
"html": "a new comment!",
"tags": [],
"text": "a new comment!",
"votes": {
"abuse": 0,
"negative": 0,
"positive": 0
}
},
"id": "d-paloaltonetworks.com-64591897",
"links": {
"self": "https://www.virustotal.com/api/v3/comments/d-paloaltonetworks.com-64591897"
},
"type": "comment"
}
}
}
}

Human Readable Output#

Comment of ID d-paloaltonetworks.com-64591897#

DateTextPositive VotesAbuse VotesNegative Votes
2021-03-08 09:29:11Za new comment!000

vt-search#


Search for an indicator in VirusTotal.

Base Command#

vt-search

Input#

Argument NameDescriptionRequired
queryThis endpoint searches any of the following: A file hash, URL, domain, IP address, tag comments.Required
extended_dataWhether to return extended data (last_analysis_results). Possible values are: true, false.Optional
limitMaximum number of results to fetch. Default is 10.Optional

Context Output#

PathTypeDescription
VirusTotal.SearchResults.attributes.last_analysis_stats.harmlessNumberNumber of engines that found the indicator to be harmless.
VirusTotal.SearchResults.attributes.last_analysis_stats.maliciousNumberNumber of engines that found the indicator to be malicious.
VirusTotal.SearchResults.attributes.last_analysis_stats.suspiciousNumberNumber of engines that found the indicator to be suspicious.
VirusTotal.SearchResults.attributes.last_analysis_stats.undetectedNumberNumber of engines that could not detect the indicator.
VirusTotal.SearchResults.attributes.last_analysis_stats.timeoutNumberNumber of engines that timed out.
VirusTotal.SearchResults.attributes.reputationNumberThe indicator's reputation
VirusTotal.SearchResults.attributes.last_modification_dateNumberThe last modification date in epoch format.
VirusTotal.SearchResults.attributes.total_votes.harmlessNumberTotal number of harmless votes.
VirusTotal.SearchResults.attributes.total_votes.maliciousNumberTotal number of malicious votes.
VirusTotal.SearchResults.typeStringThe type of the indicator (ip, domain, url, file).
VirusTotal.SearchResults.idStringID of the indicator.
VirusTotal.SearchResults.links.selfStringLink to the response.

Command Example#

!vt-search query=paloaltonetworks.com

Context Example#

{
"VirusTotal": {
"SearchResults": {
"attributes": {
"categories": {
"BitDefender": "marketing",
"Forcepoint ThreatSeeker": "information technology",
"alphaMountain.ai": "Business/Economy, Information Technology",
"sophos": "information technology"
},
"creation_date": 1108953730,
"favicon": {
"dhash": "02e9ecb69ac869a8",
"raw_md5": "920c3c89139c32d356fa4b8b61616f37"
},
"jarm": "29d3fd00029d29d00042d43d00041d598ac0c1012db967bb1ad0ff2491b3ae",
"last_analysis_stats": {
"harmless": 75,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"undetected": 7
},
"last_dns_records": [
{
"ttl": 14399,
"type": "TXT",
"value": "atlassian-domain-verification=WeW32v7AwYQEviMzlNjYyXNMUngcnmIMtNZKJ69TuQUoda5T6DFFV/A6rRvOzwvs"
}
],
"last_dns_records_date": 1616986415,
"last_https_certificate": {
"cert_signature": {
"signature": "signature",
"signature_algorithm": "sha256RSA"
},
"extensions": {
"**exten**": "0482016a0168007600a4b90990b418581487bb13a2cc67700a3c359804f91bdf",
"CA": true,
"authority_key_identifier": {
"keyid": "40c2bd278ecc348330a233d7fb6cb3f0b42c80ce"
},
"ca_information_access": {
"CA Issuers": "http://certificates.example.com/repository/gdig2.crt",
"OCSP": "http://ocsp.example.com/"
},
"certificate_policies": [
"**policy**"
],
"crl_distribution_points": [
"http://example.com/gdig2s1-1677.crl"
],
"extended_key_usage": [
"serverAuth",
"clientAuth"
],
"key_usage": [
"ff"
],
"subject_alternative_name": [
"www.paloaltonetworks.com"
],
"subject_key_identifier": "ed89d4b918aab2968bd1dfde421a179c51445be0",
"tags": []
},
"issuer": {
"C": "US",
"CN": "Go Daddy Secure Certificate Authority - G2",
"L": "Scottsdale",
"O": "example.com, Inc.",
"OU": "http://certs.example.com/repository/",
"ST": "Arizona"
},
"public_key": {
"algorithm": "RSA",
"rsa": {
"exponent": "010001",
"key_size": 2048,
"modulus": "modulus"
}
},
"serial_number": "f5fa379466d9884a",
"signature_algorithm": "sha256RSA",
"size": 1963,
"subject": {
"CN": "www.paloaltonetworks.com",
"OU": "Domain Control Validated"
},
"tags": [],
"thumbprint": "0296c20e3a4a607b8d9e2af86155cde04594535e",
"thumbprint_sha256": "17bb7bda507abc602bdf1b160d7f51edaccac39fd34f8dab1e793c3612cfc8c2",
"validity": {
"not_after": "2022-01-27 16:52:24",
"not_before": "2020-01-27 16:52:24"
},
"version": "V3"
},
"last_https_certificate_date": 1616986415,
"last_modification_date": 1617084294,
"last_update_date": 1594825871,
"popularity_ranks": {
"Alexa": {
"rank": 32577,
"timestamp": 1617032161
}
},
"registrar": "MarkMonitor Inc.",
"reputation": 0,
"tags": [],
"total_votes": {
"harmless": 0,
"malicious": 0
},
"whois": "whois string",
"whois_date": 1615321176
},
"id": "paloaltonetworks.com",
"links": {
"self": "https://www.virustotal.com/api/v3/domains/paloaltonetworks.com"
},
"type": "domain"
}
}
}

Human Readable Output#

Search result of query paloaltonetworks.com#

CategoriesCreationDateLastAnalysisStats
Forcepoint ThreatSeeker: information technology
sophos: information technology
BitDefender: marketing
alphaMountain.ai: Business/Economy, Information Technology
1108953730harmless: 75
malicious: 0
suspicious: 0
undetected: 7
timeout: 0

vt-file-sandbox-report#


Retrieves a behavioral relationship of the given file hash.

Base Command#

vt-file-sandbox-report

Input#

Argument NameDescriptionRequired
fileHash of the file to query. Supports MD5, SHA1, and SHA256.Required
limitMaximum number of results to fetch. Default is 10.Optional

Context Output#

PathTypeDescription
SandboxReport.attributes.analysis_dateNumberThe date of the analysis in epoch format.
SandboxReport.attributes.behashStringBehash of the attribute.
SandboxReport.attributes.command_executionsStringWhich command were executed.
SandboxReport.attributes.dns_lookups.hostnameStringHost names found in the lookup.
SandboxReport.attributes.dns_lookups.resolved_ipsStringThe IPs that were resolved.
SandboxReport.attributes.files_attribute_changedStringThe file attributes that were changed.
SandboxReport.attributes.has_html_reportBooleanWhether there is an HTML report.
SandboxReport.attributes.has_pcapBooleanWhether the IP has a PCAP file.
SandboxReport.attributes.http_conversations.request_methodStringThe request method of the HTTP conversation.
SandboxReport.attributes.http_conversations.response_headers.Cache-ControlStringThe cache-control method of the response header.
SandboxReport.attributes.http_conversations.response_headers.ConnectionStringThe connection of the response header.
SandboxReport.attributes.http_conversations.response_headers.Content-LengthStringTHe Content-Length of the response header.
SandboxReport.attributes.http_conversations.response_headers.Content-TypeStringThe Content-Type of the response header.
SandboxReport.attributes.http_conversations.response_headers.PragmaStringThe pragma of the response header.
SandboxReport.attributes.http_conversations.response_headers.ServerStringThe server of the response header.
SandboxReport.attributes.http_conversations.response_headers.Status-LineStringThe Status-Line of the response header.
SandboxReport.attributes.http_conversations.response_status_codeNumberThe response status code.
SandboxReport.attributes.http_conversations.urlStringThe conversation URL.
SandboxReport.attributes.last_modification_dateNumberLast modified data in epoch format.
SandboxReport.attributes.modules_loadedStringLoaded modules.
SandboxReport.attributes.mutexes_createdStringThe mutexes that were created.
SandboxReport.attributes.mutexes_openedStringThe mutexes that were opened.
SandboxReport.attributes.processes_createdStringThe processes that were created.
SandboxReport.attributes.processes_tree.nameStringThe name of the process tree.
SandboxReport.attributes.processes_tree.process_idStringThe ID of the process.
SandboxReport.attributes.registry_keys_deletedStringDeleted registry keys.
SandboxReport.attributes.registry_keys_set.keyStringKey of the registry key.
SandboxReport.attributes.registry_keys_set.valueStringValue of the registry key.
SandboxReport.attributes.sandbox_nameStringThe name of the sandbox.
SandboxReport.attributes.services_startedStringThe services that were started.
SandboxReport.attributes.verdictsStringThe verdicts.
SandboxReport.idStringThe IP analyzed.
SandboxReport.links.selfStringLink to the response.
SandboxReport.attributes.files_dropped.pathStringPath of the file dropped.
SandboxReport.attributes.files_dropped.sha256StringSHA-256 hash of the dropped files.
SandboxReport.attributes.files_openedStringThe files that were opened.
SandboxReport.attributes.files_writtenStringThe files that were written.
SandboxReport.attributes.ip_traffic.destination_ipStringDestination IP in the traffic.
SandboxReport.attributes.ip_traffic.destination_portNumberDestination port in the traffic.
SandboxReport.attributes.ip_traffic.transport_layer_protocolStringTransport layer protocol in the traffic.
SandboxReport.attributes.registry_keys_openedStringThe registry keys that were opened.
SandboxReport.attributes.tagsStringThe tags of the DNS data.
SandboxReport.attributes.files_copied.destinationStringDestination of the files copied.
SandboxReport.attributes.files_copied.sourceStringSource of the files copied.
SandboxReport.attributes.permissions_requestedStringThe permissions that where requested.
SandboxReport.attributes.processes_injectedStringThe processes that were injected.
SandboxReport.attributes.processes_terminatedStringThe processes that were terminated.
SandboxReport.attributes.processes_tree.children.nameStringThe name of the children of the process.
SandboxReport.attributes.processes_tree.children.process_idStringThe ID of the children of the process.
SandboxReport.attributes.services_openedStringThe services that were opened.
SandboxReport.attributes.text_highlightedStringThe text that was highlighted.
SandboxReport.attributes.calls_highlightedStringThe calls that were highlighted.
SandboxReport.attributes.processes_tree.children.time_offsetNumberThe time offset of the children in the process.
SandboxReport.links.selfStringThe link to the response.
SandboxReport.meta.countNumberThe number of objects that were found in the attributes.

Command Example#

!vt-file-sandbox-report file=2b294b3499d1cce794badffc959b7618

Context Example#

{
"VirusTotal": {
"SandboxReport": [
{
"attributes": {
"analysis_date": 1558429832,
"behash": "079386becc949a2aafdcd2c6042cf0a9",
"command_executions": [
"C:\\DOCUME~1\\Miller\\LOCALS~1\\Temp\\Win32.AgentTesla.exe",
],
"dns_lookups": [
{
"hostname": "checkip.dyndns.org",
"resolved_ips": [
"**ip**"
]
},
{
"hostname": "checkip.dyndns.org",
"resolved_ips": [
"**ip**"
]
}
],
"files_attribute_changed": [
"C:\\Documents and Settings\\Miller\\Local Settings\\Temp\\xws\\xws.exe"
],
"has_html_report": false,
"has_pcap": false,
"http_conversations": [
{
"request_method": "GET",
"response_headers": {
"Cache-Control": "no-cache",
"Connection": "close",
"Content-Length": "107",
"Content-Type": "text/html",
"Pragma": "no-cache",
"Server": "DynDNS-CheckIP/1.0.1",
"Status-Line": "HTTP/1.1 200"
},
"response_status_code": 200,
"url": "http://checkip.dyndns.org/"
},
{
"request_method": "GET",
"response_headers": {
"Cache-Control": "no-cache",
"Connection": "close",
"Content-Length": "105",
"Content-Type": "text/html",
"Pragma": "no-cache",
"Server": "DynDNS-CheckIP/1.0.1",
"Status-Line": "HTTP/1.1 200"
},
"response_status_code": 200,
"url": "http://checkip.dyndns.org/"
}
],
"last_modification_date": 1588377117,
"modules_loaded": [
"c:\\windows\\system32\\imm32.dll"
],
"mutexes_created": [
"CTF.Compart.MutexDefaultS-1-5-21-1229272821-1563985344-1801674531-1003"
],
"mutexes_opened": [
"ShimCacheMutex"
],
"processes_created": [
"C:\\DOCUME~1\\Miller\\LOCALS~1\\Temp\\Win32.AgentTesla.exe"
],
"processes_tree": [
{
"name": "C:\\DOCUME~1\\Miller\\LOCALS~1\\Temp\\Win32.AgentTesla.exe",
"process_id": "272"
}
],
"registry_keys_deleted": [
"HKU\\S-1-5-21-3712457824-2419000099-45725732-1005\\SOFTWARE\\CLASSES\\MSCFILE\\SHELL\\OPEN\\COMMAND"
],
"registry_keys_set": [
{
"key": "HKU\\S-1-5-21-1229272821-1563985344-1801674531-1003\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
"value": "xws"
}
],
"sandbox_name": "Lastline",
"services_started": [
"RASMAN",
"WinHttpAutoProxySvc"
],
"verdicts": [
"MALWARE",
"TROJAN"
]
},
"id": "699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_Lastline",
"links": {
"self": "https://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_Lastline"
},
"type": "file_behaviour"
},
{
"attributes": {
"analysis_date": 1561405459,
"files_dropped": [
{
"path": "\\Users\\Petra\\AppData\\Local\\Temp\\xws\\xws.exe",
"sha256": "699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3"
}
],
"files_opened": [
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config"
],
"files_written": [
"C:\\Users\\<USER>\\AppData\\Local\\Temp\\xws\\xws.exe"
],
"has_html_report": false,
"has_pcap": false,
"ip_traffic": [
{
"destination_ip": "**ip**",
"destination_port": 80,
"transport_layer_protocol": "TCP"
}
],
"last_modification_date": 1563272815,
"processes_tree": [
{
"name": "1526312897-2b294b349.pe32",
"process_id": "2624"
}
],
"registry_keys_opened": [
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\OLE",
],
"registry_keys_set": [
{
"key": "\\REGISTRY\\USER\\S-1-5-21-1119815420-2032815650-2779196966-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"value": "xws"
}
],
"sandbox_name": "SNDBOX",
"tags": [
"PERSISTENCE"
]
},
"id": "699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_SNDBOX",
"links": {
"self": "https://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_SNDBOX"
},
"type": "file_behaviour"
},
{
"attributes": {
"analysis_date": 1601545446,
"behash": "7617055bb3994dea99c19877fd7ec55a",
"command_executions": [
"\"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\EB93A6\\996E.exe\"",
"Shutdown -r -t 5"
],
"dns_lookups": [
{
"hostname": "checkip.dyndns.org"
}
],
"files_copied": [
{
"destination": "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\xws\\xws.exe ",
"source": "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\EB93A6\\996E.exe "
}
],
"files_opened": [
"C:\\WINDOWS\\system32\\winime32.dll"
],
"files_written": [
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\xws\\xws.exe",
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Ktx.exe"
],
"has_html_report": true,
"has_pcap": false,
"last_modification_date": 1601545448,
"modules_loaded": [
"ADVAPI32.dll"
],
"mutexes_created": [
"CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500",
],
"mutexes_opened": [
"ShimCacheMutex"
],
"permissions_requested": [
"SE_DEBUG_PRIVILEGE"
],
"processes_created": [
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\EB93A6\\996E.exe"
],
"processes_injected": [
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\EB93A6\\996E.exe"
],
"processes_terminated": [
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\EB93A6\\996E.exe"
],
"processes_tree": [
{
"children": [
{
"children": [
{
"name": "shutdown.exe",
"process_id": "2336"
}
],
"name": "****.exe",
"process_id": "1024"
}
],
"name": "****.exe",
"process_id": "628"
}
],
"registry_keys_opened": [
"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\996E.exe"
],
"registry_keys_set": [
{
"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\xws",
"value": "C:\\Users\\<USER>\\AppData\\Local\\Temp\\xws\\xws.exe"
}
],
"sandbox_name": "VirusTotal Jujubox",
"tags": [
"DIRECT_CPU_CLOCK_ACCESS"
],
"text_highlighted": [
"C:\\Windows\\system32\\cmd.exe"
]
},
"id": "699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_VirusTotal Jujubox",
"links": {
"self": "https://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_VirusTotal Jujubox"
},
"type": "file_behaviour"
}
]
}
}

Human Readable Output#

Sandbox Reports for file hash: 2b294b3499d1cce794badffc959b7618#

AnalysisDateLastModificationDateSandboxNameLink
15584298321588377117Lastlinehttps://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_Lastline
15614054591563272815SNDBOXhttps://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_SNDBOX
16015454461601545448Tencent HABOhttps://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_Tencent HABO
15923731371592373137VirusTotal Jujuboxhttps://www.virustotal.com/api/v3/file_behaviours/699ec052ecc898bdbdafea0027c4ab44c3d01ae011c17745dd2b7fbddaa077f3_VirusTotal Jujubox

vt-passive-dns-data#


Returns passive DNS records by indicator.

Base Command#

vt-passive-dns-data

Input#

Argument NameDescriptionRequired
idIP or domain for which to get its DNS data.Optional
ipIP for which to get its DNS data.Optional
domainDomain for which to get its DNS data.Optional
limitMaximum number of results to fetch. Default is 10.Optional

Context Output#

PathTypeDescription
VirusTotal.PassiveDNS.attributes.dateNumberDate of the DNS analysis in epoch format.
VirusTotal.PassiveDNS.attributes.host_nameStringThe DNS host name.
VirusTotal.PassiveDNS.attributes.ip_addressStringThe DNS IP address.
VirusTotal.PassiveDNS.attributes.resolverStringThe name of the resolver.
VirusTotal.PassiveDNS.idStringThe ID of the resolution.
VirusTotal.PassiveDNS.links.selfStringThe link to the resolution.
VirusTotal.PassiveDNS.typeStringThe type of the resolution.

Command Example#

!vt-passive-dns-data ip=1.1.1.1

Context Example#

{
"VirusTotal": {
"PassiveDNS": [
{
"attributes": {
"date": 1617085962,
"host_name": "muhaha.xyz",
"ip_address": "1.1.1.1",
"resolver": "VirusTotal"
},
"id": "1.1.1.1muhaha.xyz",
"links": {
"self": "https://www.virustotal.com/api/v3/resolutions/1.1.1.1muhaha.xyz"
},
"type": "resolution"
}
]
}
}

Human Readable Output#

Passive DNS data for IP 1.1.1.1#

IdDateHostNameIpAddressResolver
1.1.1.1muhaha.xyz1617085962muhaha.xyz1.1.1.1VirusTotal

vt-analysis-get#


Retrieves resolutions of the given IP.

Base Command#

vt-analysis-get

Input#

Argument NameDescriptionRequired
idID of the analysis (from file-scan, file-rescan, or url-scan).Required
extended_dataWhether to return extended data (last_analysis_results).Optional

Context Output#

PathTypeDescription
VirusTotal.Analysis.data.attributes.dateNumberDate of the analysis in epoch format.
VirusTotal.Analysis.data.attributes.stats.harmlessNumberNumber of engines that found the indicator to be harmless.
VirusTotal.Analysis.data.attributes.stats.maliciousNumberNumber of engines that found the indicator to be malicious.
VirusTotal.Analysis.data.attributes.stats.suspiciousNumberNumber of engines that found the indicator to be suspicious.
VirusTotal.Analysis.data.attributes.stats.timeoutNumberhe number of engines that timed out for the indicator.
VirusTotal.Analysis.data.attributes.stats.undetectedNumberNumber of engines the found the indicator to be undetected.
VirusTotal.Analysis.data.attributes.statusStringStatus of the analysis.
VirusTotal.Analysis.data.idStringID of the analysis.
VirusTotal.Analysis.data.typeStringType of object (analysis).
VirusTotal.Analysis.meta.file_info.sha256StringSHA-256 hash of the file (if it is a file).
VirusTotal.Analysis.meta.file_info.sha1StringSHA-1 hash of the file (if it is a file).
VirusTotal.Analysis.meta.file_info.md5StringMD5 hash of the file (if it is a file).
VirusTotal.Analysis.meta.file_info.nameunknownName of the file (if it is a file).
VirusTotal.Analysis.meta.file_info.sizeStringSize of the file (if it is a file).
VirusTotal.Analysis.meta.url_info.idStringID of the url (if it is a URL).
VirusTotal.Analysis.meta.url_info.urlStringThe URL (if it is a URL).
VirusTotal.Analysis.idStringThe analysis ID.

Command Example#

!vt-analysis-get id=u-20694f234fbac92b1dcc16f424aa1c85e9dd7af75b360745df6484dcae410853-1613980758

Context Example#

{
"VirusTotal": {
"Analysis": {
"data": {
"attributes": {
"date": 1613980758,
"results": {
"ADMINUSLabs": {
"category": "harmless",
"engine_name": "ADMINUSLabs",
"method": "blacklist",
"result": "clean"
}
},
"stats": {
"harmless": 69,
"malicious": 7,
"suspicious": 0,
"timeout": 0,
"undetected": 7
},
"status": "completed"
},
"id": "u-20694f234fbac92b1dcc16f424aa1c85e9dd7af75b360745df6484dcae410853-1613980758",
"links": {
"self": "https://www.virustotal.com/api/v3/analyses/u-20694f234fbac92b1dcc16f424aa1c85e9dd7af75b360745df6484dcae410853-1613980758"
},
"type": "analysis"
},
"id": "u-20694f234fbac92b1dcc16f424aa1c85e9dd7af75b360745df6484dcae410853-1613980758",
"meta": {
"url_info": {
"id": "20694f234fbac92b1dcc16f424aa1c85e9dd7af75b360745df6484dcae410853"
}
}
}
}
}

Human Readable Output#

Analysis results#

IdStatsStatus
u-20694f234fbac92b1dcc16f424aa1c85e9dd7af75b360745df6484dcae410853-1613980758harmless: 69
malicious: 7
suspicious: 0
undetected: 7
timeout: 0
completed

vt-file-sigma-analysis#


Retrieves result of the last Sigma analysis.

Base Command#

vt-file-sigma-analysis

Input#

Argument NameDescriptionRequired
fileFile hash (md5, sha1, sha256).Required
only_statsPrint only Sigma analysis summary stats.Optional

Context Output#

PathTypeDescription
VirusTotal.SigmaAnalysis.data.attributes.last_modification_dateNumberDate of the last update in epoch format.
VirusTotal.SigmaAnalysis.data.attributes.analysis_dateNumberDate of the last update in epoch format.
VirusTotal.SigmaAnalysis.data.attributes.stats.rule_matches.match_contextStringMatched strings from the log file.
VirusTotal.SigmaAnalysis.data.attributes.stats.rule_matches.rule_authorStringRule authors separated by commas.
VirusTotal.SigmaAnalysis.data.attributes.stats.rule_matches.rule_descriptionStringBrief summary about what the rule detects.
VirusTotal.SigmaAnalysis.data.attributes.stats.rule_matches.rule_idStringRule ID in VirusTotal's database.
VirusTotal.SigmaAnalysis.data.attributes.stats.rule_matches.rule_levelStringRule severity. Can be "low", "medium", "high" or "critical".
VirusTotal.SigmaAnalysis.data.attributes.stats.rule_matches.rule_sourceStringRuleset where the rule belongs.
VirusTotal.SigmaAnalysis.data.attributes.stats.rule_matches.rule_titleStringRule title.
VirusTotal.SigmaAnalysis.data.attributes.stats.severity_stats.criticalNumberNumber of matched rules having a "critical" severity.
VirusTotal.SigmaAnalysis.data.attributes.stats.severity_stats.highNumberNumber of matched rules having a "high" severity.
VirusTotal.SigmaAnalysis.data.attributes.stats.severity_stats.lowNumberNumber of matched rules having a "low" severity.
VirusTotal.SigmaAnalysis.data.attributes.stats.severity_stats.mediumNumberNumber of matched rules having a "medium" severity.
VirusTotal.SigmaAnalysis.data.attributes.stats.source_severity_statsunknownSame as severity_stats but grouping stats by ruleset. Keys are ruleset names as string and values are stats in a dictionary.
VirusTotal.SigmaAnalysis.data.idStringID of the analysis.

Command Example#

!vt-file-sigma-analysis file=f912398cb3542ab704fe917af4a60d4feee21ac577535b10453170f10c6fd6de

Context Example#

{
"VirusTotal": {
"SigmaAnalysis": {
"meta": {
"count": 1
},
"data": {
"attributes": {
"last_modification_date": 1650970667,
"analysis_date": 1650968852,
"rule_matches": [
{
"match_context": "$EventID: '1117'",
"rule_level": "high",
"rule_description": "Detects all actions taken by Windows Defender malware detection engines",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Windows Defender Threat Detected",
"rule_id": "cf90b923dcb2c8192e6651425886607684aac6680bf25b20c39ae3f8743aebf1",
"rule_author": "Ján Trenčanský"
},
{
"match_context": "$EventID: '2002'",
"rule_level": "low",
"rule_description": "Setting have been change in Windows Firewall",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Setting Change in Windows Firewall with Advanced Security",
"rule_id": "693c36f61ac022fd66354b440464f490058c22b984ba1bef05ca246aba210ed1",
"rule_author": "frack113"
}
],
"source_severity_stats": {
"Sigma Integrated Rule Set (GitHub)": {
"high": 1,
"medium": 0,
"critical": 0,
"low": 1
},
},
"severity_stats": {
"high": 1,
"medium": 0,
"critical": 0,
"low": 1
}
},
"type": "sigma_analysis",
"id": "f912398cb3542ab704fe917af4a60d4feee21ac577535b10453170f10c6fd6de",
"links": {
"self": "https://www.virustotal.com/api/v3/sigma_analyses/f912398cb3542ab704fe917af4a60d4feee21ac577535b10453170f10c6fd6de"
}
},
"links": {
"self": "https://www.virustotal.com/api/v3/files/f912398cb3542ab704fe917af4a60d4feee21ac577535b10453170f10c6fd6de/sigma_analysis"
}
}
}
}

Human Readable Output#

Last Sigma analysis results#

MatchContextRuleLevelRuleDescriptionRuleSourceRuleTitleRuleIdRuleAuthor
$EventID: '1117'highDetects all actions taken by Windows Defender malware detection enginesSigma Integrated Rule Set (GitHub)Windows Defender Threat Detected693c36f61ac022fd66354b440464f490058c22b984ba1bef05ca246aba210ed1Ján Trenčanský

vt-privatescanning-file#


Checks the file reputation of the specified private hash.

See files through the eyes of VirusTotal without uploading them to the main threat corpus, keeping them entirely private. Static, dynamic, network and similarity analysis included, as well as automated threat intel enrichment, but NOT multi-antivirus analysis.

Base Command#

vt-privatescanning-file

Input#

Argument NameDescriptionRequired
fileFile hash (md5, sha1, sha256).Required

Context Output#

PathTypeDescription
VirusTotal.File.attributes.type_descriptionStringDescription of the type of the file.
VirusTotal.File.attributes.tlshStringThe locality-sensitive hashing.
VirusTotal.File.attributes.exiftool.MIMETypeStringMIME type of the file.
VirusTotal.File.attributes.namesStringNames of the file.
VirusTotal.File.attributes.javascript_info.tagsStringTags of the JavaScript.
VirusTotal.File.attributes.exiftool.FileTypeStringThe file type.
VirusTotal.File.attributes.exiftool.WordCountNumberTotal number of words in the file.
VirusTotal.File.attributes.exiftool.LineCountNumberTotal number of lines in file.
VirusTotal.File.attributes.exiftool.MIMEEncodingStringThe MIME encoding.
VirusTotal.File.attributes.exiftool.FileTypeExtensionStringThe file type extension.
VirusTotal.File.attributes.exiftool.NewlinesNumberNumber of newlines signs.
VirusTotal.File.attributes.crowdsourced_ids_stats.infoNumberNumber of IDS that marked the file as "info".
VirusTotal.File.attributes.crowdsourced_ids_stats.highNumberNumber of IDS that marked the file as "high".
VirusTotal.File.attributes.crowdsourced_ids_stats.mediumNumberNumber of IDS that marked the file as "medium".
VirusTotal.File.attributes.crowdsourced_ids_stats.lowNumberNumber of IDS that marked the file as "low".
VirusTotal.File.attributes.trid.file_typeStringThe TrID file type.
VirusTotal.File.attributes.trid.probabilityNumberThe TrID probability.
VirusTotal.File.attributes.crowdsourced_yara_results.descriptionStringDescription of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.sourceStringSource of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.authorStringAuthor of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.ruleset_nameStringRule set name of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.rule_nameStringName of the YARA rule.
VirusTotal.File.attributes.crowdsourced_yara_results.ruleset_idStringID of the YARA rule.
VirusTotal.File.attributes.namesStringName of the file.
VirusTotal.File.attributes.type_tagStringTag of the type.
VirusTotal.File.attributes.sizeNumberSize of the file.
VirusTotal.File.attributes.sha256StringSHA-256 hash of the file.
VirusTotal.File.attributes.type_extensionStringExtension of the type.
VirusTotal.File.attributes.tagsStringFile tags.
VirusTotal.File.attributes.last_analysis_dateNumberLast analysis date in epoch format.
VirusTotal.File.attributes.ssdeepStringSSDeep hash of the file.
VirusTotal.File.attributes.md5StringMD5 hash of the file.
VirusTotal.File.attributes.sha1StringSHA-1 hash of the file.
VirusTotal.File.attributes.magicStringIdentification of file by the magic number.
VirusTotal.File.attributes.meaningful_nameStringMeaningful name of the file.
VirusTotal.File.attributes.threat_severity.threat_severity_levelStringThreat severity level of the file.
VirusTotal.File.attributes.threat_severity.threat_severity_data.popular_threat_categoryStringPopular threat category of the file.
VirusTotal.File.attributes.threat_verdictStringThreat verdict of the file.
VirusTotal.File.typeStringType of the file.
VirusTotal.File.idStringID of the file.
VirusTotal.File.links.selfStringLink to the response.

Command Example#

!vt-privatescanning-file file=example-file-hash

Context Example#

{
"VirusTotal": {
"File": {
"attributes": {
"type_description": "ELF",
"tlsh": "Example tlsh",
"vhash": "Example vhash",
"exiftool": {
"MIMEType": "application/octet-stream",
"CPUByteOrder": "Little endian",
"ObjectFileType": "Executable file",
"CPUArchitecture": "32 bit",
"CPUType": "i386",
"FileType": "ELF executable"
},
"trid": [
{
"file_type": "ELF Executable and Linkable format (Linux)",
"probability": 55
},
{
"file_type": "ELF Executable and Linkable format (generic)",
"probability": 45
}
],
"crowdsourced_yara_results": [
{
"description": "Detects a suspicious ELF binary with UPX compression",
"source": "https://www.example.com",
"author": "Author X",
"ruleset_name": "gen_elf_file_anomalies",
"rule_name": "SUSP_ELF_LNX_UPX_Compressed_File",
"ruleset_id": "0224a54ba7"
}
],
"threat_severity": {
"threat_severity_level": "SEVERITY_HIGH",
"threat_severity_data": {
"has_dropped_files_with_detections": true,
"type_tag": "elf",
"has_execution_parents_with_detections": true,
"can_be_detonated": true,
"popular_threat_category": "trojan"
},
"last_analysis_date": "1681045097",
"version": 1
},
"names": [
"private",
"/usr/lib/sample.so",
"private_sample.bin",
],
"owner": "virustotal",
"type_tag": "elf",
"elf_info": {
"header": {
"hdr_version": "1 (current)",
"type": "EXEC (Executable file)",
"obj_version": "0x1",
"data": "2's complement, little endian",
"machine": "Intel 80386",
"num_section_headers": 0,
"os_abi": "UNIX - Linux",
"abi_version": 0,
"entrypoint": 4633,
"num_prog_headers": 2,
"class": "ELF32"
},
"packers": [
"upx"
],
"segment_list": [
{
"segment_type": "LOAD"
}
]
},
"size": 255510,
"type_extension": "so",
"threat_verdict": "VERDICT_MALICIOUS",
"detectiteasy": {
"filetype": "ELF32",
"values": [
{
"info": "EXEC 386-32",
"version": "3.05",
"type": "Packer",
"name": "UPX"
}
]
},
"crowdsourced_ids_stats": {
"high": 0,
"info": 0,
"medium": 1,
"low": 1
},
"type_tags": [
"executable",
"linux",
"elf"
],
"sandbox_verdicts": {
"Zenbox Linux": {
"category": "malicious",
"confidence": 81,
"sandbox_name": "Zenbox Linux",
"malware_classification": [
"MALWARE",
"TROJAN",
"EVADER"
],
"malware_names": [
"MalwareName"
]
}
},
"sha256": "Example_sha256",
"tags": [
"elf",
"upx"
],
"crowdsourced_ids_results": [
{
"rule_category": "Misc Attack",
"alert_severity": "medium",
"rule_msg": "Known Compromised or Hostile Host Traffic",
"rule_raw": "alert ip [8.8.8.8] any -> $HOME_NET any"
},
{
"rule_category": "Misc Attack",
"alert_severity": "low",
"rule_msg": "Poor Reputation IP",
"rule_raw": "alert ip [1.1.1.1] any -> $HOME_NET any)"
},
],
"last_analysis_date": 1681386314,
"ssdeep": "Example ssdeep",
"packers": {
"Gandelf": "upx"
},
"md5": "Example_md5",
"sha1": "Example_sha1",
"magic": "ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped",
"meaningful_name": "private"
},
"type": "private_file",
"id": "Example_sha256",
"links": {
"self": "https://www.virustotal.com/api/v3/private/files/Example_sha256"
}
}
}
}

Human Readable Output#

Results of file hash Example_sha256#

Sha1Sha256Md5Meaningful NameThreat Severity LevelPopular Threat CategoryThreat Verdict
Example_sha1Example_sha256Example_md5privateHIGHtrojanMALICIOUS

vt-privatescanning-file-scan#


Submits a file for private scanning. Use the vt-privatescanning-analysis-get command to get the scan results.

Base Command#

vt-privatescanning-file-scan

Input#

Argument NameDescriptionRequired
entryIDThe file entry ID to submit.Required

Context Output#

PathTypeDescription
VirusTotal.Submission.typeStringThe type of the submission (analysis).
VirusTotal.Submission.idStringThe ID of the submission.
VirusTotal.Submission.EntryIDStringThe entry ID of the file detonated.
VirusTotal.Submission.ExtensionStringFile extension.
VirusTotal.Submission.InfoStringFile info.
VirusTotal.Submission.MD5StringMD5 hash of the file.
VirusTotal.Submission.NameStringName of the file.
VirusTotal.Submission.SHA1StringSHA-1 of the file.
VirusTotal.Submission.SHA256StringSHA-256 of the file.
VirusTotal.Submission.SHA512StringSHA-512 of the file.
VirusTotal.Submission.SSDeepStringSSDeep of the file.
VirusTotal.Submission.SizeStringSize of the file.
VirusTotal.Submission.TypeStringType of the file.

Command Example#

!vt-privatescanning-file-scan entryID=example-entry-id

Context Example#

{
"VirusTotal": {
"Submission": {
"type": "private_analysis",
"id": "example-analysis-id",
"EntryID": "example-entry-id",
"Extension": "txt",
"Info": "ASCII text, with no line terminators",
"MD5": "Example_md5",
"Name": "Testing.txt",
"SHA1": "Example_sha1",
"SHA256": "Example_sha256",
"SHA512": "Example_sha512",
"SSDeep": "Example ssdeep",
"Size": "71 bytes",
"Type": "text/plain; charset=utf-8"
}
}
}

Human Readable Output#

The file has been submitted "Testing.txt"#

idEntryIDMD5SHA1SHA256
example-analysis-idexample-entry-idExample_md5Example_sha1Example_sha256

vt-privatescanning-analysis-get#


Get analysis of a private file submitted to VirusTotal.

Base Command#

vt-privatescanning-analysis-get

Input#

Argument NameDescriptionRequired
idID of the analysis.Required

Context Output#

PathTypeDescription
VirusTotal.Analysis.data.attributes.dateNumberDate of the analysis in epoch format.
VirusTotal.Analysis.data.attributes.statusStringStatus of the analysis.
VirusTotal.Analysis.data.attributes.threat_severity_levelStringThreat severity level of the private file.
VirusTotal.Analysis.data.attributes.popular_threat_categoryStringPopular threat category of the private file.
VirusTotal.Analysis.data.attributes.threat_verdictStringThreat verdict of the private file.
VirusTotal.Analysis.data.idStringID of the analysis.
VirusTotal.Analysis.data.typeStringType of object (analysis).
VirusTotal.Analysis.meta.file_info.sha256StringSHA-256 hash of the file (if it is a file).
VirusTotal.Analysis.meta.file_info.sha1StringSHA-1 hash of the file (if it is a file).
VirusTotal.Analysis.meta.file_info.md5StringMD5 hash of the file (if it is a file).
VirusTotal.Analysis.meta.file_info.sizeNumberSize of the file (if it is a file).
VirusTotal.Analysis.idStringThe analysis ID.

Command Example#

!vt-privatescanning-analysis-get id=example-analysis-id

Context Example#

{
"VirusTotal": {
"Analysis": {
"id": "example-analysis-id",
"meta": {
"file_info": {
"sha256": "Example_sha256",
"sha1": "Example_sha1",
"md5": "Example_md5",
"size": 48
}
},
"data": {
"attributes": {
"date": 1681461324,
"status": "completed",
"threat_severity_level": "SEVERITY_HIGH",
"popular_threat_category": "trojan",
"threat_verdict": "VERDICT_MALICIOUS",
},
"type": "private_analysis",
"id": "example-analysis-id"
}
}
}
}

Human Readable Output#

Analysis results#

IdThreat Severity LevelPopular Threat CategoryThreat VerdictStatus
example-analysis-idHIGHtrojanMALICIOUScompleted

VT indicator fields#

3 indicator fields have been added to all indicator types:

  • VT Engine Detections. Number. Number of VT vendors that flagged the indicator as malicious.
  • VT Engine Vendors. Array. VT vendors who flagged the indicator as malicious.
  • VT Engine Detection Names. Array. VT detection names that flagged the indicator as malicious.

To display the new fields in indicators:

  1. Navigate to Settings > Objects Setup > Indicators > Types.
  2. Select the desired indicator type, for example, File.
  3. Click Edit and, under Custom Fields, choose the desired field and add the corresponding path. For instance, if you select the VT Engine Detections field for the File indicator type, add the path File.VTVendors.EngineDetections. This will enable the field to be populated in the indicator data.

Note that the field will not automatically appear in the indicator's layout. To make it visible:

  1. Navigate to Settings > Objects Setup > Indicators > Layouts.
  2. Select the desired layout (e.g., File Indicator).
  3. Click Detach if needed, and then edit the layout to include the new field.