VMRay
VMRay Playbook
Detonate File - VMRay
Configure VMRay on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for VMRay.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g., https://cloud.vmray.com)
- API Key
- Use system proxy
- Trust any certificate (not secure)
- Click Test to validate the URLs, token, and connection.
Known Limitations
- Non-ASCII characters in file names will be ignored when uploading.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Submit a sample for analysis: vmray-upload-sample
- Get analysis details for a sample: vmray-get-analysis-by-sample
- Get job details for a sample: vmray-get-job-by-sample
- Get submission results: vmray-get-submission
- Get information for a sample: vmray-get-sample
- Get threat indicators: vmray-get-threat-indicators
- Add a tag to an analysis or submission: vmray-add-tag
- Delete a tag from an analysis or submission: vmray-delete-tag
- Get IOCs for a sample: vmray-get-iocs
- Get information for a job: vmray-get-job-by-id
1. Submit a sample for analysis
Submits a sample to VMRay for analysis.
Base Command
vmray-upload-sample
Input
| Argument Name | Description | Required |
|---|---|---|
| entry_id | Entry ID of the file to submit. | Required |
| document_password | Password of the document. | Optional |
| archive_password | Password of an archive. | Optional |
| sample_type | Force type of the file. | Optional |
| shareable | Whether the file is shareable. | Optional |
| reanalyze | Analyze even if analyses already exist. | Optional |
| max_jobs | Maximum number of jobs to create (number). | Optional |
| tags | A CSV list of tags to add to the sample. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| VMRay.Job.JobID | Number | ID of a new job |
| VMRay.Job.Created | Date | Timestamp of job creation. |
| VMRay.Job.SampleID | Number | ID of the sample. |
| VMRay.Job.VMName | String | Name of the virtual machine. |
| VMRay.Job.VMID | Number | ID of the virtual machine. |
| VMRay.Sample.SampleID | Number | ID of the sample. |
| VMRay.Sample.Created | Date | Timestamp of sample creation. |
| VMRay.Submission.SubmissionID | Number | Submission ID. |
Command Example
vmray-upload-sample entry_id=79@4 max_jobs=1
Context Example
{
"VMRay.Sample": [
{
"SHA1": "69df095557346b3c136db4378afd5ee7a4839dcc",
"Created": "2019-05-27T07:48:11",
"SampleID": 3902285,
"FileName": "KeePass-2.41-Setup.exe",
"FileSize": 3301376,
"SSDeep": "98304:rk/6KPcsSO9iShSf0UTsj+te5NrYWM+40n3vGJyc:rkCK0UhSfHsKw5z4OvGJL"
}
],
"VMRay.Submission": [
{
"SampleID": 3902285,
"SubmissionID": 4569315
}
],
"VMRay.Job": [
{
"Created": "2019-05-27T07:48:11",
"JobRuleSampleType": "Windows PE (x86)",
"VMID": 20,
"SampleID": 3902285,
"JobID": 3908304,
"VMName": "win10_64_th2"
}
]
}
Human Readable Output
File submitted to VMRay
| Jobs ID | Samples ID | Submissions ID |
|---|---|---|
| 3908304 | 3902285 | 4569315 |
2. Get analysis details for a sample
Retrieves all analysis details for a specified sample.
Base Command
vmray-get-analysis-by-sample
Input
| Argument Name | Description | Required |
|---|---|---|
| sample_id | Analysis sample ID. | Required |
| limit | Maximum number of results to return (number). | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| VMRay.Analysis.AnalysisID | Number | Analysis ID. |
| VMRay.Analysis.SampleID | Number | Sample ID in the analysis. |
| VMRay.Analysis.Severity | String | Severity of the sample (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). |
| VMRay.Analysis.JobCreated | Date | Date when the analysis job started. |
| VMRay.Analysis.MD5 | String | MD5 hash of the sample. |
| VMRay.Analysis.SHA1 | String | SHA1 hash of the sample. |
| VMRay.Analysis.SHA256 | String | SHA256 hash of the sample. |
| VMRay.Analysis.SSDeep | String | ssdeep hash of the sample. |
Command Example
vmray-get-analysis-by-sample sample_id=3902238
Human Readable Output
No analysis found for sample id 3902238
3. Get job details for a sample
Retrieves details for all jobs for a specified sample.
Base Command
vmray-get-job-by-sample
Input
| Argument Name | Description | Required |
|---|---|---|
| sample_id | Job sample ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| VMRay.Job.JobID | Number | ID of the job. |
| VMRay.Job.SampleID | Number | Sample ID of the job. |
| VMRay.Job.SubmissionID | Number | ID of the submission. |
| VMRay.Job.MD5 | String | MD5 hash of the sample in the job. |
| VMRay.Job.SHA1 | String | SHA1 hash of the sample in the job. |
| VMRay.Job.SHA256 | String | SHA256 hash of the sample in the job. |
| VMRay.Job.SSDeep | String | ssdeep hash of the sample in the job. |
| VMRay.Job.VMName | String | Name of the virtual machine. |
| VMRay.Job.VMID | Number | ID of the virtual machine. |
| VMRay.Job.Status | String | Status of the job. |
Command Example
!vmray-get-job-by-sample sample_id=3902238
Context Example
{
"VMRay.Job": {
"JobID": 365547,
"SampleID": 3902238,
"SubmissionID": 4569262,
"SHA1": "b94951a9dde256624289abe8b9744d0f61fab8bb",
"SSDeep": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB",
"SHA256": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07",
"MD5": "e24992f83bb3d0ed12b3e8cd7c35888f"
"VMName": "windows8.1-x64 sp1",
"VMID": 747112,
}
}
Human Readable Output
4. Get submission results
Retrieves the results of a submission.
Base Command
vmray-get-submission
Input
| Argument Name | Description | Required |
|---|---|---|
| submission_id | ID of the submission. Can be obtained by running the vmray-upload-sample command. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| VMRay.Submission.IsFinished | Boolean | Whether the submission is finished (true or false). |
| VMRay.Submission.HasErrors | Boolean | Whether there are any errors in the submission (true or false). |
| VMRay.Submission.SubmissionID | Number | ID of the sample in the submission. |
| VMRay.Submission.MD5 | String | MD5 hash of the sample in the submission. |
| VMRay.Submission.SHA1 | String | SHA1 hash of the sample in the submission. |
| VMRay.Submission.SHA256 | String | SHA256 hash of the sample in the submission. |
| VMRay.Submission.SSDeep | String | ssdeep hash of the sample in the submission. |
| VMRay.Submission.Severity | String | Severity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). |
| VMRay.Submission.SampleID | Number | ID of the sample in the submission. |
Command Example
vmray-get-submission submission_id=4569262
Context Example
{
"DBotScore": [
{
"Vendor": "VMRay",
"Indicator": "e24992f83bb3d0ed12b3e8cd7c35888f",
"Score": 0,
"Type": "hash"
},
{
"Vendor": "VMRay",
"Indicator": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07",
"Score": 0,
"Type": "hash"
},
{
"Vendor": "VMRay",
"Indicator": "b94951a9dde256624289abe8b9744d0f61fab8bb",
"Score": 0,
"Type": "hash"
},
{
"Vendor": "VMRay",
"Indicator": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB",
"Score": 0,
"Type": "hash"
}
],
"VMRay.Submission": {
"SHA1": "b94951a9dde256624289abe8b9744d0f61fab8bb",
"HasErrors": false,
"Severity": "Unknown",
"IsFinished": true,
"SampleID": 3902238,
"SubmissionID": 4569262,
"SSDeep": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB",
"SHA256": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07",
"MD5": "e24992f83bb3d0ed12b3e8cd7c35888f"
}
}
Human Readable Output
Submission results from VMRay for ID 4569262 with severity of Unknown
| IsFinished | Severity | HasErrors | MD5 | SHA1 | SHA256 | SSDeep |
|---|---|---|---|---|---|---|
| true | Unknown | false | e24992f83bb3d0ed12b3e8cd7c35888f | b94951a9dde256624289abe8b9744d0f61fab8bb | 543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07 | 192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB |
5. Get information for a sample
Retrieves a sample using the sample ID.
Base Command
vmray-get-sample
Input
| Argument Name | Description | Required |
|---|---|---|
| sample_id | ID of the sample. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| VMRay.Sample.SampleID | Number | ID of the sample. |
| VMRay.Sample.FileName | String | File name of the sample. |
| VMRay.Sample.MD5 | String | MD5 hash of the sample. |
| VMRay.Sample.SHA1 | String | SHA1 hash of the sample. |
| VMRay.Sample.SHA256 | String | SHA256 hash of the sample. |
| VMRay.Sample.SSDeep | String | ssdeep hash of the sample. |
| VMRay.Sample.Severity | String | Severity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). |
| VMRay.Sample.Type | String | File type. |
| VMRay.Sample.Created | Date | Timestamp of sample creation. |
| VMRay.Sample.Classifications | String | Classifications of the sample. |
Command Example
vmray-get-sample sample_id=3902238
Context Example
{
"DBotScore": [
{
"Vendor": "VMRay",
"Indicator": "e24992f83bb3d0ed12b3e8cd7c35888f",
"Score": 0,
"Type": "hash"
},
{
"Vendor": "VMRay",
"Indicator": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07",
"Score": 0,
"Type": "hash"
},
{
"Vendor": "VMRay",
"Indicator": "b94951a9dde256624289abe8b9744d0f61fab8bb",
"Score": 0,
"Type": "hash"
},
{
"Vendor": "VMRay",
"Indicator": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB",
"Score": 0,
"Type": "hash"
}
],
"VMRay.Sample": {
"SHA1": "b94951a9dde256624289abe8b9744d0f61fab8bb",
"Severity": "Unknown",
"Classification": [],
"Created": "2019-05-27T07:28:08",
"SampleID": 3902238,
"FileName": "[TEST][COFENCE]_CASO_1_EMAIL_DA_SISTEMA_COFENCE__ZIP PASSWORD.msg",
"SSDeep": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB",
"SHA256": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07",
"Type": "CDFV2 Microsoft Outlook Message",
"MD5": "e24992f83bb3d0ed12b3e8cd7c35888f"
}
}
Human Readable Output
Results for sample id: 3902238 with severity Unknown
| Type | MD5 | SHA1 | SHA256 | SSDeep |
|---|---|---|---|---|
| CDFV2 Microsoft Outlook Message | e24992f83bb3d0ed12b3e8cd7c35888f | b94951a9dde256624289abe8b9744d0f61fab8bb | 543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07 | 192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB |
6. Get threat indicators
Retrieves threat indicators (VTI).
Base Command
vmray-get-threat-indicators
Input
| Argument Name | Description | Required |
|---|---|---|
| sample_id | ID of the sample. Can be obtained from the VMRay.Sample.ID output. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| VMRay.ThreatIndicator.AnalysisID | Number | List of connected analysis IDs. |
| VMRay.ThreatIndicator.Category | String | Category of threat indicators. |
| VMRay.ThreatIndicator.Classification | String | Classifications of threat indicators. |
| VMRay.ThreatIndicator.ID | Number | ID of a threat indicator. |
| VMRay.ThreatIndicator.Operation | String | Operation the indicators caused. |
Command Example
vmray-get-threat-indicators sample_id=3902238
Human Readable Output
No threat indicators for sample ID: 3902238
7. Add a tag to an analysis or submission
Adds a tag to an analysis and/or a submission.
Base Command
vmray-add-tag
Input
| Argument Name | Description | Required |
|---|---|---|
| submission_id | ID of the submission to which to add tags. | Optional |
| analysis_id | ID of the analysis from which to delete tags. | Optional |
| tag | Tag to add. | Optional |
Context Output
There is no context output for this command.
Command Example
vmray-add-tag submission_id=4569262 tag=faulty
Human Readable Output
Tags: faulty has been added to submission: 4569262
8. Delete a tag from an analysis or submission
Deletes tags from an analysis and/or a submission.
Base Command
vmray-delete-tag
Input
| Argument Name | Description | Required |
|---|---|---|
| analysis_id | ID of the analysis from which to delete a tag. | Optional |
| submission_id | ID of the submission from which to delete a tag. | Optional |
| tag | Tag to delete. | Optional |
Context Output
There is no context output for this command.
Command Example
vmray-delete-tag submission_id=4569262 tag=faulty
Human Readable Output
Tags: faulty has been added to submission: 4569262
9. Get IOCs for a sample
Retrieves indicators of compropmise for a specified sample.
Base Command
vmray-get-iocs
Input
| Argument Name | Description | Required |
|---|---|---|
| sample_id | ID of the sample. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| VMRay.Sample.IOC.URL.AnalysisID | Number | IDs of other analyses that contain the given URL. |
| VMRay.Sample.IOC.URL.URL | String | URL. |
| VMRay.Sample.IOC.URL.Operation | String | Operation of the specified URL. |
| VMRay.Sample.IOC.URL.ID | Number | ID of the URL. |
| VMRay.Sample.IOC.URL.Type | String | Type of URL. |
| VMRay.Sample.IOC.Domain.AnalysisID | Number | IDs of other analyses that contain the given domain. |
| VMRay.Sample.IOC.Domain.Domain | String | Domain. |
| VMRay.Sample.IOC.Domain.ID | Number | ID of the domain. |
| VMRay.Sample.IOC.Domain.Type | String | Type of domain. |
| VMRay.Sample.IOC.IP.AnalysisID | Number | IDs of other analyses that contain the given IP address. |
| VMRay.Sample.IOC.IP.IP | String | IP address. |
| VMRay.Sample.IOC.IP.Operation | String | Operation of the given IP. |
| VMRay.Sample.IOC.IP.ID | Number | ID of the IP address. |
| VMRay.Sample.IOC.IP.Type | String | Type of IP address. |
| VMRay.Sample.IOC.Mutex.AnalysisID | Number | IDs of other analyses that contains the given IP. |
| VMRay.Sample.IOC.Mutex.Name | String | Name of the mutex. |
| VMRay.Sample.IOC.Mutex.Operation | String | Operation of given mutex |
| VMRay.Sample.IOC.Mutex.ID | Number | ID of the mutex. |
| VMRay.Sample.IOC.Mutex.Type | String | Type of mutex. |
Command Example
vmray-get-iocs sample_id=3902238
Context Example
{
"VMRay.Sample": {
"URL": [],
"IP": [],
"Domain": [],
"Mutex": [],
"Registry": []
}
}
Human Readable Output
No IOCs found in sample 3902238
10. Get information for a job
Retrieves a job by job ID.
Base Command
vmray-get-job-by-id
Input
| Argument Name | Description | Required |
|---|---|---|
| job_id | ID of a job. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| VMRay.Job.JobID | Number | ID of the job. |
| VMRay.Job.SampleID | Number | Sample ID of the job. |
| VMRay.Job.SubmissionID | Number | ID of the submission. |
| VMRay.Job.MD5 | String | MD5 hash of the sample in the job. |
| VMRay.Job.SHA1 | String | SHA1 hash of the sample in the job. |
| VMRay.Job.SHA256 | String | SHA256 hash of the sample in the job. |
| VMRay.Job.SSDeep | String | ssdeep hash of the sample in the job. |
| VMRay.Job.VMName | String | Name of the virtual machine. |
| VMRay.Job.VMID | Number | ID of the virtual machine. |
| VMRay.Job.Status | String | Status of the job. |
Command Example
!vmray-get-job-by-id job_id=365547
Context Example
{
"VMRay.Job": {
"JobID": 365547,
"SampleID": 3902238,
"SubmissionID": 4569262,
"SHA1": "b94951a9dde256624289abe8b9744d0f61fab8bb",
"SSDeep": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB",
"SHA256": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07",
"MD5": "e24992f83bb3d0ed12b3e8cd7c35888f"
"VMName": "windows8.1-x64 sp1",
"VMID": 747112,
}
}