VMRay
VMRay Playbook
- Detonate File - VMRay
Configure VMRay on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for VMRay.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL (e.g., https://cloud.vmray.com)
- API Key
- Use system proxy
- Trust any certificate (not secure)
- Click Test to validate the URLs, token, and connection.
Known Limitations
- Non-ASCII characters in file names will be ignored when uploading.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Submit a sample for analysis: vmray-upload-sample
- Get analysis details for a sample: vmray-get-analysis-by-sample
- Get job details for a sample: vmray-get-job-by-sample
- Get submission results: vmray-get-submission
- Get information for a sample: vmray-get-sample
- Get threat indicators: vmray-get-threat-indicators
- Add a tag to an analysis or submission: vmray-add-tag
- Delete a tag from an analysis or submission: vmray-delete-tag
- Get IOCs for a sample: vmray-get-iocs
- Get information for a job: vmray-get-job-by-id
1. Submit a sample for analysis
Submits a sample to VMRay for analysis.
Base Command
vmray-upload-sample
Input
Argument Name | Description | Required |
---|---|---|
entry_id | Entry ID of the file to submit. | Required |
document_password | Password of the document. | Optional |
archive_password | Password of an archive. | Optional |
sample_type | Force type of the file. | Optional |
shareable | Whether the file is shareable. | Optional |
reanalyze | Analyze even if analyses already exist. | Optional |
max_jobs | Maximum number of jobs to create (number). | Optional |
tags | A CSV list of tags to add to the sample. | Optional |
Context Output
Path | Type | Description |
---|---|---|
VMRay.Job.JobID | Number | ID of the new job. |
VMRay.Job.Created | Date | Timestamp of job creation. |
VMRay.Job.SampleID | Number | ID of the sample. |
VMRay.Job.VMName | String | Name of the virtual machine. |
VMRay.Job.VMID | Number | ID of the virtual machine. |
VMRay.Sample.SampleID | Number | ID of the sample. |
VMRay.Sample.Created | Date | Timestamp of sample creation. |
VMRay.Submission.SubmissionID | Number | Submission ID. |
Command Example
vmray-upload-sample entry_id=79@4 max_jobs=1
Context Example
{ "VMRay.Sample": [ { "SHA1": "69df095557346b3c136db4378afd5ee7a4839dcc", "Created": "2019-05-27T07:48:11", "SampleID": 3902285, "FileName": "KeePass-2.41-Setup.exe", "FileSize": 3301376, "SSDeep": "98304:rk/6KPcsSO9iShSf0UTsj+te5NrYWM+40n3vGJyc:rkCK0UhSfHsKw5z4OvGJL" } ], "VMRay.Submission": [ { "SampleID": 3902285, "SubmissionID": 4569315 } ], "VMRay.Job": [ { "Created": "2019-05-27T07:48:11", "JobRuleSampleType": "Windows PE (x86)", "VMID": 20, "SampleID": 3902285, "JobID": 3908304, "VMName": "win10_64_th2" } ] }
Human Readable Output
File submitted to VMRay
Jobs ID | Samples ID | Submissions ID |
---|---|---|
3908304 | 3902285 | 4569315 |
2. Get analysis details for a sample
Retrieves all analysis details for a specified sample.
Base Command
vmray-get-analysis-by-sample
Input
Argument Name | Description | Required |
---|---|---|
sample_id | Analysis sample ID. | Required |
limit | Maximum number of results to return (number). | Optional |
Context Output
Path | Type | Description |
---|---|---|
VMRay.Analysis.AnalysisID | Number | Analysis ID. |
VMRay.Analysis.SampleID | Number | Sample ID in the analysis. |
VMRay.Analysis.Severity | String | Severity of the sample (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). |
VMRay.Analysis.JobCreated | Date | Date when the analysis job started. |
VMRay.Analysis.MD5 | String | MD5 hash of the sample. |
VMRay.Analysis.SHA1 | String | SHA1 hash of the sample. |
VMRay.Analysis.SHA256 | String | SHA256 hash of the sample. |
VMRay.Analysis.SSDeep | String | ssdeep hash of the sample. |
Command Example
vmray-get-analysis-by-sample sample_id=3902238
Human Readable Output
No analysis found for sample id 3902238
3. Get job details for a sample
Retrieves details for all jobs for a specified sample.
Base Command
vmray-get-job-by-sample
Input
Argument Name | Description | Required |
---|---|---|
sample_id | Job sample ID. | Required |
Context Output
Path | Type | Description |
---|---|---|
VMRay.Job.JobID | Number | ID of the job. |
VMRay.Job.SampleID | Number | Sample ID of the job. |
VMRay.Job.SubmissionID | Number | ID of the submission. |
VMRay.Job.MD5 | String | MD5 hash of the sample in the job. |
VMRay.Job.SHA1 | String | SHA1 hash of the sample in the job. |
VMRay.Job.SHA256 | String | SHA256 hash of the sample in the job. |
VMRay.Job.SSDeep | String | ssdeep hash of the sample in the job. |
VMRay.Job.VMName | String | Name of the virtual machine. |
VMRay.Job.VMID | Number | ID of the virtual machine. |
VMRay.Job.Status | String | Status of the job. |
Command Example
!vmray-get-job-by-sample sample_id=3902238
Context Example
{ "VMRay.Job": { "JobID": 365547, "SampleID": 3902238, "SubmissionID": 4569262, "SHA1": "b94951a9dde256624289abe8b9744d0f61fab8bb", "SSDeep": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB", "SHA256": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07", "MD5": "e24992f83bb3d0ed12b3e8cd7c35888f" "VMName": "windows8.1-x64 sp1", "VMID": 747112, } }
Human Readable Output
4. Get submission results
Retrieves the results of a submission.
Base Command
vmray-get-submission
Input
Argument Name | Description | Required |
---|---|---|
submission_id | ID of the submission. Can be obtained by running the vmray-upload-sample command. | Required |
Context Output
Path | Type | Description |
---|---|---|
VMRay.Submission.IsFinished | Boolean | Whether the submission is finished (true or false). |
VMRay.Submission.HasErrors | Boolean | Whether there are any errors in the submission (true or false). |
VMRay.Submission.SubmissionID | Number | ID of the submission. |
VMRay.Submission.MD5 | String | MD5 hash of the sample in the submission. |
VMRay.Submission.SHA1 | String | SHA1 hash of the sample in the submission. |
VMRay.Submission.SHA256 | String | SHA256 hash of the sample in the submission. |
VMRay.Submission.SSDeep | String | ssdeep hash of the sample in the submission. |
VMRay.Submission.Severity | String | Severity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). |
VMRay.Submission.SampleID | Number | ID of the sample in the submission. |
Command Example
vmray-get-submission submission_id=4569262
Context Example
{ "DBotScore": [ { "Vendor": "VMRay", "Indicator": "e24992f83bb3d0ed12b3e8cd7c35888f", "Score": 0, "Type": "hash" }, { "Vendor": "VMRay", "Indicator": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07", "Score": 0, "Type": "hash" }, { "Vendor": "VMRay", "Indicator": "b94951a9dde256624289abe8b9744d0f61fab8bb", "Score": 0, "Type": "hash" }, { "Vendor": "VMRay", "Indicator": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB", "Score": 0, "Type": "hash" } ], "VMRay.Submission": { "SHA1": "b94951a9dde256624289abe8b9744d0f61fab8bb", "HasErrors": false, "Severity": "Unknown", "IsFinished": true, "SampleID": 3902238, "SubmissionID": 4569262, "SSDeep": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB", "SHA256": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07", "MD5": "e24992f83bb3d0ed12b3e8cd7c35888f" } }
Human Readable Output
Submission results from VMRay for ID 4569262 with severity of Unknown
IsFinished | Severity | HasErrors | MD5 | SHA1 | SHA256 | SSDeep |
---|---|---|---|---|---|---|
true | Unknown | false | e24992f83bb3d0ed12b3e8cd7c35888f | b94951a9dde256624289abe8b9744d0f61fab8bb | 543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07 | 192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB |
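A "Detonate File" style playbook chains vmray-upload-sample and vmray-get-submission: it takes the SubmissionID from the upload context, polls the submission until IsFinished is true, and only then trusts the Severity. The following is an added example (not part of the Demisto integration or the VMRay API) of that decision logic run over the context shapes documented above; the severity-to-DBotScore mapping is this example's assumption, since the page only shows Unknown mapping to 0.

```python
"""Polling decision logic for a 'Detonate File - VMRay' style loop.

Added example working on the VMRay.* context shapes documented above.
Inputs are constructed from the page's context examples.
"""

# Constructed input: trimmed vmray-upload-sample context from above.
UPLOAD_CTX = {
    "VMRay.Submission": [{"SampleID": 3902285, "SubmissionID": 4569315}],
    "VMRay.Job": [{"JobID": 3908304, "SampleID": 3902285, "VMID": 20}],
}

# Constructed input: trimmed vmray-get-submission context from above.
SUBMISSION_CTX = {
    "VMRay.Submission": {
        "HasErrors": False, "Severity": "Unknown", "IsFinished": True,
        "SampleID": 3902238, "SubmissionID": 4569262,
        "SHA256": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07",
    }
}

# Assumed mapping of the documented severity enum to DBotScore
# (0 unknown, 1 good, 2 suspicious, 3 bad); the page only shows Unknown -> 0.
SEVERITY_TO_DBOT = {"Malicious": 3, "Blacklisted": 3, "Suspicious": 2,
                    "Good": 1, "Whitelisted": 1, "Unknown": 0}


def submission_ids(upload_ctx):
    """Return the SubmissionIDs created by vmray-upload-sample.

    The context may hold a single dict or a list (one per job)."""
    subs = upload_ctx.get("VMRay.Submission", [])
    if isinstance(subs, dict):
        subs = [subs]
    return [s["SubmissionID"] for s in subs]


def poll_decision(submission_ctx):
    """Decide the next playbook step from a vmray-get-submission context.

    Returns (action, severity, dbot_score): 'wait' while the sandbox is still
    running, 'error' if VMRay reported errors, otherwise 'done' with a verdict."""
    sub = submission_ctx.get("VMRay.Submission") or {}
    if isinstance(sub, list):
        sub = sub[0] if sub else {}
    if not sub.get("IsFinished", False):
        return ("wait", None, None)   # do not read Severity before completion
    if sub.get("HasErrors", False):
        return ("error", None, None)  # surface the failure instead of a verdict
    severity = sub.get("Severity", "Unknown")
    # Unknown maps to 0 so an unclassified sample never inherits a benign score.
    return ("done", severity, SEVERITY_TO_DBOT.get(severity, 0))
```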
5. Get information for a sample
Retrieves a sample using the sample ID.
Base Command
vmray-get-sample
Input
Argument Name | Description | Required |
---|---|---|
sample_id | ID of the sample. | Required |
Context Output
Path | Type | Description |
---|---|---|
VMRay.Sample.SampleID | Number | ID of the sample. |
VMRay.Sample.FileName | String | File name of the sample. |
VMRay.Sample.MD5 | String | MD5 hash of the sample. |
VMRay.Sample.SHA1 | String | SHA1 hash of the sample. |
VMRay.Sample.SHA256 | String | SHA256 hash of the sample. |
VMRay.Sample.SSDeep | String | ssdeep hash of the sample. |
VMRay.Sample.Severity | String | Severity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). |
VMRay.Sample.Type | String | File type. |
VMRay.Sample.Created | Date | Timestamp of sample creation. |
VMRay.Sample.Classifications | String | Classifications of the sample. |
Command Example
vmray-get-sample sample_id=3902238
Context Example
{ "DBotScore": [ { "Vendor": "VMRay", "Indicator": "e24992f83bb3d0ed12b3e8cd7c35888f", "Score": 0, "Type": "hash" }, { "Vendor": "VMRay", "Indicator": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07", "Score": 0, "Type": "hash" }, { "Vendor": "VMRay", "Indicator": "b94951a9dde256624289abe8b9744d0f61fab8bb", "Score": 0, "Type": "hash" }, { "Vendor": "VMRay", "Indicator": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB", "Score": 0, "Type": "hash" } ], "VMRay.Sample": { "SHA1": "b94951a9dde256624289abe8b9744d0f61fab8bb", "Severity": "Unknown", "Classification": [], "Created": "2019-05-27T07:28:08", "SampleID": 3902238, "FileName": "[TEST][COFENCE]_CASO_1_EMAIL_DA_SISTEMA_COFENCE__ZIP PASSWORD.msg", "SSDeep": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB", "SHA256": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07", "Type": "CDFV2 Microsoft Outlook Message", "MD5": "e24992f83bb3d0ed12b3e8cd7c35888f" } }
Human Readable Output
Results for sample id: 3902238 with severity Unknown
Type | MD5 | SHA1 | SHA256 | SSDeep |
---|---|---|---|---|
CDFV2 Microsoft Outlook Message | e24992f83bb3d0ed12b3e8cd7c35888f | b94951a9dde256624289abe8b9744d0f61fab8bb | 543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07 | 192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB |
6. Get threat indicators
Retrieves threat indicators (VTI).
Base Command
vmray-get-threat-indicators
Input
Argument Name | Description | Required |
---|---|---|
sample_id | ID of the sample. Can be obtained from the VMRay.Sample.ID output. | Required |
Context Output
Path | Type | Description |
---|---|---|
VMRay.ThreatIndicator.AnalysisID | Number | List of connected analysis IDs. |
VMRay.ThreatIndicator.Category | String | Category of threat indicators. |
VMRay.ThreatIndicator.Classification | String | Classifications of threat indicators. |
VMRay.ThreatIndicator.ID | Number | ID of a threat indicator. |
VMRay.ThreatIndicator.Operation | String | Operation the indicators caused. |
Command Example
vmray-get-threat-indicators sample_id=3902238
Human Readable Output
No threat indicators for sample ID: 3902238
7. Add a tag to an analysis or submission
Adds a tag to an analysis and/or a submission.
Base Command
vmray-add-tag
Input
Argument Name | Description | Required |
---|---|---|
submission_id | ID of the submission to which to add tags. | Optional |
analysis_id | ID of the analysis to which to add tags. | Optional |
tag | Tag to add. | Optional |
Context Output
There is no context output for this command.
Command Example
vmray-add-tag submission_id=4569262 tag=faulty
Human Readable Output
Tags: faulty has been added to submission: 4569262
8. Delete a tag from an analysis or submission
Deletes tags from an analysis and/or a submission.
Base Command
vmray-delete-tag
Input
Argument Name | Description | Required |
---|---|---|
analysis_id | ID of the analysis from which to delete a tag. | Optional |
submission_id | ID of the submission from which to delete a tag. | Optional |
tag | Tag to delete. | Optional |
Context Output
There is no context output for this command.
Command Example
vmray-delete-tag submission_id=4569262 tag=faulty
Human Readable Output
Tags: faulty has been added to submission: 4569262
9. Get IOCs for a sample
Retrieves indicators of compromise for a specified sample.
Base Command
vmray-get-iocs
Input
Argument Name | Description | Required |
---|---|---|
sample_id | ID of the sample. | Required |
Context Output
Path | Type | Description |
---|---|---|
VMRay.Sample.IOC.URL.AnalysisID | Number | IDs of other analyses that contain the given URL. |
VMRay.Sample.IOC.URL.URL | String | URL. |
VMRay.Sample.IOC.URL.Operation | String | Operation of the specified URL. |
VMRay.Sample.IOC.URL.ID | Number | ID of the URL. |
VMRay.Sample.IOC.URL.Type | String | Type of URL. |
VMRay.Sample.IOC.Domain.AnalysisID | Number | IDs of other analyses that contain the given domain. |
VMRay.Sample.IOC.Domain.Domain | String | Domain. |
VMRay.Sample.IOC.Domain.ID | Number | ID of the domain. |
VMRay.Sample.IOC.Domain.Type | String | Type of domain. |
VMRay.Sample.IOC.IP.AnalysisID | Number | IDs of other analyses that contain the given IP address. |
VMRay.Sample.IOC.IP.IP | String | IP address. |
VMRay.Sample.IOC.IP.Operation | String | Operation of the given IP. |
VMRay.Sample.IOC.IP.ID | Number | ID of the IP address. |
VMRay.Sample.IOC.IP.Type | String | Type of IP address. |
VMRay.Sample.IOC.Mutex.AnalysisID | Number | IDs of other analyses that contain the given mutex. |
VMRay.Sample.IOC.Mutex.Name | String | Name of the mutex. |
VMRay.Sample.IOC.Mutex.Operation | String | Operation of the given mutex. |
VMRay.Sample.IOC.Mutex.ID | Number | ID of the mutex. |
VMRay.Sample.IOC.Mutex.Type | String | Type of mutex. |
Command Example
vmray-get-iocs sample_id=3902238
Context Example
{ "VMRay.Sample": { "URL": [], "IP": [], "Domain": [], "Mutex": [], "Registry": [] } }
Human Readable Output
No IOCs found in sample 3902238
10. Get information for a job
Retrieves a job by job ID.
Base Command
vmray-get-job-by-id
Input
Argument Name | Description | Required |
---|---|---|
job_id | ID of a job. | Required |
Context Output
Path | Type | Description |
---|---|---|
VMRay.Job.JobID | Number | ID of the job. |
VMRay.Job.SampleID | Number | Sample ID of the job. |
VMRay.Job.SubmissionID | Number | ID of the submission. |
VMRay.Job.MD5 | String | MD5 hash of the sample in the job. |
VMRay.Job.SHA1 | String | SHA1 hash of the sample in the job. |
VMRay.Job.SHA256 | String | SHA256 hash of the sample in the job. |
VMRay.Job.SSDeep | String | ssdeep hash of the sample in the job. |
VMRay.Job.VMName | String | Name of the virtual machine. |
VMRay.Job.VMID | Number | ID of the virtual machine. |
VMRay.Job.Status | String | Status of the job. |
Command Example
!vmray-get-job-by-id job_id=365547
Context Example
{ "VMRay.Job": { "JobID": 365547, "SampleID": 3902238, "SubmissionID": 4569262, "SHA1": "b94951a9dde256624289abe8b9744d0f61fab8bb", "SSDeep": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB", "SHA256": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07", "MD5": "e24992f83bb3d0ed12b3e8cd7c35888f" "VMName": "windows8.1-x64 sp1", "VMID": 747112, } }