Skip to main content

VMRay

This Integration is part of the VMRay Analyzer Pack.#

VMRay XSOAR Integration#

This integration enables users to design playbooks that involve analyzing a file in VMRay and retrieving the analysis results and associated threat intelligence.

The Playbooks accelerate incident response and make security operations more scalable and efficient.

Configure VMRay in Cortex#

ParameterDescriptionRequired
Source ReliabilityReliability of the source providing the intelligence data.False
Server URL (e.g., https://cloud.vmray.com)True
API Key (Recommended)False
Use system proxy settingsFalse
Trust any certificate (not secure)False
Retry requests when API is rate limitedFalse
API Key (Deprecated)Use the "API Key (Recommended)" parameter instead.False

Known Limitations#

  • Non-ASCII characters in file names will be ignored when uploading.

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

vmray-upload-sample#


Submits a sample to VMRay for analysis.

Base Command#

vmray-upload-sample

Input#

Argument NameDescriptionRequired
entry_idEntry ID of the file to submit.Required
document_passwordPassword of the document.Optional
archive_passwordPassword of an archive.Optional
sample_typeForce type of the file.Optional
shareableWhether the file is shareable. Possible values are: true, false.Optional
max_jobsMaximum number of jobs to create (number). Default is 1.Optional
tagsA CSV list of tags to add to the sample.Optional
reanalyzeDeprecated. Analyze even if analyses already exist. To control analysis caching, use the API Key settings instead, which are available via the Analysis Settings page, in the VMRay Web Interface. Possible values are: true, false.Optional
net_scheme_nameThe network scheme to use.Optional

Context Output#

PathTypeDescription
VMRay.Job.JobIDNumberID of a new job
VMRay.Job.CreatedDateTimestamp of job creation.
VMRay.Job.SampleIDNumberID of the sample.
VMRay.Job.VMNameStringName of the virtual machine.
VMRay.Job.VMIDNumberID of the virtual machine.
VMRay.Sample.SampleIDNumberID of the sample.
VMRay.Sample.SampleURLStringURL to sample page.
VMRay.Sample.CreatedDateTimestamp of sample creation.
VMRay.Submission.SubmissionIDNumberSubmission ID.
VMRay.Submission.SubmissionURLStringURL to submission page.

Command Example#

vmray-upload-sample entry_id=79@4 max_jobs=1

Context Example#

{
"VMRay.Sample": [
{
"SHA1": "69df095557346b3c136db4378afd5ee7a4839dcc",
"Created": "2019-05-27T07:48:11",
"SampleID": 3902285,
"SampleURL": "https://cloud.vmray.com/user/sample/view?id=3902285",
"FileName": "KeePass-2.41-Setup.exe",
"FileSize": 3301376,
"SSDeep": "98304:rk/6KPcsSO9iShSf0UTsj+te5NrYWM+40n3vGJyc:rkCK0UhSfHsKw5z4OvGJL"
}
],
"VMRay.Submission": [
{
"SampleID": 3902285,
"SubmissionID": 4569315,
"SubmissionURL": "https://cloud.vmray.com/user/sample/view?id=3902285"
}
],
"VMRay.Job": [
{
"Created": "2019-05-27T07:48:11",
"JobRuleSampleType": "Windows PE (x86)",
"VMID": 20,
"SampleID": 3902285,
"JobID": 3908304,
"VMName": "win10_64_th2"
}
]
}

Human Readable Output#

File submitted to VMRay

Jobs IDSamples IDSubmissions IDSample URL
390830439022854569315https://cloud.vmray.com/user/sample/view?id=3902285

vmray-upload-url#


Submits a URL for analysis.

Base Command#

vmray-upload-url

Input#

Argument NameDescriptionRequired
urlThe URL to analyze. For example: https://demisto.com. .Required
shareableWhether the analysis is shareable. Possible values are: true, false.Optional
max_jobsMaximum number of jobs to create (number). Default is 1.Optional
tagsA CSV list of tags to add to the sample.Optional
net_scheme_nameThe network scheme to use.Optional

Context Output#

PathTypeDescription
VMRay.Job.JobIDNumberID of a new job
VMRay.Job.CreatedDateTimestamp of job creation.
VMRay.Job.SampleIDNumberID of the sample.
VMRay.Job.VMNameStringName of the virtual machine.
VMRay.Job.VMIDNumberID of the virtual machine.
VMRay.Sample.SampleIDNumberID of the sample.
VMRay.Sample.SampleURLStringURL to sample page.
VMRay.Sample.CreatedDateTimestamp of sample creation.
VMRay.Submission.SubmissionIDNumberSubmission ID.
VMRay.Submission.SubmissionURLStringURL to submission page.

Command Example#

{
"VMRay.Sample": [
{
"SHA1": "884a2738124be5dae95e685fb8c919b1460734c5",
"Created": "2019-05-27T07:48:11",
"SampleID": 3902285,
"SampleURL": "https://cloud.vmray.com/user/sample/view?id=3902285",
"FileName": "https://demisto.com",
"FileSize": 20,
"SSDeep": "3:N8W2K:2W2K"
}
],
"VMRay.Submission": [
{
"SampleID": 3902285,
"SubmissionID": 4569315,
"SubmissionURL": "https://cloud.vmray.com/user/sample/view?id=3902285"
}
],
"VMRay.Job": [
{
"Created": "2019-05-27T07:48:11",
"JobRuleSampleType": "Windows PE (x86)",
"VMID": 20,
"SampleID": 3902285,
"JobID": 3908304,
"VMName": "win10_64_th2"
}
]
}

Human Readable Output#

URL submitted to VMRay

Jobs IDSamples IDSubmissions ID
390830439022854569315

vmray-get-analysis-by-sample#


Retrieves all analysis details for a specified sample.

Base Command#

vmray-get-analysis-by-sample

Input#

Argument NameDescriptionRequired
sample_idSample ID.Required
limitMaximum number of results to return (number).Optional

Context Output#

PathTypeDescription
VMRay.Analysis.AnalysisIDNumberAnalysis ID.
VMRay.Analysis.AnalysisURLStringURL to analysis page.
VMRay.Analysis.SampleIDNumberSample ID in the analysis.
VMRay.Analysis.VerdictStringVerdict for the sample (Malicious, Suspicious, Clean, Not Available).
VMRay.Analysis.VerdictReasonStringDescription of the Verdict Reason.
VMRay.Analysis.SeverityStringSeverity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). Deprecated.
VMRay.Analysis.JobCreatedDateDate when the analysis job started.
VMRay.Analysis.MD5StringMD5 hash of the sample.
VMRay.Analysis.SHA1StringSHA1 hash of the sample.
VMRay.Analysis.SHA256StringSHA256 hash of the sample.
VMRay.Analysis.SSDeepStringssdeep hash of the sample.

Command Example#

!vmray-get-analysis-by-sample sample_id=3902238

Context Example#

{
"VMRay.Analysis": [
{
"SampleID": 3902238,
"SampleURL": "https://cloud.vmray.com/user/sample/view?id=3902238",
"SHA1": "868a53c394f29f8d3aac7b0a20a371999045b6ed",
"SHA256": "b8a4b647e56cb71773d0086b51906b902a7ccafe699f4068da4cb5cd234d9d66",
"JobCreated": "2021-06-14T12:17:07",
"AnalysisID": 2779353,
"Verdict": "Suspicious",
"VerdictReason": null,
"Severity": "Suspicious",
"MD5": "2e0499dc90c2d715a53e05b1890e0442"
}
]
}

Human Readable Output#

Analysis results from VMRay for ID 3902238:

AnalysisIDSampleIDVerdictAnalysisURL
27793533902238Suspicioushttps://cloud.vmray.com/user/sample/view?id=3902238

vmray-get-job-by-sample#


Retrieves details for all jobs for a specified sample.

Base Command#

vmray-get-job-by-sample

Input#

Argument NameDescriptionRequired
sample_idSample ID.Required

Context Output#

PathTypeDescription
VMRay.Job.JobIDNumberID of the job.
VMRay.Job.SampleIDNumberSample ID of the job.
VMRay.Job.SubmissionIDNumberID of the submission.
VMRay.Job.MD5StringMD5 hash of the sample in the job.
VMRay.Job.SHA1StringSHA1 hash of the sample in the job.
VMRay.Job.SHA256StringSHA256 hash of the sample in the job.
VMRay.Job.SSDeepStringssdeep hash of the sample in the job.
VMRay.Job.VMNameStringName of the virtual machine.
VMRay.Job.VMIDNumberID of the virtual machine.
VMRay.Job.StatusStringStatus of the job.

Command Example#

!vmray-get-job-by-sample sample_id=3902238

Context Example#

{
"VMRay.Job": [
{
"VMName": "win7_32_sp1",
"SampleID": 3902238,
"SHA1": "868a53c394f29f8d3aac7b0a20a371999045b6ed",
"SubmissionID": 18950,
"SHA256": "b8a4b647e56cb71773d0086b51906b902a7ccafe699f4068da4cb5cd234d9d66",
"SSDeep": "1536:Hg8ktOZtz+PZvpJyrOM1GhFNkYL2BxNRjWW:H/kY0Z3yrOMGTkrNRjH",
"Status": "inwork",
"VMID": 3,
"JobID": 29208,
"MD5": "2e0499dc90c2d715a53e05b1890e0442"
}
]
}

Human Readable Output#

Job results for sample id: 3902238

JobIDSampleIDVMNameVMID
292083902238win7_32_sp13

vmray-get-submission#


Retrieves the results of a submission.

Base Command#

vmray-get-submission

Input#

Argument NameDescriptionRequired
submission_idID of the submission. Can be obtained by running the 'vmray-upload-sample' or 'vmray-upload-url' command.Required

Context Output#

PathTypeDescription
VMRay.Submission.IsFinishedBooleanWhether the submission is finished (true or false).
VMRay.Submission.HasErrorsBooleanWhether there are any errors in the submission (true or false).
VMRay.Submission.SubmissionIDNumberID of the sample in the submission.
VMRay.Submission.SubmissionURLStringURL of submission page.
VMRay.Submission.MD5StringMD5 hash of the sample in the submission.
VMRay.Submission.SHA1StringSHA1 hash of the sample in the submission.
VMRay.Submission.SHA256StringSHA256 hash of the sample in the submission.
VMRay.Submission.SSDeepStringssdeep hash of the sample in the submission.
VMRay.Submission.VerdictStringVerdict for the sample (Malicious, Suspicious, Clean, Not Available).
VMRay.Submission.VerdictReasonStringDescription of the Verdict Reason.
VMRay.Submission.SeverityStringSeverity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). Deprecated.
VMRay.Submission.SampleIDNumberID of the sample in the submission.

Command Example#

vmray-get-submission submission_id=4569262

Context Example#

{
"DBotScore": [
{
"Indicator": "2e0499dc90c2d715a53e05b1890e0442",
"Score": 3,
"Type": "hash",
"Vendor": "VMRay"
},
{
"Indicator": "b8a4b647e56cb71773d0086b51906b902a7ccafe699f4068da4cb5cd234d9d66",
"Score": 3,
"Type": "hash",
"Vendor": "VMRay"
},
{
"Indicator": "868a53c394f29f8d3aac7b0a20a371999045b6ed",
"Score": 3,
"Type": "hash",
"Vendor": "VMRay"
},
{
"Indicator": "1536:Hg8ktOZtz+PZvpJyrOM1GhFNkYL2BxNRjWW:H/kY0Z3yrOMGTkrNRjH",
"Score": 3,
"Type": "hash",
"Vendor": "VMRay"
}
],
"VMRay.Submission": {
"SampleID": 3902238,
"SHA1": "868a53c394f29f8d3aac7b0a20a371999045b6ed",
"HasErrors": true,
"SubmissionID": 4569262,
"SubmissionURL": "https://cloud.vmray.com/user/sample/view?id=3902238",
"SHA256": "b8a4b647e56cb71773d0086b51906b902a7ccafe699f4068da4cb5cd234d9d66",
"SSDeep": "1536:Hg8ktOZtz+PZvpJyrOM1GhFNkYL2BxNRjWW:H/kY0Z3yrOMGTkrNRjH",
"Verdict": "Malicious",
"IsFinished": true,
"VerdictReason": null,
"Severity": "Malicious",
"MD5": "2e0499dc90c2d715a53e05b1890e0442"
}
}

Human Readable Output#

Submission results from VMRay for ID 3902238 with verdict of Malicious

AttributeValue
IsFinishedtrue
VerdictMalicious
HasErrorstrue
MD52e0499dc90c2d715a53e05b1890e0442
SHA1868a53c394f29f8d3aac7b0a20a371999045b6ed
SHA256b8a4b647e56cb71773d0086b51906b902a7ccafe699f4068da4cb5cd234d9d66
SSDeep1536:Hg8ktOZtz+PZvpJyrOM1GhFNkYL2BxNRjWW:H/kY0Z3yrOMGTkrNRjH
SubmissionURLhttps://cloud.vmray.com/user/sample/view?id=3902238

vmray-get-sample#


Retrieves a sample using the sample ID.

Base Command#

vmray-get-sample

Input#

Argument NameDescriptionRequired
sample_idID of the sample.Required

Context Output#

PathTypeDescription
VMRay.Sample.SampleIDNumberID of the sample.
VMRay.Sample.SampleURLStringURL to sample page.
VMRay.Sample.FileNameStringFile name of the sample.
VMRay.Sample.MD5StringMD5 hash of the sample.
VMRay.Sample.SHA1StringSHA1 hash of the sample.
VMRay.Sample.SHA256StringSHA256 hash of the sample.
VMRay.Sample.SSDeepStringssdeep hash of the sample.
VMRay.Sample.VerdictStringVerdict for the sample (Malicious, Suspicious, Clean, Not Available).
VMRay.Sample.VerdictReasonStringDescription of the Verdict Reason.
VMRay.Sample.SeverityStringSeverity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). Deprecated.
VMRay.Sample.TypeStringFile type.
VMRay.Sample.CreatedDateTimestamp of sample creation.
VMRay.Sample.ClassificationsStringClassifications of the sample.
VMRay.Sample.ChildSampleIDsNumberList of child sample IDs.
VMRay.Sample.ParentSampleIDsNumberList of parent sample IDs.

Command Example#

!vmray-get-sample sample_id=3902238

Context Example#

{
"DBotScore": [
{
"Indicator": "2e0499dc90c2d715a53e05b1890e0442",
"Score": 3,
"Type": "hash",
"Vendor": "VMRay"
},
{
"Indicator": "b8a4b647e56cb71773d0086b51906b902a7ccafe699f4068da4cb5cd234d9d66",
"Score": 3,
"Type": "hash",
"Vendor": "VMRay"
},
{
"Indicator": "868a53c394f29f8d3aac7b0a20a371999045b6ed",
"Score": 3,
"Type": "hash",
"Vendor": "VMRay"
},
{
"Indicator": "1536:Hg8ktOZtz+PZvpJyrOM1GhFNkYL2BxNRjWW:H/kY0Z3yrOMGTkrNRjH",
"Score": 3,
"Type": "hash",
"Vendor": "VMRay"
}
],
"VMRay.Sample": {
"SampleID": 3902238,
"SampleURL": "https://cloud.vmray.com/user/sample/view?id=3902238",
"SHA1": "868a53c394f29f8d3aac7b0a20a371999045b6ed",
"Classification": [],
"SHA256": "b8a4b647e56cb71773d0086b51906b902a7ccafe699f4068da4cb5cd234d9d66",
"FileName": "pafish.exe",
"Created": "2018-03-20T15:06:49",
"SSDeep": "1536:Hg8ktOZtz+PZvpJyrOM1GhFNkYL2BxNRjWW:H/kY0Z3yrOMGTkrNRjH",
"Verdict": "Malicious",
"Type": "Windows Exe (x86-32)",
"VerdictReason": null,
"Severity": "Malicious",
"MD5": "2e0499dc90c2d715a53e05b1890e0442",
"ChildSampleIDs": [20, 21, 22],
"ParentSampleIDs": [18]
}
}

Human Readable Output#

Results for sample id: 3902238 with verdict Malicious

AttributeValue
FileNamepafish.exe
TypeWindows Exe (x86-32)
MD52e0499dc90c2d715a53e05b1890e0442
SHA1868a53c394f29f8d3aac7b0a20a371999045b6ed
SHA256b8a4b647e56cb71773d0086b51906b902a7ccafe699f4068da4cb5cd234d9d66
SSDeep1536:Hg8ktOZtz+PZvpJyrOM1GhFNkYL2BxNRjWW:H/kY0Z3yrOMGTkrNRjH
SampleURLhttps://cloud.vmray.com/user/sample/view?id=3902238

vmray-get-sample-by-hash#


Retrieves sample information by hash.

Base Command#

vmray-get-sample-by-hash

Input#

Argument NameDescriptionRequired
hashMD5, SHA1 or SHA256 hash of the sample.Required

Context Output#

PathTypeDescription
File.NameStringThe full file name (including file extension).
File.MD5StringThe MD5 hash of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.SSDeepStringThe SSDeep hash of the file.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
VMRay.Sample.SampleIDNumberID of the sample.
VMRay.Sample.SampleURLStringURL to sample page.
VMRay.Sample.FileNameStringFile name of the sample.
VMRay.Sample.MD5StringMD5 hash of the sample.
VMRay.Sample.SHA1StringSHA1 hash of the sample.
VMRay.Sample.SHA256StringSHA256 hash of the sample.
VMRay.Sample.SSDeepStringssdeep hash of the sample.
VMRay.Sample.VerdictStringVerdict for the sample (Malicious, Suspicious, Clean, Not Available).
VMRay.Sample.VerdictReasonStringDescription of the Verdict Reason.
VMRay.Sample.SeverityStringSeverity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). Deprecated.
VMRay.Sample.TypeStringFile type.
VMRay.Sample.CreatedDateTimestamp of sample creation.
VMRay.Sample.ClassificationsStringClassifications of the sample.
VMRay.Sample.ChildSampleIDsNumberList of child sample IDs.
VMRay.Sample.ParentSampleIDsNumberList of parent sample IDs.

Command Example#

!vmray-get-sample-by-hash hash=124f46228d1e220d88ae5e9a24d6e713039a64f9

Context Example#

{
"DBotScore": [
{
"Indicator": "9159edb64c4a21d8888d088bf2db23f3",
"Score": 3,
"Type": "hash",
"Vendor": "VMRay"
},
{
"Indicator": "2180f4a13add5e346e8cf6994876a9d2f5eac3fcb695db8569537010d24cd6d5",
"Score": 3,
"Type": "hash",
"Vendor": "VMRay"
},
{
"Indicator": "124f46228d1e220d88ae5e9a24d6e713039a64f9",
"Score": 3,
"Type": "hash",
"Vendor": "VMRay"
},
{
"Indicator": "1536:tI05L48IVDAQVzZpJyrOM1GhFNkYL2BxNRj:tI05LBIDAuztyrOMGTkrNRj",
"Score": 3,
"Type": "hash",
"Vendor": "VMRay"
}
],
"VMRay.Sample": [
{
"ParentSampleIDs": [],
"SampleID": 6822,
"SHA1": "124f46228d1e220d88ae5e9a24d6e713039a64f9",
"SampleURL": "https://cloud.vmray.com/user/sample/view?id=6822",
"Classification": [],
"SHA256": "2180f4a13add5e346e8cf6994876a9d2f5eac3fcb695db8569537010d24cd6d5",
"FileName": "pafish.exe",
"Created": "2021-06-24T15:06:04",
"SSDeep": "1536:tI05L48IVDAQVzZpJyrOM1GhFNkYL2BxNRj:tI05LBIDAuztyrOMGTkrNRj",
"ChildSampleIDs": [],
"Verdict": "Malicious",
"Type": "Windows Exe (x86-32)",
"VerdictReason": null,
"Severity": "Malicious",
"MD5": "9159edb64c4a21d8888d088bf2db23f3"
}
]
}

Human Readable Output#

Results for sha1 hash 124f46228d1e220d88ae5e9a24d6e713039a64f9:

AttributeValue
SampleID5948
FileNamepafish.exe
TypeWindows Exe (x86-32)
VerdictMalicious
SampleURLhttps://cloud.vmray.com/user/sample/view?id=5948

vmray-get-threat-indicators#


Retrieves threat indicators (VTI).

Base Command#

vmray-get-threat-indicators

Input#

Argument NameDescriptionRequired
sample_idID of the sample. Can be obtained from the 'VMRay.Sample.ID' output.Required

Context Output#

PathTypeDescription
VMRay.ThreatIndicator.AnalysisIDNumberList of connected analysis IDs.
VMRay.ThreatIndicator.CategoryStringCategory of threat indicators.
VMRay.ThreatIndicator.ClassificationStringClassifications of threat indicators.
VMRay.ThreatIndicator.IDNumberID of a threat indicator.
VMRay.ThreatIndicator.OperationStringOperation the indicators caused.

Command Example#

!vmray-get-threat-indicators sample_id=3902238

Context Output#

Omitted for brevity.

Human Readable Output#

Omitted for brevity.

vmray-add-tag#


Adds a tag to an analysis and/or a submission.

Base Command#

vmray-add-tag

Input#

Argument NameDescriptionRequired
submission_idID of the submission to which to add tags.Optional
analysis_idID of the analysis from which to add tags.Optional
tagTag to add.Optional

Context Output#

There is no context output for this command.

Command Example#

!vmray-add-tag submission_id=4569262 tag=faulty

Human Readable Output#

Tags: faulty has been added to submission: 4569262

vmray-delete-tag#


Deletes tags from an analysis and/or a submission.

Base Command#

vmray-delete-tag

Input#

Argument NameDescriptionRequired
analysis_idID of the analysis from which to delete a tag.Optional
submission_idID of the submission from which to delete a tag.Optional
tagTag to delete.Optional

Context Output#

There is no context output for this command.

Command Example#

!vmray-delete-tag submission_id=4569262 tag=faulty

Human Readable Output#

Tags: faulty has been removed from submission: 4569262

vmray-get-iocs#


Retrieves Indicators of Compromise for a specified sample.

Base Command#

vmray-get-iocs

Input#

Argument NameDescriptionRequired
sample_idID of the sample.Required
all_artifactsWhether all artifacts should be returned or only Indicators of Compromise. Possible values are: true, false. Default is false.Optional

Context Output#

PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
Domain.NameStringThe domain name
IP.AddressStringIP address
URL.DataStringThe URL
Email.AddressStringThe Email address
File.PathStringThe full file path.
File.MD5StringThe MD5 hash of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.SSDeepStringThe SSDeep hash of the file.
VMRay.Sample.IOC.Domain.AnalysisIDNumberIDs of other analyses that contain the domain.
VMRay.Sample.IOC.Domain.CountriesStringCountries associated with the domain.
VMRay.Sample.IOC.Domain.CountryCodesStringISO 3166-1 two-letter country codes associated with the domain.
VMRay.Sample.IOC.Domain.DomainStringDomain.
VMRay.Sample.IOC.Domain.IDNumberID of the domain. (deprecated; is always 0)
VMRay.Sample.IOC.Domain.IsIOCBooleanWhether this artifact is an Indicator of Compromise (IOC).
VMRay.Sample.IOC.Domain.IOCTypeStringType of IOC.
VMRay.Sample.IOC.Domain.IpAddressesStringIP addresses associated with the domain.
VMRay.Sample.IOC.Domain.OriginalDomainsStringOriginal domains associated with the domain.
VMRay.Sample.IOC.Domain.ParentProcessesStringFull commandline of processes where the domain was used.
VMRay.Sample.IOC.Domain.ParentProcessesNamesStringNames of processes where the domain was used.
VMRay.Sample.IOC.Domain.ProtocolsStringThe protocols used for the domain in a request.
VMRay.Sample.IOC.Domain.SourcesStringThe sources where the domain was obtained from.
VMRay.Sample.IOC.Domain.TypeStringType of domain.
VMRay.Sample.IOC.Domain.VerdictStringVerdict for the artifact (Malicious, Suspicious, Clean, Not Available).
VMRay.Sample.IOC.Domain.VerdictReasonStringDescription of the Verdict Reason.
VMRay.Sample.IOC.EmailAddress.AnalysisIDNumberIDs of other analyses that contain the email address.
VMRay.Sample.IOC.EmailAddress.ClassificationsStringThe classifications of the email address.
VMRay.Sample.IOC.EmailAddress.EmailAddressStringThe email address.
VMRay.Sample.IOC.EmailAddress.IsIOCBooleanWhether this artifact is an Indicator of Compromise (IOC).
VMRay.Sample.IOC.EmailAddress.IsRecipientBooleanIndicates whether this email address was used as a recipient email.
VMRay.Sample.IOC.EmailAddress.IsSenderBooleanIndicates whether this email address was used as a sender email.
VMRay.Sample.IOC.EmailAddress.IOCTypeStringType of IOC.
VMRay.Sample.IOC.EmailAddress.SubjectsStringEmail subjects this email address was used in.
VMRay.Sample.IOC.EmailAddress.ThreatNamesStringThe threat names of the email address.
VMRay.Sample.IOC.EmailAddress.TypeStringType of email address.
VMRay.Sample.IOC.EmailAddress.VerdictStringVerdict for the artifact (Malicious, Suspicious, Clean, Not Available).
VMRay.Sample.IOC.EmailAddress.VerdictReasonStringDescription of the Verdict Reason.
VMRay.Sample.IOC.Email.AnalysisIDNumberIDs of other analyses that contain the email.
VMRay.Sample.IOC.Email.AttachmentTypesStringMIME types of attachments found in this email.
VMRay.Sample.IOC.Email.ClassificationsStringThe classifications of the email.
VMRay.Sample.IOC.Email.Hashes.MD5StringMD5 of given email.
VMRay.Sample.IOC.Email.Hashes.SSDeepStringSSDeep of given email.
VMRay.Sample.IOC.Email.Hashes.SHA256StringSHA256 of given email.
VMRay.Sample.IOC.Email.Hashes.SHA1StringSHA1 of given email.
VMRay.Sample.IOC.Email.IsIOCBooleanWhether this artifact is an Indicator of Compromise (IOC).
VMRay.Sample.IOC.Email.IOCTypeStringType of IOC.
VMRay.Sample.IOC.Email.NrAttachmentsNumberNumber of attachments found in the email.
VMRay.Sample.IOC.Email.NrLinksNumberNumber of links found in the email.
VMRay.Sample.IOC.Email.RecipientsStringThe email recipients.
VMRay.Sample.IOC.Email.SenderStringSender of the email.
VMRay.Sample.IOC.Email.SubjectStringSubject of the email.
VMRay.Sample.IOC.Email.ThreatNamesStringThe threat names of the email.
VMRay.Sample.IOC.Email.TypeStringType of email.
VMRay.Sample.IOC.Email.VerdictStringVerdict for the artifact (Malicious, Suspicious, Clean, Not Available).
VMRay.Sample.IOC.Email.VerdictReasonStringDescription of the Verdict Reason.
VMRay.Sample.IOC.Filename.AnalysisIDNumberIDs of other analyses that contain the filename.
VMRay.Sample.IOC.Filename.CategoriesStringThe filename categories.
VMRay.Sample.IOC.Filename.ClassificationsStringThe classifications of the filename.
VMRay.Sample.IOC.Filename.FilenameStringThe filename.
VMRay.Sample.IOC.Filename.IsIOCBooleanWhether this artifact is an Indicator of Compromise (IOC).
VMRay.Sample.IOC.Filename.IOCTypeStringType of IOC.
VMRay.Sample.IOC.Filename.OperationsStringThe filename operations that were performed, e.g., access, create, read, write, and delete.
VMRay.Sample.IOC.Filename.ThreatNamesStringThe threat names of the filename.
VMRay.Sample.IOC.Filename.TypeStringType of filename.
VMRay.Sample.IOC.Filename.VerdictStringVerdict for the artifact (Malicious, Suspicious, Clean, Not Available).
VMRay.Sample.IOC.Filename.VerdictReasonStringDescription of the Verdict Reason.
VMRay.Sample.IOC.File.AnalysisIDNumberIDs of other analyses that contain the file.
VMRay.Sample.IOC.File.CategoriesStringThe file categories.
VMRay.Sample.IOC.File.ClassificationsStringThe classifications of the file.
VMRay.Sample.IOC.File.FileSizeNumberThe original size of the file in bytes.
VMRay.Sample.IOC.File.FilenameStringName of the file.
VMRay.Sample.IOC.File.FilenamesStringAll known names of the file.
VMRay.Sample.IOC.File.Hashes.MD5StringMD5 hash of the file.
VMRay.Sample.IOC.File.Hashes.SSDeepStringSSDeep hash of the file.
VMRay.Sample.IOC.File.Hashes.SHA256StringSHA256 hash of the file.
VMRay.Sample.IOC.File.Hashes.SHA1StringSHA1 hash of the file.
VMRay.Sample.IOC.File.IDNumberID of the file. (deprecated; is always 0)
VMRay.Sample.IOC.File.IsIOCBooleanWhether this artifact is an Indicator of Compromise (IOC).
VMRay.Sample.IOC.File.IOCTypeStringType of IOC.
VMRay.Sample.IOC.File.MIMETypeStringThe MIME type of the file.
VMRay.Sample.IOC.File.NameStringSame as Filename.
VMRay.Sample.IOC.File.NormFilenameStringNormalized name of the file.
VMRay.Sample.IOC.File.OperationStringSame as Operations, left in for backwards compatibility.
VMRay.Sample.IOC.File.OperationsStringThe file operations which were performed, e.g., access, create, read, write, and delete.
VMRay.Sample.IOC.File.ParentFilesStringFiles where this file was contained in.
VMRay.Sample.IOC.File.ParentProcessesStringFull commandline of processes where the file was referenced.
VMRay.Sample.IOC.File.ParentProcessesNamesStringNames of processes where the file was referenced.
VMRay.Sample.IOC.File.ResourceURLStringURL of where the file was downloaded.
VMRay.Sample.IOC.File.ThreatNamesStringThe threat names of the file.
VMRay.Sample.IOC.File.TypeStringType of file.
VMRay.Sample.IOC.File.VerdictStringVerdict for the artifact (Malicious, Suspicious, Clean, Not Available).
VMRay.Sample.IOC.File.VerdictReasonStringDescription of the Verdict Reason.
VMRay.Sample.IOC.IP.AnalysisIDNumberIDs of other analyses that contain the IP address.
VMRay.Sample.IOC.IP.CountriesStringCountries associated with the IP address.
VMRay.Sample.IOC.IP.CountryCodesStringISO 3166-1 two-letter country codes associated with the IP address.
VMRay.Sample.IOC.IP.DomainsStringDomains associated with the IP address.
VMRay.Sample.IOC.IP.IPStringThe IP address.
VMRay.Sample.IOC.IP.IDNumberID of the IP address. (deprecated; is always 0)
VMRay.Sample.IOC.IP.IsIOCBooleanWhether this artifact is an Indicator of Compromise (IOC).
VMRay.Sample.IOC.IP.IOCTypeStringType of IOC.
VMRay.Sample.IOC.IP.OperationStringDeprecated, always empty.
VMRay.Sample.IOC.IP.ParentProcessesStringFull commandline of processes where the IP address was referenced.
VMRay.Sample.IOC.IP.ParentProcessesNamesStringNames of processes where the IP address was referenced.
VMRay.Sample.IOC.IP.ProtocolsStringProtocols used in communication with this IP.
VMRay.Sample.IOC.IP.SourcesStringThe sources where the IP address was obtained from.
VMRay.Sample.IOC.IP.TypeStringType of IP address.
VMRay.Sample.IOC.IP.VerdictStringVerdict for the artifact (Malicious, Suspicious, Clean, Not Available).
VMRay.Sample.IOC.IP.VerdictReasonStringDescription of the Verdict Reason.
VMRay.Sample.IOC.Mutex.AnalysisIDNumberIDs of other analyses that contain the mutex.
VMRay.Sample.IOC.Mutex.ClassificationsStringThe mutex classifications.
VMRay.Sample.IOC.Mutex.IDNumberID of the mutex. (deprecated; is always 0)
VMRay.Sample.IOC.Mutex.IsIOCBooleanWhether this artifact is an Indicator of Compromise (IOC).
VMRay.Sample.IOC.Mutex.IOCTypeStringType of IOC.
VMRay.Sample.IOC.Mutex.NameStringName of the mutex.
VMRay.Sample.IOC.Mutex.OperationStringSame as Operations, left in for backwards compatibility.
VMRay.Sample.IOC.Mutex.OperationStringThe mutex operations that were performed, e.g., access, create, read, write, and delete.
VMRay.Sample.IOC.Mutex.ParentProcessesStringFull commandline of processes where the mutex was used.
VMRay.Sample.IOC.Mutex.ParentProcessesNamesUnknownNames of processes where the mutex was used.
VMRay.Sample.IOC.Mutex.ThreatNamesStringThe threat names of the mutex.
VMRay.Sample.IOC.Mutex.TypeStringType of mutex.
VMRay.Sample.IOC.Mutex.VerdictStringVerdict for the artifact (Malicious, Suspicious, Clean, Not Available).
VMRay.Sample.IOC.Mutex.VerdictReasonStringDescription of the Verdict Reason.
VMRay.Sample.IOC.Process.AnalysisIDNumberIDs of other analyses that contain the process.
VMRay.Sample.IOC.Process.ClassificationsStringThe process classifications.
VMRay.Sample.IOC.Process.CmdLineStringCommand line of the process.
VMRay.Sample.IOC.Process.ImageNamesStringNames of the process executable.
VMRay.Sample.IOC.Process.IsIOCBooleanWhether this artifact is an Indicator of Compromise (IOC).
VMRay.Sample.IOC.Process.IOCTypeStringType of IOC.
VMRay.Sample.IOC.Process.ParentProcessesStringFull commandline of parent processes.
VMRay.Sample.IOC.Process.ParentProcessesNamesStringNames of parent processes.
VMRay.Sample.IOC.Process.ProcessNamesStringNames of the processes.
VMRay.Sample.IOC.Process.ThreatNamesStringThe threat names of the process.
VMRay.Sample.IOC.Process.TypeStringType of process.
VMRay.Sample.IOC.Process.VerdictStringVerdict for the artifact (Malicious, Suspicious, Clean, Not Available).
VMRay.Sample.IOC.Process.VerdictReasonStringDescription of the Verdict Reason.
VMRay.Sample.IOC.Registry.AnalysisIDNumberIDs of other analyses that contain the registry key.
VMRay.Sample.IOC.Registry.ClassificationsStringThe registry key classifications.
VMRay.Sample.IOC.Registry.IDNumberID of the registry key. (deprecated; is always 0)
VMRay.Sample.IOC.Registry.IsIOCBooleanWhether this artifact is an Indicator of Compromise (IOC).
VMRay.Sample.IOC.Registry.IOCTypeStringType of IOC.
VMRay.Sample.IOC.Registry.NameStringThe normalized registry key name.
VMRay.Sample.IOC.Registry.OperationStringSame as Operations, left in for backwards compatibility.
VMRay.Sample.IOC.Registry.OperationStringThe registry operations that were performed, e.g., access, create, read, write, and delete.
VMRay.Sample.IOC.Registry.ParentProcessesStringFull commandline of processes where the registry key was referenced.
VMRay.Sample.IOC.Registry.ParentProcessesNamesStringNames of processes where the registry key was referenced.
VMRay.Sample.IOC.Registry.ThreatNamesStringThe threat names of the registry key.
VMRay.Sample.IOC.Registry.TypeStringType of registry key.
VMRay.Sample.IOC.Registry.ValueTypesStringThe registry key value type.
VMRay.Sample.IOC.Registry.VerdictStringVerdict for the artifact (Malicious, Suspicious, Clean, Not Available).
VMRay.Sample.IOC.Registry.VerdictReasonStringDescription of the Verdict Reason.
VMRay.Sample.IOC.URL.AnalysisIDNumberIDs of other analyses that contain the given URL.
VMRay.Sample.IOC.URL.CategoriesStringThe URL categories.
VMRay.Sample.IOC.URL.ContentTypesStringContent types associated with the URL.
VMRay.Sample.IOC.URL.CountriesStringCountries associated with the URL.
VMRay.Sample.IOC.URL.CountryCodesStringISO 3166-1 two-letter country codes associated with the URL.
VMRay.Sample.IOC.URL.IDNumberID of the URL. (deprecated; is always 0)
VMRay.Sample.IOC.URL.IPAddressesStringIP addresses associated with the URL.
VMRay.Sample.IOC.URL.MethodsStringMethods of HTTP requests directed at this URL.
VMRay.Sample.IOC.URL.OperationStringDeprecated, always empty.
VMRay.Sample.IOC.URL.OriginalURLsStringThe origin URLs the malware used in the artifact operation.
VMRay.Sample.IOC.URL.ParentFilesStringNames of files where the URL was referenced.
VMRay.Sample.IOC.URL.ParentProcessesStringFull commandline of processes where the URL was referenced.
VMRay.Sample.IOC.URL.ParentProcessesNamesStringNames of processes where the URL was referenced.
VMRay.Sample.IOC.URL.ReferrersStringOther URLs that referred to this URL.
VMRay.Sample.IOC.URL.SourceStringThe sources where the URL was obtained from.
VMRay.Sample.IOC.URL.TypeStringType of the URL.
VMRay.Sample.IOC.URL.URLStringThe URL.
VMRay.Sample.IOC.URL.UserAgentsStringUser agents used to connect to this URL.
VMRay.Sample.IOC.URL.VerdictStringVerdict for the artifact (Malicious, Suspicious, Clean, Not Available).
VMRay.Sample.IOC.URL.VerdictReasonStringDescription of the Verdict Reason.

Command Example#

!vmray-get-iocs sample_id=3902238

Context Example#

Omitted for brevity.

Human Readable Output#

Omitted for brevity.

vmray-get-job-by-id#


Retrieves a job by job ID.

Base Command#

vmray-get-job-by-id

Input#

Argument NameDescriptionRequired
job_idID of a job.Required

Context Output#

PathTypeDescription
VMRay.Job.JobIDNumberID of the job.
VMRay.Job.SampleIDNumberSample ID of the job.
VMRay.Job.SubmissionIDNumberID of the submission.
VMRay.Job.MD5StringMD5 hash of the sample in the job.
VMRay.Job.SHA1StringSHA1 hash of the sample in the job.
VMRay.Job.SHA256StringSHA256 hash of the sample in the job.
VMRay.Job.SSDeepStringssdeep hash of the sample in the job.
VMRay.Job.VMNameStringName of the virtual machine.
VMRay.Job.VMIDNumberID of the virtual machine.
VMRay.Job.StatusStringStatus of the job.

Command Example#

!vmray-get-job-by-id job_id=365547

Context Example#

{
"VMRay.Job": {
"VMName": "win7_32_sp1",
"SampleID": 3902238,
"SHA1": "868a53c394f29f8d3aac7b0a20a371999045b6ed",
"SubmissionID": 4569262,
"SHA256": "b8a4b647e56cb71773d0086b51906b902a7ccafe699f4068da4cb5cd234d9d66",
"SSDeep": "1536:Hg8ktOZtz+PZvpJyrOM1GhFNkYL2BxNRjWW:H/kY0Z3yrOMGTkrNRjH",
"Status": "inwork",
"VMID": 3,
"JobID": 365547,
"MD5": "2e0499dc90c2d715a53e05b1890e0442"
}
}

Human Readable Output#

Job results for job id: 365547

AttributeValue
JobID365547
SampleID3902238
VMNamewin7_32_sp1
VMID3

vmray-get-summary#


Retrieves the Summary JSON v2 for a specific analysis.

Base Command#

vmray-get-summary

Input#

Argument NameDescriptionRequired
analysis_idID of the analysis from which to retrieve the Summary JSON v2 from (analysis ID is returned e.g. from vmray-get-analysis-by-sample).Required

Context Output#

PathTypeDescription
InfoFile.NamestringFilename
InfoFile.EntryIDstringThe EntryID of the Summary JSON v2
InfoFile.SizenumberThe file size of the Summary JSON v2
InfoFile.InfostringMIME type of the Summary JSON v2

Command Example#

!vmray-get-summary analysis_id=2779353

Context Example#

{
"InfoFile": {
"EntryID": "407@21232f297a57a5a743894a0e4a801fc3$&$9c7fe1a0-4045-4b69-8257-08ef3306318a",
"Extension": "json",
"Info": "application/json",
"Name": "summary_v2.json",
"Size": 37630,
"Type": "ASCII text, with very long lines"
}
}

Human Readable Output#

Returned file: summary_v2.json Download

vmray-get-screenshots#


Retrieves screenshots taken during a specific dynamic analysis. The screenshots are stored with file names like 'analysis_5_screenshot_2.png'. In this example, '5' represents the analysis ID from which the screenshot came, and '2' indicates that it's the third screenshot taken during the analysis, in chronological order.

Base Command#

vmray-get-screenshots

Input#

Argument NameDescriptionRequired
analysis_idID of the analysis from which to retrieve the screenshots from (analysis ID is returned e.g. from vmray-get-analysis-by-sample).Required

Context Output#

PathTypeDescription
InfoFile.NamestringFilename
InfoFile.EntryIDstringThe EntryID of the file
InfoFile.SizenumberThe file size of the file
InfoFile.InfostringMIME type of the file

Command example#

!vmray-get-screenshots analysis_id="50615"

Context Example#

{
"InfoFile": [
{
"EntryID": "488@b7d0844f-d230-402a-81de-154dc1c57cc9",
"Extension": "png",
"Info": "image/png",
"Name": "analysis_50615_screenshot_0.png",
"Size": 753660,
"Type": "PNG image data, 800 x 600, 8-bit/color RGB, non-interlaced"
},
{
"EntryID": "489@b7d0844f-d230-402a-81de-154dc1c57cc9",
"Extension": "png",
"Info": "image/png",
"Name": "analysis_50615_screenshot_1.png",
"Size": 412598,
"Type": "PNG image data, 800 x 600, 8-bit/color RGB, non-interlaced"
}
]
}

vmray-get-license-usage-verdicts#


Gets the usage of verdicts from VMRay.

Base Command#

vmray-get-license-usage-verdicts

Input#

There is no input for this command.

Context Output#

PathTypeDescription
VMRay.VerdictQuota.PeriodEndDatestringLicense end date.
VMRay.VerdictQuota.VerdictQuotanumberTotal number of available verdicts (per month).
VMRay.VerdictQuota.VerdictRemainingnumberRemaining number of verdicts (per month).
VMRay.VerdictQuota.VerdictUsagenumberPercentages used.

Command Example#

vmray-get-license-usage-verdicts

Context Example#

{
"VMRay.VerdictQuota": {
"PeriodEndDate": "2024-02-03 14:12 (UTC+1)",
"VerdictQuota": 100,
"VerdictRemaining": 90,
"VerdictUsage": 10
}
}

Human Readable Output#

| VerdictQuota | 100 | | VerdictRemaining | 90 | | VerdictUsage | 10.0 | | PeriodEndDate | 2024-02-03 14:12 (UTC+1) |

vmray-get-license-usage-reports#


Gets the usage of reports from VMRay.

Base Command#

vmray-get-license-usage-reports

Input#

There is no input for this command.

Context Output#

PathTypeDescription
VMRay.ReportQuota.PeriodEndDatestringLicense end date.
VMRay.ReportQuota.VerdictQuotanumberTotal number of available reports (per month).
VMRay.ReportQuota.VerdictRemainingnumberRemaining number of reports (per month).
VMRay.ReportQuota.VerdictUsagenumberPercentages used.

Context Example#

{
"VMRay.ReportsQuota": {
"PeriodEndDate": "2024-02-03 14:12 (UTC+1)",
"ReportQuota": 100,
"ReportRemaining": 90,
"ReportUsage": 10
}
}

Command Example#

vmray-get-license-usage-reports

Human Readable Output#

| ReportQuota | 100 | | ReportRemaining | 90 | | ReportUsage | 10.0 | | PeriodEndDate | 2024-02-03 14:12 (UTC+1) |