VMRay

This Integration is part of the VMRay Analyzer Pack.

VMRay XSOAR Integration

This integration enables users to design playbooks that involve analyzing a file in VMRay and retrieving the analysis results and associated threat intelligence.
The Playbooks accelerate incident response and make security operations more scalable and efficient.

Configure VMRay on Cortex XSOAR

Navigate to Settings > Integrations > Servers & Services.
Search for VMRay.
Click Add instance to create and configure a new integration instance.

Parameter | Required |
---|---|
Server URL (e.g., https://cloud.vmray.com) | True |
API Key | True |
Use system proxy settings | False |
Trust any certificate (not secure) | False |

Click Test to validate the URLs, token, and connection.

Known Limitations

- Non-ASCII characters in file names will be ignored when uploading.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

- vmray-upload-sample: Submit a sample for analysis
- vmray-upload-url: Submit a URL for analysis
- vmray-get-analysis-by-sample: Get analysis details for a sample
- vmray-get-job-by-sample: Get job details for a sample
- vmray-get-submission: Get submission results
- vmray-get-sample: Get information for a sample
- vmray-get-sample-by-hash: Get information for a sample by hash
- vmray-get-threat-indicators: Get threat indicators
- vmray-add-tag: Add a tag to an analysis or submission
- vmray-delete-tag: Delete a tag from an analysis or submission
- vmray-get-iocs: Get IOCs for a sample
- vmray-get-job-by-id: Get information for a job
- vmray-get-summary: Download Summary JSON v2 for an analysis

vmray-upload-sample

Submits a sample to VMRay for analysis.

Base Command

vmray-upload-sample

Input

Argument Name | Description | Required |
---|---|---|
entry_id | Entry ID of the file to submit. | Required |
document_password | Password of the document. | Optional |
archive_password | Password of an archive. | Optional |
sample_type | Force type of the file. | Optional |
shareable | Whether the file is shareable. Possible values are: true, false. | Optional |
max_jobs | Maximum number of jobs to create (number). Default is 1. | Optional |
tags | A CSV list of tags to add to the sample. | Optional |

Context Output

Path | Type | Description |
---|---|---|
VMRay.Job.JobID | Number | ID of a new job |
VMRay.Job.Created | Date | Timestamp of job creation. |
VMRay.Job.SampleID | Number | ID of the sample. |
VMRay.Job.VMName | String | Name of the virtual machine. |
VMRay.Job.VMID | Number | ID of the virtual machine. |
VMRay.Sample.SampleID | Number | ID of the sample. |
VMRay.Sample.SampleURL | String | URL to sample page. |
VMRay.Sample.Created | Date | Timestamp of sample creation. |
VMRay.Submission.SubmissionID | Number | Submission ID. |
VMRay.Submission.SubmissionURL | String | URL to submission page. |

Human Readable Output

File submitted to VMRay

Jobs ID | Samples ID | Submissions ID | Sample URL |
---|---|---|---|
3908304 | 3902285 | 4569315 | https://cloud.vmray.com/user/sample/view?id=3902285 |

vmray-upload-url

Submits a URL for analysis.

Base Command

vmray-upload-url

Input

Argument Name | Description | Required |
---|---|---|
url | The URL to analyze. For example: https://demisto.com. | Required |
shareable | Whether the analysis is shareable. Possible values are: true, false. | Optional |
max_jobs | Maximum number of jobs to create (number). Default is 1. | Optional |
tags | A CSV list of tags to add to the sample. | Optional |

Context Output

Path | Type | Description |
---|---|---|
VMRay.Job.JobID | Number | ID of a new job |
VMRay.Job.Created | Date | Timestamp of job creation. |
VMRay.Job.SampleID | Number | ID of the sample. |
VMRay.Job.VMName | String | Name of the virtual machine. |
VMRay.Job.VMID | Number | ID of the virtual machine. |
VMRay.Sample.SampleID | Number | ID of the sample. |
VMRay.Sample.SampleURL | String | URL to sample page. |
VMRay.Sample.Created | Date | Timestamp of sample creation. |
VMRay.Submission.SubmissionID | Number | Submission ID. |
VMRay.Submission.SubmissionURL | String | URL to submission page. |

Human Readable Output

URL submitted to VMRay

Jobs ID | Samples ID | Submissions ID |
---|---|---|
3908304 | 3902285 | 4569315 |

vmray-get-analysis-by-sample

Retrieves all analysis details for a specified sample.

Base Command

vmray-get-analysis-by-sample

Input

Argument Name | Description | Required |
---|---|---|
sample_id | Sample ID. | Required |
limit | Maximum number of results to return (number). | Optional |

Context Output

Path | Type | Description |
---|---|---|
VMRay.Analysis.AnalysisID | Number | Analysis ID. |
VMRay.Analysis.AnalysisURL | String | URL to analysis page. |
VMRay.Analysis.SampleID | Number | Sample ID in the analysis. |
VMRay.Analysis.Verdict | String | Verdict for the sample (Malicious, Suspicious, Clean, Not Available). |
VMRay.Analysis.VerdictReason | String | Description of the Verdict Reason. |
VMRay.Analysis.Severity | String | Severity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). Deprecated. |
VMRay.Analysis.JobCreated | Date | Date when the analysis job started. |
VMRay.Analysis.MD5 | String | MD5 hash of the sample. |
VMRay.Analysis.SHA1 | String | SHA1 hash of the sample. |
VMRay.Analysis.SHA256 | String | SHA256 hash of the sample. |
VMRay.Analysis.SSDeep | String | ssdeep hash of the sample. |

Human Readable Output

Analysis results from VMRay for ID 3902238:

AnalysisID | SampleID | Verdict | AnalysisURL |
---|---|---|---|
2779353 | 3902238 | Suspicious | https://cloud.vmray.com/user/sample/view?id=3902238 |

vmray-get-job-by-sample

Retrieves details for all jobs for a specified sample.

Base Command

vmray-get-job-by-sample

Input

Argument Name | Description | Required |
---|---|---|
sample_id | Sample ID. | Required |

Context Output

Path | Type | Description |
---|---|---|
VMRay.Job.JobID | Number | ID of the job. |
VMRay.Job.SampleID | Number | Sample ID of the job. |
VMRay.Job.SubmissionID | Number | ID of the submission. |
VMRay.Job.MD5 | String | MD5 hash of the sample in the job. |
VMRay.Job.SHA1 | String | SHA1 hash of the sample in the job. |
VMRay.Job.SHA256 | String | SHA256 hash of the sample in the job. |
VMRay.Job.SSDeep | String | ssdeep hash of the sample in the job. |
VMRay.Job.VMName | String | Name of the virtual machine. |
VMRay.Job.VMID | Number | ID of the virtual machine. |
VMRay.Job.Status | String | Status of the job. |

Human Readable Output

Job results for sample id: 3902238

JobID | SampleID | VMName | VMID |
---|---|---|---|
29208 | 3902238 | win7_32_sp1 | 3 |

vmray-get-submission

Retrieves the results of a submission.

Base Command

vmray-get-submission

Input

Argument Name | Description | Required |
---|---|---|
submission_id | ID of the submission. Can be obtained by running the 'vmray-upload-sample' or 'vmray-upload-url' command. | Required |

Context Output

Path | Type | Description |
---|---|---|
VMRay.Submission.IsFinished | Boolean | Whether the submission is finished (true or false). |
VMRay.Submission.HasErrors | Boolean | Whether there are any errors in the submission (true or false). |
VMRay.Submission.SubmissionID | Number | ID of the sample in the submission. |
VMRay.Submission.SubmissionURL | String | URL of submission page. |
VMRay.Submission.MD5 | String | MD5 hash of the sample in the submission. |
VMRay.Submission.SHA1 | String | SHA1 hash of the sample in the submission. |
VMRay.Submission.SHA256 | String | SHA256 hash of the sample in the submission. |
VMRay.Submission.SSDeep | String | ssdeep hash of the sample in the submission. |
VMRay.Submission.Verdict | String | Verdict for the sample (Malicious, Suspicious, Clean, Not Available). |
VMRay.Submission.VerdictReason | String | Description of the Verdict Reason. |
VMRay.Submission.Severity | String | Severity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). Deprecated. |
VMRay.Submission.SampleID | Number | ID of the sample in the submission. |

Human Readable Output

Submission results from VMRay for ID 3902238 with verdict of Malicious

Attribute | Value |
---|---|
IsFinished | true |
Verdict | Malicious |
HasErrors | true |
MD5 | 2e0499dc90c2d715a53e05b1890e0442 |
SHA1 | 868a53c394f29f8d3aac7b0a20a371999045b6ed |
SHA256 | b8a4b647e56cb71773d0086b51906b902a7ccafe699f4068da4cb5cd234d9d66 |
SSDeep | 1536:Hg8ktOZtz+PZvpJyrOM1GhFNkYL2BxNRjWW:H/kY0Z3yrOMGTkrNRjH |
SubmissionURL | https://cloud.vmray.com/user/sample/view?id=3902238 |

vmray-get-sample

Retrieves a sample using the sample ID.

Base Command

vmray-get-sample

Input

Argument Name | Description | Required |
---|---|---|
sample_id | ID of the sample. | Required |

Context Output

Path | Type | Description |
---|---|---|
VMRay.Sample.SampleID | Number | ID of the sample. |
VMRay.Sample.SampleURL | String | URL to sample page. |
VMRay.Sample.FileName | String | File name of the sample. |
VMRay.Sample.MD5 | String | MD5 hash of the sample. |
VMRay.Sample.SHA1 | String | SHA1 hash of the sample. |
VMRay.Sample.SHA256 | String | SHA256 hash of the sample. |
VMRay.Sample.SSDeep | String | ssdeep hash of the sample. |
VMRay.Sample.Verdict | String | Verdict for the sample (Malicious, Suspicious, Clean, Not Available). |
VMRay.Sample.VerdictReason | String | Description of the Verdict Reason. |
VMRay.Sample.Severity | String | Severity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). Deprecated. |
VMRay.Sample.Type | String | File type. |
VMRay.Sample.Created | Date | Timestamp of sample creation. |
VMRay.Sample.Classifications | String | Classifications of the sample. |
VMRay.Sample.ChildSampleIDs | Number | List of child sample IDs. |
VMRay.Sample.ParentSampleIDs | Number | List of parent sample IDs. |

Human Readable Output

Results for sample id: 3902238 with verdict Malicious

Attribute | Value |
---|---|
FileName | pafish.exe |
Type | Windows Exe (x86-32) |
MD5 | 2e0499dc90c2d715a53e05b1890e0442 |
SHA1 | 868a53c394f29f8d3aac7b0a20a371999045b6ed |
SHA256 | b8a4b647e56cb71773d0086b51906b902a7ccafe699f4068da4cb5cd234d9d66 |
SSDeep | 1536:Hg8ktOZtz+PZvpJyrOM1GhFNkYL2BxNRjWW:H/kY0Z3yrOMGTkrNRjH |
SampleURL | https://cloud.vmray.com/user/sample/view?id=3902238 |

vmray-get-sample-by-hash

Retrieves sample information by hash.

Base Command

vmray-get-sample-by-hash

Input

Argument Name | Description | Required |
---|---|---|
hash | MD5, SHA1 or SHA256 hash of the sample. | Required |

Context Output

Path | Type | Description |
---|---|---|
File.Name | String | The full file name (including file extension). |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
File.SSDeep | String | The SSDeep hash of the file. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
VMRay.Sample.SampleID | Number | ID of the sample. |
VMRay.Sample.SampleURL | String | URL to sample page. |
VMRay.Sample.FileName | String | File name of the sample. |
VMRay.Sample.MD5 | String | MD5 hash of the sample. |
VMRay.Sample.SHA1 | String | SHA1 hash of the sample. |
VMRay.Sample.SHA256 | String | SHA256 hash of the sample. |
VMRay.Sample.SSDeep | String | ssdeep hash of the sample. |
VMRay.Sample.Verdict | String | Verdict for the sample (Malicious, Suspicious, Clean, Not Available). |
VMRay.Sample.VerdictReason | String | Description of the Verdict Reason. |
VMRay.Sample.Severity | String | Severity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown). Deprecated. |
VMRay.Sample.Type | String | File type. |
VMRay.Sample.Created | Date | Timestamp of sample creation. |
VMRay.Sample.Classifications | String | Classifications of the sample. |
VMRay.Sample.ChildSampleIDs | Number | List of child sample IDs. |
VMRay.Sample.ParentSampleIDs | Number | List of parent sample IDs. |

Human Readable Output

Results for sha1 hash 124f46228d1e220d88ae5e9a24d6e713039a64f9:

Attribute | Value |
---|---|
SampleID | 5948 |
FileName | pafish.exe |
Type | Windows Exe (x86-32) |
Verdict | Malicious |
SampleURL | https://cloud.vmray.com/user/sample/view?id=5948 |

vmray-get-threat-indicators

Retrieves threat indicators (VTI).

Base Command

vmray-get-threat-indicators

Input

Argument Name | Description | Required |
---|---|---|
sample_id | ID of the sample. Can be obtained from the 'VMRay.Sample.ID' output. | Required |

Context Output

Path | Type | Description |
---|---|---|
VMRay.ThreatIndicator.AnalysisID | Number | List of connected analysis IDs. |
VMRay.ThreatIndicator.Category | String | Category of threat indicators. |
VMRay.ThreatIndicator.Classification | String | Classifications of threat indicators. |
VMRay.ThreatIndicator.ID | Number | ID of a threat indicator. |
VMRay.ThreatIndicator.Operation | String | Operation the indicators caused. |

Context Output

Omitted for brevity.

Human Readable Output

Omitted for brevity.

vmray-add-tag

Adds a tag to an analysis and/or a submission.

Base Command

vmray-add-tag

Input

Argument Name | Description | Required |
---|---|---|
submission_id | ID of the submission to which to add tags. | Optional |
analysis_id | ID of the analysis to which to add tags. | Optional |
tag | Tag to add. | Optional |

Context Output

There is no context output for this command.

vmray-delete-tag

Deletes tags from an analysis and/or a submission.

Base Command

vmray-delete-tag

Input

Argument Name | Description | Required |
---|---|---|
analysis_id | ID of the analysis from which to delete a tag. | Optional |
submission_id | ID of the submission from which to delete a tag. | Optional |
tag | Tag to delete. | Optional |

Context Output

There is no context output for this command.

vmray-get-iocs

Retrieves Indicators of Compromise for a specified sample.

Base Command

vmray-get-iocs

Input

Argument Name | Description | Required |
---|---|---|
sample_id | ID of the sample. | Required |
all_artifacts | Whether all artifacts should be returned or only Indicators of Compromise. Possible values are: true, false. Default is false. | Optional |

Context Output

Path | Type | Description |
---|---|---|
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Domain.Name | String | The domain name |
IP.Address | String | IP address |
URL.Data | String | The URL |
Email.Address | String | The Email address |
File.Path | String | The full file path. |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
File.SSDeep | String | The SSDeep hash of the file. |
VMRay.Sample.IOC.Domain.AnalysisID | Number | IDs of other analyses that contain the domain. |
VMRay.Sample.IOC.Domain.Countries | String | Countries associated with the domain. |
VMRay.Sample.IOC.Domain.CountryCodes | String | ISO 3166-1 two-letter country codes associated with the domain. |
VMRay.Sample.IOC.Domain.Domain | String | Domain. |
VMRay.Sample.IOC.Domain.ID | Number | ID of the domain. (deprecated; is always 0) |
VMRay.Sample.IOC.Domain.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
VMRay.Sample.IOC.Domain.IOCType | String | Type of IOC. |
VMRay.Sample.IOC.Domain.IpAddresses | String | IP addresses associated with the domain. |
VMRay.Sample.IOC.Domain.OriginalDomains | String | Original domains associated with the domain. |
VMRay.Sample.IOC.Domain.ParentProcesses | String | Full commandline of processes where the domain was used. |
VMRay.Sample.IOC.Domain.ParentProcessesNames | String | Names of processes where the domain was used. |
VMRay.Sample.IOC.Domain.Protocols | String | The protocols used for the domain in a request. |
VMRay.Sample.IOC.Domain.Sources | String | The sources where the domain was obtained from. |
VMRay.Sample.IOC.Domain.Type | String | Type of domain. |
VMRay.Sample.IOC.Domain.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
VMRay.Sample.IOC.Domain.VerdictReason | String | Description of the Verdict Reason. |
VMRay.Sample.IOC.EmailAddress.AnalysisID | Number | IDs of other analyses that contain the email address. |
VMRay.Sample.IOC.EmailAddress.Classifications | String | The classifications of the email address. |
VMRay.Sample.IOC.EmailAddress.EmailAddress | String | The email address. |
VMRay.Sample.IOC.EmailAddress.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
VMRay.Sample.IOC.EmailAddress.IsRecipient | Boolean | Indicates whether this email address was used as a recipient email. |
VMRay.Sample.IOC.EmailAddress.IsSender | Boolean | Indicates whether this email address was used as a sender email. |
VMRay.Sample.IOC.EmailAddress.IOCType | String | Type of IOC. |
VMRay.Sample.IOC.EmailAddress.Subjects | String | Email subjects this email address was used in. |
VMRay.Sample.IOC.EmailAddress.ThreatNames | String | The threat names of the email address. |
VMRay.Sample.IOC.EmailAddress.Type | String | Type of email address. |
VMRay.Sample.IOC.EmailAddress.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
VMRay.Sample.IOC.EmailAddress.VerdictReason | String | Description of the Verdict Reason. |
VMRay.Sample.IOC.Email.AnalysisID | Number | IDs of other analyses that contain the email. |
VMRay.Sample.IOC.Email.AttachmentTypes | String | MIME types of attachments found in this email. |
VMRay.Sample.IOC.Email.Classifications | String | The classifications of the email. |
VMRay.Sample.IOC.Email.Hashes.MD5 | String | MD5 of given email. |
VMRay.Sample.IOC.Email.Hashes.SSDeep | String | SSDeep of given email. |
VMRay.Sample.IOC.Email.Hashes.SHA256 | String | SHA256 of given email. |
VMRay.Sample.IOC.Email.Hashes.SHA1 | String | SHA1 of given email. |
VMRay.Sample.IOC.Email.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
VMRay.Sample.IOC.Email.IOCType | String | Type of IOC. |
VMRay.Sample.IOC.Email.NrAttachments | Number | Number of attachments found in the email. |
VMRay.Sample.IOC.Email.NrLinks | Number | Number of links found in the email. |
VMRay.Sample.IOC.Email.Recipients | String | The email recipients. |
VMRay.Sample.IOC.Email.Sender | String | Sender of the email. |
VMRay.Sample.IOC.Email.Subject | String | Subject of the email. |
VMRay.Sample.IOC.Email.ThreatNames | String | The threat names of the email. |
VMRay.Sample.IOC.Email.Type | String | Type of email. |
VMRay.Sample.IOC.Email.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
VMRay.Sample.IOC.Email.VerdictReason | String | Description of the Verdict Reason. |
VMRay.Sample.IOC.Filename.AnalysisID | Number | IDs of other analyses that contain the filename. |
VMRay.Sample.IOC.Filename.Categories | String | The filename categories. |
VMRay.Sample.IOC.Filename.Classifications | String | The classifications of the filename. |
VMRay.Sample.IOC.Filename.Filename | String | The filename. |
VMRay.Sample.IOC.Filename.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
VMRay.Sample.IOC.Filename.IOCType | String | Type of IOC. |
VMRay.Sample.IOC.Filename.Operations | String | The filename operations that were performed, e.g., access, create, read, write, and delete. |
VMRay.Sample.IOC.Filename.ThreatNames | String | The threat names of the filename. |
VMRay.Sample.IOC.Filename.Type | String | Type of filename. |
VMRay.Sample.IOC.Filename.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
VMRay.Sample.IOC.Filename.VerdictReason | String | Description of the Verdict Reason. |
VMRay.Sample.IOC.File.AnalysisID | Number | IDs of other analyses that contain the file. |
VMRay.Sample.IOC.File.Categories | String | The file categories. |
VMRay.Sample.IOC.File.Classifications | String | The classifications of the file. |
VMRay.Sample.IOC.File.FileSize | Number | The original size of the file in bytes. |
VMRay.Sample.IOC.File.Filename | String | Name of the file. |
VMRay.Sample.IOC.File.Filenames | String | All known names of the file. |
VMRay.Sample.IOC.File.Hashes.MD5 | String | MD5 hash of the file. |
VMRay.Sample.IOC.File.Hashes.SSDeep | String | SSDeep hash of the file. |
VMRay.Sample.IOC.File.Hashes.SHA256 | String | SHA256 hash of the file. |
VMRay.Sample.IOC.File.Hashes.SHA1 | String | SHA1 hash of the file. |
VMRay.Sample.IOC.File.ID | Number | ID of the file. (deprecated; is always 0) |
VMRay.Sample.IOC.File.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
VMRay.Sample.IOC.File.IOCType | String | Type of IOC. |
VMRay.Sample.IOC.File.MIMEType | String | The MIME type of the file. |
VMRay.Sample.IOC.File.Name | String | Same as Filename. |
VMRay.Sample.IOC.File.NormFilename | String | Normalized name of the file. |
VMRay.Sample.IOC.File.Operation | String | Same as Operations, left in for backwards compatibility. |
VMRay.Sample.IOC.File.Operations | String | The file operations which were performed, e.g., access, create, read, write, and delete. |
VMRay.Sample.IOC.File.ParentFiles | String | Files where this file was contained in. |
VMRay.Sample.IOC.File.ParentProcesses | String | Full commandline of processes where the file was referenced. |
VMRay.Sample.IOC.File.ParentProcessesNames | String | Names of processes where the file was referenced. |
VMRay.Sample.IOC.File.ResourceURL | String | URL of where the file was downloaded. |
VMRay.Sample.IOC.File.ThreatNames | String | The threat names of the file. |
VMRay.Sample.IOC.File.Type | String | Type of file. |
VMRay.Sample.IOC.File.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
VMRay.Sample.IOC.File.VerdictReason | String | Description of the Verdict Reason. |
VMRay.Sample.IOC.IP.AnalysisID | Number | IDs of other analyses that contain the IP address. |
VMRay.Sample.IOC.IP.Countries | String | Countries associated with the IP address. |
VMRay.Sample.IOC.IP.CountryCodes | String | ISO 3166-1 two-letter country codes associated with the IP address. |
VMRay.Sample.IOC.IP.Domains | String | Domains associated with the IP address. |
VMRay.Sample.IOC.IP.IP | String | The IP address. |
VMRay.Sample.IOC.IP.ID | Number | ID of the IP address. (deprecated; is always 0) |
VMRay.Sample.IOC.IP.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
VMRay.Sample.IOC.IP.IOCType | String | Type of IOC. |
VMRay.Sample.IOC.IP.Operation | String | Deprecated, always empty. |
VMRay.Sample.IOC.IP.ParentProcesses | String | Full commandline of processes where the IP address was referenced. |
VMRay.Sample.IOC.IP.ParentProcessesNames | String | Names of processes where the IP address was referenced. |
VMRay.Sample.IOC.IP.Protocols | String | Protocols used in communication with this IP. |
VMRay.Sample.IOC.IP.Sources | String | The sources where the IP address was obtained from. |
VMRay.Sample.IOC.IP.Type | String | Type of IP address. |
VMRay.Sample.IOC.IP.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
VMRay.Sample.IOC.IP.VerdictReason | String | Description of the Verdict Reason. |
VMRay.Sample.IOC.Mutex.AnalysisID | Number | IDs of other analyses that contain the mutex. |
VMRay.Sample.IOC.Mutex.Classifications | String | The mutex classifications. |
VMRay.Sample.IOC.Mutex.ID | Number | ID of the mutex. (deprecated; is always 0) |
VMRay.Sample.IOC.Mutex.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
VMRay.Sample.IOC.Mutex.IOCType | String | Type of IOC. |
VMRay.Sample.IOC.Mutex.Name | String | Name of the mutex. |
VMRay.Sample.IOC.Mutex.Operation | String | Same as Operations, left in for backwards compatibility. |
VMRay.Sample.IOC.Mutex.Operations | String | The mutex operations that were performed, e.g., access, create, read, write, and delete. |
VMRay.Sample.IOC.Mutex.ParentProcesses | String | Full commandline of processes where the mutex was used. |
VMRay.Sample.IOC.Mutex.ParentProcessesNames | unknown | Names of processes where the mutex was used. |
VMRay.Sample.IOC.Mutex.ThreatNames | String | The threat names of the mutex. |
VMRay.Sample.IOC.Mutex.Type | String | Type of mutex. |
VMRay.Sample.IOC.Mutex.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
VMRay.Sample.IOC.Mutex.VerdictReason | String | Description of the Verdict Reason. |
VMRay.Sample.IOC.Process.AnalysisID | Number | IDs of other analyses that contain the process. |
VMRay.Sample.IOC.Process.Classifications | String | The process classifications. |
VMRay.Sample.IOC.Process.CmdLine | String | Command line of the process. |
VMRay.Sample.IOC.Process.ImageNames | String | Names of the process executable. |
VMRay.Sample.IOC.Process.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
VMRay.Sample.IOC.Process.IOCType | String | Type of IOC. |
VMRay.Sample.IOC.Process.ParentProcesses | String | Full commandline of parent processes. |
VMRay.Sample.IOC.Process.ParentProcessesNames | String | Names of parent processes. |
VMRay.Sample.IOC.Process.ProcessNames | String | Names of the processes. |
VMRay.Sample.IOC.Process.ThreatNames | String | The threat names of the process. |
VMRay.Sample.IOC.Process.Type | String | Type of process. |
VMRay.Sample.IOC.Process.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
VMRay.Sample.IOC.Process.VerdictReason | String | Description of the Verdict Reason. |
VMRay.Sample.IOC.Registry.AnalysisID | Number | IDs of other analyses that contain the registry key. |
VMRay.Sample.IOC.Registry.Classifications | String | The registry key classifications. |
VMRay.Sample.IOC.Registry.ID | Number | ID of the registry key. (deprecated; is always 0) |
VMRay.Sample.IOC.Registry.IsIOC | Boolean | Whether this artifact is an Indicator of Compromise (IOC). |
VMRay.Sample.IOC.Registry.IOCType | String | Type of IOC. |
VMRay.Sample.IOC.Registry.Name | String | The normalized registry key name. |
VMRay.Sample.IOC.Registry.Operation | String | Same as Operations, left in for backwards compatibility. |
VMRay.Sample.IOC.Registry.Operations | String | The registry operations that were performed, e.g., access, create, read, write, and delete. |
VMRay.Sample.IOC.Registry.ParentProcesses | String | Full commandline of processes where the registry key was referenced. |
VMRay.Sample.IOC.Registry.ParentProcessesNames | String | Names of processes where the registry key was referenced. |
VMRay.Sample.IOC.Registry.ThreatNames | String | The threat names of the registry key. |
VMRay.Sample.IOC.Registry.Type | String | Type of registry key. |
VMRay.Sample.IOC.Registry.ValueTypes | String | The registry key value type. |
VMRay.Sample.IOC.Registry.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
VMRay.Sample.IOC.Registry.VerdictReason | String | Description of the Verdict Reason. |
VMRay.Sample.IOC.URL.AnalysisID | Number | IDs of other analyses that contain the given URL. |
VMRay.Sample.IOC.URL.Categories | String | The URL categories. |
VMRay.Sample.IOC.URL.ContentTypes | String | Content types associated with the URL. |
VMRay.Sample.IOC.URL.Countries | String | Countries associated with the URL. |
VMRay.Sample.IOC.URL.CountryCodes | String | ISO 3166-1 two-letter country codes associated with the URL. |
VMRay.Sample.IOC.URL.ID | Number | ID of the URL. (deprecated; is always 0) |
VMRay.Sample.IOC.URL.IPAddresses | String | IP addresses associated with the URL. |
VMRay.Sample.IOC.URL.Methods | String | Methods of HTTP requests directed at this URL. |
VMRay.Sample.IOC.URL.Operation | String | Deprecated, always empty. |
VMRay.Sample.IOC.URL.OriginalURLs | String | The origin URLs the malware used in the artifact operation. |
VMRay.Sample.IOC.URL.ParentFiles | String | Names of files where the URL was referenced. |
VMRay.Sample.IOC.URL.ParentProcesses | String | Full commandline of processes where the URL was referenced. |
VMRay.Sample.IOC.URL.ParentProcessesNames | String | Names of processes where the URL was referenced. |
VMRay.Sample.IOC.URL.Referrers | String | Other URLs that referred to this URL. |
VMRay.Sample.IOC.URL.Source | String | The sources where the URL was obtained from. |
VMRay.Sample.IOC.URL.Type | String | Type of the URL. |
VMRay.Sample.IOC.URL.URL | String | The URL. |
VMRay.Sample.IOC.URL.UserAgents | String | User agents used to connect to this URL. |
VMRay.Sample.IOC.URL.Verdict | String | Verdict for the artifact (Malicious, Suspicious, Clean, Not Available). |
VMRay.Sample.IOC.URL.VerdictReason | String | Description of the Verdict Reason. |

Context Example

Omitted for brevity.

Human Readable Output

Omitted for brevity.
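
The following is an added example, not code from the integration or its documentation: it shows how an automation could consume the `VMRay.Submission` and `VMRay.Sample.IOC` context documented above, keeping only entries flagged `IsIOC` with a sufficient `Verdict`. The function names, the "review on `HasErrors`" policy, the handling of single objects versus lists, and the sample data are assumptions made for this illustration.

```python
# Added example, not part of the integration. Key names follow the context
# paths documented on this page; the sample data below is constructed.

# Verdict strings as listed for the Verdict outputs, ranked for thresholding.
VERDICT_RANK = {"Not Available": 0, "Clean": 1, "Suspicious": 2, "Malicious": 3}

# IOC type under VMRay.Sample.IOC -> key path that holds the indicator value.
VALUE_PATH = {
    "Domain": ("Domain",),
    "IP": ("IP",),
    "URL": ("URL",),
    "EmailAddress": ("EmailAddress",),
    "File": ("Hashes", "SHA256"),
    "Filename": ("Filename",),
    "Mutex": ("Name",),
    "Registry": ("Name",),
    "Process": ("CmdLine",),
}


def _as_list(value):
    """A context key may hold one object or a list of them (assumption)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _values(entry, path):
    """Follow path through nested dicts/lists; return non-empty strings."""
    nodes = [entry]
    for key in path:
        nodes = [child for node in nodes if isinstance(node, dict)
                 for child in _as_list(node.get(key))]
    return [n.strip() for n in nodes if isinstance(n, str) and n.strip()]


def select_iocs(sample, min_verdict="Suspicious"):
    """Return {ioc_type: sorted unique values} for entries flagged IsIOC
    whose Verdict is at least min_verdict."""
    threshold = VERDICT_RANK[min_verdict]
    selected = {}
    for ioc_type, path in VALUE_PATH.items():
        for entry in _as_list((sample.get("IOC") or {}).get(ioc_type)):
            if not isinstance(entry, dict) or entry.get("IsIOC") is not True:
                continue  # plain artifact (all_artifacts=true) or malformed
            if VERDICT_RANK.get(entry.get("Verdict"), 0) < threshold:
                continue  # unknown verdict strings rank as Not Available
            selected.setdefault(ioc_type, set()).update(_values(entry, path))
    return {t: sorted(v) for t, v in selected.items() if v}


def submission_gate(submission):
    """'pending' until IsFinished; 'review' when HasErrors is set (policy of
    this example: a person checks the submission first); else 'ready'."""
    if not submission.get("IsFinished"):
        return "pending"
    return "review" if submission.get("HasErrors") else "ready"


def blocklist_candidates(submission, sample, min_verdict="Suspicious"):
    """Release indicators only for a finished, error-free submission."""
    gate = submission_gate(submission)
    return gate, (select_iocs(sample, min_verdict) if gate == "ready" else {})


# Constructed VMRay.Sample object, shaped like vmray-get-iocs output with
# all_artifacts=true (so it also contains entries that are not IOCs).
CONSTRUCTED_SAMPLE = {
    "SampleID": 1,
    "IOC": {
        "Domain": [
            {"Domain": "c2.example.test", "IsIOC": True, "Verdict": "Malicious"},
            {"Domain": "cdn.example.test", "IsIOC": False, "Verdict": "Clean"},
            {"Domain": "maybe.example.test", "IsIOC": True,
             "Verdict": "Not Available"},
        ],
        # A single object instead of a list is handled as well.
        "IP": {"IP": "203.0.113.7", "IsIOC": True, "Verdict": "Suspicious"},
        "URL": [
            {"URL": "http://c2.example.test/gate", "IsIOC": True,
             "Verdict": "Malicious"},
            {"URL": "http://c2.example.test/gate", "IsIOC": True,
             "Verdict": "Malicious"},  # duplicate, collapsed in the result
        ],
        "File": [{"Filename": "dropper.bin", "IsIOC": True,
                  "Verdict": "Malicious", "Hashes": [{"SHA256": "a" * 64}]}],
    },
}

if __name__ == "__main__":
    finished = {"IsFinished": True, "HasErrors": False}
    print(blocklist_candidates(finished, CONSTRUCTED_SAMPLE))
```

Raising `min_verdict` to `"Malicious"` drops the Suspicious IP address from the result, which is the safer setting when the output feeds an automatic block list.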

vmray-get-job-by-id

Retrieves a job by job ID.

Base Command

vmray-get-job-by-id

Input

Argument Name | Description | Required |
---|---|---|
job_id | ID of a job. | Required |

Context Output

Path | Type | Description |
---|---|---|
VMRay.Job.JobID | Number | ID of the job. |
VMRay.Job.SampleID | Number | Sample ID of the job. |
VMRay.Job.SubmissionID | Number | ID of the submission. |
VMRay.Job.MD5 | String | MD5 hash of the sample in the job. |
VMRay.Job.SHA1 | String | SHA1 hash of the sample in the job. |
VMRay.Job.SHA256 | String | SHA256 hash of the sample in the job. |
VMRay.Job.SSDeep | String | ssdeep hash of the sample in the job. |
VMRay.Job.VMName | String | Name of the virtual machine. |
VMRay.Job.VMID | Number | ID of the virtual machine. |
VMRay.Job.Status | String | Status of the job. |

Human Readable Output

Job results for job id: 365547

Attribute | Value |
---|---|
JobID | 365547 |
SampleID | 3902238 |
VMName | win7_32_sp1 |
VMID | 3 |

vmray-get-summary

Retrieves the Summary JSON v2 for a specific analysis.

Base Command

vmray-get-summary

Input

Argument Name | Description | Required |
---|---|---|
analysis_id | ID of the analysis from which to retrieve the Summary JSON v2 (the analysis ID is returned, for example, by vmray-get-analysis-by-sample). | Required |

Context Output

Path | Type | Description |
---|---|---|
InfoFile.Name | string | Filename |
InfoFile.EntryID | string | The EntryID of the Summary JSON v2 |
InfoFile.Size | number | The file size of the Summary JSON v2 |
InfoFile.Info | string | MIME type of the Summary JSON v2 |