VirusTotal
  • 4 Minutes to read
  • Contributors
  • Dark
    Light
  • PDF

VirusTotal

  • Dark
    Light
  • PDF

Overview

VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content

Real-time updates

Malware signatures are updated frequently by VirusTotal as they are distributed by antivirus companies, this ensures that our service uses the latest signature sets. Website scanning is done in some cases by querying vendor databases that have been shared with VirusTotal and stored on our premises and in other cases by API queries to an antivirus company's solution. As such, as soon as a given contributor blacklists a URL it is immediately reflected in user-facing verdicts.

Detailed results

VirusTotal not only tells you whether a given antivirus solution detected a submitted file as malicious, but also displays each engine's detection label (e.g., I-Worm.Allaple.gen). The same is true for URL scanners, most of which will discriminate between malware sites, phishing sites, suspicious sites, etc. Some engines will provide additional information, stating explicitly whether a given URL belongs to a particular botnet, which brand is targeted by a given phishing site, and so on.

Lookups integrated with VirusTotal

Retrieve URL scan reports

The URL for which you want to retrieve the most recent report

input: A URL for which VirusTotal will retrieve the most recent report on the given URL. You may also specify a scan_id (sha256-timestamp as returned by the URL submission API) to access a specific report.

_fetch $Url from threatsample limit 1
>>_lookup virustotal get_url_report $Url

Sample

image.png

The Lookup call returns output in the following structure for available data

Fields Desdription
$VTURL URL being queried
$VTPermalink Permalink of report stored in VirusTotal
$VTPositive List of scans returning positive detection
$VTNegative List of scans returning negative detection
$VTPositives Count of positive detection
$VTResponseCode If the queried url is present in VirusTotal database it returns 1 ,if absent returns 0 and if the requested item is still queued for analysis it will be -2
$VTTotal Count of positive and negative detections
$VTSystemTstamp Scan Date
  • If the queried url is not present in VirusTotal Data base the lookup call returns the following
Fields Desdription
$VTURL URL being queried
$VTPermalink Permalink of report stored in VirusTotal
$VTResponseCode If the queried url is absent in VirusTotal database it returns 0 and if the requested item is still queued for analysis it will be -2
$VTTotal Count of positive and negative detections
$VTSystemTstamp Scan Date
$VTMessage Verbose message of url being successfully queued up for scan
$VTScanID Provides a scan id which can be later used for quering the report

Retrieve Domain reports

The domain for which you want to retrieve the report
**input **: a domain name.

_fetch $Domain from threatsample limit 1
>>_lookup virustotal get_domain_report $Domain

Sample Output
image.png

The Lookup call returns output in the following structure for available data

Fields Description
$VTURL List of URL processed by VirusTotal and hosted on the domain
$VTCategories Domain category assigned by VirusTotal
$VTWebsenseThreatSeekercategory Domain category assigned by Websense Threat Seeker
$VTDomainList List of domains that lie on the same DNS hierarchical level
$VTSubDomainList List of sub-domains
$VTSiteClass Site-Classification assigned by VirusTotal
$VTWebutationVerdict Webutation Domain verdict
$VTWebutationSafetyScore Webutation Domain score
$VTForcepointThreatSeekerCategory Domain category assigned by Forcepoint Threat Seeker
$VTPassiveDNSReplication The queried domain has been seen to resolve the list of ip address
$VTResponseCode If the queried domain is present in VirusTotal database it returns 1 ,if absent returns 0 and if the requested item is still queued for analysis it will be -2
$VTWHOIS Registered domain owners and meta-data from WHOIS

Retrieve IP address reports

The IP address for which you want to retrieve the report
input : a valid IPv4 address in dotted quad notation, for the time being only IPv4 addresses are supported.

_fetch $SrcIP from threatsample limit 1
>>_lookup virustotal get_ip_report $SrcIP

Sample Output
image.png

The Lookup call returns output in the following structure for available data

Fields Description
$VTOwner Autonomous system owner detail
$VTURL List of latest url hosted on the queried ip address
$VTPassiveDNSReplication Domain resolved to the queried ip address
$VTASN Autonomous system number
$VTCN Country
$VTCommunicatingSamples SHA256 of files that communicate with the queried ip address
$VTDownloadedSamples SHA256 of files that downloaded from the queried ip address
$VTResponseCode If the queried IP address is present in VirusTotal database it returns 1 ,if absent returns 0 and if the submitted IP address is invalid -1.

Retrieve file scan reports by MD5/SHA-1/SHA-256 hash

File report of MD5/SHA-1/SHA-256 hash for which you want to retrieve the most recent antivirus report
input : a md5/sha1/sha256 hash will retrieve the most recent report on a given sample.

_fetch $Filehash from threatsample limit 1
>>_lookup virustotal get_filehash_report $Filehash

Sample Output

The Lookup call returns output in the following structure for available data

Fields Description
$VTmd5 Corresponding MD5 hash of queried hash present in VirusTotal DB
$VTsha1 Corresponding SHA-1 hash of queried hash present in VirusTotal DB
$VTsha256 Corresponding SHA-256 hash of queried hash present in VirusTotal DB
$VTPermalink Permalink of report stored in VirusTotal
$VTPositive List of scans returning positive detection
$VTNegative List of scans returning negative detection
$VTPositives Count of positive detection
$VTResponseCode If the queried item is present in VirusTotal database it returns 1 ,if absent returns 0 and if the requested item is still queued for analysis it will be -2
$VTTotal Count of positive and negative detections
$VTSystemTstamp Scan Date

Using the VirusTotal API and DNIF

The VirusTotal API is found on github at https://github.com/dnif/lookup-virustotal

Getting started with VirusTotal API and DNIF

  • Login to your Datastore, Correlator or A10 container, connect to your docker container.

  • Move to the /dnif/<D-Key>/lookup_plugins folder path.

$ cd /dnif/<D-Key>/lookup_plugins/
  • Clone using the following command,
$ git clone https://github.com/dnif/lookup-virustotal.git virustotal
  • Move to the**/dnif/<D-Key>/lookup_plugins/virustotal/** folder path and open dnifconfig.yml configuration file.

Replace the tag: <Add_your_api_key_here> with your VirusTotal api key.

$ vim dnifconfig.yml

lookup_plugin:
  VT_API_KEY: <Add_your_api_key_here>

Was this article helpful?

What's Next