You are missing a necessary layer in your defense-in-depth security strategy. VirusTotal is your saving grace. Extremely useful to find what dropper was used for any specific malware. VirusTotal's developers hub, the place to learn about VirusTotal's public and private APIs in order to programmatically scan files, check URLs, discover malicious domains, etc. Unfortunately there is no silver bullet against that, but there are several good practices we can follow to minimize our exposure. Referrer files: Any file that contains the given URL in its strings. The issue is that sometimes VirusTotal does not have full context for a specific individual file in terms of sandbox reports, in-the-wild sightings, relationships, etc. VirusTotal multisandbox project welcomes Sangfor ZSand. There are many situations where similarity becomes useful. Through the “have” search modifier we then narrowed down our searches to identify phishing emails used by the attackers, distribution URLs, additional network infrastructure such as CnCs and context shared by other threat researchers. Extensive and in-depth analysis -- Designed by cyber-security specialists and AI specialists, zSand is able to dynamically detect elusive and concealed malicious behavior, vulnerability exploits, malware persistence, and privilege escalation, at low levels. [!NOTE] This library is intended to be used with the public VirusTotal APIs. Another valuable source of information, as the communication between samples and Command and Control servers can shed light on the artifacts used by attackers once they have a foothold in the victim. baad6807d751aa8b44bd464b3302a6ad4c200dc27b22b3845b0397cf366e3f4c. To sum up, once we understand the value of using similarity for our threat hunting, it is very important to have all the options available depending on our needs. 
Right from the Details panel in the sample report there are several hashes that correspond to the output of different similarity algorithms: vhash, authentihash, imphash, rich PE header hash, ssdeep and TLSH. Clicking on any of the hashes shown in the report will return all similar samples. Overlay children: Files that are contained as overlay in another sample. A final reminder: you can automate dealing with all this data to make your hunting experience even smoother using API v3. For example, in this particular case we learn about additional distribution URLs: This other case helps us understand that this first stage is EMOTET and allows us to jump into a pastebin dump with further context about the campaign in terms of related hashes and network infrastructure: The “have” modifier accepts many other values, some of the more representative ones are: VirusTotal aggregates orthogonal means to cluster together groups of related files. High runtime performance -- By optimising the configuration of TDP and reducing the number of VMExit events, zSand minimizes monitoring overhead and resource utilization. It is a pretty massive database, so we have been working hard to find every single clue we could to relate different items for you to complete your puzzle. Maybe we can even use similarity to find potentially related samples from the same actor. All these together give a reliable and consistent result reified as a rapid scanner with minimal impact on resources and no conflict with other software.” Crowdsourced sigma rules already warn that something fishy might be going on. within your network and you want to find some context. VTSubmitter-Maltego accepts a hash and extracts basic, useful information about its VirusTotal submitters. In this case, visual similarity returns 3,390 new files by clicking on the icon above. 
TL;DR: VirusTotal allows you to search for similar files according to different orthogonal notions (structure, visual layout, icons, execution behaviour, etc.). In this blogpost we will discuss some interesting ideas of what can be done with similarity in VirusTotal. It could help to find the malicious infrastructure used by attackers, but also hacked sites used as watering holes for example. How do I contain it? by blocking a command-and-control domain in the network perimeter, as well as artefacts that can be used for proactive threat hunting purposes, to determine whether there has been a breach and what is its scope. It is built on several automated systems that perform different methods of static and dynamic analysis. Even better, we integrate multiple sandboxes, offering us different options. Technical documentation. In this case, the pieces of the puzzle will be Indicators of Compromise (IOCs), usually hashes, domains and IPs. But we cannot apply similarity without any data to compare. Your SIEM describes their internal sightings and actions but fails to transmit the bigger picture. Access to many more features than the ones provided by the v2 API such as Live Hunt, Retro Hunt, Zip Files, Relationships, etc. Start by adding all the known observables to a new VT Graph. VirusTotal was founded in 2004 as a free service that analyzes files and URLs for viruses, worms, trojans and other kinds of malicious content. from pprint import pprint domain = "virustotal.com" # v2 example resp = vtotal. Who is behind it? This post was authored by Emiliano Martinez. Welcome to VirusTotal. There are many ways to figure it out. Uncovering threat infrastructure via URL, domain and IP address advanced pivots a.k.a. Malware in the end is a piece of software, built from frameworks, code and libraries, and takes some time and expertise to create. We can do this similarity search either by selecting it in the multiple similarity button, or in the Behavior tab. 
Building towards the richest and most interconnected malware ecosystem, 2804184381e9c1c51a213bdcd703ae0a9a16c6abc39b43cd44619365d5914934, 12305f7314b7b3c13657d7da48b73a2d10a2303cc23e76d6954ea909ac74e997, a3b2528b5e31ab1b82e68247a90ddce9a1237b2994ec739beb096f71d58e3d5b, 1230725a4b8cbfa70c19c9eaa925b945511374da1cce787ea2854c2a2303f1b6, https://www.virustotal.com/gui/url/a118c67740832dae1943f023be375260d4385a6a214b3ddd77b23cbbc0c841d6/relations, Using similarity to expand context and map out threat campaigns, we have also done a webinar that can be viewed on-demand, main_icon_dhash:23232b2b00010000 AND have:email_parents, main_icon_dhash:23232b2b00010000 AND have:itw, main_icon_dhash:23232b2b00010000 AND have:behaviour_network, main_icon_dhash:23232b2b00010000 AND have:comments, Why is similarity so relevant when investigating attacks, Keep your friends close; keep ransomware closer. @RISK Newsletter for February 04, 2021 The consensus security vulnerability alert. Below you can find all the fresh new relationships specific for files: Dropped files: Interesting files written to disk during sandbox execution. Similar to the cases above where we want to find the parent of the malware, this time hiding in a different place. VirusTotal is a website that allows free analysis of files and/or URLs to detect viruses or malware inside them. So when starting the investigation with only a few pieces... how to find the rest in VirusTotal? Threat reputation allows you to perform an immediate first assessment (alert triage), but other than that there is little context in terms of remediation IoCs and hunting artifacts. 
At the same time, the Gridinsoft Scan24 engine fills with new processing patterns. request ("domain/report", params = {"domain": domain}) print (resp. You can use the have: modifier with the newly added relationships for your searches in the following format have:name_of_relationship. This will result in an immediate notification, allowing us to track any new IOCs we can use to protect our system. This gives us unparalleled visibility into the campaign. We can click in any of these indicators to find their respective clusters. In the words of the company: “Gridinsoft provides an autonomous multi-layered malware detection engine based on a powerful malware-analyzing laboratory. We can narrow down the search above to match exclusively those files that have been seen as an attachment in some email uploaded to VirusTotal: main_icon_dhash:23232b2b00010000 AND have:email_parents (Note that you can also use tag:attachment instead of have:email_parents). We can now run through the matching files, open up their Relations tab and jump into the pertinent email parent, so as to understand the deception techniques being used in the campaign: This particular instance poses as some kind of World Health Organization report on COVID. The result is that two different malware files built by the same developer using the same pieces will look alike. All of this is tactical intelligence that can be fed into network perimeter defenses, but also context that can be operationalized and digested into TTPs in order to characterize threat actors. Maltego Transforms. Investigations on malicious activity usually start with small pieces of a puzzle we don't know how big and complex it will be. 
Let’s filter down the search to focus exclusively on those files that exhibited network communications when executed in a dynamic analysis sandbox: main_icon_dhash:23232b2b00010000 AND have:behaviour_network. Most of the matching files have been analysed by several sandboxes participating in our multi-sandbox effort. Does it communicate with a command-and-control? The next step in an incident response engagement - and this is what most analysts fail to do - is to jump into the file’s cluster (its family/framework/campaign) in order to expand context and surface IoCs. The concept of similarity is pretty straightforward: are two files similar? It is! For instance, you can use the following … They gather threat patterns, classifying and replenishing the database with rising threats. Now, why is this useful? But as a small, resource-constrained company, that can sometimes be … We can look at the, . Finally, this blog post presented an incident response scenario but the very same logic can be applied to threat actor tracking or campaign monitoring use cases. I have a feed of new files that I can upload, I want free API quota to do so. The sooner we detect a campaign the faster we can perform actions to shut it down. One idea at this point would be finding similar files: maybe the attacker used similar malware in other campaigns than the one under investigation, and maybe these files will tell more about the infection chain and infrastructure. Banners that look like BIG GREEN DOWNLOAD ARROWS are usually MALWARE. 
Let’s ask VirusTotal whether any of the files in the cluster have associated in-the-wild URLs: main_icon_dhash:23232b2b00010000 AND have:itw. We can now jump into the Relations tab in order to export these additional IoCs: There are over 3K files with in-the-wild URLs; note that we can automate all of this via the API. Let’s jump to other similar files based on the document’s visual layout by clicking on “Similar by icon/thumbnail” or on the thumbnail itself, located in the top right: main_icon_dhash:23232b2b00010000. There are too many matches; we would have to iterate over every single one in order to surface particular patterns that may allow us to understand the campaign. We do our best to detonate in a sandbox every file we receive in VirusTotal. Spear phishing is still the most popular method employed by attackers to distribute malware. In this case, vhash returns 57 additional files, imphash finds no other hits and, (we can spot potential non-malicious files adding the search operator, We have used clustering hashes (both static/structural and behavioural), but are there concrete features that we could pivot on? Any that could impact us in the future? If you are a premium customer you can use VT Graph extensively, its consumption won’t count against your API quota. As a bonus point, pivoting to other campaign files that have sandbox behaviour reports allows us to shed more light into other TTPs that we might be tracking via MITRE ATT&CK (e.g. The next step is to understand whether any of the machines in our corporate fleet are beaconing out to infrastructure tied to this campaign. 
API V2 third party scripts and client libraries. Below we will review what kind of relationships you can find in VirusTotal. Learn about premium services. We combine the most relevant file inspection methods with an effective interaction of our development and analyst teams. If you have never used VirusTotal before, watch this video to learn how to upload a file to https://www.virustotal.com and copy the link to the analysis report. As a result, you can now find the following records for domain resolutions in VirusTotal: The example below shows in VirusTotal Graph all these DNS records for a given suspicious domain. This kind of phishing attacks where legitimate logos, domains and brand images are used to bait victims into executing malware can hurt a company's reputation, not to speak of being used against the company itself. PE Resource children: PE files contained into another file as a resource. This engine is specialized in Android and reinforces the participation of Bitdefender that already had two engines in our service, their multi-platform scanner (BitDefender) and a 100% machine learning engine (BitDefenderTheta). Attackers need tools for their attacks, basically malware. When we run out of indicators, similarity to the rescue! Netloc Intelligence, I did not know you could do X, Y, Z with VirusTotal, Revamping in-house dynamic analysis with VirusTotal Jujubox Sandbox. 12304478f1c50f9d10497bc8afea771bd1e3bd5bd3beaa0370090f727f3713a1. Right from the Details panel in the sample report there are several hashes that correspond to the output of different similarity algorithms: vhash, authentihash, imphash, rich PE header hash, ssdeep and TLSH: It is important to understand that different similarity algorithms provide different results. 
json ()) # v3 example resp = vtotal. We started off with a single IoC for which we had little context, neither did VirusTotal, beyond basic threat reputation. What does it do? You can check a www.VirusTotal.com analysis of this site by clicking here and of Lame_v3.99.3_for_Windows.exe HERE, and of ffmpeg-win-2.2.2.exe here. Additionally, understanding what legitimate files communicate with a given URL can also provide a valuable insight, for instance for detecting suspicious supply chain activity. virustotalx is a VirusTotal API (version 3) wrapper for Ruby. Imagine you are investigating some attack and you find some suspicious file. At the same time, we will probably want to block the CnC and exfiltration points in order to mitigate the impact of historical undetected breaches. Comprehensive monitoring -- zSand retrieves detailed malware behavioral events and associated states of hardware including CPU, memory, disks, and network interfaces. data) Running the tests. This is how we know how the malware was distributed. Cmdlet Synopsis; Get-PoshVTVersion: Checks the version of the module installed versus the version on GitHub: Get-VTAPIKeyInfo : Get information on the Virus Total API key. For an attacker it is easy to evade a single sandbox, it is far more complex to do so for 17+ of them at the same time. This helps us understand what files were distributed from some malicious infrastructure or compromised website. response_code) pprint (resp. We can use this data to pivot and find other malware having the same mutexes when detonated on our sandboxes. has expressed its commitment to follow the. This is especially useful for suspicious documents distributed by attackers, but it also works for executables sharing similar icons. installation, actions on objectives, etc.). 
Specifically, let's try to find some pivotable features (or clues) among the million files caught by rich PE header hash using the VT Enterprise query [rich_pe_header_hash:640b9fb49577f39427b39125155c2425 have:clue_rule]. , shows interesting dropped files, registry keys set and DNS resolutions in the Details panel. by AV-Comparatives, an AMTSO-member tester. Choosing the right similarity many times depends on the samples we are working with, that's why sometimes it is just easier to check them all at the same time and take a look at the results.