Virus Total
Version: 4.1.1
Virustotal can be used to analyze suspicious files and URLs to detect types of malware including viruses, worms, and trojans.
Connect Virustotal with LogicHub
- Navigate to Automations > Integrations.
- Search for Virustotal.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- API Key: The API key to connect to the Virustotal.
- After you've entered all the details, click Connect.
Actions for Virustotal
Analyze Domain
Retrieves a domain report
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Column Name | Select the name of the column in the parent table containing the domain to submit to VirusTotal. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: analysis details
{
"BitDefender category": "business",
"domain_siblings": [
"msg.logichub.com",
"info.logichub.com",
"stg.logichub.com"
],
"sophos category": "advertisements",
"undetected_downloaded_samples": [
{
"date": "2019-09-16 16:35:55",
"positives": 0,
"total": 70,
"sha256": "5085cc9e65c2c0c473b7a92d7667a20daf58bef2f8961b4faefafb8d3468a2db"
}
],
"whois": "Admin City: Scottsdale\nAdmin Country: US\nAdmin Email: [email protected]\nAdmin Organization: Domains By Proxy, LLC\nAdmin Postal Code: 85260\nAdmin State/Province: Arizona\nCreation Date: 2010-03-31T18:05:17Z\nDNSSEC: unsigned\nDomain Name: LOGICHUB.COM\nDomain Name: logichub.com\nDomain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited\nDomain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited\nDomain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited\nDomain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited\nDomain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\nDomain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited\nDomain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited\nName Server: NS53.DOMAINCONTROL.COM\nName Server: NS54.DOMAINCONTROL.COM\nRegistrant City: 373f4980ad3d2d01\nRegistrant Country: US\nRegistrant Email: [email protected]\nRegistrant Fax Ext: 3432650ec337c945\nRegistrant Fax: 9fad764be0c7e95d\nRegistrant Name: 80315b2e6ac1a801\nRegistrant Organization: b46a98a26fe2fd9f\nRegistrant Phone Ext: 3432650ec337c945\nRegistrant Phone: d5f66d3a005b000d\nRegistrant Postal Code: b9448b1c75ff534d\nRegistrant State/Province: 30bdd2917a604c83\nRegistrant Street: 037792fd5a6fe619\nRegistrant Street: f38c0adea706dbc3\nRegistrar Abuse Contact Email: [email protected]\nRegistrar Abuse Contact Phone: +1.4806242505\nRegistrar Abuse Contact Phone: 480-624-2505\nRegistrar IANA ID: 146\nRegistrar Registration Expiration Date: 2030-03-31T18:05:17Z\nRegistrar URL: http://www.godaddy.com\nRegistrar WHOIS Server: whois.godaddy.com\nRegistrar: GoDaddy.com, LLC\nRegistry Admin ID: Not Available From Registry\nRegistry Domain ID: 1590984107_DOMAIN_COM-VRSN\nRegistry Expiry Date: 2030-03-31T18:05:17Z\nRegistry Registrant ID: Not Available From Registry\nRegistry Tech ID: Not Available From Registry\nTech City: Scottsdale\nTech Country: US\nTech Email: [email protected]\nTech Organization: Domains By Proxy, LLC\nTech Postal Code: 85260\nTech State/Province: Arizona\nUpdated Date: 2020-04-05T17:12:07Z\nUpdated Date: 2020-04-05T17:12:10Z",
"detected_downloaded_samples": [
{
"date": "2020-05-05 15:52:49",
"positives": 1,
"total": 75,
"sha256": "5085cc9e65c2c0c473b7a92d7667a20daf58bef2f8961b4faefafb8d3468a2db"
}
],
"response_code": 1,
"detected_referrer_samples": [],
"verbose_msg": "Domain found in dataset",
"Forcepoint ThreatSeeker category": "information technology",
"undetected_urls": [
[
"https://www.logichub.com/",
"1101a118b616f943e890e9e8e8f49161f4336e0a7815ddee08d8a233e0ba7ff9",
0,
80,
"2020-10-15 18:50:15"
]
],
"Comodo Valkyrie Verdict category": "media sharing",
"undetected_referrer_samples": [
{
"date": "2020-04-22 14:21:44",
"positives": 0,
"total": 0,
"sha256": "9388089e4a60d5cd88e2c99a2e060e8fa8cb897b123f5bac62290a925e7a022c"
}
],
"resolutions": [
{
"last_resolved": "2017-02-07 00:00:00",
"ip_address": "107.180.0.110"
}
],
"detected_urls": [],
"lh_report_url": null,
"error": null,
"has_error": false
}
Analyze File Hash
Retrieves a file hash report
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Column Name | Name of the column in the parent table containing file hash to submit to VirusTotal. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: analysis details
{
"scans": {
"Alibaba": {
"detected": true,
"version": "0.3.0.5",
"result": "Backdoor:Win32/Nepoe.530869dc",
"update": "20190527"
},
"Cybereason": {
"detected": true,
"version": "1.2.449",
"result": "malicious.69043a",
"update": "20190616"
}
},
"scan_id": "b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962-1604018059",
"sha1": "5b63d3bf46aec2126932d8a683ca971c56f7d717",
"resource": "cbed16069043a0bf3c92fff9a99cccdc",
"response_code": 1,
"scan_date": "2020-10-30 00:34:19",
"permalink": "https://www.virustotal.com/gui/file/b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962/detection/f-b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962-1604018059",
"verbose_msg": "Scan finished, information embedded",
"total": 72,
"positives": 63,
"sha256": "b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962",
"md5": "cbed16069043a0bf3c92fff9a99cccdc",
"lh_report_url": "https://www.virustotal.com/gui/file/b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962/detection/f-b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962-1604018059",
"error": null,
"has_error": false
}
Analyze IP Address
Retrieves an IP address report
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Column Name | Name of the column in the parent table containing IP address to submit to VirusTotal. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: analysis details
{
"asn": 7922,
"undetected_urls": [
[
"http://cet-nat.comcastcntr.pa.bo.comcast.net/",
"2521651e23393ea13e2817a4afee4847b3d35f4d2df2b5917ca332294b5aafd2",
0,
70,
"2019-07-11 10:00:22"
]
],
"undetected_downloaded_samples": [],
"country": "US",
"response_code": 1,
"as_owner": "Comcast Cable Communications, LLC",
"detected_referrer_samples": [],
"verbose_msg": "IP address in dataset",
"detected_downloaded_samples": [],
"undetected_referrer_samples": [
{
"date": "2020-04-22 23:08:01",
"positives": 0,
"total": 75,
"sha256": "7206af0ae424df1f3eddf9198a38e24facfa3fb87fd0cff1d3991141efc1e7b7"
}
],
"detected_urls": [],
"resolutions": [
{
"last_resolved": "2019-07-11 10:03:20",
"hostname": "cet-nat.comcastcntr.pa.bo.comcast.net"
}
],
"error": null,
"has_error": false
}
Analyze URL
Analyze URL by VirusTotal
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Action Type | Select an action type. | Required |
| Column Name | Select the name of the column in the parent table containing the domain to submit to VirusTotal. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: analysis details
{
"permalink": "https://www.virustotal.com/gui/url/34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553/detection/u-34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553-1601641706",
"resource": "34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553-1601641706",
"url": "https://playground.dev.logichub.com/",
"response_code": 1,
"scan_date": "2020-10-02 12:28:26",
"scan_id": "34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553-1601641706",
"verbose_msg": "Scan finished, scan information embedded in this object",
"has_error": false,
"error": null,
"filescan_id": null,
"positives": 0,
"total": 79,
"scans": {
"MalwareDomainList": {
"detected": false,
"result": "clean site",
"detail": "http://www.malwaredomainlist.com/mdl.php?search=playground.dev.logichub.com"
},
"Web Security Guard": {
"detected": false,
"result": "clean site"
},
"OpenPhish": {
"detected": false,
"result": "clean site"
}
}
}
Analyze File
Analyze File by VirusTotal
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Action Type | Select an action type. | Required |
| Column Name | Select the name of the column in the parent table containing the domain to submit to VirusTotal. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: analysis details
{
"scans": {
"Kaspersky": {
"detected": false,
"version": "15.0.1.13",
"result": null,
"update": "20201120"
},
"MaxSecure": {
"detected": false,
"version": "1.0.0.1",
"result": null,
"update": "20201119"
},
"AVG": {
"detected": false,
"version": "20.10.5736.0",
"result": null,
"update": "20201120"
}
},
"scan_id": "32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231-1605867145",
"sha1": "714c804de08df5f6852a6470773f4edba31c83d9",
"resource": "32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231-1605867145",
"response_code": 1,
"scan_date": "2020-11-20 10:12:25",
"permalink": "https://www.virustotal.com/gui/file/32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231/detection/f-32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231-1605867145",
"verbose_msg": "Scan finished, information embedded",
"total": 61,
"positives": 0,
"sha256": "32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231",
"md5": "c9cd2d0f3cee5961b579e7a5e9fd123e",
"lh_report_url": "https://www.virustotal.com/gui/file/32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231/detection/f-32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231-1605867145",
"error": null,
"has_error": false
}
Intelligence Search
Search for files (the action is data-heavy, so please try to reduce the limit or increase action timeout in case of timeout error).
Input
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Argument Name | Description | Required |
|---|---|---|
| Search Query | Jinja-Templated text containing the Search Query. Example: {{query}} | Required |
| Limit | Number of results to return (Default is 100000) | Optional |
Output
A JSON object containing multiple rows of result.
{
"attributes": {
"creation_date": 51351,
"downloadable": true,
"exiftool": {
"Trapped": "False",
},
"first_submission_date": 1638251100,
"last_analysis_date": 1638257416,
"last_analysis_results": "some_object",
"last_modification_date": 1638258704,
"last_submission_date": 1638257416,
"magic": "PDF document, version 1.7",
"md5": "md5_hash",
"meaningful_name": "/tmp/meaning.tmp",
"names": "name_array",
"pdf_info": "info_object",
"reputation": 0,
"sha1": "sha1_example",
"sha256": "sha256_example",
"size": 2303072,
"ssdeep": "example",
"tags": [
"pdf",
"autoaction"
],
"times_submitted": 2,
"tlsh": "some_text",
"total_votes": {
"harmless": 0,
"malicious": 0
},
"links": {
"self": "https://www.virustotal.com/api/v3/files/sample_id"
},
"has_error": false,
"id": "sample_id",
"error": null,
"type": "file"
}
Additional Information
- If you face a timeout error please increase the Action Timeout (Default is 360 seconds).
File Behavior Reports
Get all behavioural information from each sandbox about the file.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| File Hash | Jinja-templated text containing the File Hash | Required |
Output
JSON containing the following items:
{
"data": [
{
"attributes": {
"verdicts": [
"UNKNOWN_VERDICT"
],
"has_pcap": false,
"analysis_date": 1669409515,
"processes_tree": [
{
"process_id": "2248",
"name": "%windir%\\System32\\svchost.exe -k WerSvcGroup"
},
{
"process_id": "2940",
"name": "wmiadap.exe /F /T /R"
},
{
"process_id": "2988",
"name": "%windir%\\system32\\wbem\\wmiprvse.exe"
},
{
"process_id": "2676",
"name": "%SAMPLEPATH%"
}
],
"sandbox_name": "C2AE",
"has_html_report": false,
"processes_terminated": [
"%windir%\\System32\\svchost.exe -k WerSvcGroup",
"wmiadap.exe /F /T /R"
],
"behash": "7eb58e30b74038daa9b31b5d9df78cf2",
"has_evtx": false,
"last_modification_date": 1669495931,
"has_memdump": false
},
"type": "file_behaviour",
"id": "hash",
"links": {
"self": "https://www.virustotal.com/api/v3/file_behaviours/{hash}}"
}
},
],
"links": {
"self": "https://www.virustotal.com/api/v3/files/{hash}/behaviours?limit=10"
}
}
Summarise File Behavior Reports
Get a summary with behavioural information about the file. The summary consists in merging together the reports produced by the multiple sandboxes we have integrated in VirusTotal.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| File Hash | Jinja-templated text containing the File Hash | Required |
Output
JSON containing the following items:
{
"data": {
"calls_highlighted": [
"GetTickCount"
],
"files_opened": [
"C:\\WINDOWS\\system32\\winime32.dll",
"C:\\WINDOWS\\system32\\lpk.dll",
"C:\\WINDOWS\\system32\\usp10.dll",
"C:\\WINDOWS\\WinSxS\\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\\comctl32.dll",
"C:\\WINDOWS\\system32\\winmm.dll",
"C:\\WINDOWS\\system32\\winspool.drv",
"C:\\WINDOWS\\WindowsShell.Manifest",
],
"modules_loaded": [
"comctl32.dll",
"C:\\WINDOWS\\system32\\ws2_32.dll",
"version.dll",
"USER32.dll",
"IMM32.dll",
"C:\\WINDOWS\\system32\\user32.dll"
],
"mutexes_created": [
"CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500",
"CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500",
"CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500",
"MSCTF.Shared.MUTEX.EBH"
],
"mutexes_opened": [
"ShimCacheMutex"
],
"processes_terminated": [
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\EB93A6\\996E.exe"
],
"processes_tree": [
{
"name": "****.exe",
"process_id": "1036"
},
{
"name": "9f9e74241d59eccfe7040bfdcbbceacb374eda397cc53a4197b59e4f6f380a91.exe",
"process_id": "2340"
}
],
"registry_keys_opened": [
"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\996E.exe",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\TransparentEnabled",
"\\REGISTRY\\USER\\S-1-5-21-1482476501-1645522239-1417001333-500\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers",
"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\COMCTL32.dll",
"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\SHELL32.dll",
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\wave5"
],
"tags": [
"DIRECT_CPU_CLOCK_ACCESS",
"RUNTIME_MODULES"
],
"text_highlighted": [
"&Open",
"&Cancel",
"&About",
"Cate&gory:",
"Host &Name (or IP address)",
"&Port",
"22",
"Connection type:",
"Ra&w",
"&Telnet",
"Rlog&in"
]
}
}
Release Notes
v4.1.1- Added 2 new actionsFile Behavior ReportsandSummarise File Behavior Reports.v4.0.0- Updated architecture to support IO via filesystem
Updated 9 months ago