VirusTotal

Version: 4.1.1

VirusTotal can be used to analyze suspicious files and URLs to detect malware, including viruses, worms, and trojans.

Connect VirusTotal with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Virustotal.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select this option to verify the connecting server's SSL certificate (default: Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • API Key: The API key used to connect to VirusTotal.
  4. After you've entered all the details, click Connect.

Actions for VirusTotal

Analyze Domain

Retrieves a domain report

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Column Name | Select the name of the column in the parent table containing the domain to submit to VirusTotal. | Required

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • result: analysis details

{
  "BitDefender category": "business",
  "domain_siblings": [
    "msg.logichub.com",
    "info.logichub.com",
    "stg.logichub.com"
  ],
  "sophos category": "advertisements",
  "undetected_downloaded_samples": [
    {
      "date": "2019-09-16 16:35:55",
      "positives": 0,
      "total": 70,
      "sha256": "5085cc9e65c2c0c473b7a92d7667a20daf58bef2f8961b4faefafb8d3468a2db"
    }
  ],
  "whois": "Admin City: Scottsdale\nAdmin Country: US\nAdmin Email: [email protected]\nAdmin Organization: Domains By Proxy, LLC\nAdmin Postal Code: 85260\nAdmin State/Province: Arizona\nCreation Date: 2010-03-31T18:05:17Z\nDNSSEC: unsigned\nDomain Name: LOGICHUB.COM\nDomain Name: logichub.com\nDomain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited\nDomain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited\nDomain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited\nDomain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited\nDomain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\nDomain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited\nDomain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited\nName Server: NS53.DOMAINCONTROL.COM\nName Server: NS54.DOMAINCONTROL.COM\nRegistrant City: 373f4980ad3d2d01\nRegistrant Country: US\nRegistrant Email: [email protected]\nRegistrant Fax Ext: 3432650ec337c945\nRegistrant Fax: 9fad764be0c7e95d\nRegistrant Name: 80315b2e6ac1a801\nRegistrant Organization: b46a98a26fe2fd9f\nRegistrant Phone Ext: 3432650ec337c945\nRegistrant Phone: d5f66d3a005b000d\nRegistrant Postal Code: b9448b1c75ff534d\nRegistrant State/Province: 30bdd2917a604c83\nRegistrant Street: 037792fd5a6fe619\nRegistrant Street: f38c0adea706dbc3\nRegistrar Abuse Contact Email: [email protected]\nRegistrar Abuse Contact Phone: +1.4806242505\nRegistrar Abuse Contact Phone: 480-624-2505\nRegistrar IANA ID: 146\nRegistrar Registration Expiration Date: 2030-03-31T18:05:17Z\nRegistrar URL: http://www.godaddy.com\nRegistrar WHOIS Server: whois.godaddy.com\nRegistrar: GoDaddy.com, LLC\nRegistry Admin ID: Not Available From Registry\nRegistry Domain ID: 1590984107_DOMAIN_COM-VRSN\nRegistry Expiry Date: 2030-03-31T18:05:17Z\nRegistry Registrant ID: Not Available From Registry\nRegistry Tech ID: Not Available From Registry\nTech City: Scottsdale\nTech Country: US\nTech Email: [email protected]\nTech Organization: Domains By Proxy, LLC\nTech Postal Code: 85260\nTech State/Province: Arizona\nUpdated Date: 2020-04-05T17:12:07Z\nUpdated Date: 2020-04-05T17:12:10Z",
  "detected_downloaded_samples": [
    {
      "date": "2020-05-05 15:52:49",
      "positives": 1,
      "total": 75,
      "sha256": "5085cc9e65c2c0c473b7a92d7667a20daf58bef2f8961b4faefafb8d3468a2db"
    }
  ],
  "response_code": 1,
  "detected_referrer_samples": [],
  "verbose_msg": "Domain found in dataset",
  "Forcepoint ThreatSeeker category": "information technology",
  "undetected_urls": [
    [
      "https://www.logichub.com/",
      "1101a118b616f943e890e9e8e8f49161f4336e0a7815ddee08d8a233e0ba7ff9",
      0,
      80,
      "2020-10-15 18:50:15"
    ]
  ],
  "Comodo Valkyrie Verdict category": "media sharing",
  "undetected_referrer_samples": [
    {
      "date": "2020-04-22 14:21:44",
      "positives": 0,
      "total": 0,
      "sha256": "9388089e4a60d5cd88e2c99a2e060e8fa8cb897b123f5bac62290a925e7a022c"
    }
  ],
  "resolutions": [
    {
      "last_resolved": "2017-02-07 00:00:00",
      "ip_address": "107.180.0.110"
    }
  ],
  "detected_urls": [],
  "lh_report_url": null,
  "error": null,
  "has_error": false
}

Analyze File Hash

Retrieves a file hash report

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Column Name | Name of the column in the parent table containing the file hash to submit to VirusTotal. | Required

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • result: analysis details

{
  "scans": {
    "Alibaba": {
      "detected": true,
      "version": "0.3.0.5",
      "result": "Backdoor:Win32/Nepoe.530869dc",
      "update": "20190527"
    },
    "Cybereason": {
      "detected": true,
      "version": "1.2.449",
      "result": "malicious.69043a",
      "update": "20190616"
    }
  },
  "scan_id": "b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962-1604018059",
  "sha1": "5b63d3bf46aec2126932d8a683ca971c56f7d717",
  "resource": "cbed16069043a0bf3c92fff9a99cccdc",
  "response_code": 1,
  "scan_date": "2020-10-30 00:34:19",
  "permalink": "https://www.virustotal.com/gui/file/b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962/detection/f-b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962-1604018059",
  "verbose_msg": "Scan finished, information embedded",
  "total": 72,
  "positives": 63,
  "sha256": "b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962",
  "md5": "cbed16069043a0bf3c92fff9a99cccdc",
  "lh_report_url": "https://www.virustotal.com/gui/file/b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962/detection/f-b018706f57937136a2f61421c5a7a9f4ce8c89c3670ae4814491473184545962-1604018059",
  "error": null,
  "has_error": false
}
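
A triage helper for the Analyze File Hash output above, written as an added example (it is not part of the LogicHub integration). It assumes the v2 report layout reproduced on this page, where response_code 1 means a finished report exists and 0 means the hash is not in the dataset; the verdict thresholds and the sample row are constructed.

```python
"""Triage the Analyze File Hash output shown above (added example, not the
integration's own code; the verdict thresholds are a constructed policy)."""
import json

# Constructed sample shaped like the page's Analyze File Hash output (v2 layout).
SAMPLE_REPORT = json.loads("""
{
  "scans": {
    "EngineA": {"detected": true, "version": "1.0", "result": "Trojan.Generic", "update": "20201030"},
    "EngineB": {"detected": false, "version": "2.1", "result": null, "update": "20201030"},
    "EngineC": {"detected": true, "version": "3.2", "result": "malicious.example", "update": "20201029"},
    "EngineD": {"detected": false, "version": "0.9", "result": null, "update": "20201030"}
  },
  "response_code": 1,
  "sha256": "0000000000000000000000000000000000000000000000000000000000000000",
  "total": 4,
  "positives": 2,
  "error": null,
  "has_error": false
}
""")


def triage_file_hash_report(report, malicious_at=0.25, suspicious_at=1):
    """Reduce one output row to a verdict dict for downstream playbook steps.

    Error and not-found rows are handled first so a failed lookup is never
    treated as a clean file. VirusTotal v2 returns response_code 1 when a
    report exists and 0 when the hash is not in its dataset (assumed here).
    """
    if report.get("has_error"):
        return {"verdict": "error", "reason": report.get("error")}
    code = report.get("response_code")
    if code != 1:
        return {"verdict": "unknown", "reason": "no finished report (response_code=%s)" % code}
    scans = report.get("scans") or {}
    # Engines that flagged the file, with the label each one assigned.
    hits = sorted((eng, info.get("result")) for eng, info in scans.items() if info.get("detected"))
    positives = int(report.get("positives", len(hits)))
    total = int(report.get("total", len(scans)))
    ratio = positives / total if total else 0.0
    if ratio >= malicious_at:
        verdict = "malicious"
    elif positives >= suspicious_at:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "positives": positives, "total": total,
            "ratio": round(ratio, 3), "engines": hits, "sha256": report.get("sha256")}
```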

Analyze IP Address

Retrieves an IP address report

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Column Name | Name of the column in the parent table containing the IP address to submit to VirusTotal. | Required

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • result: analysis details

{
  "asn": 7922,
  "undetected_urls": [
    [
      "http://cet-nat.comcastcntr.pa.bo.comcast.net/",
      "2521651e23393ea13e2817a4afee4847b3d35f4d2df2b5917ca332294b5aafd2",
      0,
      70,
      "2019-07-11 10:00:22"
    ]
  ],
  "undetected_downloaded_samples": [],
  "country": "US",
  "response_code": 1,
  "as_owner": "Comcast Cable Communications, LLC",
  "detected_referrer_samples": [],
  "verbose_msg": "IP address in dataset",
  "detected_downloaded_samples": [],
  "undetected_referrer_samples": [
    {
      "date": "2020-04-22 23:08:01",
      "positives": 0,
      "total": 75,
      "sha256": "7206af0ae424df1f3eddf9198a38e24facfa3fb87fd0cff1d3991141efc1e7b7"
    }
  ],
  "detected_urls": [],
  "resolutions": [
    {
      "last_resolved": "2019-07-11 10:03:20",
      "hostname": "cet-nat.comcastcntr.pa.bo.comcast.net"
    }
  ],
  "error": null,
  "has_error": false
}

Analyze URL

Analyzes a URL with VirusTotal.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Action Type | Select an action type. | Required
Column Name | Select the name of the column in the parent table containing the domain to submit to VirusTotal. | Required

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • result: analysis details

{
  "permalink": "https://www.virustotal.com/gui/url/34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553/detection/u-34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553-1601641706",
  "resource": "34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553-1601641706",
  "url": "https://playground.dev.logichub.com/",
  "response_code": 1,
  "scan_date": "2020-10-02 12:28:26",
  "scan_id": "34fd16559c0caee40f3941c391900a36de23a3031c3ebddc52c1986145724553-1601641706",
  "verbose_msg": "Scan finished, scan information embedded in this object",
  "has_error": false,
  "error": null,
  "filescan_id": null,
  "positives": 0,
  "total": 79,
  "scans": {
    "MalwareDomainList": {
      "detected": false,
      "result": "clean site",
      "detail": "http://www.malwaredomainlist.com/mdl.php?search=playground.dev.logichub.com"
    },
    "Web Security Guard": {
      "detected": false,
      "result": "clean site"
    },
    "OpenPhish": {
      "detected": false,
      "result": "clean site"
    }
  }
}

Analyze File

Analyzes a file with VirusTotal.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Action Type | Select an action type. | Required
Column Name | Select the name of the column in the parent table containing the domain to submit to VirusTotal. | Required

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • result: analysis details

{
  "scans": {
    "Kaspersky": {
      "detected": false,
      "version": "15.0.1.13",
      "result": null,
      "update": "20201120"
    },
    "MaxSecure": {
      "detected": false,
      "version": "1.0.0.1",
      "result": null,
      "update": "20201119"
    },
    "AVG": {
      "detected": false,
      "version": "20.10.5736.0",
      "result": null,
      "update": "20201120"
    }
  },
  "scan_id": "32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231-1605867145",
  "sha1": "714c804de08df5f6852a6470773f4edba31c83d9",
  "resource": "32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231-1605867145",
  "response_code": 1,
  "scan_date": "2020-11-20 10:12:25",
  "permalink": "https://www.virustotal.com/gui/file/32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231/detection/f-32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231-1605867145",
  "verbose_msg": "Scan finished, information embedded",
  "total": 61,
  "positives": 0,
  "sha256": "32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231",
  "md5": "c9cd2d0f3cee5961b579e7a5e9fd123e",
  "lh_report_url": "https://www.virustotal.com/gui/file/32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231/detection/f-32d3638fc2a2b8c5ad85839e5ea4dffbab701c08f7cb8c305f11e51189d81231-1605867145",
  "error": null,
  "has_error": false
}

Intelligence Search

Searches for files. This action is data-heavy: if it times out, reduce the limit or increase the action timeout.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Search Query | Jinja-templated text containing the search query. Example: {{query}} | Required
Limit | Number of results to return (default is 100000). | Optional

Output

A JSON object containing multiple rows of results:

{
  "attributes": {
    "creation_date": 51351,
    "downloadable": true,
    "exiftool": {
      "Trapped": "False"
    },
    "first_submission_date": 1638251100,
    "last_analysis_date": 1638257416,
    "last_analysis_results": "some_object",
    "last_modification_date": 1638258704,
    "last_submission_date": 1638257416,
    "magic": "PDF document, version 1.7",
    "md5": "md5_hash",
    "meaningful_name": "/tmp/meaning.tmp",
    "names": "name_array",
    "pdf_info": "info_object",
    "reputation": 0,
    "sha1": "sha1_example",
    "sha256": "sha256_example",
    "size": 2303072,
    "ssdeep": "example",
    "tags": [
      "pdf",
      "autoaction"
    ],
    "times_submitted": 2,
    "tlsh": "some_text",
    "total_votes": {
      "harmless": 0,
      "malicious": 0
    }
  },
  "links": {
    "self": "https://www.virustotal.com/api/v3/files/sample_id"
  },
  "has_error": false,
  "id": "sample_id",
  "error": null,
  "type": "file"
}

Additional Information

  • If you encounter a timeout error, increase the Action Timeout (default is 360 seconds).

File Behavior Reports

Gets all behavioural information about the file from each sandbox.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
File Hash | Jinja-templated text containing the file hash. | Required

Output

JSON containing the following items:

{
    "data": [
        {
            "attributes": {
                "verdicts": [
                    "UNKNOWN_VERDICT"
                ],
                "has_pcap": false,
                "analysis_date": 1669409515,
                "processes_tree": [
                    {
                        "process_id": "2248",
                        "name": "%windir%\\System32\\svchost.exe -k WerSvcGroup"
                    },
                    {
                        "process_id": "2940",
                        "name": "wmiadap.exe /F /T /R"
                    },
                    {
                        "process_id": "2988",
                        "name": "%windir%\\system32\\wbem\\wmiprvse.exe"
                    },
                    {
                        "process_id": "2676",
                        "name": "%SAMPLEPATH%"
                    }
                ],
                "sandbox_name": "C2AE",
                "has_html_report": false,
                "processes_terminated": [
                    "%windir%\\System32\\svchost.exe -k WerSvcGroup",
                    "wmiadap.exe /F /T /R"
                ],
                "behash": "7eb58e30b74038daa9b31b5d9df78cf2",
                "has_evtx": false,
                "last_modification_date": 1669495931,
                "has_memdump": false
            },
            "type": "file_behaviour",
            "id": "hash",
            "links": {
                "self": "https://www.virustotal.com/api/v3/file_behaviours/{hash}"
            }
        }
    ],
    "links": {
        "self": "https://www.virustotal.com/api/v3/files/{hash}/behaviours?limit=10"
    }
}

Summarise File Behavior Reports

Gets a summary of the behavioural information about the file. The summary merges the reports produced by the multiple sandboxes integrated with VirusTotal.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
File Hash | Jinja-templated text containing the file hash. | Required

Output

JSON containing the following items:

{
    "data": {
        "calls_highlighted": [
            "GetTickCount"
        ],
        "files_opened": [
            "C:\\WINDOWS\\system32\\winime32.dll",
            "C:\\WINDOWS\\system32\\lpk.dll",
            "C:\\WINDOWS\\system32\\usp10.dll",
            "C:\\WINDOWS\\WinSxS\\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\\comctl32.dll",
            "C:\\WINDOWS\\system32\\winmm.dll",
            "C:\\WINDOWS\\system32\\winspool.drv",
            "C:\\WINDOWS\\WindowsShell.Manifest"
        ],
        "modules_loaded": [
            "comctl32.dll",
            "C:\\WINDOWS\\system32\\ws2_32.dll",
            "version.dll",
            "USER32.dll",
            "IMM32.dll",
            "C:\\WINDOWS\\system32\\user32.dll"
        ],
        "mutexes_created": [
            "CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500",
            "CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500",
            "CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500",
            "MSCTF.Shared.MUTEX.EBH"
        ],
        "mutexes_opened": [
            "ShimCacheMutex"
        ],
        "processes_terminated": [
            "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\EB93A6\\996E.exe"
        ],
        "processes_tree": [
            {
                "name": "****.exe",
                "process_id": "1036"
            },
            {
                "name": "9f9e74241d59eccfe7040bfdcbbceacb374eda397cc53a4197b59e4f6f380a91.exe",
                "process_id": "2340"
            }
        ],
        "registry_keys_opened": [
            "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\996E.exe",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\TransparentEnabled",
            "\\REGISTRY\\USER\\S-1-5-21-1482476501-1645522239-1417001333-500\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers",
            "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\COMCTL32.dll",
            "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\SHELL32.dll",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\wave5"
        ],
        "tags": [
            "DIRECT_CPU_CLOCK_ACCESS",
            "RUNTIME_MODULES"
        ],
        "text_highlighted": [
            "&Open",
            "&Cancel",
            "&About",
            "Cate&gory:",
            "Host &Name (or IP address)",
            "&Port",
            "22",
            "Connection type:",
            "Ra&w",
            "&Telnet",
            "Rlog&in"
        ]
    }
}
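
The merge the summary action describes, over the per-sandbox "data" layout returned by File Behavior Reports, as an added example that is not the integration's code: it unions the list-valued fields across sandboxes while recording which sandbox observed each value, so a playbook can tell a one-sandbox artefact from behaviour every sandbox reproduced. The two sandbox entries are constructed; SandboxA, SandboxB and the mutex names are placeholders.

```python
"""Merge per-sandbox File Behavior Reports into one summary (added example,
not the integration's code; the sample below is constructed)."""
import json
from collections import Counter

# Two constructed sandbox entries in the "data" layout shown above.
SAMPLE_BEHAVIOURS = json.loads(r"""
{
  "data": [
    {"type": "file_behaviour", "id": "hash_SandboxA",
     "attributes": {
       "sandbox_name": "SandboxA", "verdicts": ["UNKNOWN_VERDICT"],
       "processes_tree": [
         {"process_id": "2676", "name": "%SAMPLEPATH%"},
         {"process_id": "2940", "name": "wmiadap.exe /F /T /R"}],
       "processes_terminated": ["wmiadap.exe /F /T /R"],
       "mutexes_created": ["Global\\ExampleMutex"],
       "tags": ["RUNTIME_MODULES"]}},
    {"type": "file_behaviour", "id": "hash_SandboxB",
     "attributes": {
       "sandbox_name": "SandboxB", "verdicts": ["MALICIOUS"],
       "processes_tree": [
         {"process_id": "7", "name": "%SAMPLEPATH%"},
         {"process_id": "9", "name": "wmiadap.exe /F /T /R"}],
       "mutexes_created": ["Global\\ExampleMutex", "Local\\Other"],
       "tags": ["DIRECT_CPU_CLOCK_ACCESS", "RUNTIME_MODULES"]}}
  ]
}
""")

LIST_FIELDS = ("processes_terminated", "mutexes_created", "tags")


def summarise_behaviours(response):
    """Union list-valued fields across sandboxes, recording which sandbox saw each value."""
    summary = {"sandboxes": [], "verdicts": Counter(), "process_names": {}}
    summary.update({field: {} for field in LIST_FIELDS})
    for entry in response.get("data", []):
        attrs = entry.get("attributes", {})
        sandbox = attrs.get("sandbox_name", entry.get("id", "?"))
        summary["sandboxes"].append(sandbox)
        summary["verdicts"].update(attrs.get("verdicts", []))
        # Process ids differ between runs, so merge process entries on name only.
        for proc in attrs.get("processes_tree", []):
            summary["process_names"].setdefault(proc.get("name"), set()).add(sandbox)
        for field in LIST_FIELDS:
            for value in attrs.get(field, []):
                summary[field].setdefault(value, set()).add(sandbox)
    return summary


def consensus(summary, field):
    """Values of `field` observed by every sandbox; stronger evidence than a single run."""
    n = len(summary["sandboxes"])
    return sorted(v for v, seen in summary[field].items() if len(seen) == n)
```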

Release Notes

  • v4.1.1 - Added 2 new actions: File Behavior Reports and Summarise File Behavior Reports.
  • v4.0.0 - Updated architecture to support IO via filesystem.

© Devo Technology Inc. All Rights Reserved.