Reversing Labs

This integration is a series of Components that allow users to do malware analysis with ReversingLabs Spectra Analyze and Spectra Intel. The following apps and actions are available:

• Analyze File with ReversingLabs - The Reversing Labs API lets you submit a supported file type for ReversingLabs analysis. Use this app to automate the submission of new malware files. The app attempts to detect whether a file is in ZIP format and, if it is, automatically unzips the file before sending it to the ReversingLabs API.
• Download ReversingLabs Sample - This app downloads a sample residing on Spectra Analyze. If a sample is in the cloud, you will need to download it to the Spectra Analyze instance that you are using first.
• Get ReversingLabs Summary Report - This app uses hash_value(s) to get a summary classification report and details for a sample or list of samples.

These apps can be found in the ThreatConnect App Catalog under the names: Analyze File with ReversingLabs, Download ReversingLabs Sample, and Get ReversingLabs Summary Report.

This threat intel list includes fresh indicators from not only ransomware but the tools used to gain access and deploy ransomware enabling defenders the opportunity to discover adversaries initial network access and lateral movement before their data is encrypted. Our threat intelligence researchers analyze ransomware attack trends and the security landscape to ensure that only the most up to date and relevant malware families are dissected to create technical indicators. This integration is available for download here on the ThreatConnect Marketplace.

Key Features

• Indicators from multiple stages of typical attacks allow for early detection and the ability to reduce damage associated with IP theft and ransomware attacks
• Aggressive aging of the indicators ensures only relevant indicators are active in the list
• Extensive post processing of indicators eliminates or reduces confidence on indicators likely to produce false positives
• Indicators such as IP, Domain and Hash include tagging to give additional context such as MITRE ATT&CK, network parameters, attack stage and malware family name.

About ReversingLabs

ReversingLabs is the leading provider of explainable threat intelligence solutions that dissect complex file-based threats for enterprises stretched for time and expertise. Its hybrid-cloud Spectra Platform enables digital business resiliency, protects against new modern architecture exposures, and automates manual SOC processes with a transparency that arms analysts to confidently take action and hunt threats.

With this Playbook app, you can automatically detonate, analyze, and submit files in MalwareBazaar from ThreatConnect to understand if they are malicious and return any contextualized telemetry. This all leads to more informed decision-making and more efficient remediation of malicious files through automation.

The following actions are available within the Playbook App:

• Submit File for Analysis - Automate the submission of new malware files.
• Download Sample - Download a sample residing on Spectra Analyze. If a sample is in the cloud, you will need to download it to the Spectra Analyze instance that you are using first.
• Get Extracted Files - Retrieve a list of all extracted files from a sample using the Spectra Core engine.
• Get Summary Report - Retrieve a summary classification report and details for a sample or list of samples based on hash_value(s)
• Get File Reputation - Retrieve Spectra Intel File Reputation results for files stored on the Spectra Analyze instance. The file must be on the Spectra Analyze instance. If it is not, you must first upload it and send it to the cloud.
• Get Report - Retrieve Spectra Core analysis for given sample hash value. The file must be uploaded to the Spectra Analyze instance beforehand.

This app can be found in the ThreatConnect App Catalog under the names: ReversingLabs

• Get ReversingLabs Extracted Files - This app gets a list of all extracted files from a sample using the Spectra Core engine.
• Get ReversingLabs Spectra Core Results - This app gets Spectra Core analysis for given sample hash value. The file must be uploaded to the Spectra Analyze instance beforehand.

The Polarity - ReversingLabs integration quickly searches Hashes and IPs against ReversingLabs' vast malware analysts platform. Enabling analysts to have a complete picture on the supply chain of a file hash.

The Polarity - ReversingLabs integration quickly searches a company's on-prem version of ReversingLabs for Hashes and IPs against ReversingLabs' vast malware analysts platform. Enabling analysts to have a complete picture on the supply chain of a file hash.

The Create Spectra Intel Yara Hunting Ruleset Playbook template allows you to take a YARA rule in ThreatConnect and upload it to ReversingLabs' Spectra Analyze Malware Analysis Platform's YARA Hunting capability.

The Delete ReversingLabs Spectra Intel Yara Hunting Ruleset Playbook template allows users to delete a YARA rule that has been previously uploaded to ReversingLabs' Spectra Analyze Malware Analysis Platform's YARA Hunting capability. Note that if you enter the name of a YARA rule that is not present in Spectra Analyze, the Component will still complete successfully, but will output the message "Failed to delete ruleset. Please see logs for more information".

These Playbook templates can be found in the ThreatConnect App Catalog under the names: Create Spectra Intel Yara Hunting Ruleset and Delete ReversingLabs Spectra Intel Yara Hunting Ruleset