ThreatConnect and VirusTotal: Enable YARA Hunting and Better Malware Analysis

ThreatConnect and VirusTotal have improved our collaboration with a new Playbook App! This app will allow you to send malware to a sandbox to be further examined and retrieve the results from VirusTotal. Leveraging this App, you will be able to perform Phishing Email Triage, Endpoint Investigation, and Malware Hunting. This all leads to more informed decision-making and more efficient remediation through automation.

VirusTotal Playbook Template – Submit File

The VirusTotal Playbook App will enable you to:

  • Use ThreatConnect’s Playbooks, coupled with VirusTotal Intelligence’s hunting capability, to create and deploy YARA rulesets for more accurate detection of previously unknown malicious files. File hashes can easily be changed, but by leveraging YARA, analysts can perform searches based on file behavior, leading to a lower chance of false positives.
  • Build a composite of knowledge for malware variants by overlaying VirusTotal’s analysis results on top of open-source or premium intelligence information.
  • Mine for potential IOCs in the form of C2 nodes, Registry Keys, etc. to gain a more holistic understanding of the potential threat by discovering how and where the malware operates.
  • Leverage VirusTotal to detonate potentially malicious files as part of an investigation such as phishing email triage, or performing further host-based analysis and remediation.
  • Make EDR and SIEM workflows smarter and more efficient by triaging potentially malicious files early on instead of wasting precious time hunting for false positives.

The following actions are available with this Playbook App:

  • Submit File
  • Get File Results
  • Parse File Results

Together, ThreatConnect and VirusTotal help you to automate remediation tasks and protect your network from sophisticated attacks. If you’re a ThreatConnect customer, please reach out to your dedicated Customer Success Team for more information on utilizing the VirusTotal App. If you’re not yet a customer and are interested in ThreatConnect and this integration, contact us at sales@threatconnect.com.

About the Author
Jeff Quist

Jeff Quist, Product Marketing Manager at ThreatConnect, has 9 years of experience in Sales, Marketing, Product Management, and Product Marketing, mainly in technology and financial services. His professional experience and empathy for customers and partners help him to develop engaging marketing content and empower sales teams. Jeff lives in New York City and in his free time, he enjoys sketching, reading sci-fi novels, and supporting the Boston Bruins.