Reversing Labs

ReversingLabs solutions drastically accelerate and broaden organizations’ ability to detect new threats, respond to incidents and gain intelligence on attacks. Large enterprises and security vendors use these solutions as a foundation for protecting digital assets. Our solutions implement unique, innovative technologies that detect and analyze threats within files. TitaniumCore™ Automated Static Analysis evaluates internal threat indicators in files in milliseconds to support real-time and high-volume applications. TitaniumCloud™ File Reputation service identifies and provides up-to-date threat intelligence on 2 billion goodware and malware files.

Integrations

ReversingLabs A1000

This integration is a series of Components that allow users to do malware analysis with ReversingLabs A1000 and TiCloud. The following apps and actions are available:

  • Analyze File with ReversingLabs - The Reversing Labs API lets you submit a supported file type for ReversingLabs analysis. Use this app to automate the submission of new malware files. The app attempts to detect whether a file is in ZIP format and, if it is, automatically unzips the file before sending it to the ReversingLabs API.
  • Download ReversingLabs Sample - This app downloads a sample residing on A1000. If a sample is in the cloud, you will need to download it to the A1000 instance that you are using first.
  • Get ReversingLabs Summary Report - This app uses hash_value(s) to get a summary classification report and details for a sample or list of samples.

These apps can be found in the ThreatConnect App Catalog under the names: Analyze File with ReversingLabs, Download ReversingLabs Sample, and Get ReversingLabs Summary Report.


Built By ThreatConnect

ReversingLabs Ransomware & Related Tools Threat Intelligence List

This threat intel list includes fresh indicators not only from ransomware but also from the tools used to gain access and deploy ransomware, giving defenders the opportunity to discover adversaries' initial network access and lateral movement before their data is encrypted. Our threat intelligence researchers analyze ransomware attack trends and the security landscape to ensure that only the most up-to-date and relevant malware families are dissected to create technical indicators. This integration is available for download on the ThreatConnect Marketplace.

Key Features

  • Indicators from multiple stages of typical attacks allow for early detection and the ability to reduce damage associated with IP theft and ransomware attacks.
  • Aggressive aging of the indicators ensures only relevant indicators are active in the list.
  • Extensive post-processing of indicators eliminates or reduces confidence on indicators likely to produce false positives.
  • Indicators such as IP, Domain and Hash include tagging to give additional context such as MITRE ATT&CK, network parameters, attack stage and malware family name.

About ReversingLabs

ReversingLabs is the leading provider of explainable threat intelligence solutions that dissect complex file-based threats for enterprises stretched for time and expertise. Its hybrid-cloud Titanium Platform enables digital business resiliency, protects against new modern architecture exposures, and automates manual SOC processes with a transparency that arms analysts to confidently take action and hunt threats.

ReversingLabs TitaniumCloud

With this Playbook app, you can automatically detonate, analyze, and submit files in MalwareBazaar from ThreatConnect to understand if they are malicious and return any contextualized telemetry. This all leads to more informed decision-making and more efficient remediation of malicious files through automation. The following actions are available within the Playbook App:

  • Submit File for Analysis - Automate the submission of new malware files.
  • Download Sample - Download a sample residing on A1000. If a sample is in the cloud, you will need to download it to the A1000 instance that you are using first.
  • Get Extracted Files - Retrieve a list of all extracted files from a sample using the TitaniumCore engine.
  • Get Summary Report - Retrieve a summary classification report and details for a sample or list of samples based on hash_value(s).
  • Get File Reputation - Retrieve TitaniumCloud File Reputation results for files stored on the A1000 instance. The file must be on the A1000 instance. If it is not, you must first upload it and send it to the cloud.
  • Get Report - Retrieve TitaniumCore analysis for a given sample hash value. The file must be uploaded to the A1000 instance beforehand.

This app can be found in the ThreatConnect App Catalog under the name: ReversingLabs.

Built By ThreatConnect

ReversingLabs TitaniumCore

This integration is a series of Components that allow users to do malware analysis with ReversingLabs A1000 and TiCloud. The following apps and actions are available:

  • Get ReversingLabs Extracted Files - This app gets a list of all extracted files from a sample using the TitaniumCore engine.
  • Get ReversingLabs TitaniumCore Results - This app gets TitaniumCore analysis for a given sample hash value. The file must be uploaded to the A1000 instance beforehand.

These apps can be found in the ThreatConnect App Catalog under the names: Get ReversingLabs Extracted Files and Get ReversingLabs TitaniumCore Results.

Built By ThreatConnect

Playbooks

ReversingLabs Playbooks

The Create TitaniumCloud Yara Hunting Ruleset Playbook template allows you to take a YARA rule in ThreatConnect and upload it to ReversingLabs' A1000 Malware Analysis Platform's YARA Hunting capability.

The Delete ReversingLabs TitaniumCloud Yara Hunting Ruleset Playbook template allows users to delete a YARA rule that has been previously uploaded to ReversingLabs' A1000 Malware Analysis Platform's YARA Hunting capability. Note that if you enter the name of a YARA rule that is not present in A1000, the Component will still complete successfully, but will output the message "Failed to delete ruleset. Please see logs for more information".

These Playbook templates can be found in the ThreatConnect App Catalog under the names: Create TitaniumCloud Yara Hunting Ruleset and Delete ReversingLabs TitaniumCloud Yara Hunting Ruleset.


Built By ThreatConnect
