
VirusTotal

VirusTotal inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal.

Integrations

VirusTotal

VirusTotal provides a system for deploying YARA rules to hunt for files among those submitted for scanning. This can produce a large number of notifications. The VirusTotal Hunting integration provides a process and automation for paring this flow of notifications down to the ones of highest confidence and priority. The most important malware samples are automatically downloaded and made available in the ThreatConnect malware vault for further analysis. The integration can optionally tag samples for analysis by any of the automated malware system integrations available in ThreatConnect. With Playbooks Apps & Templates, users can take the following automated actions:

  • Detonate with VirusTotal - this app sends a file to VirusTotal for analysis
  • Get VirusTotal Behavior Report - this app gets file behavior report results from VirusTotal
  • Get VirusTotal File Report - this app gets file report results from VirusTotal

This app can be found in the ThreatConnect App Catalog under VirusTotal.


Built By ThreatConnect

VirusTotal with Polarity

The Polarity - VirusTotal integration automates lookups of hashes, IPs, domains and URLs in VirusTotal's vast database. This enables users to quickly get the full scope of an indicator, know whether it is potentially malicious, and get information on the scanner results and more.

Examples

Detections

  • Hash Summary Info: The Polarity summary tags for hashes are the number of scanners that flagged the hash as malicious and the top detections those scanners reported.
  • Score Graphic: A quick visual representation of the number of scanners that returned malicious results for the indicator. This lets analysts quickly get a picture of how malicious the indicator in question is.
  • Community Score: A score provided by the VirusTotal community. The community score is a signal of how much activity the indicator in question might be getting from the community.
  • Summary: A quick overview of everything that is happening for an indicator, allowing the analyst to skim this reference and easily make a determination.
  • Positive Detections: Lists all of the scanners that had a positive detection for the indicator; here you can also reference the type of detection reported by each scanner.

Behavior Summary

  • IP/Domain Summary Info: Quickly know whether the IP or domain is related to malware and whether it is suspicious or malicious.
  • Files Referring: For IPs and domains, see which files are related to them, so you can quickly know whether those files exhibit malicious behavior.
  • Whois: Get historical Whois information related to the IPs and domains.

Built By Polarity
