VMRay

At VMRay, our purpose is to liberate the world from undetectable digital threats.

Led by reputable cyber security pioneers, we develop best-in-class technologies to help organizations distinguish genuine threats from the noise and obtain additional context and insights into those threats.

Based on the world’s most advanced malware and phishing analysis platform, we enable enterprises, government organizations, and MSSPs to automate security operations, accelerate analysis and response, and build reliable threat intelligence. In times of uncertainty and complexity, we create room for clarity and productivity to help security teams thrive.

Integrations

VMRay Platform

The VMRay Platform (formerly Analyzer) Playbook App simplifies and automates submitting files and URLs for analysis by VMRay’s TotalInsight and FinalVerdict solutions. It processes the results from the analysis reports into TI Ops as new Indicators (such as File Hash, IP Address, Domain, and URL) and Tags, along with the full analysis report. The App supports actions such as:

  • Submit File
  • Get File Results
  • Parse File Results
  • Submit URL
  • Get URL Results
  • Parse URL Results

This App can be found in the App Catalog in ThreatConnect TI Ops under the name: VMRay Analyzer. Playbook templates for the App can be found under Downloads on this page.

VMRay Threat Intelligence

The VMRay Threat Intelligence Job App automates the ingestion of threat intel from files and URLs analyzed by VMRay TotalInsight and FinalVerdict. Malicious IOCs are continuously fed from VMRay to ThreatConnect as a feed, ensuring CTI and security operations analysts have the latest intel from attacks against their organization, and can leverage that intel for proactive defense.

VMRay with Polarity

The Polarity - VMRay integration gives analysts complete insight into hashes, including whether a hash in their environment was determined to be malicious. It also lets analysts understand the attack techniques used when the file runs, and lets them upload a file to check whether it has already been run through VMRay.

Examples

Data Overview - Hash Overview

When running a search against VMRay, analysts quickly get an overview of the hash: whether the sample is malicious, when it was submitted, and the file associated with it.

Data Overview - Sample Details

When an analyst navigates to the Details tab, they can quickly see the hashes associated with the sample, copy them out to search or add to a report, and see the file size of the submitted file.

Data Overview - File Summary

When an analyst clicks on the Summary tab in the details pane of the overlay window, they get the full analysis details of the file, including what was or was not malicious about the file, what threats were identified, and more.

Data Overview - Known ATT&CKs

When clicking on the ATT&CK tag, analysts can quickly see which ATT&CK techniques VMRay has identified and associated with the file. This gives the analyst a better idea of how the threat actor is deploying the file to attack their network, enabling faster response and triage.

Data Overview - Associated IOCs

When an analyst clicks on the IOCs tab, they can quickly see any indicators of compromise that VMRay has associated with the file. Analysts can then pivot on those IOCs and look them up in Polarity to see whether they have been seen in their environment.

Data Overview - File Check

On the File Check tab of the integration, an analyst can quickly upload a file to check whether that file already has an associated sample in VMRay. Polarity translates the file into a hash and then looks up that hash in VMRay, so the analyst can see whether it was submitted. If it was not, they can quickly pivot to VMRay to add the file for submission.

Built By Polarity