VirusTotal Hunting

Find the needle in the haystack, track new variants of your surveilled malware families.

Get notified whenever your YARA rules match

Apply the power of YARA to VirusTotal's live flux of samples, as well as back in time against historical data, in order to track the evolution of the threat actors and malware families that interest you and automatically generate IoCs to protect your organisation.

Get notified whenever your YARA rules match, receive in-depth information for your matches and download the pertinent files for further offline study.


LIVEHUNT: HOOK INTO VIRUSTOTAL'S FILE FLUX

YARA rules uploaded to Malware Hunting are applied to all files sent to VirusTotal from all around the world, live. Whenever there is a rule match you get an immediate notification. Notifications can be viewed via the web interface, email alerts or retrieved through a REST API.

GENERATE IOCS VIA API

Build programmatic workloads that combine this capability with other VT Enterprise features, such as sandboxing or static analysis, in order to generate a feed of indicators of compromise to power up your security defenses.

RETROHUNT: YARA BACK IN TIME

Create a YARA rule and apply it back in time to the existing dataset in order to discover early versions of attacks that you might only recently have discovered. Understand how an attacker has evolved over time.

DOWNLOAD MATCHES FOR OFFLINE STUDY

Files matching your rules can be downloaded for further offline study, and the entire process can be automated through the REST API.

MAP OUT CAMPAIGNS IN VT GRAPH

A simple click transfers all Retrohunt matches into VT Graph in order to visually lay out a threat campaign as a node graph, allowing you to understand commonalities and shared threat infrastructure.

Filter out the noise from VirusTotal's file uploads, focus on malware families that target you, download every new variant and pump them into your dedicated analysis infrastructure.

RICH HUNTING SYNTAX

Different kinds of strings

Condition terms can rely on hexadecimal strings, text strings or regular expressions.

Multiple conditions

String counting, string offsets or virtual addresses, match length, file size, executable entry point, data at a given position, iteration, etc.

Extensible

Leverage the power of modules such as the PE or Cuckoo modules in order to combine file-content rules with behavioural or structural conditions.

VirusTotal specific externals

Add conditions that are exclusive to the data generated by VirusTotal for a file, e.g. tags, antivirus detections, etc.
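As an added illustration of the syntax features listed above (an example rule written for this page, not a rule from VirusTotal or Cosive), the following Livehunt-style rule combines the three string types, the counting and offset operators, data at a fixed position, a PE-module iteration, a Cuckoo behaviour condition and VirusTotal externals. Every string, byte pattern, name and threshold in it is a constructed placeholder, and the external names `new_file`, `positives` and `tags` are assumed to be the legacy Livehunt externals.

```yara
import "pe"
import "cuckoo"

// Constructed demonstration rule: the patterns below do not correspond to
// any real malware family and are chosen only to exercise the syntax.
rule Hunting_Syntax_Demo
{
    meta:
        description = "Shows hex/text/regex strings, counting, offsets, pe and cuckoo modules, VT externals"
        author      = "added example"

    strings:
        // Hexadecimal string with wildcard bytes and a variable-length jump
        $hex = { 68 ?? ?? 40 00 E8 [4-8] 83 C4 04 }
        // Text string matched as ASCII and UTF-16, case-insensitively
        $txt = "HuntingDemoMutex" ascii wide nocase
        // Regular expression for a constructed URL path pattern
        $re  = /\/api\/v[0-9]\/(beacon|task)\.php/ nocase

    condition:
        // Data at a given position: "MZ" header, i.e. a DOS/PE executable
        uint16(0) == 0x5A4D and
        filesize < 2MB and
        pe.entry_point != 0 and
        // String counting: the mutex name must appear at least twice
        #txt >= 2 and
        // String offset: first hex match must lie in the first 64 KiB
        @hex[1] < 0x10000 and
        $re and
        // Structural conditions from the PE module
        pe.number_of_sections > 3 and
        pe.imports("kernel32.dll", "CreateMutexW") and
        // Iteration over PE sections, looking for a non-standard section name
        for any i in (0..pe.number_of_sections - 1) : (
            pe.sections[i].name == ".hunt"
        ) and
        // Behavioural condition from the Cuckoo module (sandbox report)
        cuckoo.sync.mutex(/HuntingDemoMutex/) and
        // VirusTotal-specific externals (assumed legacy Livehunt names)
        new_file and
        positives > 5 and
        tags contains "peexe"
}
```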

DETAILED PICTURE

This is some of the additional information available for files matching your search criteria:

Submission metadata

First seen and last seen dates, number of submissions, submission file names, submission countries, submission dates, ciphered submitter identifier, submission interface, number of distinct submitters, etc.

Static information

Sigcheck, packer information, PE structure, Exif attributes, ELF structure, package contents, OLE VBA Macro code stream, suspicious PDF properties, embedded file icons, etc.

Dynamic information

Behavior characterization through sandbox execution for major operating systems: Windows, Android, OS X and Linux.

Complete scanning information

All reports on a given sample, not only the latest snapshot. Understand how threat detections evolve over time, discover the in-the-wild lifespan of malware.

Telemetry metadata

Partner tools contribute rich end-user PC metadata to our dataset, e.g. Windows registry keys in which an executable is registered for autolaunch upon reboot, creation date on end-user machine, full name and path of the file.

Goodware and whitelisting information

Goodware index, VirusTotal Community voting, aggregation of publicly available goodware databases as well as legitimate software whitelisting details shared by top partners and ingested from VirusTotal Monitor.

DIVERSE SOURCES

Global origins

Files submitted from 232 unique ISO country codes, which includes almost 3M distinct sources in the last year.

Structural clustering of polymorphic variants

198,000 clusters generated per day during an average month. About 35% of all files with a feature hash are clustered in the top 200 collections.

File types

Over 100 identified file types seen per day, on average. Examples: Win32 DLL, Win32 EXE, HTML, Java Bytecode, Android, PDF, Text, Mach-O, ZIP, PNG, XML, MS Word, JPEG, ELF, RAR, Office Open XML, C++, C, GZIP, JAR, DOS EXE, MS Excel, MP3, Python, 7ZIP, Windows, GIF, Email

ITW file origin

More than 400M files with origin information; more than 100M portable executables from distinct URLs; more than 200M files with rich telemetry data; more than 5M emails for rich contextual information.

LARGE VOLUMES OF DATA

2.4B

More than 2.4B files in the dataset

Many files with strong signals to help security researchers identify malware

2M-8M

Between 2M and 8M URLs analysed per day

Approximately 300k per day are distinct and detected by more than 5 URL scanners

1.8M

File feeds with approximately 1.8M file analyses per day

Files included for download, with all raw data available. Feed includes rescans of files with updated information

Powered by Google infrastructure

With the data security, reliability and computation power of the Google infrastructure
