We’re making a change to the IP address for www.virustotal.com. If you’re currently whitelisting our IP address in your firewall or proxy, you’ll need to update your rules to maintain access to VirusTotal. Starting November 25th, we’ll be gradually transitioning…
Category: VirusTotal Blog
Important Update: IP Address Change for VirusTotal
We’re making a change to the IP address for www.virustotal.com. If you’re currently whitelisting our IP address in your firewall or proxy, you’ll need to update your rules to maintain access to VirusTotal. Starting November 25th, we’ll be gradually transitioning…
Unveiling Hidden Connections: JA4 Client Fingerprinting on VirusTotal
VirusTotal has incorporated a powerful new tool to fight against malware: JA4 client fingerprinting. This feature allows security researchers to track and identify malicious files based on the unique characteristics of their TLS client communications. JA4: A More Robust Successor…
Unveiling Hidden Connections: JA4 Client Fingerprinting on VirusTotal
VirusTotal has incorporated a powerful new tool to fight against malware: JA4 client fingerprinting. This feature allows security researchers to track and identify malicious files based on the unique characteristics of their TLS client communications. JA4: A More Robust Successor…
VirusTotal AI-Generated Conversations: Threat Intel Made Easy
At VirusTotal, we’re constantly exploring new ways to make threat intelligence more digestible and available to a wider audience. Our latest effort leverages the power of AI to create easily understood audio discussions from technical information. Using Google NotebookLM’s innovative…
Leveraging LLMs for Malware Analysis: Insights and Future Directions
By Gerardo Fernández, Joseliyo Sánchez and Vicente Díaz Malware analysis is (probably) the most expert-demanding and time-consuming activity for any security professional. Unfortunately automation for static analysis has always been challenging for the security industry. The sheer volume and complexity…
Exploring the VirusTotal Dataset | An Analyst’s Guide to Effective Threat Research
By Aleksandar Milenkoski (SentinelOne) and Jose Luis Sánchez Martínez VirusTotal stores a vast collection of files, URLs, domains, and IPs submitted by users worldwide. It features a variety of functionalities and integrates third-party detection engines and tools to analyze the…
VirusTotal += Huorong
We welcome Huorong anti-malware engine to VirusTotal. In the words of the company: “Huorong is a Chinese information security company founded in 2011, which has been committed to the research and development of endpoint security products. Huorong anti-malware engine utilizes…
We Made It, Together: 20 Years of VirusTotal!
Hi Everyone, We can hardly believe it, but VirusTotal is turning 20 on June 1st! As we sit down to write this, we’re filled with a mix of pride and gratitude. It’s been an incredible journey, and we wouldn’t be…
Tracking Threat Actors Using Images and Artifacts
When tracking adversaries, we commonly focus on the malware they employ in the final stages of the kill chain and infrastructure, often overlooking samples used in the initial ones. In this post, we will explore some ideas to track adversary…
YARA is dead, long live YARA-X
For over 15 years, YARA has been growing and evolving until it became an indispensable tool in every malware researcher’s toolbox. Throughout this time YARA has seen numerous updates, with new features added and countless bugs fixed. But today, I’m…
Crowdsourced AI += ByteDefend
We are pleased to announce the integration of a new solution into our Crowdsourced AI initiative. This model, developed by Dr. Ran Dubin from the Department of Computer Science at Ariel University and head of ByteDefend Cyber Lab at the…
VirusTotal’s Mission Continues: Sharing Knowledge, Protecting Together
With the recent announcement of Google Threat Intelligence, I want to take this opportunity, as VirusTotal’s founder, to directly address our community and reiterate our unwavering commitment to our core mission. . First and foremost, I want to assure our…
Analyzing Malware in Binaries and Executables with AI
In a recent post titled “From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis”, published on the Google Cloud Security blog, we explore the capabilities of Gemini 1.5 Pro, which enhances malware analysis by processing up…
Mastering VirusTotal: Certification Course
We are pleased to announce the partnership with The SOC Academy, a new startup dedicated to providing cybersecurity education, debuting with a VirusTotal Certification course. Founded by Laura, a passionate entrepreneur and especially a cybersecurity enthusiast, The SOC Academy aims…
Know your enemies: An approach for CTI teams
VirusTotal’s Threat Landscape can be a valuable source of operational and tactical threat intelligence for CTI teams, for instance helping us find the latest malware trends used by a given Threat Actor to adjust our intelligence-led security posture accordingly. In…
COM Objects Hijacking
The COM Hijacking technique is often utilized by threat actors and various malware families to achieve both persistence and privilege escalation in target systems. It relies on manipulating Component Object Model (COM), exploiting the core architecture of Windows that enables…
Following MITRE’s footsteps in analyzing malware behavior
The MITRE framework helps all defenders speak the same language regarding attackers’ modus operandi. VirusTotal provides multiple data points where MITRE’s Tactics and Techniques are dynamically extracted from samples when detonated in our sandboxes. In particular, samples’ MITRE mapping can…
Following in Mitre’s footsteps and malware behavior
The MITRE framework helps all defenders speak the same language regarding attackers’ modus operandi. VirusTotal provides multiple data points where MITRE’s Tactics and Techniques are dynamically extracted from samples when detonated in our sandboxes. In particular, samples’ MITRE mapping can…
VT Livehunt Cheat Sheet
Today we are happy to announce the release of our “Livehunt Cheat Sheet”, a guide to help you quickly implement monitoring rules in Livehunt. You can find the PDF version here. VirusTotal Livehunt is a service that continuously scans all…
Uncovering Hidden Threats with VirusTotal Code Insight
In the constantly changing world of cybersecurity, generative AI is becoming an increasingly valuable tool. This blog post shows various examples that elude traditional detection engines yet are adeptly unveiled by Code Insight. We explore diverse scenarios, ranging from firmware…
Monitoring malware trends with VT Intelligence
Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications here. VT Intelligence can be a powerful tool for monitoring malware trends, enhancing your detection capabilities and enabling proactive defense against evolving…
Hunting for malicious domains with VT Intelligence
Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications here. Many cyberattacks begin by victims visiting compromised websites that host malware or phishing scams, threat actors use domains for different malicious…
Sigma rules for Linux and MacOS
TLDR: VT Crowdsourced Sigma rules will now also match suspicious activity for macOS and Linux binaries, in addition to Windows. We recently discussed how to maximize the value of Sigma rules by easily converting them to YARA Livehunts. Unfortunately, at…
Protecting the perimeter with VT Intelligence – malicious URLs
Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications here. One of the main attacking vectors attackers use for credential theft and malware deployment are malicious link-based attacks leveraging impersonated websites…
Protecting the perimeter with VT Intelligence – Email security
Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications here. One of the most common attack vectors to gain access to your network is through phishing emails with attachments containing malware,…
VTMondays
Welcome to VTMondays! A weekly series of bite-sized educational pills exploring the use of VirusTotal in real-world scenarios. Here’s what you’ll get: Short lessons: VTMondays are packed with valuable info in under 5 minutes read. Real-world scenarios: We’re not talking…
How AI is shaping malware analysis
We just released our “Empowering Defenders: How AI is shaping malware analysis” report, where we want to share VirusTotal’s visibility to help researchers, security practitioners and the general public better understand the nature of malicious attacks, this time focusing on…
Actionable Threat Intel (VI) – A day in a Threat Hunter’s life
Kaspersky’s CTI analysts recently released their Asian APT groups report, including details on behavior by different adversaries. Following our series on making third-party intelligence actionable using VirusTotal Intelligence, we have put on our threat hunter’s hat to find samples and…
The definitive VirusTotal’s admin guide
VirusTotal administrators’ tasks are key for the good health of the groups they manage. Unfortunately it is not always clear the best way to do this or that task. But we heard our beloved community, and we created the definitive…
Unifying threat context with VirusTotal connectors
In an age where cyber threats continue to grow in sophistication and frequency, the pursuit of a unified threat contextualization platform is no longer a mere convenience but an absolute necessity. When faced with an unfamiliar file, hash, domain, IP…
The path from VT Intelligence queries to VT Livehunt rules: A CTI analyst approach
< div> This post will explain the process you can follow to create a VT Livehunt rule from a VT Intelligence query. Something typical in threat hunting and threat intelligence operations. Let’s assume that, as a threat hunter, you created…
It’s all about the structure! Creating YARA rules by clicking
Since we made our (extended) vt module available for LiveHunt YARA rules we understand it is not easy for analysts to keep in mind all the new potential possibilities – too many of them! Our goal is to make YARA…
Crowdsourced AI += NICS Lab
We are pleased to share that NICS Lab, a security research group from the Computer Science Department at the University of Malaga, is joining the Crowdsourced AI initiative at VirusTotal. By extending our capabilities using a different AI model for…
Actionable Threat Intel (V) – Autogenerated Livehunt rules for IoC tracking
As we previously discussed, YARA Netloc uncovers a whole new dimension for hunting and monitoring by extending YARA support to network infrastructure. All VirusTotal users have already access to different resources, including templates, a GitHub repository, and the official documentation…
VirusTotal Malware Trends Report: Emerging Formats and Delivery Techniques
We just released a new edition of our “VirusTotal Malware Trends Report” series, where we want to share VirusTotal’s visibility to help researchers, security practitioners and the general public better understand the nature of malicious attacks, this time focusing on…
VirusTotal Malware Trends Report: Emerging Formats and Delivery Techniques
We just released a new edition of our “VirusTotal Malware Trends Report” series, where we want to share VirusTotal’s visibility to help researchers, security practitioners and the general public better understand the nature of malicious attacks, this time focusing on…
Actionable Threat Intel (IV) – YARA beyond files: extending rules to network IoCs
We are extremely excited to introduce YARA Netloc, a powerful new hunting feature that extends YARA supported entities from traditional files to network infrastructure, including domains, URLs and IP addresses. This opens endless possibilities and brings your hunting to a…
Apology and Update on Recent Accidental Data Exposure
We are writing to share information about the recent customer data exposure incident on VirusTotal. We apologize for any concern or confusion this may have caused. On June 29, an employee accidentally uploaded a CSV file to the VirusTotal platform.…
VirusTotal += Crowdsourced AI
We are pleased to announce the launch of Crowdsourced AI, a new initiative from VirusTotal, dedicated to leveraging the power of AI in tandem with community contributions. Spearheading this endeavor, Hispasec brings to the table an AI solution designed to…
Actionable Threat Intel (III) – Introducing the definitive YARA editor
One of VirusTotal’s biggest strengths is its Hunting capabilities using YARA rules. In addition to matching all files against a big set of crowdsourced YARA rules, it also allows users to create their own detection and classification rules. YARA was…
Threat hunting converting SIGMA to YARA
Malware threat hunting is the process of proactively searching for malicious activity. It is a critical part of any organization’s security posture, as it can help to identify and mitigate threats that may have otherwise gone undetected. Sigma rules and…
VirusTotal += Docguard
We are excited to announce our integration with DOCGuard for the analysis of Office documents, PDFs and other file types as a behavioral analysis engine. This document analysis collaboration will allow the community to get the another opinion on the scanned documents. …
Inside of the WASP’s nest: deep dive into PyPI-hosted malware
Photo by Matheus Queiroz on Unsplash In late 2022 we decided to start monitoring PyPI, arguably the most important Python repository, as there were a number of reports on it hosting malware. PyPI took exceptional relevance amongst all repositories as,…
Actionable Threat Intel (II) – IoC Stream
Access to RELEVANT threat data is a recurring challenge highlighted by SOCs and CTI teams, at VirusTotal we want to help you understand your unique threat landscape. Indeed, tracking campaigns and threat actors in VirusTotal’s Threat Landscape module should be…
AI boosts Code Language and File Format identification on VirusTotal
We are pleased to announce that VirusTotal has improved the identification of programming languages and file formats through the implementation of Generative AI (artificial intelligence). Historically, automating these tasks has been quite challenging, especially when it comes to certain scripting…
VirusTotal += Mandiant Permhash: Unearthing adversary infrastructure and toolkits by leveraging permissions similarity
Last Monday our colleagues over at Mandiant rolled out Permhash. In their own words, Permhash is an extensible framework to hash the declared permissions applied to Chromium-based browser extensions and APKs allowing for clustering, hunting, and pivoting similar to import…
VT Code Insight: Updates and Q&A on Purpose, Challenges, and Evolution
Following the announcement of VirusTotal Code Insight at the RSA Conference 2023, we’ve been thrilled by the overwhelmingly positive response from the cybersecurity community. As enthusiasm grows, we’ve been flooded with inquiries from those keen to discover more about Code…
Actionable Threat Intel (I) – Crowdsourced YARA Hub
YARA rules are an essential tool for detecting and classifying malware, and they are one of VirusTotal’s cornerstones. Other than using your own rules for Livehunts and Retrohunts, in VirusTotal we import a number of selected crowdsourced rules provided by…
Introducing VirusTotal Code Insight: Empowering threat analysis with generative AI
At the RSA Conference 2023 today, we are excited to unveil VirusTotal Code Insight, a cutting-edge feature that leverages artificial intelligence for code analysis. Powered by Google Cloud Security AI Workbench, Code Insight produces natural language summaries of code snippets…
APT43: An investigation into the North Korean group’s cybercrime operations
Introduction As recently reported by our Mandiant’s colleagues, APT43 is a threat actor believed to be associated with North Korea. APT43’s main targets include governmental institutions, research groups, think tanks, business services, and the manufacturing sector, with most victims located…
VirusTotal += Deep Instinct
We welcome Deep Instinct to VirusTotal. In their own words: “Deep Instinct is the only prevention-first cybersecurity company with a natively architected deep learning platform. We keep enterprises safe by stopping >99% of threats before other solutions even see them…
Deep Instinct += VirusTotal
We welcome Deep Instinct to VirusTotal. In their own words: “Deep Instinct is the only prevention-first cybersecurity company with a natively architected deep learning platform. We keep enterprises safe by stopping >99% of threats before other solutions even see them…
Introducing VT4Splunk – The official VirusTotal App for Splunk
TL;DR: VT4Splunk, VirusTotal’s official Splunk plugin, correlates your telemetry with VirusTotal context to automate triage, expedite investigations and unearth threats dwelling undetected in your environment. This extends Splunk’s own VirusTotal plugin for their SOAR. Next March 30th we will host…
Threat Hunting with VirusTotal – Episode 2
Last week we conducted the second episode of our “Threat Hunting with VirusTotal” open training session, where we covered YARA services at VirusTotal. We focused on practical aspects of YARA rules providing real life examples of infamous malware and historical…
Threat Hunting with VirusTotal
We recently conducted our first “Threat Hunting with VirusTotal” open training session, providing some ideas on how to use VT Intelligence to hunt for in-the-wild examples of modern malware and infamous APT campaigns. In case you missed it, here you…
Upgrading from API v2 to v3: What You Need to Know
The VirusTotal API is a versatile and powerful tool that can be utilized in so many ways. Although it is commonly used for threat intelligence enrichment and threat analysis, the potential uses are virtually limitless. The latest version, VirusTotal API…
Upgrading from API v2 to v3: What You Need to Know
The VirusTotal API is a versatile and powerful tool that can be utilized in so many ways. Although it is commonly used for threat intelligence enrichment and threat analysis, the potential uses are virtually limitless. The latest version, VirusTotal API…
Lessons learned from 2022
One of our goals is sharing with the security community as much as we learn from VirusTotal’s data to help stop, monitor and mitigate malicious activity. When looking back to 2022 we observe different interesting trends; we decided to go…
Is malware abusing your infrastructure? Find out with VirusTotal!
Any organization’s infrastructure might inadvertently be abused by attackers as part of a malicious campaign. It is therefore important to monitor any suspicious activity. VirusTotal can help you identify these threats and improve your threat detection and protection capabilities. In…
Is malware abusing your infrastructure? Find out with VirusTotal!
Any organization’s infrastructure might inadvertently be abused by attackers as part of a malicious campaign. It is therefore important to monitor any suspicious activity. VirusTotal can help you identify these threats and improve your threat detection and protection capabilities. In…
Lessons learned from 2022
One of our goals is sharing with the security community as much as we learn from VirusTotal’s data to help stop, monitor and mitigate malicious activity. When looking back to 2022 we observe different interesting trends; we decided to go…
Lessons learned from 2022
One of our goals is sharing with the security community as much as we learn from VirusTotal’s data to help stop, monitor and mitigate malicious activity. When looking back to 2022 we observe different interesting trends; we decided to go…
Mandiant’s CAPA + GoReSym to reinforce VT’s capabilities
VirusTotal, the world’s largest crowdsourced threat intelligence platform, is made possible thanks to a large community of security practitioners and vendors who integrate into our platform their best security tools. We are happy to announce the inclusion of two remarkable…