This article describes the Intelligence Card Extension for ReversingLabs. Feedback and improvement ideas are welcome, and can be submitted at https://ideas.recordedfuture.com.
About ReversingLabs
ReversingLabs is a provider of game-changing solutions for detection and analysis of advanced cyber threats.
Extending Hash Intelligence Cards
Through a partnership established between Recorded Future and ReversingLabs in 2017, all Recorded Future clients have access to the following information on Hash Intelligence Cards:
- File reputation
- Sample file stats [including malware family, if applicable]
- Other hashes for the file (e.g., SHA1, SHA256, SHA512, MD5)
The extension appears near the top of the intelligence card and is called "Hash Data Powered by ReversingLabs":
Clients with a separate ReversingLabs subscription can also enable a commercial access-only version of the ReversingLabs extension that includes additional information. Please see the Getting Started With Intelligence Card Extensions page if you're interested in enabling this extension.
Commercial Access with Limited privilege credentials:
- SHA1 hashes for similar files as determined by the ReversingLabs Hash Algorithm (RHA)
- Anti-Virus (AV) Scanner summary and detailed results
- Link to ReversingLabs Advanced Threat Analysis Portal
- Threat Actors related to the malware family
Example (from a search on 40f1b160b88ff98934017f3f1e7879a5):
Commercial Access with Complete privilege credentials:
The ReversingLabs commercial extension with complete privilege credentials includes everything available with limited privilege credentials, plus the following:
- Recent Hashes for the related malware family sorted based on first seen date
- Extensive threat actor mapping from Recorded Future data and ReversingLabs data
Example (from a search on 40f1b160b88ff98934017f3f1e7879a5):
In both cases you can pivot in Recorded Future on these elements of the ReversingLabs response:
- File Hashes
- Malware Family Name
- Threat Actor Names
Extending Malware Intelligence Cards
ReversingLabs threat intelligence for a malware family can be accessed on a Malware Intelligence Card by clients that have complete privilege credentials for ReversingLabs. These clients have access to the following information:
- Time range for the intelligence
- Categories to which the malware belongs
- Recent and prior detections, with additional information
- Extensive threat actor mapping from Recorded Future data and ReversingLabs data
- Link to ReversingLabs Advanced Threat Analysis Portal
Example (from a search on PlugX):
You can pivot in Recorded Future on these elements of the ReversingLabs response:
- File Hashes
- Threat Actor names
Extending IP Address and Domain Intelligence Cards
You can enrich any IP Address and Domain Intelligence Card with the following threat intelligence from ReversingLabs:
- SHA-1 file hashes that are linked to the given IP address or Domain
You can pivot in Recorded Future on these elements of the ReversingLabs response:
- File Hashes
Example (from a search on 127.0.0.1):
Clients with access to Vulnerability API privileges
Clients can also enrich Vulnerability Intelligence Cards with the following information from ReversingLabs:
- Recent file hashes that include the vulnerability
- Scanner results from the most recent 4 weeks
Example (from CVE-2017-11882):
Other Resources
The ReversingLabs commercial extension queries different API endpoints depending on the privilege level of the credentials:
- Limited Privileges
  - TCA-0101 File Reputation (Malware Presence)
  - TCA-0103 Historic Scan Records (Xref)
  - TCA-0301 RHA Functional Similarity
  - TCA-0401 URI to Hash Search (list of file hashes associated with a given URI)
- Complete Privileges
  - TCA-0101 File Reputation (Malware Presence)
  - TCA-0103 Historic Scan Records (Xref)
  - TCA-0301 RHA Functional Similarity
  - TCA-0304 Malware Family Search (returns a list of hashes based on an input string)
  - TCA-0312 APT Indicator Search (returns new malware hashes belonging to an APT tool or actor)
  - TCA-0313 Financial Services Indicator Search
  - TCA-0314 Retail Sector Indicator Search
  - TCA-0315 Ransomware Search
  - TCA-0316 CVE Search
  - TCA-0401 URI to Hash Search (list of file hashes associated with a given URI)
- Vulnerability Privileges
  - TCA-0311 Vertical Statistics Feed
  - TCA-0316 Vertical Feeds Search
ReversingLabs Overview: https://www.youtube.com/watch?v=CCqMB5oEQTQ
ReversingLabs Hashing Algorithm: https://www.youtube.com/watch?v=oizsQIF0YZU