ReversingLabs

This article describes the Intelligence Card Extension for ReversingLabs. Feedback and improvement ideas are welcome, and can be submitted at https://ideas.recordedfuture.com.


About ReversingLabs

ReversingLabs is a provider of game-changing solutions for detection and analysis of advanced cyber threats.

Extending Hash Intelligence Cards

Through a partnership established between Recorded Future and ReversingLabs in 2017, all Recorded Future clients have access to the following information on Hash Intelligence Cards:

  • File reputation
  • Sample file stats [including malware family, if applicable]
  • Other hashes for the file (e.g., SHA1, SHA256, SHA512, MD5)

The extension appears near the top of the intelligence card and is called "Hash Data Powered by ReversingLabs":

[Screenshot: the "Hash Data Powered by ReversingLabs" section near the top of a Hash Intelligence Card]

Clients with a separate ReversingLabs subscription can also enable a commercial-access version of the ReversingLabs extension that includes additional information. See the Getting Started With Intelligence Card Extensions page if you're interested in enabling this extension.

Commercial Access with Limited privilege credentials:

  • SHA1 hashes of functionally similar files, as determined by the ReversingLabs Hashing Algorithm (RHA)
  • Anti-Virus (AV) Scanner summary and detailed results
  • Link to ReversingLabs Advanced Threat Analysis Portal
  • Threat Actors related to the malware family

Example (from a search on 40f1b160b88ff98934017f3f1e7879a5):

[Screenshot: limited-privilege ReversingLabs results for the hash above]

Commercial Access with Complete privilege credentials:

The commercial extension with complete-privilege credentials includes everything shown with limited-privilege credentials, plus:

  • Recent hashes for the related malware family, sorted by first-seen date
  • Extensive threat actor mapping from Recorded Future data and ReversingLabs data

Example (from a search on 40f1b160b88ff98934017f3f1e7879a5):

[Screenshot: complete-privilege ReversingLabs results for the hash above]

In both cases you can pivot in Recorded Future on these elements of the ReversingLabs response:

  • File Hashes 
  • Malware Family Name
  • Threat Actor Names

Extending Malware Intelligence Cards

ReversingLabs threat intelligence for a malware family can be accessed on a Malware Intelligence Card by clients that have complete-privilege ReversingLabs credentials. These clients have access to the following information:

  • Time range for the intelligence
  • Categories to which the malware belongs
  • Recent and prior detections, with additional information
  • Extensive threat actor mapping from Recorded Future data and ReversingLabs data
  • Link to ReversingLabs Advanced Threat Analysis Portal

Example (from a search on PlugX):

[Screenshot: ReversingLabs section on the PlugX Malware Intelligence Card]

You can pivot in Recorded Future on these elements of the ReversingLabs response:

  • File Hashes
  • Threat Actor names

Extending IP Address and Domain Intelligence Cards

You can enrich any IP Address and Domain Intelligence Card with the following threat intelligence from ReversingLabs:

  • SHA-1 file hashes that are linked to the given IP address or Domain

You can pivot in Recorded Future on these elements of the ReversingLabs response:

  • File Hashes

Example (from a search on 127.0.0.1):

Clients with access to Vulnerability API privileges

Clients can also enrich Vulnerability Intelligence Cards with the following information from ReversingLabs:

  • Recent file hashes of samples associated with the vulnerability
  • Scanner results from the most recent 4 weeks

Example (from CVE-2017-11882):

[Screenshots: ReversingLabs section on the CVE-2017-11882 Vulnerability Intelligence Card]
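The sections above cover four indicator shapes that land on different Intelligence Cards (file hashes, IP addresses, domains and CVE identifiers). The following helper is an added example written for this article, not Recorded Future or ReversingLabs code: it classifies a raw indicator string into the card type it would be looked up on and, for hashes, names the digest algorithm by length, rejecting look-alikes (a 40-character string that is not all hex, an IPv4 address with an out-of-range octet). The defang handling ("[.]" in pasted indicators) and the exact IPv4, domain and CVE format rules are assumptions of the example.

```python
"""Classify a raw indicator into the Intelligence Card type it belongs on.

Added illustration for this article; not Recorded Future or ReversingLabs
code. The card types (hash, IP, domain, vulnerability) are the ones the
article describes; the format rules below are ordinary syntax checks and
are assumptions of this example, not product behaviour.
"""
import re
from typing import Optional, Tuple

# Hex digest lengths for the hash types the article lists on Hash cards.
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256", 128: "SHA512"}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
# Hostname labels: letters, digits and hyphens, no leading/trailing hyphen,
# followed by an alphabetic top-level label. (Assumed rule, not RL's.)
DOMAIN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE
)


def _is_ipv4(s: str) -> bool:
    """Strict dotted quad: four decimal octets, each 0-255, no leading zeros."""
    parts = s.split(".")
    if len(parts) != 4:
        return False
    for p in parts:
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 255:
            return False
    return True


def classify_indicator(value: str) -> Tuple[str, Optional[str]]:
    """Return (card_type, detail) for a raw indicator string.

    card_type is "hash", "ip", "domain", "vulnerability" or "unknown";
    detail is the hash algorithm name for hashes and None otherwise.
    Surrounding whitespace and defanged dots ("[.]") are normalised first,
    since indicators pasted from reports commonly carry them.
    """
    s = value.strip().replace("[.]", ".")
    # Hash: all-hex string of a known digest length. A string of the right
    # length containing non-hex characters is deliberately not a hash.
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) in HASH_LENGTHS:
        return "hash", HASH_LENGTHS[len(s)]
    if CVE_RE.match(s):
        return "vulnerability", None
    # IPv4 is checked before the domain pattern so that "127.0.0.1" is not
    # misread as a hostname with numeric labels.
    if _is_ipv4(s):
        return "ip", None
    if DOMAIN_RE.match(s):
        return "domain", None
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample inputs, including the values used in this article.
    for ioc in ("40f1b160b88ff98934017f3f1e7879a5", "127.0.0.1",
                "CVE-2017-11882", "example[.]com", "g" * 40, "256.1.1.1"):
        print(f"{ioc!r:45} -> {classify_indicator(ioc)}")
```

Hashes are classified purely by length, so the MD5 example from this article (32 hex characters) resolves to MD5 and a 64-character hex string to SHA256; nothing here contacts Recorded Future or ReversingLabs, it only decides which card type to pivot to.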


Other Resources

The ReversingLabs commercial extension calls different ReversingLabs TitaniumCloud API (TCA) endpoints depending on the privilege level:

  • Limited Privileges
    • TCA-0101 File reputation (Malware Presence)
    • TCA-0103 Historic Scan Records (Xref)
    • TCA-0301 RHA Functional Similarity
    • TCA-0401 URI to Hash Search (List of file hashes associated with given URI)
  • Complete Privileges
    • TCA-0101 File reputation (Malware Presence)
    • TCA-0103 Historic Scan Records (Xref)
    • TCA-0301 RHA Functional Similarity
    • TCA-0304 Malware Family Search (returns a list of hashes matching an input string)
    • TCA-0312 APT Indicator Search (Returns new malware hashes belonging to APT tool or actor)
    • TCA-0313 Financial Services Indicator Search
    • TCA-0314 Retail Sector Indicator Search
    • TCA-0315 Ransomware Search
    • TCA-0316 Vertical Feeds Search (CVE search)
    • TCA-0401 URI to Hash Search (List of file hashes associated with given URI)
  • Vulnerability Privileges
    • TCA-0311 Vertical Statistics Feed
    • TCA-0316 Vertical Feeds Search

ReversingLabs Overview: https://www.youtube.com/watch?v=CCqMB5oEQTQ
ReversingLabs Hashing Algorithm: https://www.youtube.com/watch?v=oizsQIF0YZU

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.