This article describes the Intelligence Card Extension for VirusTotal.
About VirusTotal
VirusTotal is an online service that analyzes files and URLs, enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners.
You must have an API key in order to use this service. You can sign up for an API key here. Please also see the Getting Started With Intelligence Card Extensions page if you're interested in enabling this extension.
Extending Hash Cards
You can enrich any Hash Card with the following threat intelligence from VirusTotal:
- File Details
- Positive Scans
- Negative Scans
You can pivot in Recorded Future on these elements of the VirusTotal response:
- MD5, SHA-1, SHA256 Hash
Extending IP Address Cards
You can enrich any IP Address Card with the following threat intelligence from VirusTotal:
- Geolocation
- Passive DNS Replication
- Latest Detected URLs
- Latest undetected files that embed this domain in their strings
You can pivot in Recorded Future on these elements of the VirusTotal response:
- Domains
- URLs
- Hashes
Note that if the IP address is not found in the VirusTotal data set, the response will show the following message: "Missing IP address - CODE 0".
Extending Domain Cards
You can enrich Domain Cards with the following threat intelligence from VirusTotal:
- Domain Reputation
- Passive DNS Replication
- Whois lookup
- Observed subdomains
- Latest Detected URLs
- Latest undetected files downloaded from here
- Latest undetected files that embed this domain in their strings
You can pivot in Recorded Future on these elements of the VirusTotal response:
- IP Address
- Domains
- URLs
- Hashes