Skip to content
English
Sign in
Contact us
  • There are no suggestions because the search field is empty.

Creating a VirusTotal hash lookup

This article outlines the process of automating VirusTotal hash lookups using Cydarm. By integrating Cydarm with VirusTotal, you can streamline your analysis workflows and gain insights into potential threats.

Overview

Cydarm can be used to trigger automated lookups against other platforms, VirusTotal in this instance, for analysis purposes.

This article details how to configure the automated lookup, and write the desired response body from the lookup, which will be added to the case notes.

Prerequisites

A VirusTotal Connector has been configured.

VirusTotal configuration instructions 

1. Create connector

If you haven't done so, you will need to create a Connector using the VirusTotal Connector instructions.

2. Create file hash trigger

  1. Navigate to Settings > Triggered Automations > Create Triggered Automation

  2. Basic settings:

    • Choose trigger (event type): Case STIX data created

    • Name: VirusTotal lookup hash

    • Condition: event.observable.type == 'file'

    • Select action: Send Generic Webhook

    • Select connector: your VirusTotal Connector

    • Check Activate automation on Submit

    • Click Next

  3. Operation settings (configure template - to create the URL path):

    • URL Path: /files/{{ event.observable.file.hashes.SHA-256 }}

    • HTTP Method: GET

    • Headers:

      • Key name: x-apikey

      • Value: {{ connector.config.api_key }}

    • Request Template is empty as all the information exists in the URL path

    • Check Process response in Cydarm

    • Success Response Codes: auto sets at 200

  4. Response Template (optional): Create your own response template.

  5. See example:

{{#response.body}}
{{#data}}
{{#attributes}}
Malicious votes: {{total_votes.malicious}}
Harmless votes: {{total_votes.harmless}}


Suggested label: {{popular_threat_classification.suggested_threat_label}}


Type description: {{type_description}}


Type tags:
{{#type_tags}}
* {{.}}
{{/type_tags}}


{{/attributes}}
{{/data}}


[Link to result](https://www.virustotal.com/gui/{{data.type}}/{{data.id}})
{{/response.body}}
  1. Submit to create an active triggered automation.

3. How to use triggered actions in a Cydarm case

When you're in a case, you can add a hash to a case, which will then send it to VirusTotal for analysis.

  1. Click the Add Item button.

  2. Select Add Data > File > File name/name/description.

  3. Hash Type: SHA-256.

  4. Enter Hash: Paste the hash in field.

  5. Press Save to create a STIX indicator with the Hash.

  6. The triggered action will fetch data from VirusTotal, and add it to the case thread.

  7. Link to result > takes you straight to the VirusTotal result!

Gotchas

  • Please remember to use capital letters for hash names, such as SHA-256 instead of sha-256, or MD5 instead of md5.


For more detailed technical information please refer to our Cydarm API documentation.