
# VirusTotal

Version: 1.0.1 · Category: Threat Intelligence · Plan: Base+

VirusTotal aggregates detection results from many security vendors for file hashes, URLs, IPs, and domains. Use this connector only when your workspace is configured with a customer-provided VirusTotal API key.

!!! info "Looking for quick TI without an API key?"
    AttackThreat is the built-in threat intelligence layer. Use a customer-configured VirusTotal connector only when you specifically need vendor-specific VirusTotal data or workflows.

## Tools

### get_file_report — File hash analysis

Comprehensive file analysis via hash (MD5, SHA-1, or SHA-256):

  • Detection verdicts from 70+ antivirus engines
  • File metadata (type, size, first seen, last analysis date)
  • Behavioral indicators (network connections, dropped files, registry changes)
  • Key relationships: dropped files, contacted domains/IPs, threat actor associations

Example:

Check whether this file hash is malicious: 44d88612fea8a8f36de82e1278abb02f


### get_file_relationship — File relationship graph

Enumerate a file's relationship graph to pivot from the sample to related indicators:

| Relationship type | Description |
|---|---|
| contacted_domains | Domains contacted during execution |
| contacted_ips | IPs contacted during execution |
| dropped_files | Files written to disk by this sample |
| behavior_summary | Sandbox behavioral profile |
| embedded_urls | URLs found inside the file |

Use after get_file_report to expand from one IOC to full infrastructure.


### get_url_report — URL safety analysis

Scans a URL across 90+ security engines:

  • Final URL after following all redirects
  • Per-engine detection verdicts (malicious / phishing / clean)
  • Threat categories (malware, phishing, spam, etc.)
  • HTTP response metadata

Example:

Analyze the safety of this URL: http://suspicious-site.example.com/payload.exe


### get_url_relationship — URL relationship data

Pivot from a suspicious URL to its full infrastructure footprint:

  • Downloaded files (malware distributed from this URL)
  • Contacted domains and IPs
  • Redirecting URLs (sources that redirect to this URL)
  • Embedded links

### get_ip_report — IP threat intelligence

IP address analysis from VirusTotal's perspective:

  • Geolocation and ASN / ISP details
  • Detection rates across engines
  • Reputation history and threat score
  • Associated communicating files

Example:

What is the threat score for IP 185.220.101.1 on VirusTotal?


### get_ip_relationship — IP relationship data

  • Communicating files (malware samples that contacted this IP)
  • Historical DNS resolutions
  • SSL certificates hosted on this IP
  • Sibling IPs sharing the same ASN or behavior cluster

### get_domain_report — Domain intelligence

Full domain reconnaissance in a single call:

  • WHOIS data (registrar, creation/expiration, nameservers)
  • DNS record history (A / AAAA / MX / NS / TXT)
  • SSL certificate chain
  • Security engine categories and verdicts

Example:

Query the DNS records and associated IPs for evil-domain.com


### get_domain_relationship — Domain relationship graph

  • Subdomains and sibling domains
  • Historical DNS resolutions
  • Communicating malware files
  • URLs hosted on this domain
  • SSL certificate siblings (domains sharing the same certificate)

## Configuration

VirusTotal requires your own API key (bring your own key, BYOK).

| Item | Description |
|---|---|
| VIRUSTOTAL_API_KEY | Your personal VirusTotal API key |

!!! info "Getting an API key"
    Register at VirusTotal and go to My API key. Free accounts are rate-limited to 4 requests/min and 500/day — sufficient for most investigation workflows.

## Investigation workflow

1. Extract IOCs from alerts (hashes, URLs, IPs, domains)

2. get_file_report hash:"<SHA256>"
   → Confirm whether the file is a known malicious sample
   → Detection rate > 10/70 = high-confidence malicious

3. get_file_relationship hash:"<SHA256>" relationship:"contacted_ips"
   → Pivot to C2 infrastructure from the malware sample

4. get_ip_report ip:"<C2-IP>"
   → Understand attacker infrastructure; cross-validate with AbuseIPDB and Shodan

5. get_domain_report domain:"<phishing-domain>"
   → Enumerate DNS and SSL history for the attacker's domain

6. get_url_report url:"<suspicious-URL>"
   → Verify phishing or malware distribution link before clicking
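The steps above can be modelled offline. The following Python is an added example and is not part of the connector or of VirusTotal's own tooling: it extracts IOCs from a constructed alert (step 1), identifies which hash type a value is, applies the page's "more than 10 detections = high-confidence malicious" rule to a file object shaped like a VirusTotal API v3 response (`data.attributes.last_analysis_stats` and `last_analysis_results`), computes the v3 URL identifier (unpadded base64url of the URL) used to look up a URL report, and pulls pivot targets out of a v3-shaped relationship response (`data` array of `{type, id}` objects). All sample data (`SAMPLE_ALERT`, `SAMPLE_FILE_REPORT`, `SAMPLE_CONTACTED_IPS`) is constructed; the engine names and the `203.0.113.7` address are placeholders.

```python
"""Offline model of the VirusTotal investigation workflow (added example, constructed data)."""
import base64
import re
from dataclasses import dataclass, field

# Hex digest length -> algorithm; get_file_report accepts MD5, SHA-1 or SHA-256.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

# Last labels that mark a "domain" match as really being a file name (extend as needed).
FILE_EXTENSIONS = {"exe", "dll", "pdf", "docx", "xlsx", "zip", "js", "txt", "ps1"}

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def hash_algo(h: str) -> str:
    """Name the hash algorithm from the hex length, or raise for anything else."""
    if not re.fullmatch(r"[0-9a-fA-F]+", h) or len(h) not in HASH_ALGOS:
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {h!r}")
    return HASH_ALGOS[len(h)]


def _dedupe(items):
    """Drop duplicates while keeping first-seen order."""
    return list(dict.fromkeys(items))


def extract_iocs(text: str) -> dict:
    """Step 1: pull hashes, URLs, IPv4 addresses and domains out of free-form alert text."""
    urls = _dedupe(URL_RE.findall(text))
    rest = URL_RE.sub(" ", text)  # URL hosts are reported once, as URLs, not again as domains
    domains = [d for d in DOMAIN_RE.findall(rest)
               if d.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS]
    return {
        "hashes": _dedupe(h.lower() for h in HASH_RE.findall(text)),
        "urls": urls,
        "ipv4": _dedupe(IPV4_RE.findall(rest)),
        "domains": _dedupe(domains),
    }


def vt_url_id(url: str) -> str:
    """VirusTotal API v3 URL identifier: base64url of the URL with '=' padding removed."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def url_from_vt_id(url_id: str) -> str:
    """Inverse of vt_url_id: restore the padding and decode."""
    return base64.urlsafe_b64decode(url_id + "=" * (-len(url_id) % 4)).decode()


@dataclass
class Verdict:
    label: str
    malicious: int        # engines that flagged the file
    engines: int          # engines that returned any verdict
    families: list = field(default_factory=list)  # distinct detection names


def classify_file_report(report: dict, threshold: int = 10) -> Verdict:
    """Step 2: more than `threshold` engine detections = high-confidence malicious (the page's rule)."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "harmless", "undetected"))
    malicious = stats.get("malicious", 0)
    if malicious > threshold:
        label = "high-confidence malicious"
    elif malicious > 0:
        label = "low-prevalence detection: review manually"
    else:
        label = "no detections"
    families = _dedupe(r["result"] for r in attrs.get("last_analysis_results", {}).values()
                       if r.get("category") == "malicious" and r.get("result"))
    return Verdict(label, malicious, engines, families)


def relationship_ids(rel_response: dict, object_type: str) -> list:
    """Step 3: collect pivot targets (e.g. contacted IPs) from a v3-shaped relationship response."""
    return [obj["id"] for obj in rel_response.get("data", []) if obj.get("type") == object_type]


# ---- constructed sample input (not real telemetry) ----
SAMPLE_SHA256 = "ab" * 32  # placeholder digest
SAMPLE_ALERT = f"""constructed EDR alert, host WS-042:
process invoice.exe sha256 {SAMPLE_SHA256} md5 44d88612fea8a8f36de82e1278abb02f
outbound 185.220.101.1:443 then GET http://suspicious-site.example.com/payload.exe
dns lookup evil-domain.com"""

SAMPLE_FILE_REPORT = {  # shaped like a v3 file object; counts and engine names are made up
    "data": {"type": "file", "id": "44d88612fea8a8f36de82e1278abb02f", "attributes": {
        "last_analysis_stats": {"malicious": 58, "suspicious": 0, "undetected": 12, "harmless": 0, "timeout": 0},
        "last_analysis_results": {
            "VendorA": {"category": "malicious", "result": "Trojan.Generic"},
            "VendorB": {"category": "malicious", "result": "Trojan.Generic"},
            "VendorC": {"category": "undetected", "result": None},
        }}}}

SAMPLE_CONTACTED_IPS = {  # shaped like a v3 relationship response; 203.0.113.7 is a placeholder
    "data": [{"type": "ip_address", "id": "185.220.101.1"}, {"type": "ip_address", "id": "203.0.113.7"}],
    "meta": {"count": 2}}

if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_ALERT)
    print("IOCs:", iocs)
    for h in iocs["hashes"]:
        print(h, "->", hash_algo(h))
    print("verdict:", classify_file_report(SAMPLE_FILE_REPORT))
    print("pivot to IPs:", relationship_ids(SAMPLE_CONTACTED_IPS, "ip_address"))
    print("URL id:", vt_url_id(iocs["urls"][0]))
```

The IOC extractor strips URLs before looking for domains so a URL's host is not counted twice, and filters matches whose last label is a file extension; both are heuristics and should be tuned to the alert sources in use. The threshold in `classify_file_report` is the page's 10/70 rule and is deliberately a parameter so it can be lowered for high-value assets.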