Synapse-VirusTotal User Guide

Synapse-VirusTotal adds Storm commands that query the VirusTotal API with your existing VirusTotal API key and model the results (file reports, "In the Wild" URLs) as Synapse nodes.

Getting Started

Check with your Synapse admin that you have been granted the permissions for the Synapse-VirusTotal Storm commands, and find out whether you need to set your own personal VirusTotal API key.

Examples

Setting your personal API key

To set up a personal API key (the --self flag stores the key for the current user; treat the key as a credential and do not share it):

> virustotal.setup.apikey --self myapikey
Setting Synapse-VirusTotal API key for the current user.

Get the VirusTotal report for a file

Query the VirusTotal file report API using a hash:sha256 node. With --yield the command emits the file:bytes node it creates or updates from the report rather than the inbound hash:sha256 node; the report's reputation, vhash and vote counts are stored as extended properties under :_virustotal, and the VirusTotal tags are applied under #rep.vt:

> hash:sha256#myhash | virustotal.file.report --yield
file:bytes=sha256:02a69029bf2b0c97bfb9ddbbe6e89409f1b11007a92d8ca4a6df6597b72eb453
        .created = 2024/04/17 17:19:23.985
        .seen = ('2017/11/20 19:41:21.000', '2021/07/19 16:01:03.000')
        :_virustotal:reputation = -101
        :_virustotal:vhash = 893472e80b8f6c729a3952ab290e9a4f7
        :_virustotal:votes:harmless = 0
        :_virustotal:votes:malicious = 2
        :md5 = c5117ac5232ed7980d1672b820ac1a8d
        :mime = application/rtf
        :sha1 = 02b16bf68b44828aa253b526aa1e8f1896f49250
        :sha256 = 02a69029bf2b0c97bfb9ddbbe6e89409f1b11007a92d8ca4a6df6597b72eb453
        :size = 8078
        #rep.vt.cve_2017_0199
        #rep.vt.cve_2017_11882
        #rep.vt.exploit
        #rep.vt.ole_embedded
        #rep.vt.rtf

Get “In the Wild” URLs for a file

Find “In the Wild” URLs (locations from which VirusTotal has seen the file downloaded) for a file using a hash:sha256 node; with --yield the command emits the inet:url nodes it creates, each with a .seen interval covering the observations:

> hash:sha256#myhash | virustotal.file.itwurls --yield
inet:url=http://arishitz.net/files/tmp/CVE-2017-11882/example/exploit.rtf
        .created = 2024/04/17 17:19:26.231
        .seen = ('2019/11/13 12:05:20.000', '2019/11/13 12:05:20.001')
        :base = http://arishitz.net/files/tmp/CVE-2017-11882/example/exploit.rtf
        :fqdn = arishitz.net
        :params =
        :path = /files/tmp/CVE-2017-11882/example/exploit.rtf
        :port = 80
        :proto = http
inet:url=https://od.lk/d/MzRfNjM5ODI5N18/test.rtf
        .created = 2024/04/17 17:19:26.310
        .seen = ('2019/07/10 07:39:42.000', '2019/07/10 07:39:42.001')
        :base = https://od.lk/d/MzRfNjM5ODI5N18/test.rtf
        :fqdn = od.lk
        :params =
        :path = /d/MzRfNjM5ODI5N18/test.rtf
        :port = 443
        :proto = https
inet:url=https://raw.githubusercontent.com/Ridter/CVE-2017-11882/master/example/exploit.rtf
        .created = 2024/04/17 17:19:26.389
        .seen = ('2019/04/07 18:35:51.000', '2019/04/07 18:35:51.001')
        :base = https://raw.githubusercontent.com/Ridter/CVE-2017-11882/master/example/exploit.rtf
        :fqdn = raw.githubusercontent.com
        :params =
        :path = /Ridter/CVE-2017-11882/master/example/exploit.rtf
        :port = 443
        :proto = https
inet:url=https://raw.githubusercontent.com/embedi/CVE-2017-11882/master/example/exploit.rtf
        .created = 2024/04/17 17:19:26.469
        .seen = ('2017/11/23 01:38:11.000', '2019/01/29 23:43:39.000')
        :base = https://raw.githubusercontent.com/embedi/CVE-2017-11882/master/example/exploit.rtf
        :fqdn = raw.githubusercontent.com
        :params =
        :path = /embedi/CVE-2017-11882/master/example/exploit.rtf
        :port = 443
        :proto = https

Use of meta:source nodes

Synapse-VirusTotal creates a meta:source node named virustotal api and links it to every node it creates or updates from VirusTotal data with a -(seen)> lightweight edge, so you can tell which nodes in the Cortex were observed via the VirusTotal API.

> meta:source=acb670cd23617d825418435c8061e622
meta:source=acb670cd23617d825418435c8061e622
        .created = 2024/04/17 17:19:23.911
        :name = virustotal api

Storm can filter nodes on the presence or absence of that edge. The following example keeps only the file:bytes nodes that have been observed by Synapse-VirusTotal: the subquery filter passes a node when walking a seen edge backwards from it reaches the meta:source node. Replacing the leading + with - inverts the filter and keeps only nodes that have not been observed. The guid shown is the one from this example; in your own Cortex you can lift the node by its :name instead of hard-coding the guid.

> hash:sha256#myhash -> file:bytes +{ <(seen)- meta:source=acb670cd23617d825418435c8061e622 }
file:bytes=sha256:02a69029bf2b0c97bfb9ddbbe6e89409f1b11007a92d8ca4a6df6597b72eb453
        .created = 2024/04/17 17:19:23.985
        .seen = ('2017/11/20 19:41:21.000', '2021/07/19 16:01:03.000')
        :_virustotal:reputation = -101
        :_virustotal:vhash = 893472e80b8f6c729a3952ab290e9a4f7
        :_virustotal:votes:harmless = 0
        :_virustotal:votes:malicious = 2
        :md5 = c5117ac5232ed7980d1672b820ac1a8d
        :mime = application/rtf
        :sha1 = 02b16bf68b44828aa253b526aa1e8f1896f49250
        :sha256 = 02a69029bf2b0c97bfb9ddbbe6e89409f1b11007a92d8ca4a6df6597b72eb453
        :size = 8078
        #rep.vt.cve_2017_0199
        #rep.vt.cve_2017_11882
        #rep.vt.exploit
        #rep.vt.ole_embedded
        #rep.vt.rtf
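The following Storm query is an added example and is not part of the Synapse-VirusTotal documentation or the Power-Up's own code. It chains the commands from the file report and “In the Wild” URL examples above into a single enrichment pass and uses the meta:source seen edge to skip nodes that have already been enriched. It assumes the #myhash tag and the meta:source named virustotal api shown above; the tag #example.vt.itw is made up for this example and is not a tag the Power-Up applies.

```storm
// Start from the hashes tagged #myhash, but skip any whose file:bytes
// node already has a seen edge from the VirusTotal meta:source. The
// meta:source is matched by :name rather than by the guid shown in the
// example output. On repeated runs this avoids spending API quota
// re-fetching reports that are already in the Cortex.
hash:sha256#myhash
-{ -> file:bytes <(seen)- meta:source +:name="virustotal api" }

// Fetch the file report and yield the file:bytes nodes it creates or
// updates instead of the inbound hash:sha256 nodes.
| virustotal.file.report --yield

// Keep only files that at least one VirusTotal user has voted malicious.
| +:_virustotal:votes:malicious>0

// Pivot back to the hash:sha256 node (via :sha256) and fetch the
// "In the Wild" URLs, yielding the inet:url nodes.
| -> hash:sha256
| virustotal.file.itwurls --yield

// Tag the URLs (#example.vt.itw is made up for this example; the
// Power-Up does not apply it) and pivot to the hosting FQDNs for
// follow-on investigation.
| [ +#example.vt.itw ]
| -> inet:fqdn

// To audit everything the Power-Up has observed, walk the seen edges
// forward from the meta:source instead:
//   meta:source:name="virustotal api" -(seen)> *
```

The negative subquery filter also passes hashes that have no file:bytes node yet, since the pivot inside the subquery yields nothing for them, so new hashes are always queried while previously enriched ones are skipped.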