01 Dec 2020

Enhance Malware Investigations with Maltego and VirusTotal

Maltego Team

These are very exciting times at Maltego! Our team has been hard at work and as a result, over the past few weeks, we have brought you the updated Shodan Transforms, followed by the new Pipl Transforms and Maltego data subscriptions, as well as the new IPQualityScore Transforms.

This time around, we are very excited to present a major update to what is perhaps one of the top items on many Maltego users’ wish lists through two additions to the Transform Hub: the VirusTotal Public API, and the VirusTotal Premium API Hub items!

VirusTotal data integrations in Maltego

Please note that the previous VirusTotal Public API Hub item developed by Malformity Lab has now been deprecated. In order to continue using the updated VirusTotal Transforms, install the new Hub items with existing or newly acquired API keys.

What is VirusTotal?

With a database of over two billion analyzed files, VirusTotal is one of the most renowned and best rated data sources within the cybersecurity sphere, particularly when it comes to malware research.

VirusTotal is popular not only because it is a community-oriented solution, but because it fills a gap for many companies which experience a lack of resources to collect their own malware samples and related indicators of compromise (IOCs).

For the Newbies: What is the Main Difference Between VirusTotal Public and Premium APIs?

The VirusTotal Public API is the solution for non-commercial users and is available to everyone for free. Users can obtain an API key by signing up to the VirusTotal Community here. Among other restrictions, there is one important limitation to take note of for this API: a quota of 500 requests per day and a rate of four requests per minute.

The paid solution available for enterprise users is the Premium API. This is an extension of the Public API and can thus return more threat context, as well as expose advanced threat hunting, malware discovery endpoints and functionality, such as the VirusTotal Intelligence Search queries. More information on the VirusTotal APIs can be found here.

What Can Users Expect from the New VirusTotal Hub Items?

More Transforms than Ever Before

Overall, the Maltego team has developed over one hundred new Transforms for these integrations—seventy-seven for the Public API and thirty-five for the Premium API—therefore ensuring higher efficiency for your investigations and better synergies with the VirusTotal data.

Given the number of Transforms developed, we categorized these into different Transform Sets. Transform Sets are implemented to organize Transforms into smaller groups by topic, making them easily discoverable, and offering users multiple lines of inquiry.

To keep Transform request and response times short, all VirusTotal Transform requests are limited to 256 results. This is because VirusTotal paginates its results at 40 per page, and every page costs one API call.
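The cost of that cap in API calls, as an added example (not Maltego's or VirusTotal's code): a cursor-walking collector in the shape of an APIv3 paginated listing, driven by a constructed offline page server so the 40-per-page and 256-result figures from the post can be checked against the public rate limit. `fetch_page`, `make_fake_fetcher` and the numeric cursor are assumptions for illustration; the real API returns an opaque cursor string under `meta.cursor`.

```python
"""Count the API calls needed to honour a result cap on a paginated VirusTotal-style listing."""
import math
from typing import Callable, Dict, List, Optional, Tuple

PAGE_SIZE = 40            # results per page, as stated in the post
MAX_RESULTS = 256         # per-Transform result cap, as stated in the post
PUBLIC_RATE_PER_MIN = 4   # public API rate limit, as stated in the post
PUBLIC_DAILY_QUOTA = 500  # public API daily quota, as stated in the post


def collect_results(fetch_page: Callable[[Optional[str]], Dict],
                    max_results: int = MAX_RESULTS) -> Tuple[List[Dict], int]:
    """Walk pages until the cap is reached or the cursor runs out.

    fetch_page(cursor) must return a v3-shaped page: {"data": [...], "meta": {"cursor": ...}}.
    Returns (results truncated to max_results, number of API calls made).
    """
    results: List[Dict] = []
    calls = 0
    cursor: Optional[str] = None
    while len(results) < max_results:
        page = fetch_page(cursor)
        calls += 1
        results.extend(page.get("data", []))
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:
            break  # last page: no further cursor offered
    return results[:max_results], calls


def make_fake_fetcher(total: int) -> Callable[[Optional[str]], Dict]:
    """Constructed offline stand-in for the API: serves `total` synthetic objects, PAGE_SIZE per call."""
    def fetch_page(cursor: Optional[str]) -> Dict:
        start = int(cursor) if cursor else 0
        end = min(start + PAGE_SIZE, total)
        items = [{"type": "file", "id": f"constructed-sample-{i}"} for i in range(start, end)]
        meta = {"cursor": str(end)} if end < total else {}
        return {"data": items, "meta": meta}
    return fetch_page


def public_api_budget(calls: int) -> Dict[str, float]:
    """How a run of `calls` requests fits the public API limits from the post."""
    return {
        "minutes_at_rate_limit": math.ceil(calls / PUBLIC_RATE_PER_MIN),
        "runs_per_day": PUBLIC_DAILY_QUOTA // calls if calls else 0,
    }
```

A listing with thousands of matches still stops after seven calls (the seventh page is cut to the 16 results that complete 256), which at four requests per minute is about two minutes of wall clock per Transform.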

New VirusTotal Entities

We have also added ten brand-new VirusTotal specific Entities, which have been created to satisfy unique characteristics within the VirusTotal API.

There are a lot of interesting things about these new Entities. For example, we have added color overlays to the VirusTotal File, IP Address, Domain, and URL Entities. This allows users to estimate the VirusTotal community score, which is based on the number of services that have detected a specific object.

VirusTotal Entities in Maltego

These overlays are rendered as colored dots on the upper-left corner of the Entity. There are four different colors: red (majority of scanners classified a sample as malicious or suspicious), yellow (more than one scanner classified a sample as malicious or suspicious), green (sample detected but marked as harmless by all scanners), and gray (sample not detected by scanners).

You can also visualize the actual score and gain more insights into the Entity by looking at the Detail View. The amount of information available to you in this pane will save you having to move back and forth between Maltego and the VirusTotal platform.
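How those four overlay colours can be derived from the `last_analysis_stats` block that APIv3 returns for a file, IP, domain or URL, as an added example that is not Maltego's own rendering code. The thresholds follow the wording above; how exactly one flagging engine is treated (here: not enough for yellow, so gray) and the exclusion of `timeout`-style counters from the scanner total are assumptions, and the sample stats are constructed.

```python
"""Map VirusTotal APIv3 last_analysis_stats to the overlay colours described in the post."""
from typing import Dict, Tuple

# Counters that represent a scanner verdict. APIv3 file reports also carry
# "timeout", "type-unsupported" and similar counters; those are assumed here
# not to count as scanners that looked at the object.
VERDICT_KEYS = ("malicious", "suspicious", "harmless", "undetected")

# Constructed stats blocks in the shape of attributes.last_analysis_stats.
CONSTRUCTED_STATS: Dict[str, Dict[str, int]] = {
    "widely_detected": {"malicious": 52, "suspicious": 3, "harmless": 10, "undetected": 5, "timeout": 1},
    "few_detections":  {"malicious": 2, "suspicious": 1, "harmless": 60, "undetected": 7},
    "clean_scanned":   {"malicious": 0, "suspicious": 0, "harmless": 70, "undetected": 0},
    "never_detected":  {"malicious": 0, "suspicious": 0, "harmless": 0, "undetected": 70},
    "no_report":       {},
}


def detection_ratio(stats: Dict[str, int]) -> Tuple[int, int]:
    """(flagged, scanned): engines calling it malicious or suspicious over engines with a verdict."""
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    scanned = sum(stats.get(k, 0) for k in VERDICT_KEYS)
    return flagged, scanned


def overlay_colour(stats: Dict[str, int]) -> str:
    """Red: majority flagged. Yellow: more than one flagged. Green: all harmless. Gray: otherwise."""
    flagged, scanned = detection_ratio(stats)
    if scanned == 0:
        return "gray"                       # nothing has looked at the object yet
    if flagged * 2 > scanned:
        return "red"
    if flagged > 1:
        return "yellow"
    if flagged == 0 and stats.get("harmless", 0) == scanned:
        return "green"                      # every scanner that saw it marked it harmless
    return "gray"                           # undetected by scanners (or a single flag; assumption)


def summarize(stats: Dict[str, int]) -> str:
    """Detail-view style line, e.g. '55/70 red'."""
    flagged, scanned = detection_ratio(stats)
    return f"{flagged}/{scanned} {overlay_colour(stats)}"
```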

A New Version of the VirusTotal API

Both Hub items have been developed using the new VirusTotal APIv3. This has allowed Maltego to take advantage of the improvements made by the VirusTotal team in terms of richer data exposure of static information for files, crowdsourced detection details, and many others.

What are Some of the New VirusTotal Transforms?

Annotate Domains, URLs, IP Addresses

Let’s say you have a piece of information such as an IP address, a URL, or a domain. You don’t want to explore its relationships; you just want to find out whether, and what, VirusTotal knows about it. All you need to do is run the corresponding Annotate Transform, as shown below.

These Transforms retrieve the analysis information from VirusTotal, update the existing Entity in place, and add the information to its Detail View. This Transform Set is only available for the Public API Hub item.

Search for Files Using VirusTotal Raw Intelligence Search

This Transform is only available with the Premium API. It allows a user to enter custom VirusTotal search queries and look up files, domains, URLs, IP addresses, and comments. The image below shows a search for files containing keywords related to banking trojans.

Search for Files Using VirusTotal Raw Intelligence Search in Maltego

Investigators can also use this Transform to search VirusTotal for CVEs returned by Shodan.

Use Case: Rapid Analysis for Incident Response with VirusTotal Transforms

That concludes the important changes and functionalities of the new VirusTotal Hub items.

In combination with Maltego, the new VirusTotal Hub items can be extremely helpful as a rapid analysis tool for incident response. Learn more about how you can leverage VirusTotal Transforms to streamline your work process and quickly analyze alerts from your SIEM systems.

We hope you enjoy the VirusTotal updates! Don’t forget to follow us on Twitter and LinkedIn and subscribe to our email newsletter to stay updated on the latest news, tutorials, and use cases.

Happy investigating!
