VirusTotal is a great analysis platform for enriching data on IOCs and finding related malicious infrastructure. VT inspects IOCs with over 70 antivirus scanners and URL/domain blacklisting services. The platform offers a search engine for previously scanned items, as well as a number of URL and file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API.
In our opinion, VT's holy grail is its awesome VT Graph - a dynamic threat relations visualization, allowing users to view information about each entity, pivot over data points, edit the graph, and add new nodes. Users can also save their graphs and download the node list.
Check out this analysis example using VT Graph:

Searching on a top-searched IP (92.63.197[.]71) from ThreatSTOP's CheckIOC Hot IOCs, a list showing the most frequently requested IOCs from our in-house IOC analysis tool, we found that 6 security and threat intelligence vendors have flagged the IP as malicious:
(see over 1.5 million connection attempts over the last 7 days from this IP)
Using VT Graph, you can instantly see where this maliciousness is coming from and what it's all about. Looking at the downloading and communicating files, you can see the type of malicious activity happening on the IP. The graph displays the malware name that each vendor gave that specific malware hash, so you can get a few different threat intelligence angles on a file and see whether they all agree it's the same ransomware variant, for example, or whether a few different explanations are offered for the same hash.

Using the Relation Resolutions section of the graph, you can see the resolving domains. As with every entity on the graph, malicious domains are colored red. In our IP's case - 92.63.197[.]71 - some of the domains are red and some are grey. Taking a closer look, it seems that a DGA infrastructure was running on this IP in the past, rotating through domains built on the syntax "mobile-ref[4-5 number string].com". Threat intelligence vendors and scanners caught some of these, but didn't flag all of them as malicious. Using VT Graph, an analyst can easily see the bigger picture, find which DGA domains to block (especially when the domains rotate every once in a while rather than every day), and take further action on this infrastructure.
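The pivot described above can be scripted once the graph's resolution list is exported. The following is an added example (not code from the post or from VirusTotal) that takes constructed resolution records in the shape an analyst would pull from the Relation Resolutions section (domain plus the number of engines flagging it), derives the digit-run template of the domains vendors already flagged, and then surfaces the grey domains that share that template. The record shape, the sample domains and the `min_flagged` threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample: resolution records for the IP in the post. The detection
# counts are made up for illustration; only the domain syntax follows the post.
SAMPLE_RESOLUTIONS = [
    {"domain": "mobile-ref4821.com", "malicious": 5},
    {"domain": "mobile-ref73302.com", "malicious": 0},   # grey in the graph
    {"domain": "mobile-ref9157.com", "malicious": 3},
    {"domain": "mobile-ref18064.com", "malicious": 0},   # grey in the graph
    {"domain": "example-cdn.net", "malicious": 0},       # unrelated hosting tenant
    {"domain": "mobile-ref2290.com", "malicious": 0},    # grey in the graph
    {"domain": "static-cache2.net", "malicious": 4},     # flagged, but a one-off
]


def template_of(domain):
    """Collapse every run of digits to '#', so that mobile-ref4821.com and
    mobile-ref73302.com map to the same template 'mobile-ref#.com'."""
    return re.sub(r"\d+", "#", domain.lower())


def expand_cluster(resolutions, min_flagged=2):
    """Find DGA-style clusters among the resolving domains.

    A template counts as a cluster only when at least `min_flagged` domains with
    that template were already flagged by some engine; this keeps a single
    flagged one-off (static-cache2.net above) from dragging unrelated domains
    into the blocklist.  Returns (flagged, unflagged) sorted lists of domains
    belonging to such clusters.
    """
    flagged_per_template = Counter(
        template_of(r["domain"]) for r in resolutions if r["malicious"] > 0
    )
    clusters = {t for t, n in flagged_per_template.items() if n >= min_flagged}
    flagged, unflagged = [], []
    for r in resolutions:
        if template_of(r["domain"]) in clusters:
            (flagged if r["malicious"] > 0 else unflagged).append(r["domain"])
    return sorted(flagged), sorted(unflagged)


if __name__ == "__main__":
    red, grey = expand_cluster(SAMPLE_RESOLUTIONS)
    print("already flagged:", red)
    print("same DGA syntax, not yet flagged:", grey)
```

The `grey` list is the set of domains the vendors missed but that an analyst would add to the block candidates after reviewing the graph.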
Want to find out about more tools like this? Check out our Free Open Source Analysis Tools Series post about enrichment and connecting the dots using analysis tools.
Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?