VTI Cheatsheet

The entity: modifier determines the output type (ip, domain, url, file or collection) of a VT Intelligence search. Note that, depending on the entity selected, some modifiers can or cannot be used (full details are available for files, URLs, domains and IPs). A few examples:

entity:ip asn:15169 communicating_files_max_detections:30+ detected_communicating_files_count:5+
entity:domain downloaded_files_max_detections:20+
entity:url p:3+ have:tracker
entity:file tag:signed p:10+
entity:collection (name:apt OR tag:apt)

SUSPICIOUS DOCUMENTS

Recently created documents with embedded macros, detected by at least 5 AVs:
(type:doc OR type:docx) tag:macros p:5+ generated:30d+

Excel files bundled with PowerShell scripts and uploaded to VT in the last 10 days:
(type:xls OR type:xlsx) tag:powershell fs:10d+

Documents with obfuscated VBA code executing other files:
(type:doc OR type:docx) tag:exe-pattern tag:run-file tag:obfuscated

Suspicious documents (according to AV verdicts) with specific names:
type:document name:"My Company Name" p:5+

Or documents used as email attachments:
type:document name:"My Company Name" tag:attachment

Follina-like exploit payloads:
entity:file magic:"HTML document text" tag:powershell have:itw_url

Or any observable exploiting any vulnerability published since 2022:
tag:cve-2022-*

NETWORK AND INFRASTRUCTURE

Search for URLs with known suspicious endpoints. Useful when searching for additional infrastructure:
entity:url path:logpost.php

URLs within a certain Top Level Domain (tld) with specific meta content in the HTML response:
entity:url tld:xyz meta:"admin panel"

URLs with specific cookie names ("cookie" modifier) or specific cookie values ("cookie_value" modifier):
entity:url cookie:njnmsdkfsdfbiuonsdkfnsdfl
entity:url cookie_value:1433a6c2ee8a92a887d7bfcc90b0c171

URLs related to a specified parent domain/subdomain with a specific header in the response:
entity:url header_value:"Apache/2.4.41 (Ubuntu)" parent_domain:domain.org

Suspicious (recently updated on VirusTotal) IPs within a specified ASN/subnet:
entity:ip asn:15169 (urls_max_detections:5+ OR reputation:-20- OR p:5+ OR communicating_files_max_detections:10+ OR downloaded_files_max_detections:10+ OR referring_files_max_detections:10+ ) last_modification_date:3d+
entity:ip ip:"172.31.0.0/16" (urls_max_detections:5+ OR reputation:-20- OR p:5+ OR downloaded_files_max_detections:5+ OR referring_files_max_detections:10+ OR (detected_communicating_files_count:2+ AND communicating_files_max_detections:5+ ) ) last_modification_date:7d+

BEHAVIOR (DURING SANDBOX DETONATION)

Find samples with a given network-related sandbox output (ip, domain, USER_AGENT or any other PCAP content):
behavior_network:bumblebee (type:peexe OR type:pedll)

Samples contacting a specific endpoint. This helps discover additional samples deploying the same backend on different infrastructure:
behaviour_network:"/vpnchecker.php"

Search by any file system operation (open, write, read, remove). Useful in different cases, such as dropping malware payloads with specific names:
behaviour_files:"<SYSTEM32>\\windowspowershell\\v1.0\\powershell.exe" AND behaviour_files:"%TEMP%\\4.ps1"
behaviour_files:"/80C.dat" AND behaviour_files:"/7FC.dat"

Samples attempting to execute PowerShell with an Execution Policy bypass:
behaviour_processes:"powershell.exe -ep bypass -File"

Samples abusing the VSSAdmin tool to remove shadow volume copies (can be used to detect all sorts of ransomware/cryptolocker malware):
behaviour_processes:"\\vssadmin.exe delete shadows /all /quiet"

NON-WINDOWS SAMPLES

Signed iOS app packages detected by at least 5 AVs:
tag:iphone tag:signed p:5+

Use any entity (a hardcoded URL, a resource string or any other statically determined object) to match against Androguard output. For instance, part of SpyMaster's stalkerware URL:
androguard:"spyMobile/"

APKs that mimic a legitimate app by using the same icon*, but with a different signature:
main_icon_dhash:c0c0c0c0fcc8e4e4 type:apk AND NOT androguard:"O:BBVA" AND NOT androguard:"OU:BBVA"

*Note: main_icon_dhash is the hash used for visual similarity. The best way to find the hash you are looking for is to locate the legitimate resource (file or domain) in VirusTotal and click on visual similarity.

APK files with a specific package name (note: this modifier is new, so it only works for files indexed since March 2022):
androguard_package:org.xmlpush.v3

Searching for APKs containing certain files in the assets directory:
( "assets/s.bin" AND "assets/l.bin" ) OR ( "assets/s.bin" AND "assets/m.bin" ) OR ( "assets/m.bin" AND "assets/c.bin" )

IN THE WILD MALWARE

Suspicious malware (according to AV verdicts) downloaded from a given URL:
itw:cdn.domain.com p:5+

Any iOS/macOS malware with ITW distribution details available:
(type:apple OR type:mac) have:in_the_wild p:5+

iOS/macOS files served from a given URL:
(type:apple OR type:mac) itw:cdn.domain.com

Malware contacting (during sandbox detonation) a given IP address or subnet:
contacted_ip:194.36.189.179
contacted_ip:194.36.189.0/15

Files which seem to communicate with DGA C&C domains, exhibit P2P C&C communication or use already inactive C&C infrastructure:
entity:file tag:suspicious-dns
entity:file tag:suspicious-udp
entity:file tag:nxdomain

Download here: virustotal.com/go/vti-cheatsheet
virustotal.com
V.1.1

VT INTELLIGENCE CHEAT SHEET

SIGNATURES

Searching for leaked or stolen certificates, using a submission timestamp after the leak date. This example uses the Nvidia leaked certificates:
fs:"2022-03-01T00:00:00+" ( signature:"43 bb 43 7d 60 98 66 28 6d d8 39 e1 d0 03 09 f5" OR signature:"14 78 1b c8 62 e8 dc 50 3a 55 93 46 f5 dc c5 18" )

Suspicious (according to AV verdicts) recent signed files with valid signatures:
signature:"© Microsoft Corporation. All rights reserved." tag:signed p:5+ not (tag:invalid-signature or tag:revoked-cert) fs:2022-01-01+

COLLECTIONS

Searching for collections containing specific names or tags:
entity:collection (name:Sofacy OR tag:Sofacy OR name:apt28 OR tag:apt28)

Extracting a specific type of IOC (file, ip, domain, url) from a certain collection*:
collection:alienvault_60eff240c7c9cb4f24907049 entity:file type:pedll p:10+

*Note: The ID for a given collection can be found in the browser's URL when visiting it.

EMAILS

APT DETECTION

Using AV verdicts (all of them, or certain vendors only):
engines:wellmess
kaspersky:wellmess OR eset:wellmess

Looking for domains related to a specified APT based on users' comments:
entity:domain ( comment:APT29 OR comment:CozyBear OR comment:NobleBaron OR comment:UNC2452 OR comment:YTTRIUM )

Getting all recent files detected by crowdsourced rules (YARA, IDS, Sigma) related to a specific actor:
crowdsourced_yara_rule:APT29 OR crowdsourced_ids:APT29 OR sigma_rule:976e44f1eafa22eaa455580b185aaa44b66676f51fe2219d84736dc8b997d3e OR crowdsourced_yara_rule:CozyBear OR crowdsourced_ids:CozyBear OR sigma_rule:34f4cff056f24abe91bb29dc04a37ee746a4255101a21724b9ff28d79785247a

*Note: IDs for sigma_rule can be found by clicking on "Other files" when exploring a particular rule, or by checking all crowdsourced rules.

List all recent collections related to a specific actor:
entity:collection ( name:APT29 OR tag:APT29 OR name:CozyBear OR tag:CozyBear ) creation_date:2021-01-01+

MODIFIER REFERENCE

positives:/p: - number of AV detections (positives:20+ positives:31)
children_positives:/cp: - number of detections of children files for a given sample, i.e. bundles, ROMs, etc.
engines: - any AV verdict name (engines:"Android.Zbot.1")

FILE METADATA

size: - (size:500+, size:120KB+, size:15MB-)
type: - full list here [1] (type:pdf)
name: - (name:"winshell.ocx")
content: - string/binary (content:"Hello World!", content:{CAFEBABE})
creation_date: - (creation_date:2018-08-21T18:18:38)
lang: - for PE and office files mainly (lang:farsi, lang:"portuguese brazilian", lang:"es-ar")
metadata: - any other indexed metadata [1] (metadata:"Ubuntu Developers")

SUBMISSION

fs: - first submission (fs:2012-08-21T16:00:00+ fs:2012-08-21T16:59:22-, fs:3d+)
ls: - last submission
la: - last analysis
submissions:/s: - number of times the file was submitted (submissions:10+ submissions:20-)
sources: - number of distinct sources
submitter: - country code and web/api (submitter:web submitter:BR)

sigcheck:/signature: - sigcheck output (sigcheck:"Google Update Setup")
section:/sectionmd5: - name/md5 of the section (section:".xxx", sectionmd5:d41…)
imports: - (imports:"crypt32.dll")
exports: - name of exported function (exports:"_FormMain")
exports: - [PE] difference in seconds between first submission time and compilation (exports:100-)
resource: - [PE] resource type/file type/sha256 (resource:"RTF_FILE")
segment: - [MACHO] segment with the name provided (segment:"__LINKEDIT")
androguard: - [Android] any indexed Androguard output (androguard:"Time Out Bistro")

SANDBOX

behavior:/behaviour: [3] - any entity from SB reports (behavior:"explorer.exe")
behavior_files: - file system changes (behavior_files:Crack)
behavior_processes: - executed process (behavior_processes:"calc.exe")
behavior_registry: - Windows registry modifications (behavior_registry:dc971ee5-44eb)
behavior_services: - services and daemons (behavior_services:TheServiceName)
behavior_tags: - tags generated by sandboxes [4] (behavior_tags:mysql_communication)
sandbox_name: - only a specific SB report [5] (sandbox_name:VirusTotal)

TTPs

WEB

1. https://support.virustotal.com/hc/en-us/articles/360001385897
2. https://www.mandiant.com/blog/tracking-malware-import-hashing/
3. "behaviour" = "behavior" here and below
4. https://support.virustotal.com/hc/en-us/articles/360017236198
5. https://support.virustotal.com/hc/en-us/articles/360001385897-File-search-modifiers
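The query syntax used throughout this sheet (modifier:value pairs, implicit AND between terms, parenthesised OR groups, double-quoted values containing spaces) can be composed programmatically and paged through the VT Intelligence search API. The following is an added example, not VirusTotal's own code; it assumes the v3 endpoint https://www.virustotal.com/api/v3/intelligence/search with query, limit and cursor parameters and an x-apikey header, and only run_search() touches the network.

```python
import json
import urllib.parse
import urllib.request
from typing import Iterator, Optional

API = "https://www.virustotal.com/api/v3/intelligence/search"  # assumed v3 endpoint


def term(modifier: str, value: str) -> str:
    """One modifier:value pair; values with spaces, parentheses, colons or
    quotes are double-quoted so VTI parses them as a single token."""
    if any(c in value for c in ' ():"'):
        value = '"' + value.replace('"', '\\"') + '"'
    return f"{modifier}:{value}"


def any_of(*terms: str) -> str:
    """Parenthesised OR group, safe to AND with neighbouring terms."""
    return "(" + " OR ".join(terms) + ")"


def build(*parts: str) -> str:
    """Whitespace between parts is an implicit AND in VTI syntax."""
    return " ".join(p for p in parts if p)


def request_for(query: str, api_key: str, limit: int = 10,
                cursor: Optional[str] = None) -> urllib.request.Request:
    """Prepare one page request; the cursor comes from the previous page's meta."""
    params = {"query": query, "limit": str(limit)}
    if cursor:
        params["cursor"] = cursor
    url = API + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"x-apikey": api_key})


def run_search(query: str, api_key: str, max_results: int = 50) -> Iterator[dict]:
    """Yield result objects, following meta.cursor until exhausted (network call)."""
    cursor, seen = None, 0
    while seen < max_results:
        req = request_for(query, api_key, min(10, max_results - seen), cursor)
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        for obj in page.get("data", []):
            yield obj
            seen += 1
        cursor = page.get("meta", {}).get("cursor")
        if not cursor or not page.get("data"):
            break
```

build(any_of(term("type", "xls"), term("type", "xlsx")), term("tag", "powershell"), term("fs", "10d+")) reproduces the sheet's "(type:xls OR type:xlsx) tag:powershell fs:10d+" query, which run_search() then pages through with your API key.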