Wednesday, 17 July 2019

VirusTotal MultiSandbox += SNDBOX

Today, VirusTotal is happy to welcome SNDBOX to the Multi-sandbox project. SNDBOX is a cloud based automated malware analysis platform. SNDBOX advanced dynamic analysis capabilities gives additional insights and visibility intro a variety of file-types.

In their own words:
  • SNDBOX malware research platform developed by researchers for researchers and provides static, dynamic and network analysis. 
  • SNDBOX is the first malware research solution to leverage multiple AI detection vectors and undetectable kernel driver analysis. 
  • SNDBOX kernel agent is located between the user mode and kernel mode. The agent has the ability to detect all malicious activities going from the running application to its execution in the operating system.
  • SNDBOX technology delivers in-depth results, quickly while providing AI and big data insights necessary for comprehensive malware research and false positive rate reduction.

Highlighting some examples

Detecting ZBOT variant, with high visibility to “Process Hollowing” and “Process Injection” techniques used by the malware.

On the SNDBOX site you can see malicious network domains, as well as enabling next stage file analysis of dropped files found in analysis.

For VirusTotal Enterprise users, you may click on the mutex, to search for other samples with this same mutex. 

This links to a search of behavior:"7EF531C0" which will lead you to other behaviour reports with the same mutex name.

Revealing malicious network domains, as well as enabling next stage file analysis of dropped files found in analysis.


On VirusTotal take note of the DNS resolutions, and dropped files.  Dropped files are defined as the interesting files that are written to disk by the sample under analysis. 

Pykspa variant, network activity detected with Suricata and dropped files being sent for second stage analysis & detection:

Within the “Registry Keys Set” section we find that the sample is set to RunOnce on next startup, possibly a method to achieve persistence. 

VT Enterprise customers can click on the registry value which uses the “behavior_registry” search modifier  to search for other files that also use the same registry value:  behavior_registry:"nrsyjl"  

Bancteian variant data stealer caught and detected by SNDBOX's signatures:

Within the SNDBOX report check out the detections:

Thursday, 27 June 2019

VirusTotal, Chronicle and Google Cloud

It's been more than seven years since Google acquired VirusTotal, and more than one year since we moved to Chronicle. Today we have another update: Chronicle is joining Google Cloud. This update, like our move to Google a few years back, does not change the mission or focus of VirusTotal. We'll continue to operate independently, focused on our mission of helping keep you safe on the web.

Thursday, 6 June 2019

VirusTotal += Segasec URL scanner

We have added Segasec to the assortment of URL scanners on VirusTotal. You can find the results when scanning a URL at

In their own words:

Segasec is a Tel-Aviv based cyber-security startup providing end-to-end digital threat protection against consumer phishing attacks that originate in your blind spot - beyond the enterprise perimeter. Segasec’s patent-pending technology provides intelligence of upcoming attacks at the earliest possible preparation stages, running quadrillions of targeted scans that identify even unknown attack patterns. Segasec blocks compromised assets before they become a live risk, because once customer trust is broken, it’s already too late.

If you ask our customers what made them pick us over the competition, this is what they say -  End-to-end solution, in an entirely managed service. Early, proactive detection, both for brand and non-brand related threats. Fast and efficient block and take down, in under 3 hours.   Zero integration and fast onboarding .

If you would like to see a few example detections, checkout these reports:

Tuesday, 14 May 2019

VirusTotal += SecureAge

We welcome SecureAge APEX scanner to VirusTotal. In the words of the company:

“SecureAge APEX is an anti-malware scanning engine powered by artificial intelligence, designed to extend the detection capabilities of the SecureAge SecureAPlus endpoint protection platform (EPP). The APEX engine provides next-generation endpoint detection as part of the SecureAPlus layered approach to security which includes Application Control & Application Whitelisting, multi-cloud anti-virus, fileless attack protection and more. To deal with advanced threats like zero-day malware, the APEX engine goes beyond traditional scanners by reliably identifying unseen and mutated malware types and variants from day one of their release. The APEX engine that runs in VirusTotal targets Windows PE files; with integration into the VirusTotal ecosystem, SecureAge looks forward to further enhancing APEX's capabilities, and above that, adding value to VirusTotal's cybersecurity services.”

SecureAge has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by AV-Comparatives, an AMTSO-member tester.

Wednesday, 8 May 2019

VirusTotal MultiSandbox += Yoroi: Yomi sandbox

We are excited to welcome Yomi: The Malware Hunter from Yoroi to the mutisandbox project. This brings VirusTotal upl to seven integrated sandboxes, in addition to VT’s own sandboxes for Windows, MacOS, and Android.

In their own words:
Yomi engine implements a multi-analysis approach able to exploit both static analysis and behavioral analysis, providing ad hoc analysis path for each kind of files. The static analysis section includes document and macro code extraction, imports, dependencies and trust chain analysis. The behavioral detection engine is weaponized to recognize suspicious actions the malware silently does, giving a powerful insight on command and control, exfiltration and lateral movement activities over the network, including encrypted channels. Each analysis is reported in an intuitive aggregated view to spot interesting patterns at a glance.

Some recent samples on VirusTotal with reports from Yoroi:

To see the full details click on the “Full report” within the behavior tab.

Interesting features

Executed commands
Within the Yomi Hunter report, additional information on executed commands can be seen. In this case, we see obfuscated powershell commands being run.

To search other behaviour reports for the string “zgohmskxd” we can use the behavior_processes:zgohmskxd search query to find another sample with the same variable name. Check out the other search modifiers that can be used to find similar samples.


Within the Additional information tab, we can also find the mutexes used by the sample under analysis. behaviour:AversSucksForever

To search other sandbox behavior reports with the same string we can search


Mitre ATT&CK™ tab

On the MITRE ATT&CK™ tab you can see how the specific behaviour is behavior is tagged


With the emotet sample we can see the SMB and HTTP traffic. Next you can click on the relationships tab to see other related IP Addresses, Domains, URLs and files.

You can visually see these relationships from within VirusTotal Graph:

Tuesday, 7 May 2019

VirusTotal Multisandbox += NSFOCUS POMA

We are pleased to announce that the multisandbox project has partnered with NSFOCUS POMA. This brings VirusTotal up to six integrated sandboxes. The NSFOCUS sandbox gives us insight into the behaviour of samples that run on Windows 7 and XP SP3.

In their own words:

NSFOCUS POMA, as an integral part of the NSFOCUS Threat Intelligence (NTI) system, is a cloud‐based malware analysis engine built by the NSFOCUS Security Lab. It can take various types of files and perform both static and dynamic analysis on them to detect potentially malicious behavior, and produce analytic reports in many formats (including STIX). This service can help a user to protect his environment from various threats, such as 0‐day attacks, advanced persistent threats (APTs), ransomware, botnets, cryptocurrency mining and other malware.

We are very honored and proud to bring such values to the VirusTotal users and community.

Here are a few examples:

You can find the sandbox behaviour reports on the behavior tab.

Threat Summary

At the top of the detailed report, right away we can see a summary of the detection.

Threat Detail

Within the threat detail section we can see the behavior in both Windows XP SP3 and Windows 7 SP1 ordered by risk, most important at the top.

Registry actions:
Within the behaviour report we can see an interesting UUID

Using  a behavior search in VT Intelligence, we can find other samples that also use this same UUID

Connecting the dots

In the sample we can see the relationship with the IP address 185[.]45[.]252[.]36

Within VTGraph we can visually see the relationships between this sample, the IP address, domains and URLS that we know about

Wednesday, 17 April 2019

VirusTotal += Max Secure Software

We welcome Max Secure Software scanner to VirusTotal. In the words of the company:

“Max Total Security is a built in-house, multi-layer, pro-active intelligent malware scanning engine which includes detection of most advanced current and future threats. Scanner utilizes Artificial Intelligence with Machine learning, Gibberish malware file detection, Heuristic detection, Pattern identification as well as Dynamic Emulation and Debugging. With capability to detect the whole malware family and 360 degree learning capability using threat community network. Continuously analyzing, collecting response from Threat community updates definition database daily. Scanning is very quick with minimal impact on resources and no conflict with other software.”

Max Secure Software has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by ICSA Labs, an AMTSO-member tester.