Tuesday, 28 January 2020

VirusTotal MultiSandbox += BitDam ATP

VirusTotal would like to welcome BitDam to the multi-sandbox project!

In their own words:

BitDam Advanced Threat Protection (ATP) is a cloud-based engine that proactively detects threats, pre-delivery, preventing hardware and logical exploits, ransomware, spear-phishing and zero-day attacks contained in files and URLs. BitDam’s patented attack-agnostic technology shows remarkably higher protection rates compared to engines that are based on knowledge of previous threats. It learns the normal code-level executions of business applications such as MS-Word and Acrobat Reader, creating a whitelist knowledge-base. Based on this knowledge, the detection engine determines whether a given file or weblink is malicious or not, regardless of the specific malware it may contain.

Let's take a deeper look at some interesting samples showcasing BitDam's capabilities:

XLS spreadsheet with macro in a hidden sheet which launches powershell


This file contains a macro which accesses certain cells in a hidden sheet to retrieve the payload and then runs powershell with an obfuscated command line. The powershell script spawns a .NET related processes to compile the payload.


BitDam not only generates execution reports, it also produces behaviour-based detection verdicts, we see BitDam detects the file as malware.

Doc with macro and VBA and WMI


This word document has a macro with some benign code, likely for deception and to make static analysis more difficult. The document also uses some basic obfuscation techniques.

BitDam highlights the network communications observed during the execution and populates the pertinent file to domain/IP address/URL relationships back into VirusTotal, as illustrated by the sample’s graph:

Discovering detection blindspots


VT Enterprise customers can use search modifiers to dig deeper. For example, we can look for files with low AV detections that BitDam ATP detects as malware:

bitdam_atp:malware and positives:7- and fs:2020-01-01+

Note that this task can also be automated via APIv3.

Welcome BitDam, glad to have you onboard!

Wednesday, 22 January 2020

VirusTotal Graph++

Just 2 years ago we launched the first version of VirusTotal Graph. The goal was to provide a tool which understands the relationship between files, URLs, domains and IP addresses, and an easy interface to pivot and navigate over them.

To continue in this direction, today, we are releasing a set changes to help your investigations with VirusTotal Graph.

1. We have created a dashboard where you can see your graphs and the graphs created by the community.

You can also search for graphs with certain features, for example, graphs that contains a node with a label “c2”. The searches will go simultaneously to the public graph repository and to your private repository.

You can see the full list of search modifiers here.

2. We’ve improved the VirusTotal Graph UI with these features, most of them coming from our power users:
  • Undo/redo
  • In graph search
  • Download the graph as JSON and as image
  • Align nodes horizontally and vertically
  • New ways of visualizing the graph
We’ve also included some extra features for our premium customers:
  • Removed the API usage. If you are a premium customer you can use VT Graph extensively, its consumption won’t count against your API quota
  • Added more commonality calculations
  • Integration with VT Hunting - link

3. As most of our other products, VirusTotal Graph is getting a restful API. The documentation can be found here and a Python library to reduce the learning curve; it is available in our Github repository.

In the meanwhile we are cooking very exciting enhancements that we really hope will please the Community, stay tuned. As always, we would love to hear from you.