How to Scan Bulk IOCs with VirusTotal?

If you have ever been part of security teams like the Security Operation Center (SOC) or CIERT teams, you might have dealt with many threat analyses as part of your incident response and malware analysis job. Capturing IOAs and IOCs and analyzing captured IOAs and IOCs are some of the crustal parts of the incident response and investigation procedure. And, of course, if you get lengthy lists of URLs, domains, IPs, and files, then it’s not just crustal, but also it’s a laborious task.

I still remember the early days of my professional job, where my team was used to get hundreds of URLs, domains, IPs, and file hashes from our security advisory partners to analyze and block them on all our security devices. We used to spend several hours just analyzing the captured IOCs every day. It was frustrating! The worst part is that the security services were not as mature as they are today. We must thank VirusTotal and other security services that have made security professionals’ lives a lot easier now. Today, we can automate such things with the help of services like VirusTotal combined with scripting languages like Python.

We created this post to help security analysts who need to validate or identify IOCs like URLs, domains, IPs, and file hash in bulk every day. We will show you a complete process to submit a list of IOCs to VirusTotal to the VirusTotal’s API using Didier Stevens’s Python Script. Let’s see what VirusTotal is and its API offerings. About Didier Stevens and his Python tools, automate the IOC scanning process by learning how to scan bulk IOCs with VirusTotal in this blog post.

A Short Note About VirusTotal and Its API Service

VirusTotal is a free online service that analyzes files and URLs, enabling the identification of viruses, worms, trojans, and other kinds of malicious content using antivirus engines and website scanners. It also enables the generation and sharing of threat intelligence with its huge URL and file analysis database.

VirusTotal offers both public and private APIs that allow users to programmatically interact with their services. The public API has some limitations, like only allowing 500 requests per day and 4 requests per minute. The private API, on the other hand, provides more flexibility and advanced capabilities like allowing users to choose their own request rate and quota, download submitted samples, get more detailed analysis reports, etc.

If you are an individual security researcher who wants to scan multiple URLs, domains, IPs, and file hash with VirusTotal less frequently, then public API services are enough to have. If you are working for a corporate company that needs to do a lot more than just scan URLs, domains, IPs, and file hash, then you should get private API services.

Public vs Private API

Here is a quick comparison of VirusTotal’s public and private APIs:

Feature Public API Private API
Request rate limit 500 requests/day, 4 requests/min Flexible based on service tier
File download No Yes
Additional metadata No Yes e.g. first submission date, prevalence etc.
File behaviors No Yes
Advanced hunting APIs No Yes e.g. YARA based hunting
SLA No Yes

Didier Stevens and his Contributions to the Cybersecurity World

If you have been in the security landscape for some time, then you definitely know that Didier Stevens, is a renowned security researcher who has made numerous contributions to the cybersecurity community. He is the author of many popular open-source security tools written in Python, including:

  • oledump: to analyze OLE files like MS Office documents
  • pdf-parser: to analyze PDF documents
  • oletools: tools to analyze MS OLE2 files (Structured Storage)
  • peepdf: PDF analysis tool
  • VirusTotal: to search VirusTotal for hashes, URLs, IPs and domains
See also  How Can We Use the MITRE ATT&CK Framework for Threat Hunting? How to Hunt APT Groups Using the MITRE ATT&CK Framework?

These are only a few tools that he created. He has tons of tools in his ToolSuite. However, these are quite popular tools that are very useful for malware analysts, forensics investigators, and security researchers to analyze and gather threat intelligence.

Anyways, these tools are not the point of discussion in this blog post. We have another tool or a Python script vtsearch to cover in this blog post. Didier Stevens’s TirusTotal tool allows interfacing with VirusTotal APIs, making it easy to gather reputation data and scan bulk IOCs.

Prerequisites to Validate Bulk IOCs with VirusTotal

To start scanning bulk IOCs with VirusTotal, you need a few things in place:

  • VirusTotal API Key: The first requirement is to sign up on VirusTotal and get an API key. This key will be used to authenticate API requests. With the free public API key, you can make only 500 requests per day with a rate limit of 4 requests/min. For bulk scanning, it is recommended to get the private API key, which has higher rate limits.
  • Python Interpreter: You need Python 3.x installed to run the vtsearch tool. Python can be downloaded for all major operating systems from python.org. Make sure to add it to your PATH.
  • Python IDE (Optional): Using an IDE like PyCharm or Visual Studio Code can improve the development experience. But any text editor would also work.
  • vtsearch Tool: This is a modified Python tool which is originally created by Didier Stevens is used to interface with the VirusTotal API. You can download it from Didier’s blog or GitHub repo. Tis script was originally created to run on Python 2. We modified it to work on Python 3. Now this tool has been tested on Python 3.9.

That’s pretty much all you need to start submitting bulk IOCs to VirusTotal for analysis. Make sure Python and the vtsearch tool are configured correctly and you have the API key. Now we are ready to automate the scanning of bulk URLs, domains, IPs, and file hashes by programmatically interfacing with VirusTotal.

What vtSearch.py can Capable to Do?

vtsearch.py is a Python program that is designed to search VirusTotal for hashes, IPs, domains, and URLs using free public APIs. And, returns the result to a CSV file and CLI. Some of its capabilities:

  • Customize delay time in sending search queries.
  • Force all queries to be send to VirusTotal, even if found in local database.
  • Calculate the md5 of the file and search it
  • File to keep track and skip not found searches.
  • wait 1 hour when VirusTotal limitations exceeded
See also  A Guide to the OWASP Projects for Developers

Why You Need to Submit IOCs to VirusTotal in Bulk?

The main intention of this program is to automate the IOC verification process in malware analysis, forensic investigation, or threat detection procedures.

Security Advisory or Threat Intelligence teams often share a list of IOCs with the Organization’s Security Team in order to block the IOCs on their Proxy, Endpoint, Firewalls, SIEM, and other security solutions. You can use this script not only to identify the infected assets but also to curb the spread of malware infection on the corporate network.

It’s a very well-known fact that not all security products are perfect and provide 100% protection against thriving threats. This script also helps Security teams to determine the list of IOCs that were flagged as malicious by the Vendors of their products and block them on their security products if not blacklisted and submit the unidentified IOCs to their vendors in order to block them globally.

How to Scan Bulk IOCs with VirusTotal?

The procedure is simple and straightforward. You just need to set up your Python environment with the VirusTotal API key. Just follow these steps to leverage VirusTotal APIs for scanning multiple IOCs in an automated manner:

Step 1: Signup on VirusTotal and Acquire API Key

  • Go to VirusTotal.com and create a free account.
  • Navigate to your Profile and note down the API key provided. This will be used for authentication.
Signup VirusTotal and Acquire API Key

Step 2: Download the vtSearch script

Download the Python script from here and place it on your machine. We copied it to the c:\\securitymaster Directory on our machine.

Download the Script from Git.

Download the vtSearch script

Step 3: Install Python interpreter

  • Download the latest Python 3.x from python.org and install it.
  • Add Python to a PATH environment variable.

How to Install Python:

  1. Install Python on Windows:
  2. Install Python on Linux:

To ensure Python interpreter is working on your machine, run this command: python -V

Install Python interpreter

Step 4: Install PyCharm or Conda (Optional Step)

This step is totally optional. You can use any code editor of your choice. We recommend using either Pycharm or Visual Studio Code as it has excellent Python support through extensions.

For this demo, we will use PyCharm as our chosen IDE for Python development. You can check out how to install PyCharm on Windows here.  If in case you are not a fan of any IDE, you can directly download the Python interpreter and use it on your CLI.

Install PyCharm or Conda

Download and install PyCharm Community Edition from jetbrains.com/pycharm. Make sure to customize the installer to add Anaconda Python environment support.

Once setup is complete, open PyCharm. Open the directory in the vtSearch script is kept.  Go to File > Open > Browse the directory. Click the gear icon and select “Add.” Locate the Python executable in the <conda env> folder in the Anaconda installation.

Open project in PyCharm
Select Project Directory in PyCharm

Don’t forget to add the VirusTotal API key to the script. As you can see, we have added our API in Line #14.
IMP Note: Replace this key with your own key. We deleted this API key before we published this post. You can’t use this API key shown in the screenshot.

See Also  How to Protect Your Apple Devices From 14 0-Day Vulnerabilities in iOS, iPadOS, and macOS
vtSearch Python Script opened in PyCharm

As soon as you open the directory, PyCharm will create an isolated Virtual Environment for this project. Make sure the Python interpreter is configured for the project. To set up the Python Interpreter in your PyCharm, Click on the gear icon in the top right corner, then click on Setting. If you don’t have the Python interpreter, click on ‘Add Interpreter’, browse, and select the Python.exe file.

See also  How to Fix CVE-2022-20696- An Unauthenticated Access Vulnerability in Cisco SD-WAN vManage Software
Open Project Settings in PyCharm
Add Python interpreter in PyCharm

Great! Now your PyCharm is configured to run the vtSearch.py script.

Let us know if you need any help setting up the IDE.

Step 5: Run the Python script to Submit bulk IOCs to VirusTotal

Before running the vtSearch.py let’s learn about a couple of arguments to pass. This script accepts arguments like -f, -t, -e, and -d.

-f: It is a flag used to indicate the file has a list of md5 hash values.

-t: It is a flag used to indicate the file has a list of IPs, URLs, or Domains.

-e: It is a flag used to indicate the file has a list of sha256 hash values.

Some examples to Run the script:

  1. python vtSearch.py -f hashes.txt
  2. python vtSearch.py -t url urls.txt
  3. python vtSearch.py -e sha256 hashes.txt
  4. python vtSearch.py -f –d 30 hashes.txt

We have a file Sample.txt in that we saved 10 phishing domains. Let’s run the script to scan the domains with VirusTotal.

python vtSearch.py -t url Sample.txt

Run the vtSearch.py to Submit bulk IOCs to VirusTotal

The script creates a csv file to save the results. Here is the content of the csv file.

Search Term Requested Response Scan Date Detections Total Permalink
tr.amjaadasia.com 1 1 09-10-2023 07:20 6 90 https://www.virustotal.com/gui/url/92e20d94d338bafdc5b0bf6aaeff941d08d2bc1fca704aa4b64640553b92d936/detection/u-92e20d94d338bafdc5b0bf6aaeff941d08d2bc1fca704aa4b64640553b92d936-1696836027
beachcitiesradio.com 1 1 09-10-2023 07:20 12 90 https://www.virustotal.com/gui/url/c51a98dbb1199a235fd6da4cefe3ac4f835fa4ce83434454ade1d9f0cdf92138/detection/u-c51a98dbb1199a235fd6da4cefe3ac4f835fa4ce83434454ade1d9f0cdf92138-1696836059
acagro.ru 1 1 09-10-2023 07:21 2 90 https://www.virustotal.com/gui/url/11a3bdbbe1dce62c0ab3aed80c4bf52861cebd15f58df071699db4cbf72343fd/detection/u-11a3bdbbe1dce62c0ab3aed80c4bf52861cebd15f58df071699db4cbf72343fd-1696836091
suncontainerhouse.com 1 1 09-10-2023 07:22 4 90 https://www.virustotal.com/gui/url/53f0cd345eafdc87a0d71e541731562f9857e07d0125d9c997babec77309647a/detection/u-53f0cd345eafdc87a0d71e541731562f9857e07d0125d9c997babec77309647a-1696836123
gpinhouse.com 1 1 09-10-2023 07:22 20 91 https://www.virustotal.com/gui/url/0284870e502046ea8e6173310458dcb6fb7ea990e19a8050ac8008b2945b9fb3/detection/u-0284870e502046ea8e6173310458dcb6fb7ea990e19a8050ac8008b2945b9fb3-1696836155
craigvirginialaws.com 1 1 09-10-2023 07:23 12 90 https://www.virustotal.com/gui/url/1449b3ee4b72313d5f5e021eeca97fa0a6c94933f6c8ae71b7546911ef707107/detection/u-1449b3ee4b72313d5f5e021eeca97fa0a6c94933f6c8ae71b7546911ef707107-1696836187
discriminatieverdientaandacht.nl 1 1 09-10-2023 07:23 12 90 https://www.virustotal.com/gui/url/6e8d5b03cd98a5280dbcb176f88c55dfa36d38c44fde33253b696be25cca890d/detection/u-6e8d5b03cd98a5280dbcb176f88c55dfa36d38c44fde33253b696be25cca890d-1696836219
vgcrelbb.com 1 1 09-10-2023 07:24 2 90 https://www.virustotal.com/gui/url/54b59da19556448e377cb867e32b08c383f20c83ab6fdabd712ec4835c911393/detection/u-54b59da19556448e377cb867e32b08c383f20c83ab6fdabd712ec4835c911393-1696836251
theffegroup.com.au 1 1 09-10-2023 07:24 15 90 https://www.virustotal.com/gui/url/801e49aea0475771ce0a77bb7c22e5c8c0a7fc8026d6db896007fc7a1855357e/detection/u-801e49aea0475771ce0a77bb7c22e5c8c0a7fc8026d6db896007fc7a1855357e-1696836283
hees.com.au 1 1 09-10-2023 07:25 2 90 https://www.virustotal.com/gui/url/e7f6adb8ab6e8b6d952a1b855230a654ecf9f5fa2a6a54a7515d45351c7f5702/detection/u-e7f6adb8ab6e8b6d952a1b855230a654ecf9f5fa2a6a54a7515d45351c7f5702-1696836315

Step 6: Run the Python script using PyCharm (Optional Step)

Once The vEnv and Interpreter are ready, then set up the parameters to run the script. To set up the running parameters, Click on the 3 vertical dots. Select the parameters.

Run the vtSearch.py on PyCharm

We set up -t url Sample.txt as the parameter and click on the Run button.

Configure the parameters settings in PyCharm

Another CSV file will be created, which looks like this.

Search Term Requested Response Scan Date Detections Total Permalink
tr.amjaadasia.com 0 1 09-10-2023 07:20 6 90 https://www.virustotal.com/gui/url/92e20d94d338bafdc5b0bf6aaeff941d08d2bc1fca704aa4b64640553b92d936/detection/u-92e20d94d338bafdc5b0bf6aaeff941d08d2bc1fca704aa4b64640553b92d936-1696836027
beachcitiesradio.com 0 1 09-10-2023 07:20 12 90 https://www.virustotal.com/gui/url/c51a98dbb1199a235fd6da4cefe3ac4f835fa4ce83434454ade1d9f0cdf92138/detection/u-c51a98dbb1199a235fd6da4cefe3ac4f835fa4ce83434454ade1d9f0cdf92138-1696836059
acagro.ru 0 1 09-10-2023 07:21 2 90 https://www.virustotal.com/gui/url/11a3bdbbe1dce62c0ab3aed80c4bf52861cebd15f58df071699db4cbf72343fd/detection/u-11a3bdbbe1dce62c0ab3aed80c4bf52861cebd15f58df071699db4cbf72343fd-1696836091
suncontainerhouse.com 0 1 09-10-2023 07:22 4 90 https://www.virustotal.com/gui/url/53f0cd345eafdc87a0d71e541731562f9857e07d0125d9c997babec77309647a/detection/u-53f0cd345eafdc87a0d71e541731562f9857e07d0125d9c997babec77309647a-1696836123
gpinhouse.com 0 1 09-10-2023 07:22 20 91 https://www.virustotal.com/gui/url/0284870e502046ea8e6173310458dcb6fb7ea990e19a8050ac8008b2945b9fb3/detection/u-0284870e502046ea8e6173310458dcb6fb7ea990e19a8050ac8008b2945b9fb3-1696836155
craigvirginialaws.com 0 1 09-10-2023 07:23 12 90 https://www.virustotal.com/gui/url/1449b3ee4b72313d5f5e021eeca97fa0a6c94933f6c8ae71b7546911ef707107/detection/u-1449b3ee4b72313d5f5e021eeca97fa0a6c94933f6c8ae71b7546911ef707107-1696836187
discriminatieverdientaandacht.nl 0 1 09-10-2023 07:23 12 90 https://www.virustotal.com/gui/url/6e8d5b03cd98a5280dbcb176f88c55dfa36d38c44fde33253b696be25cca890d/detection/u-6e8d5b03cd98a5280dbcb176f88c55dfa36d38c44fde33253b696be25cca890d-1696836219
vgcrelbb.com 0 1 09-10-2023 07:24 2 90 https://www.virustotal.com/gui/url/54b59da19556448e377cb867e32b08c383f20c83ab6fdabd712ec4835c911393/detection/u-54b59da19556448e377cb867e32b08c383f20c83ab6fdabd712ec4835c911393-1696836251
theffegroup.com.au 0 1 09-10-2023 07:24 15 90 https://www.virustotal.com/gui/url/801e49aea0475771ce0a77bb7c22e5c8c0a7fc8026d6db896007fc7a1855357e/detection/u-801e49aea0475771ce0a77bb7c22e5c8c0a7fc8026d6db896007fc7a1855357e-1696836283
hees.com.au 0 1 09-10-2023 07:25 2 90 https://www.virustotal.com/gui/url/e7f6adb8ab6e8b6d952a1b855230a654ecf9f5fa2a6a54a7515d45351c7f5702/detection/u-e7f6adb8ab6e8b6d952a1b855230a654ecf9f5fa2a6a54a7515d45351c7f5702-1696836315

Manually analyzing and validating lengthy lists of IOCs is a repetitive, monotonous, and cumbersome task. But we can easily automate scanning bulk IOCs by utilizing VirusTotal’s API and open-source tools like vtsearch.

Key Advantages:

  • Faster than manual analysis – Automated scanning of bulk IOCs is significantly faster than manual lookup.
  • Error-free – No chances of human errors when using automation.
  • No human intervention needed – Once scripted, you just need to run it for hands-free IOC scanning.
  • Fully automated – Scheduling recurrent scans is easy to validate new IOCs automatically.

By leveraging VirusTotal’s API capabilities and Didier Stevens’s handy vtsearch tool, security teams can supercharge their threat hunting and intelligence workflows.

Automating the scanning and validation of bulk IOCs like URLs, domains, IPs, and file hashes can save hundreds of hours of repetitive manual work. This allows highly skilled resources to focus on other high-priority tasks like threat analysis, hunting, response, and improving security posture.

In summary, if you frequently deal with large IOC lists as part of your job, do check out the vtsearch Python tool to easily submit bulk IOCs to VirusTotal.

Leave a Reply

Your email address will not be published. Required fields are marked *