September 4th, 2023 - Download strings, malware config extraction in Private Scanning, new search modifiers and more ~ VirusTotal Release Notes

Monday, September 4, 2023

Download file content strings. Other than a Threat Intelligence suite allowing its users to research world-wide emerging threat patterns, VT ENTERPRISE is also an automated malware analysis solution performing {reputational, static, dynamic, code, similarity} analysis of suspicious files. One of the static analysis components that run on files is strings extraction, it runs on absolutely all uploaded files and VT ENTERPRISE users can both download files and see the strings for files uploaded by themselves or any other VirusTotal Community user. As of now, users are not only able to see file strings within their browsers, they can also download full strings dumps for offline searching and analysis. Strings downloading is available in the content tab of file reports.

Malware config extraction in Private Scanning. VirusTotal Private Scanning allows its users to “see files through VirusTotal’s eyes” without making those files or their reports downloadable/visible to any 3rd-party beyond their own organizations, i.e. in a non-shareable fashion. All standard VirusTotal analysis components are included (reputation, static, dynamic - sandboxes, code, similarity analysis) except for multi-antivirus scanning. We have extended Private Scanning with Mandiant Backscatter. Backscatter understands common malware families and extracts configuration files, see example. Backscatter will identify malware families, C2s, decoys, dropzones, etc. Note that the entire malware configuration output is pivotable (click on any of its fields) and a new search modifier (malware_config:) powers the search, example - malware_config:amadey.

Default private scanning settings. VirusTotal Private Scanning allows its users to specify custom file/report retention periods (1 day by default) and file storage regions (US vs EU) to comply with applicable regulations. Having to select non-default retention periods and regions on every upload can be a tedious task, VirusTotal group administrators can now provide default values for these selections in the settings tab of their group profile.

New search VT Intelligence search modifiers - ssl_not_before and ssl_not_after. VT INTELLIGENCE is often described as the Google for malware. It allows users to search for IoCs and access superior context to understand threats. It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. We have added support for the following new modifiers, they allow users to monitor any newly issued HTTPS certificates as part of potential phishing campaigns:

ssl_not_before: search according to the validity start date of the last SSL certificate seen for a given domain or IP address. Example: entity:domain fuzzy_domain:amazon.com ssl_not_before:2023-08-31+.
ssl_not_after: search according to the validity end date of the last SSL certificate seen for a given domain or IP address. Example: entity:domain fuzzy_domain:amazon.com ssl_not_after:2023-08-31+.