Posted May 14, 2014

VirusTotal + Maltego = Visualizing Actionable Malware IOCs

– by Steven Weinstein

Setting up your own malware analysis lab and collecting all indicators of compromise related to those samples of malware can be time consuming and expensive. While there’s a long list of benefits to doing this on your own, it doesn’t make sense for every organization. All other arguments aside, some companies may decide that while it’s more expensive in the long run, it’s simpler and faster to leverage a malware repository such as VirusTotal to develop their analysis.

VirusTotal is an open source solution for inspecting URL/domain items with over 70 different scanners, along with a myriad of other resources. We will be using the VirusTotal Private API which adds immediate value to teams looking to mine data via custom scripts. With tens of millions of samples of malware and hundreds of millions of IOCs, the data a simple script can return can be vast. While incredibly useful, comprehending and making sense of this large amount of data is very difficult.

Fortunately, using Maltego can help us visualize data to easily grasp correlations otherwise missed due to the flat nature of a large data set. Maltego is an open source intelligence and graphical link analysis tool which can be used to mine information, merge and highlight entity properties for deeper intelligence Maltego can also allows us to run scripts (transforms) against isolated data we import to visualize the custom data that we are interested in, and then pivot to new queries and results, or even different data sets.


Setting up the Malware Lab

To better serve the threat intelligence community, we are announcing the public availability of 26 Maltego transforms that we’ve authored, designed to mine the data available from the VirusTotal Private API. These transforms enable security professionals to quickly find actionable intelligence for an incident, create their own malware analysis lab with ease or find interesting overlaps or clusters while doing research. With these transforms, among a number of other capabilities, you will be able to:

  • Find hashes which have been downloaded from or have communicated with a domain or IP address
  • Get domains and IP addresses which a hash has communicated with
  • Locate hashes associated with a specific IOC (string, reg key, mutex, filename, command, etc)
  • Find IOCs (reg keys, file names, mutexes, commands run, etc) associated with a hash
  • Find hashes of which have a specific import hash or PE section hash
  • Find hashes which have been detected as a certain threat or specific CVE
  • Get scan information and detection ratios for hashes and URLs
  • Get Passive DNS for a domain or IP

How to Get Started

These transforms don’t require any frameworks, and only need Python 2.7.x, the Requests and a VirusTotal API key library to run properly. The Maltego transforms are able to run on any platform that runs Maltego and Python, but the configuration file provided has been set up using Windows, and requires changes to be run on other operating systems.

Be sure to check out the documentation and download the transforms on GitHub:

Examples of Analyses

See below for some quick examples of what’s possible with these transforms:

Maltego visualization of IP address relationships

Example 1: Retrieve details about a hash that has communicated with a given domain, and then pivot to other hashes also communicating with the same IP addresses.

Maltego visualization of retrieved data using VirusTotal API

Example 2: Retrieve details about a hash including the commands executed via the CreateProcessInternalW API call.

Please contact us if you’re interested in learning how the LookingGlass data set can enrich what you discover with these transforms.


Thanks to Keith Gilbert for his effort on the Malformity project, which includes some great public API VirusTotal transforms. Malformity, which is a “Maltego project based on the Canari framework for malicious binary and infrastructure research”, can be found here:

Additional Posts

Is TrueCrypt No More?

By Robert Simmons Late Wednesday night (and as has now been reported by Brian Krebs and others), ...

No Silver Bullets: Insuring Against Cyber Threats

by Tobias Losch, GLEG The information age has long outgrown its infancy, and the widespread ...