Is malware abusing your infrastructure? Find out with VirusTotal!

Any organization's infrastructure might inadvertently be abused by attackers as part of a malicious campaign, so it is important to monitor for suspicious activity involving it. VirusTotal can help you identify these threats and improve your threat detection and protection capabilities. In this post we first look at the available search modifiers and then provide templates you can use to quickly deploy infrastructure monitoring rules.

Hunting for infrastructure abuses

VirusTotal Intelligence allows you to search VT's extensive dataset for domains, URLs, IP addresses and files. You can find some examples of using search modifiers in our previous blog post.

You can use the entity:domain or entity:url search modifiers together with the parent_domain modifier to find what VT knows about your infrastructure. You can always narrow the results with the antivirus detection ratio (the positives or p keyword).

For IP addresses we can use the ip search modifier, which also accepts IP ranges.

The domain/URL/IP report shows the category assigned by antivirus vendors along with the detection ratio. One of the most interesting tabs is "Relations", where we can check for any suspicious samples communicating with the entity.

We can also use some additional modifiers to find networking entities with interesting relationships, and to flag immediately whether any domain or IP in our infrastructure is communicating with a suspicious file.


The most generic (although noisy) way to find files potentially targeting your infrastructure is the static one: searching files' content. This returns any file whose strings contain your IP addresses, domains or URLs. IP ranges cannot be used here.

❗Please notice that the content search modifier can't be used in combination with the entity modifier in the same query.

(content:"" or content:"" or content:"") p:20+

This type of query is useful when the malware's infrastructure is not obfuscated and can be found statically in the sample, which is not common. There is a better way, through dynamic analysis: all samples in VirusTotal are detonated in several sandboxes, which produces valuable data on how they behave at runtime.

Many samples implement anti-sandboxing techniques, so it is not always possible to get all the details. The best search modifier to find samples communicating with a given URL, domain or IP through sandbox detonation is behaviour_network. The contacted_ip search modifier also allows specifying IP address ranges.

Besides dynamic execution, you can check whether VirusTotal has ever seen a suspicious sample being downloaded from your infrastructure. For this you can use the "In the Wild" (itw) search modifier:

entity:file p:1+

Do it yourself!

Let's say you are interested in tracking fresh suspicious samples submitted to VirusTotal that communicate with your company's infrastructure (in this case consisting of 2 IPs resolving to our domain). The "first submission" (fs) search modifier restricts the results to files submitted since December last year:

entity:file (contacted_ip: or contacted_ip:) p:10+ fs:2022-12-01+

This query returns 4 files, each detected as malicious by at least 12 antivirus engines.
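The templates above are easy to mistype by hand once you have more than a couple of IPs or domains, and the content:/entity: caveat is easy to forget. The following query builder is an added example written for this page, not code from the VirusTotal post or the VT API client; it generates the content: template (rejecting IP ranges and refusing to combine content: with entity:), the contacted_ip: plus fs: template from the "Do it yourself" section, and an itw: template, and it reduces a v3 search response to the fields a monitoring alert needs. The IPs and domains are constructed documentation values; the v3 /intelligence/search endpoint URL, its limit parameter and the quoting of itw: values are assumptions taken from the public v3 API documentation rather than from the post, and the sample response is constructed in the v3 object shape so the summariser runs offline.

```python
# Query builder for the VirusTotal Intelligence monitoring templates in the post.
# Added example, not code from the VirusTotal post.  Modifiers are the ones the
# post names; endpoint details and itw: quoting are assumptions (see comments).
import ipaddress
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# ASSUMPTION: v3 Intelligence search endpoint (premium) and its 'limit' parameter.
VT_SEARCH_URL = "https://www.virustotal.com/api/v3/intelligence/search"

# Constructed infrastructure to monitor (documentation ranges, not real hosts).
OUR_IPS = ["203.0.113.10", "203.0.113.11"]
OUR_DOMAINS = ["corp.example.com", "cdn.example.net"]


def _is_cidr(value):
    """True for '203.0.113.0/24'-style ranges, False for single hosts and URLs."""
    try:
        return "/" in value and ipaddress.ip_network(value, strict=False) is not None
    except ValueError:
        return False


def _or_group(modifier, values, quote=False):
    """Join values of one modifier with 'or', parenthesised so that a trailing
    p:/fs: filter applies to the whole group and not only to the last term."""
    values = list(values)
    if not values:
        raise ValueError(f"no values supplied for {modifier}:")
    terms = [f'{modifier}:"{v}"' if quote else f"{modifier}:{v}" for v in values]
    return terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")"


def build_query(groups, entity=None, min_positives=None, since=None):
    """groups: iterable of (modifier, values, quote) tuples, AND-ed together.
    since: a date or a 'YYYY-MM-DD' string.  Enforces the post's caveat that
    content: and entity: cannot be used in the same query."""
    groups = list(groups)
    if entity and any(m == "content" for m, _, _ in groups):
        raise ValueError("content: cannot be combined with entity: in the same query")
    parts = [f"entity:{entity}"] if entity else []
    parts += [_or_group(m, v, q) for m, v, q in groups]
    if min_positives is not None:
        parts.append(f"p:{min_positives}+")            # detection-ratio floor
    if since is not None:                              # first-submission floor
        since = since.isoformat() if hasattr(since, "isoformat") else str(since)
        parts.append(f"fs:{since}+")
    return " ".join(parts)


def contacted_ip_query(ips, min_positives=10, since=None):
    """Files whose sandbox run contacted any of our IPs (single hosts or ranges)."""
    for ip in ips:
        ipaddress.ip_network(ip, strict=False)         # raises on anything not IP/CIDR
    return build_query([("contacted_ip", ips, False)], entity="file",
                       min_positives=min_positives, since=since)


def content_query(indicators, min_positives=20):
    """Files that statically contain our IPs/domains/URLs (noisy).  The post
    notes ranges are not supported here, so CIDR notation is rejected."""
    bad = [i for i in indicators if _is_cidr(i)]
    if bad:
        raise ValueError(f"content: does not accept IP ranges: {bad}")
    return build_query([("content", indicators, True)], min_positives=min_positives)


def itw_query(indicators, min_positives=1):
    """Files VT has seen downloaded from our infrastructure ('In the Wild').
    ASSUMPTION: itw: values are quoted the same way as content: values."""
    return build_query([("itw", indicators, True)], entity="file",
                       min_positives=min_positives)


def search(query, api_key, limit=10):
    """Run a query against VT Intelligence.  Network call; needs a premium key."""
    params = urllib.parse.urlencode({"query": query, "limit": limit})
    req = urllib.request.Request(f"{VT_SEARCH_URL}?{params}",
                                 headers={"x-apikey": api_key, "accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarise(response):
    """Reduce a v3 search response to (sha256, malicious-count, first-seen)
    rows, worst first: the fields a monitoring alert needs to carry."""
    rows = []
    for obj in response.get("data", []):
        attrs = obj.get("attributes", {})
        hits = attrs.get("last_analysis_stats", {}).get("malicious", 0)
        seen = datetime.fromtimestamp(attrs.get("first_submission_date", 0), tz=timezone.utc)
        rows.append((obj.get("id"), hits, seen.date().isoformat()))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed response in the v3 object shape (not real VT data) for offline use.
SAMPLE_RESPONSE = {"data": [
    {"type": "file", "id": "a" * 64,
     "attributes": {"last_analysis_stats": {"malicious": 12, "undetected": 50},
                    "first_submission_date": 1672531200}},   # 2023-01-01 UTC
    {"type": "file", "id": "b" * 64,
     "attributes": {"last_analysis_stats": {"malicious": 30, "undetected": 32},
                    "first_submission_date": 1675209600}},   # 2023-02-01 UTC
]}

if __name__ == "__main__":
    print(contacted_ip_query(OUR_IPS, min_positives=10, since="2022-12-01"))
    print(content_query(OUR_IPS + OUR_DOMAINS, min_positives=20))
    print(itw_query(OUR_DOMAINS))
    for sha, hits, seen in summarise(SAMPLE_RESPONSE):
        print(f"{sha[:12]}...  {hits:3d} detections  first seen {seen}")
```

To turn this into a monitoring rule, schedule contacted_ip_query() with since set to the last run date and alert on any row summarise() returns; keep the content: template as a separate, lower-priority job since the post notes it is noisy.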