URLhaus
Use the URLhaus integration to get information about URLs and domains, and to download malware samples.
Configure URLhaus on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for URLhaus.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g. https://192.168.0.1)
- Trust any certificate (not secure)
- Use system proxy
- Blacklists appearances threshold
- Compromised (is malicious)
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get information for a URL: url
- Get information for a domain: domain
- Get information for a file: file
- Download a malware sample: urlhaus-download-sample
1. Get information for a URL
Retrieves URL information from URLhaus.
Base Command
url
Input
Argument Name | Description | Required |
---|---|---|
url | URL to query. | Required |
Context Output
Path | Type | Description |
---|---|---|
URL.Data | String | The URL. |
URL.Malicious.Vendor | String | Vendor that reported the URL as malicious. |
URL.Malicious.Description | String | Description of the malicious URL. |
URLhaus.URL.ID | String | Unique identifier of the URLhaus database entry. |
URLhaus.URL.Status | String | The current status of the URL. |
URLhaus.URL.Host | String | The extracted host of the malware URL (IP address or domain name/FQDN). |
URLhaus.URL.DateAdded | Date | Date the URL was added to URLhaus. |
URLhaus.URL.Threat | String | The threat corresponding to this malware URL. |
URLhaus.URL.Blacklist.Name | String | Name of the blacklist. |
URLhaus.URL.Tags | String | A list of tags associated with the queried malware URL. |
URLhaus.URL.Payload.Name | String | Payload file name. |
URLhaus.URL.Payload.Type | String | Payload file type. |
URLhaus.URL.Payload.MD5 | String | MD5 hash of the HTTP response body (payload). |
URLhaus.URL.Payload.VT.Result | Number | VirusTotal results for the payload. |
DBotScore.Type | String | Indicator type. |
DBotScore.Vendor | String | Vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Indicator | String | The indicator that was tested. |
URLhaus.URL.Blacklist.Status | String | Status of the URL in the blacklist. |
URLhaus.URL.Payload.VT.Link | String | Link to the VirusTotal report. |
Command Example
!url url="http://sskymedia.com/VMYB-ht_JAQo-gi/INV/99401FORPO/20673114777/US/Outstanding-Invoices/"
Human Readable Output
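As an added example (not code from the integration or from URLhaus), the Python below shows how a URL lookup reply could be mapped onto the context paths listed above, and how the "Blacklists appearances threshold" and "Compromised (is malicious)" instance settings could drive the DBotScore verdict. The reply layout, the blacklist verdict strings and the scoring rule are assumptions made for illustration, not taken from this page.

```python
# Added example (not the integration's code); response layout and scoring rule are assumed.
DBOT_SUSPICIOUS, DBOT_BAD = 2, 3

# Constructed sample in the shape of a URLhaus /v1/url/ reply (assumed layout).
SAMPLE_RESPONSE = {
    "id": "105821", "url": "http://example.invalid/INV/Outstanding-Invoices/",
    "url_status": "online", "host": "example.invalid", "threat": "malware_download",
    "date_added": "2019-01-19 01:33:26 UTC", "tags": ["emotet", "epoch2"],
    # a Spamhaus 'abused_legit_*' verdict marks a compromised legitimate host
    "blacklists": {"spamhaus_dbl": "abused_legit_malware", "surbl": "listed"},
    "payloads": [{"filename": "invoice.doc", "file_type": "doc",
                  "response_md5": "d41d8cd98f00b204e9800998ecf8427e",
                  "virustotal": {"percent": "20.00", "link": "https://example.invalid/vt"}}],
}

def blacklist_hits(blacklists, compromised_is_malicious=False):
    """Count blacklist appearances; compromised-host verdicts count only when asked."""
    hits = 0
    for verdict in blacklists.values():
        compromised = verdict.startswith("abused_legit")
        if verdict != "not listed" and (compromised_is_malicious or not compromised):
            hits += 1
    return hits

def score_url(resp, threshold=1, compromised_is_malicious=False):
    """Assumed rule: known to URLhaus is at least Suspicious; reaching the threshold is Bad."""
    hits = blacklist_hits(resp["blacklists"], compromised_is_malicious)
    return DBOT_BAD if hits >= threshold else DBOT_SUSPICIOUS

def build_context(resp, threshold=1, compromised_is_malicious=False):
    """Shape the reply into the URL, DBotScore and URLhaus.URL context paths."""
    score = score_url(resp, threshold, compromised_is_malicious)
    ctx = {
        "URL": {"Data": resp["url"]},
        "DBotScore": {"Type": "url", "Vendor": "URLhaus", "Score": score, "Indicator": resp["url"]},
        "URLhaus.URL": {
            "ID": resp["id"], "Status": resp["url_status"], "Host": resp["host"],
            "DateAdded": resp["date_added"], "Threat": resp["threat"], "Tags": resp["tags"],
            "Blacklist": [{"Name": n, "Status": s} for n, s in resp["blacklists"].items()],
            "Payload": [{"Name": p["filename"], "Type": p["file_type"], "MD5": p["response_md5"],
                         "VT": {"Result": float(p["virustotal"]["percent"]),
                                "Link": p["virustotal"]["link"]}} for p in resp["payloads"]],
        },
    }
    if score == DBOT_BAD:  # URL.Malicious is populated only for a Bad verdict
        ctx["URL"]["Malicious"] = {"Vendor": "URLhaus",
                                   "Description": "Listed by URLhaus as " + resp["threat"]}
    return ctx
```

Raising the threshold to 2 leaves the sample at Suspicious unless compromised hosts are counted, which is the interaction between the two instance settings that an analyst tuning the integration should expect.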
2. Get information for a domain
Retrieves domain information from URLhaus.
Base Command
domain
Input
Argument Name | Description | Required |
---|---|---|
domain | Domain to query. | Required |
Context Output
Path | Type | Description |
---|---|---|
Domain.Name | String | The domain name, for example, google.com. |
DBotScore.Type | String | Indicator type. |
DBotScore.Vendor | String | Vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Indicator | String | The indicator that was tested. |
URLhaus.Domain.FirstSeen | Date | Date that the domain was seen for the first time (UTC). |
URLhaus.Domain.Blacklist.Name | String | Name of the blacklist. |
URLhaus.Domain.URL | String | URLs observed on this domain. |
Domain.Malicious.Vendor | String | Vendor that reported the domain as malicious. |
Domain.Malicious.Description | String | Description of the malicious domain. |
URLhaus.Domain.Blacklist.Status | String | Status of the domain in the blacklist. |
Command Example
!domain domain="vektorex.com"
Human Readable Output
3. Get information for a file
Retrieves file information from URLhaus.
Base Command
file
Input
Argument Name | Description | Required |
---|---|---|
file | MD5 hash or SHA256 hash of the file to query. | Required |
Context Output
Path | Type | Description |
---|---|---|
File.Size | Number | File size (in bytes). |
File.MD5 | String | MD5 hash of the file. |
File.SHA256 | String | SHA256 hash of the file. |
URLhaus.File.MD5 | String | MD5 hash of the file. |
URLhaus.File.SHA256 | String | SHA256 hash of the file. |
URLhaus.File.Type | String | File type guessed by URLhaus, for example: .exe, .doc. |
URLhaus.File.Size | Number | File size (in bytes). |
URLhaus.File.Signature | String | Malware family. |
URLhaus.File.FirstSeen | Date | Date and time (UTC) that URLhaus first saw this file (payload). |
URLhaus.File.LastSeen | Date | Date and time (UTC) that URLhaus last saw this file (payload). |
URLhaus.File.DownloadLink | String | Location (URL) where you can download a copy of this file. |
URLhaus.File.VirusTotal.Percent | Number | AV detection (percentage), for example: 24.14. |
URLhaus.File.VirusTotal.Link | String | Link to the VirusTotal report. |
URLhaus.File.URL | Unknown | A list of malware URLs associated with this payload (max. 100). |
Command Example
!file file="01fa56184fcaa42b6ee1882787a34098c79898c182814774fd81dc18a6af0b01"
4. Download a malware sample
Downloads a malware sample from URLhaus.
Base Command
urlhaus-download-sample
Input
Argument Name | Description | Required |
---|---|---|
file | SHA256 hash of the file to download. | Required |
Context Output
Path | Type | Description |
---|---|---|
File.Size | number | File size. |
File.SHA1 | string | SHA1 hash of the file. |
File.SHA256 | string | SHA256 hash of the file. |
File.Name | string | File name. |
File.SSDeep | string | SSDeep hash of the file. |
File.EntryID | string | File entry ID. |
File.Info | string | File information. |
File.Type | string | File type. |
File.MD5 | string | MD5 hash of the file. |
File.Extension | string | File extension. |
Command Example
!urlhaus-download-sample file="01fa56184fcaa42b6ee1882787a34098c79898c182814774fd81dc18a6af0b01"