URLhaus

Use the URLhaus integration to get information about URLs and domains, and to download malware samples.

Configure URLhaus on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for URLhaus.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g. https://192.168.0.1)
    • Trust any certificate (not secure)
    • Use system proxy
    • Blacklists appearances threshold
    • Compromised (is malicious)
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get information for a URL: url
  2. Get information for a domain: domain
  3. Get information for a file: file
  4. Download a malware sample: urlhaus-download-sample

1. Get information for a URL


Retrieves URL information from URLhaus.

Base Command

url

Input
Argument Name Description Required
url URL to query. Required

Context Output
Path Type Description
URL.Data string The URL.
URL.Malicious.Vendor string Vendor that reported the URL as malicious.
URL.Malicious.Description string Description of the malicious URL.
URLhaus.URL.ID string Unique identifier of the URLhaus database entry.
URLhaus.URL.Status string The current status of the URL.
URLhaus.URL.Host string The extracted host of the malware URL (IP address or domain name/FQDN).
URLhaus.URL.DateAdded date Date the URL was added to URLhaus.
URLhaus.URL.Threat string The threat corresponding to this malware URL.
URLhaus.URL.Blacklist.Name string Name of the blacklist.
URLhaus.URL.Blacklist.Status string Status of the URL in the blacklist.
URLhaus.URL.Tags string A list of tags associated with the queried malware URL.
URLhaus.URL.Payload.Name string Payload file name.
URLhaus.URL.Payload.Type string Payload file type.
URLhaus.URL.Payload.MD5 string MD5 hash of the HTTP response body (payload).
URLhaus.URL.Payload.VT.Result number VirusTotal results for the payload.
URLhaus.URL.Payload.VT.Link string Link to the VirusTotal report.
DBotScore.Type string Indicator type.
DBotScore.Vendor string Vendor used to calculate the score.
DBotScore.Score number The actual score.
DBotScore.Indicator string The indicator that was tested.

Command Example
!url url="http://sskymedia.com/VMYB-ht_JAQo-gi/INV/99401FORPO/20673114777/US/Outstanding-Invoices/"

2. Get information for a domain


Retrieves domain information from URLhaus.

Base Command

domain

Input
Argument Name Description Required
domain Domain to query. Required

Context Output
Path Type Description
Domain.Name string The domain name, for example, google.com.
Domain.Malicious.Vendor string Vendor that reported the domain as malicious.
Domain.Malicious.Description string Description of the malicious domain.
URLhaus.Domain.FirstSeen date Date the domain was seen for the first time (UTC).
URLhaus.Domain.Blacklist.Name string Name of the blacklist.
URLhaus.Domain.Blacklist.Status string Status of the domain in the blacklist.
URLhaus.Domain.URL string URLs observed on this domain.
DBotScore.Type string Indicator type.
DBotScore.Vendor string Vendor used to calculate the score.
DBotScore.Score number The actual score.
DBotScore.Indicator string The indicator that was tested.

Command Example
!domain domain="vektorex.com"
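The url and domain commands both turn a URLhaus lookup into the context paths listed above plus a DBotScore. The following is an added example (not the integration's own code) of that mapping for the url command, showing how the two instance parameters, "Blacklists appearances threshold" and "Compromised (is malicious)", can drive the score. The response is a constructed sample in the shape of the URLhaus v1 url lookup; its field names follow the public API documentation but are an assumption here, and the scoring policy is an illustrative reading of the parameters, not the integration's actual implementation.

```python
"""Map a URLhaus url lookup onto Demisto context and a DBotScore.

Added example, not the integration's own code. Field names of the response
are assumed from the public URLhaus API documentation; the scoring policy
is an illustrative reading of the instance parameters.
"""
import json

# DBotScore values used by Demisto: 0 unknown, 1 good, 2 suspicious, 3 malicious.
DBOT_UNKNOWN, DBOT_SUSPICIOUS, DBOT_MALICIOUS = 0, 2, 3

# Constructed sample response; the ID, host, URL and hash are placeholders.
SAMPLE_URL_RESPONSE = json.dumps({
    "query_status": "ok",
    "id": "000001",
    "url": "http://example.invalid/INV/Outstanding-Invoices/",
    "url_status": "online",
    "host": "example.invalid",
    "date_added": "2019-01-01 10:00:00 UTC",
    "threat": "malware_download",
    "blacklists": {"spamhaus_dbl": "abused_legit_malware", "surbl": "not listed"},
    "tags": ["emotet", "doc"],
    "payloads": [{
        "filename": "invoice.doc",
        "file_type": "doc",
        "response_md5": "00000000000000000000000000000000",
        "virustotal": {"result": "10 / 60", "percent": "16.67",
                       "link": "https://example.invalid/vt-report"},
    }],
})


def count_blacklist_hits(blacklists, compromised_is_malicious):
    """Count the blacklists in which the indicator is listed.

    URLhaus reports "not listed" for a clean entry. Spamhaus DBL reports
    "abused_legit_*" for a legitimate site that was compromised; whether such
    a listing counts is what "Compromised (is malicious)" decides (assumed).
    """
    hits = 0
    for status in blacklists.values():
        if status == "not listed":
            continue
        if status.startswith("abused_legit") and not compromised_is_malicious:
            continue
        hits += 1
    return hits


def dbot_score(query_status, blacklists, threshold, compromised_is_malicious):
    """Unknown if URLhaus has no entry; malicious once the listing count
    reaches the threshold; otherwise suspicious (it is in URLhaus after all)."""
    if query_status != "ok":
        return DBOT_UNKNOWN
    if count_blacklist_hits(blacklists, compromised_is_malicious) >= threshold:
        return DBOT_MALICIOUS
    return DBOT_SUSPICIOUS


def url_to_context(raw_json, queried_url, threshold=1, compromised_is_malicious=False):
    """Build the DBotScore, URL and URLhaus.URL context entries for one lookup."""
    resp = json.loads(raw_json)
    blacklists = resp.get("blacklists", {})
    score = dbot_score(resp.get("query_status"), blacklists, threshold, compromised_is_malicious)
    context = {"DBotScore": {"Indicator": queried_url, "Type": "url",
                             "Vendor": "URLhaus", "Score": score}}
    if resp.get("query_status") != "ok":
        return context  # no_results / invalid_url: nothing more to report
    context["URLhaus.URL"] = {
        "ID": resp.get("id"),
        "Status": resp.get("url_status"),
        "Host": resp.get("host"),
        "DateAdded": resp.get("date_added"),
        "Threat": resp.get("threat"),
        "Tags": resp.get("tags", []),
        "Blacklist": [{"Name": n, "Status": s} for n, s in blacklists.items()],
        "Payload": [{"Name": p.get("filename"), "Type": p.get("file_type"),
                     "MD5": p.get("response_md5"),
                     "VT": {"Result": (p.get("virustotal") or {}).get("result"),
                            "Link": (p.get("virustotal") or {}).get("link")}}
                    for p in resp.get("payloads", [])],
    }
    context["URL"] = {"Data": resp.get("url", queried_url)}
    if score == DBOT_MALICIOUS:
        context["URL"]["Malicious"] = {"Vendor": "URLhaus", "Description": resp.get("threat")}
    return context


if __name__ == "__main__":
    ctx = url_to_context(SAMPLE_URL_RESPONSE, "http://example.invalid/INV/Outstanding-Invoices/",
                         compromised_is_malicious=True)
    print(json.dumps(ctx, indent=2))
```

With the defaults (threshold 1, compromised not malicious) the sample scores Suspicious because its only listing is a compromised-legitimate one; flipping "Compromised (is malicious)" turns the same response into Malicious and populates URL.Malicious. The domain command follows the same pattern, with the domain lookup's blacklists object feeding the same scoring function.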

3. Get information for a file


Retrieves file information from URLhaus.

Base Command

file

Input
Argument Name Description Required
file MD5 hash or SHA256 hash of the file to query. Required

Context Output
Path Type Description
File.Size Number File size (in bytes).
File.MD5 String MD5 hash of the file.
File.SHA256 String SHA256 hash of the file.
URLhaus.File.MD5 String MD5 hash of the file.
URLhaus.File.SHA256 String SHA256 hash of the file.
URLhaus.File.Type String File type guessed by URLhaus, for example: .exe, .doc.
URLhaus.File.Size Number File size (in bytes).
URLhaus.File.Signature String Malware family.
URLhaus.File.FirstSeen Date Date and time (UTC) that URLhaus first saw this file (payload).
URLhaus.File.LastSeen Date Date and time (UTC) that URLhaus last saw this file (payload).
URLhaus.File.DownloadLink String Location (URL) where you can download a copy of this file.
URLhaus.File.VirusTotal.Percent Number AV detection (percentage), for example: 24.14.
URLhaus.File.VirusTotal.Link String Link to the VirusTotal report.
URLhaus.File.URL Unknown A list of malware URLs associated with this payload (max. 100).

Command Example
!file file="01fa56184fcaa42b6ee1882787a34098c79898c182814774fd81dc18a6af0b01"

4. Download a malware sample


Downloads a malware sample from URLhaus.

Base Command

urlhaus-download-sample

Input
Argument Name Description Required
file SHA256 hash of the file to download. Required

Context Output
Path Type Description
File.Size number File size.
File.SHA1 string SHA1 hash of the file.
File.SHA256 string SHA256 hash of the file.
File.Name string File name.
File.SSDeep string SSDeep hash of the file.
File.EntryID string File entry ID.
File.Info string File information.
File.Type string File type.
File.MD5 string MD5 hash of the file.
File.Extension string File extension.

Command Example
!urlhaus-download-sample file="01fa56184fcaa42b6ee1882787a34098c79898c182814774fd81dc18a6af0b01"
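Before a downloaded sample is written to the War Room as a file entry, the bytes actually received should be checked against the SHA256 that was requested; the File context fields listed above are then derived from those bytes. The following is an added example of that check, not the integration's own code. The sample body is a constructed stand-in (the ASCII string "abc") so the hashes are known; real samples are binaries. File.SSDeep is omitted because it needs a third-party library.

```python
"""Verify a downloaded sample against the requested SHA256 and build the File context.

Added example, not the integration's own code. SAMPLE_BLOB is a constructed
stand-in for the sample body; the File paths follow the documented context output.
"""
import hashlib
import os

# Constructed stand-in for the downloaded body; its SHA256 is the well-known digest of "abc".
SAMPLE_BLOB = b"abc"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def build_file_context(requested_sha256, blob, filename):
    """Return (ok, result): the File context on a hash match, an error string otherwise.

    Comparing the digest of what was received with the digest the analyst asked
    for catches truncated transfers and mix-ups between samples before the bytes
    are stored as a file entry or passed on to a detonation playbook.
    """
    actual = hashlib.sha256(blob).hexdigest()
    if actual != requested_sha256.strip().lower():
        return False, "SHA256 mismatch: requested %s, received %s" % (requested_sha256, actual)
    _, ext = os.path.splitext(filename)
    return True, {"File": {
        "Name": filename,
        "Extension": ext.lstrip("."),
        "Size": len(blob),
        "MD5": hashlib.md5(blob).hexdigest(),
        "SHA1": hashlib.sha1(blob).hexdigest(),
        "SHA256": actual,
        "Info": "URLhaus malware sample",
    }}


if __name__ == "__main__":
    ok, result = build_file_context(SAMPLE_SHA256, SAMPLE_BLOB, SAMPLE_SHA256 + ".bin")
    print(ok, result)
    ok, result = build_file_context("00" * 32, SAMPLE_BLOB, "other.bin")
    print(ok, result)  # mismatch: no file entry is created
```

On a mismatch the function returns the error text instead of a context entry, so a playbook can stop rather than hand an unverified binary to later steps.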