VMRay

This integration was integrated and tested with version xx of VMRay.

VMRay Playbook

Detonate File - VMRay

Configure VMRay on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for VMRay.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g., https://cloud.vmray.com)
    • API Key
    • Use system proxy
    • Trust any certificate (not secure)
  4. Click Test to validate the URLs, token, and connection.

Known Limitations

  • Non-ASCII characters in file names will be ignored when uploading.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Submit a sample for analysis


Submits a sample to VMRay for analysis.

Base Command

vmray-upload-sample

Input
Argument Name Description Required
entry_id Entry ID of the file to submit. Required
document_password Password of the document. Optional
archive_password Password of an archive. Optional
sample_type Force type of the file. Optional
shareable Whether the file is shareable. Optional
reanalyze Analyze even if analyses already exist. Optional
max_jobs Maximum number of jobs to create (number). Optional
tags A CSV list of tags to add to the sample. Optional

Context Output
Path Type Description
VMRay.Job.JobID Number ID of a new job
VMRay.Job.Created Date Timestamp of job creation.
VMRay.Job.SampleID Number ID of the sample.
VMRay.Job.VMName String Name of the virtual machine.
VMRay.Job.VMID Number ID of the virtual machine.
VMRay.Sample.SampleID Number ID of the sample.
VMRay.Sample.Created Date Timestamp of sample creation.
VMRay.Submission.SubmissionID Number Submission ID.

Command Example
vmray-upload-sample entry_id=79@4 max_jobs=1
Context Example
{
    "VMRay.Sample": [
        {
            "SHA1": "69df095557346b3c136db4378afd5ee7a4839dcc", 
            "Created": "2019-05-27T07:48:11", 
            "SampleID": 3902285, 
            "FileName": "KeePass-2.41-Setup.exe", 
            "FileSize": 3301376, 
            "SSDeep": "98304:rk/6KPcsSO9iShSf0UTsj+te5NrYWM+40n3vGJyc:rkCK0UhSfHsKw5z4OvGJL"
        }
    ], 
    "VMRay.Submission": [
        {
            "SampleID": 3902285, 
            "SubmissionID": 4569315
        }
    ], 
    "VMRay.Job": [
        {
            "Created": "2019-05-27T07:48:11", 
            "JobRuleSampleType": "Windows PE (x86)", 
            "VMID": 20, 
            "SampleID": 3902285, 
            "JobID": 3908304, 
            "VMName": "win10_64_th2"
        }
    ]
}
Human Readable Output

File submitted to VMRay

Jobs ID Samples ID Submissions ID
3908304 3902285 4569315

2. Get analysis details for a sample


Retrieves all analysis details for a specified sample.

Base Command

vmray-get-analysis-by-sample

Input
Argument Name Description Required
sample_id Analysis sample ID. Required
limit Maximum number of results to return (number). Optional

Context Output
Path Type Description
VMRay.Analysis.AnalysisID Number Analysis ID.
VMRay.Analysis.SampleID Number Sample ID in the analysis.
VMRay.Analysis.Severity String Severity of the sample (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown).
VMRay.Analysis.JobCreated Date Date when the analysis job started.
VMRay.Analysis.MD5 String MD5 hash of the sample.
VMRay.Analysis.SHA1 String SHA1 hash of the sample.
VMRay.Analysis.SHA256 String SHA256 hash of the sample.
VMRay.Analysis.SSDeep String ssdeep hash of the sample.

Command Example
vmray-get-analysis-by-sample sample_id=3902238
Human Readable Output

No analysis found for sample id 3902238

3. Get job details for a sample


Retrieves details for all jobs for a specified sample.

Base Command

vmray-get-job-by-sample

Input
Argument Name Description Required
sample_id Job sample ID. Required

Context Output
Path Type Description
VMRay.Job.JobID Number ID of the job.
VMRay.Job.SampleID Number Sample ID of the job.
VMRay.Job.SubmissionID Number ID of the submission.
VMRay.Job.MD5 String MD5 hash of the sample in the job.
VMRay.Job.SHA1 String SHA1 hash of the sample in the job.
VMRay.Job.SHA256 String SHA256 hash of the sample in the job.
VMRay.Job.SSDeep String ssdeep hash of the sample in the job.
VMRay.Job.VMName String Name of the virtual machine.
VMRay.Job.VMID Number ID of the virtual machine.
VMRay.Job.Status String Status of the job.

Command Example
!vmray-get-job-by-sample sample_id=3902238
Context Example
{
    "VMRay.Job": {
        "JobID": 365547,
        "SampleID": 3902238,
        "SubmissionID": 4569262,
        "SHA1": "b94951a9dde256624289abe8b9744d0f61fab8bb",
        "SSDeep": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB",
        "SHA256": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07",
        "MD5": "e24992f83bb3d0ed12b3e8cd7c35888f",
        "VMName": "windows8.1-x64 sp1",
        "VMID": 747112
    }
}
Human Readable Output

4. Get submission results


Retrieves the results of a submission.

Base Command

vmray-get-submission

Input
Argument Name Description Required
submission_id ID of the submission. Can be obtained by running the vmray-upload-sample command. Required

Context Output
Path Type Description
VMRay.Submission.IsFinished Boolean Whether the submission is finished (true or false).
VMRay.Submission.HasErrors Boolean Whether there are any errors in the submission (true or false).
VMRay.Submission.SubmissionID Number ID of the submission.
VMRay.Submission.MD5 String MD5 hash of the sample in the submission.
VMRay.Submission.SHA1 String SHA1 hash of the sample in the submission.
VMRay.Submission.SHA256 String SHA256 hash of the sample in the submission.
VMRay.Submission.SSDeep String ssdeep hash of the sample in the submission.
VMRay.Submission.Severity String Severity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown).
VMRay.Submission.SampleID Number ID of the sample in the submission.

Command Example
vmray-get-submission submission_id=4569262
Context Example
{
    "DBotScore": [
        {
            "Vendor": "VMRay", 
            "Indicator": "e24992f83bb3d0ed12b3e8cd7c35888f", 
            "Score": 0, 
            "Type": "hash"
        }, 
        {
            "Vendor": "VMRay", 
            "Indicator": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07", 
            "Score": 0, 
            "Type": "hash"
        }, 
        {
            "Vendor": "VMRay", 
            "Indicator": "b94951a9dde256624289abe8b9744d0f61fab8bb", 
            "Score": 0, 
            "Type": "hash"
        }, 
        {
            "Vendor": "VMRay", 
            "Indicator": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB", 
            "Score": 0, 
            "Type": "hash"
        }
    ], 
    "VMRay.Submission": {
        "SHA1": "b94951a9dde256624289abe8b9744d0f61fab8bb", 
        "HasErrors": false, 
        "Severity": "Unknown", 
        "IsFinished": true, 
        "SampleID": 3902238, 
        "SubmissionID": 4569262, 
        "SSDeep": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB", 
        "SHA256": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07", 
        "MD5": "e24992f83bb3d0ed12b3e8cd7c35888f"
    }
}
Human Readable Output

Submission results from VMRay for ID 4569262 with severity of Unknown

IsFinished Severity HasErrors MD5 SHA1 SHA256 SSDeep
true Unknown false e24992f83bb3d0ed12b3e8cd7c35888f b94951a9dde256624289abe8b9744d0f61fab8bb 543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07 192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB
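The Detonate File flow that commands 1 and 4 above describe (upload the file, read VMRay.Submission.SubmissionID, then poll vmray-get-submission until IsFinished and check HasErrors and Severity), as an added Python example that is not part of this integration's own code. The `execute` callable and `make_fake_executor` are assumptions standing in for the Demisto command runner; the fake's values are the example values shown in this README.

```python
import time
from typing import Any, Callable, Dict

# Executor is an assumption: something that runs a Demisto command by name and returns its
# context output (in a real automation, a thin wrapper around demisto.executeCommand()).
Executor = Callable[[str, Dict[str, Any]], Dict[str, Any]]

# Severity values documented for VMRay.Submission.Severity in this README.
KNOWN_SEVERITIES = {"Malicious", "Suspicious", "Good", "Blacklisted", "Whitelisted", "Unknown"}

def detonate_file(execute: Executor, entry_id: str, max_polls: int = 10, interval: float = 0.0) -> Dict[str, Any]:
    """Upload a file with vmray-upload-sample, then poll vmray-get-submission until IsFinished."""
    upload_ctx = execute("vmray-upload-sample", {"entry_id": entry_id, "max_jobs": 1})
    submissions = upload_ctx.get("VMRay.Submission") or []
    if not submissions:
        raise RuntimeError("vmray-upload-sample returned no VMRay.Submission entry")
    submission_id = submissions[0]["SubmissionID"]
    for _ in range(max_polls):
        sub = execute("vmray-get-submission", {"submission_id": submission_id}).get("VMRay.Submission", {})
        if not sub.get("IsFinished"):
            time.sleep(interval)  # analysis still running; poll again
            continue
        severity = sub.get("Severity")
        if severity not in KNOWN_SEVERITIES:  # undocumented or missing value: report Unknown, not clean
            severity = "Unknown"
        return {
            "SubmissionID": submission_id,
            "SampleID": sub.get("SampleID"),
            "HasErrors": bool(sub.get("HasErrors")),  # a verdict with errors should not be trusted
            "Severity": severity,
            "SHA256": sub.get("SHA256"),
        }
    raise TimeoutError(f"submission {submission_id} still running after {max_polls} polls")

def make_fake_executor(finish_after: int) -> Executor:
    """Constructed stand-in for the real command runner, using the example values from this README."""
    polls = {"n": 0}
    def execute(command: str, args: Dict[str, Any]) -> Dict[str, Any]:
        if command == "vmray-upload-sample":
            return {"VMRay.Submission": [{"SampleID": 3902238, "SubmissionID": 4569262}]}
        if command == "vmray-get-submission":
            polls["n"] += 1
            done = polls["n"] >= finish_after
            return {"VMRay.Submission": {
                "SubmissionID": args["submission_id"], "SampleID": 3902238, "IsFinished": done,
                "HasErrors": False, "Severity": "Unknown" if done else None,
                "SHA256": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07"}}
        raise ValueError(f"unexpected command {command}")
    return execute
```

In a real playbook the polling interval should be seconds, not zero; the fake finishes on the third poll so the loop can be exercised offline.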

5. Get information for a sample


Retrieves a sample using the sample ID.

Base Command

vmray-get-sample

Input
Argument Name Description Required
sample_id ID of the sample. Required

Context Output
Path Type Description
VMRay.Sample.SampleID Number ID of the sample.
VMRay.Sample.FileName String File name of the sample.
VMRay.Sample.MD5 String MD5 hash of the sample.
VMRay.Sample.SHA1 String SHA1 hash of the sample.
VMRay.Sample.SHA256 String SHA256 hash of the sample.
VMRay.Sample.SSDeep String ssdeep hash of the sample.
VMRay.Sample.Severity String Severity of the sample in the submission (Malicious, Suspicious, Good, Blacklisted, Whitelisted, Unknown).
VMRay.Sample.Type String File type.
VMRay.Sample.Created Date Timestamp of sample creation.
VMRay.Sample.Classifications String Classifications of the sample.

Command Example
vmray-get-sample sample_id=3902238
Context Example
{
    "DBotScore": [
        {
            "Vendor": "VMRay", 
            "Indicator": "e24992f83bb3d0ed12b3e8cd7c35888f", 
            "Score": 0, 
            "Type": "hash"
        }, 
        {
            "Vendor": "VMRay", 
            "Indicator": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07", 
            "Score": 0, 
            "Type": "hash"
        }, 
        {
            "Vendor": "VMRay", 
            "Indicator": "b94951a9dde256624289abe8b9744d0f61fab8bb", 
            "Score": 0, 
            "Type": "hash"
        }, 
        {
            "Vendor": "VMRay", 
            "Indicator": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB", 
            "Score": 0, 
            "Type": "hash"
        }
    ], 
    "VMRay.Sample": {
        "SHA1": "b94951a9dde256624289abe8b9744d0f61fab8bb", 
        "Severity": "Unknown", 
        "Classification": [], 
        "Created": "2019-05-27T07:28:08", 
        "SampleID": 3902238, 
        "FileName": "[TEST][COFENCE]_CASO_1_EMAIL_DA_SISTEMA_COFENCE__ZIP PASSWORD.msg", 
        "SSDeep": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB", 
        "SHA256": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07", 
        "Type": "CDFV2 Microsoft Outlook Message", 
        "MD5": "e24992f83bb3d0ed12b3e8cd7c35888f"
    }
}
Human Readable Output

Results for sample id: 3902238 with severity Unknown

Type MD5 SHA1 SHA256 SSDeep
CDFV2 Microsoft Outlook Message e24992f83bb3d0ed12b3e8cd7c35888f b94951a9dde256624289abe8b9744d0f61fab8bb 543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07 192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB

6. Get threat indicators


Retrieves threat indicators (VTI).

Base Command

vmray-get-threat-indicators

Input
Argument Name Description Required
sample_id ID of the sample. Can be obtained from the VMRay.Sample.SampleID output. Required

Context Output
Path Type Description
VMRay.ThreatIndicator.AnalysisID Number List of connected analysis IDs.
VMRay.ThreatIndicator.Category String Category of threat indicators.
VMRay.ThreatIndicator.Classification String Classifications of threat indicators.
VMRay.ThreatIndicator.ID Number ID of a threat indicator.
VMRay.ThreatIndicator.Operation String Operation the indicators caused.

Command Example
vmray-get-threat-indicators sample_id=3902238
Human Readable Output

No threat indicators for sample ID: 3902238

7. Add a tag to an analysis or submission


Adds a tag to an analysis and/or a submission.

Base Command

vmray-add-tag

Input
Argument Name Description Required
submission_id ID of the submission to which to add tags. Optional
analysis_id ID of the analysis to which to add tags. Optional
tag Tag to add. Optional

Context Output

There is no context output for this command.

Command Example
vmray-add-tag submission_id=4569262 tag=faulty
Human Readable Output

Tags: faulty has been added to submission: 4569262

8. Delete a tag from an analysis or submission


Deletes tags from an analysis and/or a submission.

Base Command

vmray-delete-tag

Input
Argument Name Description Required
analysis_id ID of the analysis from which to delete a tag. Optional
submission_id ID of the submission from which to delete a tag. Optional
tag Tag to delete. Optional

Context Output

There is no context output for this command.

Command Example
vmray-delete-tag submission_id=4569262 tag=faulty
Human Readable Output

Tags: faulty has been added to submission: 4569262

9. Get IOCs for a sample


Retrieves indicators of compromise for a specified sample.

Base Command

vmray-get-iocs

Input
Argument Name Description Required
sample_id ID of the sample. Required

Context Output
Path Type Description
VMRay.Sample.IOC.URL.AnalysisID Number IDs of other analyses that contain the given URL.
VMRay.Sample.IOC.URL.URL String URL.
VMRay.Sample.IOC.URL.Operation String Operation of the specified URL.
VMRay.Sample.IOC.URL.ID Number ID of the URL.
VMRay.Sample.IOC.URL.Type String Type of URL.
VMRay.Sample.IOC.Domain.AnalysisID Number IDs of other analyses that contain the given domain.
VMRay.Sample.IOC.Domain.Domain String Domain.
VMRay.Sample.IOC.Domain.ID Number ID of the domain.
VMRay.Sample.IOC.Domain.Type String Type of domain.
VMRay.Sample.IOC.IP.AnalysisID Number IDs of other analyses that contain the given IP address.
VMRay.Sample.IOC.IP.IP String IP address.
VMRay.Sample.IOC.IP.Operation String Operation of the given IP.
VMRay.Sample.IOC.IP.ID Number ID of the IP address.
VMRay.Sample.IOC.IP.Type String Type of IP address.
VMRay.Sample.IOC.Mutex.AnalysisID Number IDs of other analyses that contain the given mutex.
VMRay.Sample.IOC.Mutex.Name String Name of the mutex.
VMRay.Sample.IOC.Mutex.Operation String Operation of the given mutex.
VMRay.Sample.IOC.Mutex.ID Number ID of the mutex.
VMRay.Sample.IOC.Mutex.Type String Type of mutex.

Command Example
vmray-get-iocs sample_id=3902238
Context Example
{
    "VMRay.Sample": {
        "URL": [], 
        "IP": [], 
        "Domain": [], 
        "Mutex": [], 
        "Registry": []
    }
}
Human Readable Output

No IOCs found in sample 3902238

10. Get information for a job


Retrieves a job by job ID.

Base Command

vmray-get-job-by-id

Input
Argument Name Description Required
job_id ID of a job. Required

Context Output
Path Type Description
VMRay.Job.JobID Number ID of the job.
VMRay.Job.SampleID Number Sample ID of the job.
VMRay.Job.SubmissionID Number ID of the submission.
VMRay.Job.MD5 String MD5 hash of the sample in the job.
VMRay.Job.SHA1 String SHA1 hash of the sample in the job.
VMRay.Job.SHA256 String SHA256 hash of the sample in the job.
VMRay.Job.SSDeep String ssdeep hash of the sample in the job.
VMRay.Job.VMName String Name of the virtual machine.
VMRay.Job.VMID Number ID of the virtual machine.
VMRay.Job.Status String Status of the job.

Command Example
!vmray-get-job-by-id job_id=365547
Context Example
{
    "VMRay.Job": {
        "JobID": 365547,
        "SampleID": 3902238,
        "SubmissionID": 4569262,
        "SHA1": "b94951a9dde256624289abe8b9744d0f61fab8bb",
        "SSDeep": "192:sv28pU/UDVCavCAIl20otWzFtyTI619lKoFt333esXPDOljpcS+oOKzHg4/IOSCS:sv23/eogCPzFcTIaaljXSKbUJiB",
        "SHA256": "543da75d434d172533411bb4a23577d54e2c63d959974c91b5a3098aaa0cad07",
        "MD5": "e24992f83bb3d0ed12b3e8cd7c35888f",
        "VMName": "windows8.1-x64 sp1",
        "VMID": 747112
    }
}