VirusTotal released a new feature today that allows a user to visualize data associated with a submitted file. Using this tool, a user can easily see information such as the hosts the file connects to, what files it creates, and more. Even better, this new tool is available to all members and not only to subscribers of VirusTotal's premium Intelligence platform.
Called VirusTotal Graph, the visualization tool, VirusTotal explains, can help a user understand the relationships between the different pieces of data associated with a submitted file.
It is a visualization tool built on top of VirusTotal’s data set. It understands the relationship between files, URLs, domains and IP addresses and it provides an easy interface to pivot and navigate over them.
By exploring and expanding each of the nodes in your graph, you can build the network and see the connections across the samples you are studying. By clicking on the nodes, you can see at a glance the most relevant information for each item. You can also add labels and see an in-depth report by going to VirusTotal Public or VirusTotal Intelligence report.
You can get to VirusTotal Graph either by going directly to the URL https://www.virustotal.com/graph/ and submitting a known hash, or by going to the analysis page of a particular file. On the analysis page there is a new option under the dropdown menu labeled Open in VirusTotal Graph, which brings you to that file's Graph page.
Once at the Graph page, you will see an item called the Root Node. This is the object associated with the file that was submitted to VirusTotal. From this node, you will see various arrows to information related to the sample. For this article, we will take a look at a simple Graph associated with an adware infection.
This graph contains the Root Node and two URLs it connects to.
You can then double-click on each node to dig down further into the details of that particular data object. When you double-click on a node, it expands the object and shows that object's related data. Below we can see what files were downloaded by the Root Node when it connected to a URL.
It does not end there: you can also double-click on a downloaded file to find out information related to that particular file. This allows you to dig into a sample and see all of the data, files, domains, associated countries, URLs, and more related to the submitted file.
While everyone sees a base Graph associated with a file, it is also possible to customize a particular graph and save it for your own use. For example, if you are analyzing a particular malware sample and want to add labels to various objects as you research them, you can easily do so.
To add a label, just right-click on an object and add a label. As you can see in the image below, I added the label Adware Downloader to a particular file object.
You can then click on the save button, as shown by the arrow above, to save your customizations to a new Graph. Once you save a graph, you will be given a new link that you can use to access this graph in the future or share it with others.
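The expand, pivot, label and save workflow described above is easiest to reason about as operations on a relationship graph. The following Python model is an added illustration for this article, not VirusTotal's code or API: the RELATIONS table is constructed sample data with placeholder hashes and hosts, and the node types, relation names and the Graph class are assumptions chosen to mirror the behaviour of the UI (a root node, double-click expansion, analyst labels, and a serialisable saved graph).

```python
from collections import deque

# Constructed sample relationships standing in for the data set behind the
# graph (not real VirusTotal data; hashes and hosts are placeholders).
# Key: (node_type, node_id). Value: list of (relation, node_type, node_id).
RELATIONS = {
    ("file", "ROOT_SHA256_PLACEHOLDER"): [
        ("contacts", "url", "http://example.invalid/landing"),
        ("contacts", "url", "http://example.invalid/update"),
    ],
    ("url", "http://example.invalid/landing"): [
        ("downloads", "file", "DROPPED_SHA256_1"),
        ("downloads", "file", "DROPPED_SHA256_2"),
        ("hosted_on", "domain", "example.invalid"),
    ],
    ("url", "http://example.invalid/update"): [
        ("hosted_on", "domain", "example.invalid"),
    ],
    ("domain", "example.invalid"): [
        ("resolves_to", "ip", "192.0.2.10"),
    ],
    ("file", "DROPPED_SHA256_1"): [
        ("contacts", "url", "http://example.invalid/report"),
    ],
}

ROOT = ("file", "ROOT_SHA256_PLACEHOLDER")


class Graph:
    """A graph that starts from a root node and grows as nodes are expanded."""

    def __init__(self, root):
        self.root = root
        self.nodes = {root}
        self.edges = set()      # (source, relation, target)
        self.labels = {}        # node -> analyst-supplied label

    def expand(self, node):
        """Equivalent of double-clicking a node: pull in its related objects.
        Returns every target of the node, whether or not it was already present."""
        targets = []
        for relation, ntype, nid in RELATIONS.get(node, []):
            target = (ntype, nid)
            self.nodes.add(target)
            self.edges.add((node, relation, target))
            targets.append(target)
        return targets

    def expand_all(self, max_depth):
        """Breadth-first pivot from the root, expanding nodes fewer than
        max_depth hops away. Returns the number of nodes now on the graph."""
        seen = {self.root}
        queue = deque([(self.root, 0)])
        while queue:
            node, depth = queue.popleft()
            if depth >= max_depth:
                continue
            for target in self.expand(node):
                if target not in seen:
                    seen.add(target)
                    queue.append((target, depth + 1))
        return len(self.nodes)

    def related(self, node, relation):
        """Targets one relation away, e.g. the files downloaded from a URL."""
        return sorted(t for s, r, t in self.edges if s == node and r == relation)

    def label(self, node, text):
        """Attach an analyst label; the object must already be on the graph."""
        if node not in self.nodes:
            raise KeyError(f"{node} is not on the graph; expand its parent first")
        self.labels[node] = text

    def save(self):
        """Serialisable snapshot, analogous to saving a customised graph to share."""
        return {
            "root": list(self.root),
            "nodes": sorted(list(n) for n in self.nodes),
            "edges": sorted([list(s), r, list(t)] for s, r, t in self.edges),
            "labels": {f"{t}:{i}": v for (t, i), v in self.labels.items()},
        }


if __name__ == "__main__":
    g = Graph(ROOT)
    print("nodes after two hops:", g.expand_all(2))
    landing = ("url", "http://example.invalid/landing")
    print("downloaded from landing URL:", g.related(landing, "downloads"))
    g.label(("file", "DROPPED_SHA256_1"), "Adware Downloader")
    print("saved graph:", g.save())
```

Expanding to depth 2 from the constructed root yields the two contacted URLs plus the files and domain behind them; a further hop brings in the resolved IP and the URL contacted by the dropped file, which is the same widening view you get by double-clicking successive nodes in the UI.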
While VirusTotal Graph will definitely take some time to get used to, with the amount of data at your fingertips it will become a very useful tool when analyzing malware and the items associated with it.
To help learn how to use this new tool, VirusTotal has released video tutorials on how to use Graph with files and domains.