Eric Partington

Context Menu - VirusTotal Hash Lookup

Blog post created by Eric Partington on Jan 16, 2017

Let's say you have a NetWitness packet capture and you have located a suspicious executable that you want to check against VirusTotal or another hash lookup site to see if there are any matches. How would you go about that in the most efficient way possible?


Luckily, the context menu function can save you from copy-and-paste madness.


To use this context menu you need to be in the Events section of Investigator, looking at the files in the session.

Investigator > Events (where filename exists) > double click on session


You will see the hashes on the right for each of the files located in the session.

You can right-click on the hash and select the option to submit it to VirusTotal (or whatever other site you have added to check the hash against).


VirusTotal will open in a new tab with the hash passed over as the search query, taking you to the search results or report for that hash.


Here is the context menu:

{
    "displayName": "[VirusTotal Hash]",
    "cssClasses": [
        "ctxmenu-hash-lookup"
    ],
    "description": "",
    "type": "UAP.common.contextmenu.actions.URLContextAction",
    "version": "Custom",
    "modules": [
        "investigation"
    ],
    "local": "false",
    "urlFormat": "https://www.virustotal.com/en/search/?query={0}",
    "disabled": "",
    "id": "vtHashLookup",
    "moduleClasses": [
        "UAP.investigation.reconstruction.view.content.ReconstructedEventDataGrid"
    ],
    "openInNewTab": "true"
}
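As an added example, not part of the original post and not NetWitness code, the following Python script shows what the action definition above does with the {0} placeholder in urlFormat: it parses the definition as JSON (a stray trailing comma after the last key is a common reason such a file fails to load), confirms the selected value looks like an MD5, SHA-1 or SHA-256 digest, and builds the URL that the new tab would open. The load_action and render_url functions and the hash-format check are assumptions of this example; the action JSON is copied from the post.

```python
import json
import re
from urllib.parse import quote

# Constructed copy of the action definition from the post (no trailing comma).
VT_ACTION_JSON = """{
    "displayName": "[VirusTotal Hash]",
    "cssClasses": ["ctxmenu-hash-lookup"],
    "description": "",
    "type": "UAP.common.contextmenu.actions.URLContextAction",
    "version": "Custom",
    "modules": ["investigation"],
    "local": "false",
    "urlFormat": "https://www.virustotal.com/en/search/?query={0}",
    "disabled": "",
    "id": "vtHashLookup",
    "moduleClasses": ["UAP.investigation.reconstruction.view.content.ReconstructedEventDataGrid"],
    "openInNewTab": "true"
}"""

# MD5, SHA-1 and SHA-256 digests are 32, 40 and 64 hex characters respectively.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def load_action(text):
    """Parse an action definition; raise ValueError on bad JSON or missing keys."""
    try:
        action = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid context menu JSON: {exc}") from exc
    for key in ("id", "type", "urlFormat"):
        if key not in action:
            raise ValueError(f"action is missing required key {key!r}")
    if "{0}" not in action["urlFormat"]:
        raise ValueError("urlFormat has no {0} placeholder for the selected value")
    return action


def render_url(action, value):
    """Expand {0} with the right-clicked value, refusing anything that is not a hash."""
    value = value.strip()
    if not HASH_RE.match(value):
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
    # quote() keeps the URL well-formed even though a valid hash is already URL-safe.
    return action["urlFormat"].replace("{0}", quote(value, safe=""))


if __name__ == "__main__":
    # Constructed sample value: the MD5 digest of the empty string.
    print(render_url(load_action(VT_ACTION_JSON), "d41d8cd98f00b204e9800998ecf8427e"))
```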
