Get a File behaviour report from a sandbox.

External Documentation

To learn more, visit the VirusTotal documentation.

Parameters

| Parameter | Description |
| --- | --- |
| Analysed File’s SHA256 | The analysed file’s SHA256 identifier. Together with the sandbox name it forms the report `id` (`<sha256>_<sandbox name>`, as in the example output). |
| Sandbox Name | The name of the required sandbox, e.g. `Zenbox`, matching the `sandbox_name` value returned in the report. |

Example Output

{
	"data": {
		"id": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08_Zenbox",
		"type": "file_behaviour",
		"links": {
			"self": "https://mock-api.example.com/v3/file_behaviours/mock-behaviour-id-1"
		},
		"attributes": {
			"behash": "25d02ca094be83575d9f51298b3448ba",
			"last_modification_date": 1712589429,
			"analysis_date": 1712589367,
			"processes_tree": [
				{
					"process_id": "7456",
					"name": "C:\\Windows\\System32\\wscript.exe C:\\Windows\\System32\\WScript.exe "
				}
			],
			"has_evtx": true,
			"memory_dumps": [
				{
					"file_name": "00000001.00000003.1028472294.0000018726DDD000.00000004.00000020.00020000.00000000.sdmp",
					"process": "C:\\Windows\\System32\\wscript.exe",
					"size": "77824",
					"base_address": "1679984283648",
					"stage": "MEM_STAGE_FREE"
				}
			],
			"mitre_attack_techniques": [
				{
					"id": "T1064",
					"severity": "IMPACT_SEVERITY_INFO",
					"signature_description": "Found WSH timer for Javascript or VBS script (likely evasive script)",
					"refs": [
						{
							"ref": "#signature_matches",
							"value": "839"
						}
					]
				},
				{
					"id": "T1082",
					"severity": "IMPACT_SEVERITY_INFO",
					"signature_description": "Queries the cryptographic machine GUID",
					"refs": [
						{
							"ref": "#signature_matches",
							"value": "285"
						}
					]
				},
				{
					"id": "T1082",
					"severity": "IMPACT_SEVERITY_INFO",
					"signature_description": "Reads software policies",
					"refs": [
						{
							"ref": "#signature_matches",
							"value": "509"
						}
					]
				}
			],
			"processes_terminated": [
				"C:\\Windows\\System32\\wscript.exe"
			],
			"dns_lookups": [
				{
					"hostname": "mock.example.com",
					"resolved_ips": [
						"192.0.2.71",
						"192.0.2.73",
						"192.0.2.68",
						"192.0.2.2",
						"192.0.2.67",
						"192.0.2.23",
						"192.0.2.4",
						"192.0.2.74"
					]
				}
			],
			"tags": [
				"IDLE",
				"LONG_SLEEPS"
			],
			"files_opened": [
				"C:\\Users\\user\\Desktop\\sample.js",
				"C:\\Users\\user\\Desktop\\sample.js\\",
				"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
				"C:\\Windows\\SYSTEM32\\USERENV.dll",
				"C:\\Windows\\SYSTEM32\\WLDP.DLL",
				"C:\\Windows\\SYSTEM32\\amsi.dll"
			],
			"registry_keys_opened": [
				"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\UrlZones",
				"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}",
				"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{000C10F1-0000-0000-C000-000000000046}"
			],
			"verdict_confidence": 100,
			"processes_created": [
				"C:\\Windows\\System32\\wscript.exe C:\\Windows\\System32\\WScript.exe \"C:\\Users\\user\\Desktop\\sample.js\""
			],
			"verdicts": [
				"CLEAN"
			],
			"has_memdump": true,
			"signature_matches": [
				{
					"id": "507",
					"description": "Uses an in-process (OLE) Automation server",
					"match_data": [
						"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\\InprocServer32"
					],
					"severity": "IMPACT_SEVERITY_INFO"
				}
			],
			"sandbox_name": "Zenbox",
			"has_html_report": true,
			"has_pcap": true
		}
	}
}

Workflow Library Example

Get File Behaviour Report from Sandbox with Virustotal and Send Results Via Email
