VirusTotal

Google / Chronicle

Cloud multi-engine scanning and threat-intel pivot for hashes, URLs, files and domains.

Malware Analysis & Sandboxing | Freemium | Web App | Practiced in lab | SaaS

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
1 Reconnaissance
2 Weaponization
3 Delivery
4 Exploitation
5 Installation
6 Command & Control
7 Actions on Objectives
Defender — IR Lifecycle
8 Detection / Monitoring
9 Containment & Eradication
10 Post-incident Forensics

Description

VirusTotal (Google) aggregates 70+ antivirus engines and dozens of URL/file analysers behind a single API and web UI. Submitting a hash, URL, IP, or domain returns engine verdicts, file metadata, behavioural reports from sandboxes, and (with a paid account) VT Intelligence — a Google-style search across the global corpus of submitted samples.

For a CySA+ analyst, VirusTotal is the universal second-opinion and pivot tool: given an IOC, find every related sample, every contacted domain, every YARA rule that matched, and every campaign that has reused the infrastructure.

Use cases

  • Second opinion on an EDR alert
  • Pivoting from a single hash to related infrastructure
  • Enriching SIEM detections with VT verdicts (via API)

Example

# Look up a file hash via the v3 API; replace <sha256> with the hash and
# export the API key as $VT_API_KEY (the key is sent in the x-apikey header)
curl --request GET \
     --url https://www.virustotal.com/api/v3/files/<sha256> \
     --header "x-apikey: $VT_API_KEY"
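As an added example (not VirusTotal's own client code), a Python version of the same v3 lookup wired for the SIEM-enrichment use case above: it builds the request from the curl example, treats an HTTP 404 (hash never submitted) as a distinct "unknown" verdict rather than an error, and reduces the report's last_analysis_stats / last_analysis_results to a compact verdict a SIEM can act on. The MALICIOUS_THRESHOLD policy, the engine names and the sample report are assumptions constructed for the example.

```python
import json
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"
MALICIOUS_THRESHOLD = 5  # hypothetical local escalation policy, not a VirusTotal value


def build_request(sha256: str, api_key: str) -> urllib.request.Request:
    """Same call as the curl example: GET /files/<sha256> with the x-apikey header."""
    return urllib.request.Request(VT_FILES_URL + sha256.lower(),
                                  headers={"x-apikey": api_key}, method="GET")


def fetch_report(sha256: str, api_key: str):
    """Return the parsed v3 report, or None when VT has never seen the hash (HTTP 404)."""
    try:
        with urllib.request.urlopen(build_request(sha256, api_key), timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # unknown hash is a signal for the analyst, not a failure
            return None
        raise


def summarize(report) -> dict:
    """Reduce a v3 file report to the fields worth attaching to a SIEM event."""
    if report is None:
        return {"verdict": "unknown", "malicious": 0, "total": 0, "flagged_by": []}
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    total = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    flagged_by = sorted(name for name, r in attrs.get("last_analysis_results", {}).items()
                        if r.get("category") == "malicious")
    if malicious >= MALICIOUS_THRESHOLD:
        verdict = "malicious"
    elif malicious + stats.get("suspicious", 0) > 0:
        verdict = "suspicious"  # a few hits: route to an analyst rather than auto-close
    else:
        verdict = "clean"
    return {"verdict": verdict, "malicious": malicious, "total": total, "flagged_by": flagged_by}


# Constructed sample in the v3 response shape (not a real report; results truncated).
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"harmless": 0, "malicious": 6, "suspicious": 1, "undetected": 58},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
        "EngineB": {"category": "malicious", "result": "Malware.Heuristic"},
        "EngineC": {"category": "undetected", "result": None}}}}}
```

Call `summarize(fetch_report(sha256, api_key))` from a SIEM enrichment hook; `summarize(SAMPLE_REPORT)` shows the shape of the result without network access.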