Enhancing Digital Forensics with X-Ways X-Tensions: VirusTotal Plugin
VirusTotal offers a hash lookup API, allowing forensics examiners to look up hashes for files to determine if the files are malicious, unknown, or benign. At Polito, our forensic experts often rely on X-Ways Forensics to rapidly acquire and analyze digital computer evidence. Today, Polito is pleased to announce that we are releasing our VirusTotal extension for X-Ways. This open source extension is useful for quickly triaging a file hash or multiple file hashes at once, all from within the X-Ways Forensics interface.
Figure 1 - Overview of VirusTotal X-Ways Extension results
Obtaining VirusTotal X-Ways Extension
Step 1: Download the VirusTotal X-Ways Extension
The VirusTotal extension can be downloaded from our Github repository here:
The extension is designed to run on 19.x and 20.x 64-bit versions of X-Ways. It may or may not work on older versions, as it has only been tested on 64-bit X-Ways versions 19.3 to 20.5. We are working on testing additional recent versions for compatibility.
Step 2: Prepare Your VirusTotal API Key
You can sign up for VirusTotal’s free API key at https://www.virustotal.com/gui/join-us and your API key can be found in your VirusTotal account menu.
Step 3: Create VirusTotal Configuration File
In the same folder where you saved the .DLL, create a file named vtconfig.txt.
The vtconfig.txt file should contain your API key followed by the queries per minute you would like X-Ways to make, separated by a “:” character. For example:
This will tell the extension that your API key is “01234...abcd”, and the extension will execute 4 queries per minute.
NOTE: Do not use notepad.exe to create vtconfig.txt, since Notepad can add extra characters to the file that the extension will read as part of your API key.
Adding the VirusTotal X-Ways Extension to X-Ways
To add the extension to X-Ways, go to Tools > Run X-Tensions, then click the add button (plus sign). Navigate to the folder where you saved the .DLL, select it, and click OK.
Figure 2 - Popup window to add the VirusTotal extension
Before the extension can be used, you need to hash the files of interest in your X-Ways evidence. The typical way to hash all files in X-Ways is to go to:
Specialist > Refine Volume Snapshot > and check the option to "Compute hash"
If you want to process and hash the file contents of compressed file archives, make sure to also check the corresponding box to "Include contents of file archives: zip, rar, 7z, tar, gz, ... ".
How to Use the VirusTotal X-Ways Extension
To use the extension, right-click on the file or files of interest to select them and click Run X-Tensions... in the context menu that appears. Select the VirusTotal extension then click the OK button to run it.
Figure 3 - Right click menu to run X-Ways extensions on specific files
After running the XT_VirusTotal.DLL extension, the “Hash category” column will be populated with a tag of “notable” for easy filtering. Hovering over the Metadata column will expand the cell and show the results of the query.
Figure 4 - Metadata results after running VirusTotal extension
After running the VirusTotal extension, a completion message will appear in the X-Ways message box.
Figure 5 - Message box showing status of VirusTotal extension’s progress
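As an added illustration of the vtconfig.txt format from Step 3 and of the "notable" tagging described above (example code written for this post, not the extension's own source), the script below parses a config line, rejects the kind of stray characters an editor can add, and paces hash lookups to the configured queries per minute against the VirusTotal v3 files endpoint. The `fetch` callable, the `classify` labels, and the key-format check are assumptions of this example, not behaviour documented for the DLL.

```python
import re
import time
from typing import Callable, Dict, List, Tuple

# vtconfig.txt format from the post: "<api key>:<queries per minute>" on one line.
# Restricting the key to alphanumerics is this example's assumption.
CONFIG_RE = re.compile(r"^([A-Za-z0-9]+):([1-9][0-9]*)$")
# MD5, SHA-1 or SHA-256 hex digests, the hash types VirusTotal accepts for file lookups.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def parse_vtconfig(text: str) -> Tuple[str, int]:
    """Return (api_key, queries_per_minute). A UTF-8 byte-order mark or any character
    outside the expected format is rejected, since a stray byte silently corrupts the key."""
    if text.startswith("\ufeff"):
        raise ValueError("vtconfig.txt begins with a byte-order mark; re-save as plain ASCII")
    m = CONFIG_RE.match(text.rstrip("\r\n"))
    if not m:
        raise ValueError("expected '<api key>:<queries per minute>' with no extra characters")
    return m.group(1), int(m.group(2))


def classify(status: int, body: dict) -> str:
    """Map a VirusTotal v3 file-object response onto the triage labels used in the post."""
    if status == 404:
        return "unknown"          # hash has never been submitted to VirusTotal
    if status != 200:
        return f"error {status}"  # e.g. 401 bad key, 429 quota exceeded
    stats = body["data"]["attributes"]["last_analysis_stats"]
    return "notable" if stats.get("malicious", 0) > 0 else "benign"


def lookup_hashes(hashes: List[str], api_key: str, per_minute: int,
                  fetch: Callable[[str, dict], Tuple[int, dict]],
                  sleep: Callable[[float], None] = time.sleep) -> Dict[str, str]:
    """Query each hash, spacing requests 60/per_minute seconds apart to honour the
    configured rate. fetch(url, headers) returns (status, json) so a real HTTP
    client or an offline stub can be plugged in."""
    interval = 60.0 / per_minute
    results: Dict[str, str] = {}
    sent = 0
    for h in hashes:
        if not HASH_RE.match(h):
            results[h] = "invalid hash"
            continue
        if sent:
            sleep(interval)
        status, body = fetch(VT_FILES_URL + h.lower(), {"x-apikey": api_key})
        results[h] = classify(status, body)
        sent += 1
    return results
```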
Our team is eager to hear your feedback. Please feel free to open an issue on GitHub or contact us about any questions, bug reports, or anything else.
For more X-Ways extensions look here: https://www.x-ways.net/forensics/x-tensions/index.html
If you’d like to learn more about mimikatz, the tool flagged by VirusTotal in the example screenshots above, look here: https://github.com/gentilkiwi/mimikatz
Polito Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, red teaming engagements, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.