VT Hunting is a service that applies the power of YARA to VirusTotal's dataset. It consists of two different components: Livehunt and Retrohunt. If you have never used YARA before, we recommend that you start by reading the YARA documentation and getting familiar with it. You can also visit the YARA project site for additional tools and resources.
Besides hunting for files in real time as they arrive at VirusTotal, you can also apply your YARA rules to files submitted in the past with the Retrohunt component. A Retrohunt job can take some time to complete and scans files sent to VirusTotal in the last 3 months; this can be increased to 12 months with Threat Hunter Pro. Retrohunt jobs may also be automated using VirusTotal APIv3.
Note, however, that none of the Malware Hunting-specific features work with Retrohunt: rules based on the number of positives, antivirus signatures, tags, file type or Cuckoo behaviour reports will not match. Only pure YARA rules will work.
Creating a Retrohunt job
On the homepage, click on the hunting icon:
From the left menu, select Retrohunt.
Click on "New retrohunt job":
Here you can add your YARA rule and choose whether you want to receive an email once the job has finished. Remember that only pure YARA rules work with Retrohunt (the VirusTotal YARA module cannot be used).
You can also choose to run your Retrohunt job against a corpus of goodware files in order to test a rule; this kind of job completes quickly.
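The "pure YARA only" restriction is easy to trip over when a Livehunt rule is reused for Retrohunt. The following is an added example, not VirusTotal's own code: it rejects rules that depend on the VirusTotal `vt` module before anything is submitted, builds the APIv3 job body for either the main corpus or the goodware test corpus, and optionally posts it. The endpoint `intelligence/retrohunt_jobs` and the attribute names (`rules`, `corpus`, `notification_email`) follow VirusTotal API v3 as the author of this example understands it and should be verified against the official API reference; the two sample rules are constructed for illustration.

```python
"""Pre-check a YARA rule for Retrohunt and build the APIv3 job request (added example)."""
import json
import os
import re
import urllib.request

# Retrohunt only accepts pure YARA. Anything that needs VirusTotal's "vt" module
# (number of positives, AV signatures, tags, file type, behaviour) is Livehunt-only.
VT_MODULE_IMPORT = re.compile(r'^\s*import\s+"vt"\s*$', re.MULTILINE)
VT_MODULE_USE = re.compile(r'\bvt\.')

def retrohunt_compatible(rule_text):
    """Return (ok, reason); ok is False when the rule depends on the vt module."""
    if VT_MODULE_IMPORT.search(rule_text):
        return False, 'rule imports the "vt" module, which Retrohunt cannot evaluate'
    if VT_MODULE_USE.search(rule_text):
        return False, 'rule references vt.* fields, which Retrohunt cannot evaluate'
    return True, "pure YARA rule"

def build_retrohunt_job(rule_text, corpus="main", notification_email=""):
    """Build the JSON body for POST /api/v3/intelligence/retrohunt_jobs.
    corpus is "main" (files submitted in the past) or "goodware" (quick rule test)."""
    ok, reason = retrohunt_compatible(rule_text)
    if not ok:
        raise ValueError(reason)
    if corpus not in ("main", "goodware"):
        raise ValueError("corpus must be 'main' or 'goodware'")
    attributes = {"rules": rule_text, "corpus": corpus}
    if notification_email:  # email sent when the job finishes
        attributes["notification_email"] = notification_email
    return {"data": {"type": "retrohunt_job", "attributes": attributes}}

def submit_retrohunt_job(body, api_key):
    """Submit the job (network call; endpoint/attribute names are an assumption to verify)."""
    req = urllib.request.Request(
        "https://www.virustotal.com/api/v3/intelligence/retrohunt_jobs",
        data=json.dumps(body).encode(), method="POST",
        headers={"x-apikey": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample rules: the first is pure YARA, the second needs the vt module.
PURE_RULE = 'rule upx_header { strings: $s = "UPX!" ascii condition: uint16(0) == 0x5a4d and $s }'
LIVEHUNT_RULE = 'import "vt"\nrule many_positives { condition: vt.metadata.analysis.stats.malicious > 10 }'

if __name__ == "__main__":
    job = build_retrohunt_job(PURE_RULE, corpus="goodware")
    print(json.dumps(submit_retrohunt_job(job, os.environ["VT_API_KEY"]), indent=2))
```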
Retrohunt job results
- Status of the job: Starting, Running, Aborted or Finished.
- Number of matches.
- Button to download list of matches.