VT Hunting is a service that leverages the power of YARA over VirusTotal's dataset. It consists of two components: Livehunt and Retrohunt. If you have never used YARA before, we recommend starting with the YARA documentation and getting familiar with it. You can also visit the YARA project site for additional tools and resources.
Livehunt allows you to hook into the stream of files submitted to VirusTotal and get notified whenever one of them matches a rule written in the YARA language. By applying YARA rules to the files submitted to VirusTotal you can get a constant flow of malware files classified by family, discover new malware files not detected by antivirus engines, collect files written in a given language or packed with a specific run-time packer, create heuristic rules to detect suspicious files, and, in general, enjoy the benefits of YARA's versatility acting on the huge number of files processed by VirusTotal every day.
Livehunt applies your YARA rules to every file submitted to VirusTotal, regardless of its type. If the file is a Portable Executable (PE) packed with some kind of run-time packer, it is unpacked and both the packed and unpacked versions of the file are scanned with YARA. When a file matches one of your rules, a notification is generated with details about the file and the matching rule.
We have an extensive article about the VirusTotal YARA Module.
Malware hunting notifications can be automated via email notifications or through the VirusTotal APIv3.
Creating Livehunt rules
On the homepage, click on the hunting icon:
Then on the ruleset option on the left side menu:
And finally on the "New ruleset" button:
- Enable/Disable the rule to be applied for your notifications.
- Ruleset name.
- YARA rule definition.
- Max number of notifications of matching resources you want to receive per day.
- Add email addresses to receive notifications by email (one per line).
- Add users or groups with whom you would like to share the rule. Type the user or group and click on the "+" sign.
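The following ruleset is an added example of what can go into the "YARA rule definition" field; it is not taken from the original page or from VirusTotal. It is written to respect the behaviour described above, where a packed PE is scanned twice (packed and unpacked copies): the first rule looks for UPX markers, which only exist in the packed copy, while the second rule looks for a process-injection import set, which is usually only visible in the unpacked copy. Putting both conditions into a single rule joined by `and` would rarely fire on either copy. The `pe` module fields used are standard YARA; the `vt.metadata.new_file` and `vt.metadata.analysis_stats.malicious` fields are assumed from the VirusTotal YARA module documentation and are used here only to keep the daily notification volume down.

```yara
import "pe"
import "vt"

// Constructed example ruleset for Livehunt, not part of the original page.

rule Example_UPX_packed_PE_low_detection
{
    meta:
        description = "Newly submitted PE that carries UPX packer markers and few AV detections"
        author      = "example ruleset, not from the original page"

    strings:
        // Marker left by the UPX stub in the packed file (packed copy only)
        $upx_marker = "UPX!" ascii

    condition:
        // MZ header: only consider PE files
        uint16(0) == 0x5A4D and
        // Either the UPX section names or the "UPX!" marker
        (
            for any i in (0..pe.number_of_sections - 1) : (
                pe.sections[i].name == "UPX0" or pe.sections[i].name == "UPX1"
            )
            or $upx_marker
        ) and
        // VT module fields (assumed per its docs): first-seen file, under 5 engine hits
        vt.metadata.new_file and
        vt.metadata.analysis_stats.malicious < 5
}

rule Example_PE_process_injection_import_set
{
    meta:
        description = "PE importing the classic remote-write-then-thread API set (matches the unpacked copy of packed samples)"
        author      = "example ruleset, not from the original page"

    condition:
        uint16(0) == 0x5A4D and
        // The full set is needed, a single import is too common to be useful
        pe.imports("kernel32.dll", "VirtualAllocEx") and
        pe.imports("kernel32.dll", "WriteProcessMemory") and
        pe.imports("kernel32.dll", "CreateRemoteThread") and
        // Skip files that are already broadly detected to save the daily quota
        vt.metadata.analysis_stats.malicious < 5
}
```

When testing a ruleset like this, keep the per-day notification cap low at first: heuristic rules such as the second one match many legitimate installers and debuggers, and the notification list plus the "Copy all hashes" button described below make it easy to review a sample of matches and tighten the condition before raising the cap.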
For more details you can read the following resources:
- List with matches generated by your YARA rule.
- This search bar accepts free text; it searches over the ruleset name, the rule name and the rule namespace, exclusively.
- Refresh to check for new notifications.
- Delete the selected notifications.
- Copy all the hashes to your clipboard.
- Create a zip file, with the option to be password protected, containing the resources that matched your rules.