VirusTotal Adds Mandiant’s capa and GoReSym Capabilities

VirusTotal is the largest community platform for sharing and studying suspicious files. It aggregates dozens of antivirus engines and scanners and lets a user check whether a submitted file is flagged as malicious by any of them (a clean sweep across every engine is a useful signal, not proof that a file is benign).

Google acquired VirusTotal in 2012 and Mandiant in 2022. While the broader integration of Google and Mandiant products is still awaited, VirusTotal has announced that it has extended its analysis with two open-source tools from Mandiant’s FLARE team: capa and GoReSym.

capa identifies the capabilities of an executable by matching a rule set against features extracted from the binary (API calls, strings, constants, instruction mnemonics and combinations of them), reports each match in plain language (for example, "communicate with HTTP" or "persist via Run registry key"), and lists the evidence behind it: the rule that fired and the addresses of the functions or basic blocks where its features were found.

VirusTotal now shows capa’s output for a submitted file under the Behavior tab.

“Because we map the Capa results into ATT&CK Tactics and Techniques, you can pivot across them, making it easy to find other malware samples with the same behaviors. You can also create YARA rules for VirusTotal LiveHunt to get notified when any new file matching the same ATT&CK Tactics and Techniques is uploaded to VirusTotal” says VirusTotal about the integration.
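To make the capability-to-ATT&CK pivot concrete, here is an added example (not capa’s or VirusTotal’s code) that reads a capa JSON report, prints each capability with the addresses that serve as evidence, and groups the matched rules by ATT&CK technique ID, which is the key VirusTotal lets you pivot on. The `CAPA_REPORT` document is constructed for this example: its `meta`, `rules`, `attack` and `matches` keys follow the shape of `capa -j` output, but the sample hash, addresses and rule selection are made up.

```python
"""Summarise a capa JSON report: capability -> evidence addresses -> ATT&CK
technique, then group by technique so samples can be pivoted on shared behaviour.

Added example, not capa's or VirusTotal's code. CAPA_REPORT is a constructed,
trimmed-down document in the shape of `capa -j` output (key names follow capa's
result document; the values are made up).
"""
import json

CAPA_REPORT = json.dumps({
    "meta": {"version": "6.0.0", "sample": {"sha256": "00" * 32}},
    "rules": {
        "communicate with HTTP": {
            "meta": {
                "name": "communicate with HTTP",
                "namespace": "communication/http",
                "attack": [{"tactic": "Command and Control",
                            "technique": "Application Layer Protocol",
                            "subtechnique": "Web Protocols",
                            "id": "T1071.001"}],
            },
            "matches": [[{"type": "absolute", "value": 0x401000}, {"success": True}],
                        [{"type": "absolute", "value": 0x4023A0}, {"success": True}]],
        },
        "encrypt data using RC4 PRGA": {
            "meta": {"name": "encrypt data using RC4 PRGA",
                     "namespace": "data-manipulation/encryption/rc4",
                     "attack": []},
            "matches": [[{"type": "absolute", "value": 0x4031C0}, {"success": True}]],
        },
        "persist via Run registry key": {
            "meta": {"name": "persist via Run registry key",
                     "namespace": "persistence/registry/run",
                     "attack": [{"tactic": "Persistence",
                                 "technique": "Boot or Logon Autostart Execution",
                                 "subtechnique": "Registry Run Keys / Startup Folder",
                                 "id": "T1547.001"}]},
            "matches": [[{"type": "absolute", "value": 0x4045B0}, {"success": True}]],
        },
        "contain loop": {
            # capa marks helper rules with "lib": true and hides them from its report
            "meta": {"name": "contain loop", "namespace": "internal/loop",
                     "lib": True, "attack": []},
            "matches": [[{"type": "absolute", "value": 0x401050}, {"success": True}]],
        },
    },
})


def format_address(loc: dict) -> str:
    """Render a capa location; static matches are absolute virtual addresses."""
    if loc.get("type") == "absolute":
        return f"0x{loc['value']:x}"
    return f"{loc.get('type')}:{loc.get('value')}"  # e.g. process/thread ids in dynamic mode


def format_attack(entry: dict) -> str:
    """Same TACTIC::Technique::Subtechnique [Txxxx] form capa prints on the CLI."""
    parts = [entry["tactic"], entry["technique"]]
    if entry.get("subtechnique"):
        parts.append(entry["subtechnique"])
    return "::".join(parts) + f" [{entry['id']}]"


def load_capabilities(report_json: str) -> list:
    """Flatten the report into one record per matched rule, skipping lib rules."""
    report = json.loads(report_json)
    caps = []
    for name, rule in report["rules"].items():
        meta = rule["meta"]
        if meta.get("lib"):
            continue
        caps.append({
            "name": name,
            "namespace": meta.get("namespace", ""),
            "addresses": [format_address(loc) for loc, _ in rule["matches"]],
            "attack": [format_attack(a) for a in meta.get("attack", [])],
            "attack_ids": [a["id"] for a in meta.get("attack", [])],
        })
    return caps


def group_by_technique(caps: list) -> dict:
    """ATT&CK technique id -> rules that map to it: the pivot key VirusTotal exposes."""
    groups = {}
    for cap in caps:
        for tid, label in zip(cap["attack_ids"], cap["attack"]):
            groups.setdefault(tid, {"label": label, "rules": []})["rules"].append(cap["name"])
    return groups


if __name__ == "__main__":
    caps = load_capabilities(CAPA_REPORT)
    for cap in caps:
        print(f"{cap['name']} ({cap['namespace']}) at {', '.join(cap['addresses'])}")
        for label in cap["attack"]:
            print(f"    ATT&CK: {label}")
    print("\nPivot keys (ATT&CK technique -> capabilities):")
    for tid, group in group_by_technique(caps).items():
        print(f"  {tid}: {', '.join(group['rules'])}  # {group['label']}")
```

Note that a capability without an ATT&CK mapping (the RC4 rule above) still appears in the capability list but contributes no pivot key, so a hunt keyed purely on technique IDs will miss it; hunting on the rule name or namespace as well closes that gap.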

GoReSym is a Go symbol parser that recovers program metadata (CPU architecture, OS, endianness, Go compiler version and so on), function metadata (start and end addresses, names, source paths), file name and line number information, and embedded structures and types. Much of this survives stripping, because the Go runtime needs its pclntab function tables at run time for stack traces. GoReSym’s output for a submitted file can now also be viewed in VirusTotal.
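As an added example of the kind of metadata GoReSym recovers, the Python below (not GoReSym’s code, which is written in Go and additionally walks the pclntab for function names and line tables, which this example does not do) locates the buildinfo blob that the Go linker embeds in every binary and extracts the Go version, main module, dependencies and build settings such as GOOS and GOARCH. The layout follows Go’s `debug/buildinfo` package: a 32-byte header beginning with the magic `\xff Go buildinf:`, a pointer-size byte, a flags byte, and for Go 1.18 and later two uvarint-length-prefixed strings. `SAMPLE_BINARY` is constructed here; its module paths and checksum are made up, and the pointer-based layout used before Go 1.18 is deliberately not handled.

```python
r"""Recover Go build metadata (version, modules, GOOS/GOARCH) from the buildinfo
blob the Go linker embeds. Added example, not GoReSym's code; layout follows
Go's debug/buildinfo. SAMPLE_BINARY is constructed with made-up module data.
"""

MAGIC = b"\xff Go buildinf:"          # 14 bytes
HEADER_SIZE = 32
FLAG_BIG_ENDIAN = 0x1                 # bit 0: 0 = little endian, 1 = big endian
FLAG_INLINE_STRINGS = 0x2             # bit 1: strings inline (Go >= 1.18) vs. pointers
# cmd/go brackets the module info with these two 16-byte sentinels
INFO_START = bytes.fromhex("3077af0c9274080241e1c107e6d618e6")
INFO_END = bytes.fromhex("f932433186182072008242104116d8f2")


def put_uvarint(n: int) -> bytes:
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def read_uvarint(buf: bytes, pos: int):
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def read_string(buf: bytes, pos: int):
    length, pos = read_uvarint(buf, pos)
    return buf[pos:pos + length], pos + length


def build_sample_binary() -> bytes:
    """Constructed stand-in for a Go 1.21 Windows binary, blob surrounded by filler."""
    modinfo = (
        "path\tgithub.com/example/loader\n"
        "mod\tgithub.com/example/loader\t(devel)\t\n"
        "dep\tgolang.org/x/sys\tv0.13.0\th1:" + "A" * 43 + "=\n"   # checksum is made up
        "build\t-buildmode=exe\n"
        "build\t-compiler=gc\n"
        "build\tGOOS=windows\n"
        "build\tGOARCH=amd64\n"
    ).encode()
    version = b"go1.21.4"
    mod = INFO_START + modinfo + INFO_END
    blob = MAGIC + bytes([8, FLAG_INLINE_STRINGS]) + b"\x00" * 16   # 32-byte header
    blob += put_uvarint(len(version)) + version
    blob += put_uvarint(len(mod)) + mod
    return b"MZ" + b"\x00" * 62 + b"\x90" * 200 + blob + b"\x00" * 64


SAMPLE_BINARY = build_sample_binary()


def parse_go_buildinfo(data: bytes) -> dict:
    off = data.find(MAGIC)
    if off < 0:
        raise ValueError("no Go buildinfo blob found")
    ptr_size, flags = data[off + 14], data[off + 15]
    if not flags & FLAG_INLINE_STRINGS:
        # Go < 1.18 stores two ptr_size pointers at offset 16 instead; following them
        # needs a virtual-address-to-file-offset mapping, which this example leaves out.
        raise NotImplementedError("pointer-based buildinfo (Go < 1.18) not handled")
    pos = off + HEADER_SIZE
    version, pos = read_string(data, pos)
    mod, pos = read_string(data, pos)
    # Same framing check as debug/buildinfo: strip the sentinels, else treat as absent.
    if len(mod) >= 33 and mod[-17] == ord("\n"):
        mod = mod[16:-16]
    else:
        mod = b""
    info = {"go_version": version.decode(), "ptr_size": ptr_size,
            "endianness": "big" if flags & FLAG_BIG_ENDIAN else "little",
            "path": None, "main": None, "deps": [], "settings": {}}
    for line in mod.decode().splitlines():
        parts = line.split("\t")
        kind = parts[0]
        if kind == "path":
            info["path"] = parts[1]
        elif kind in ("mod", "dep"):
            rec = {"path": parts[1], "version": parts[2],
                   "sum": parts[3] if len(parts) > 3 else ""}
            if kind == "mod":
                info["main"] = rec
            else:
                info["deps"].append(rec)
        elif kind == "=>" and info["deps"]:      # replace directive for the previous dep
            info["deps"][-1]["replaced_by"] = {"path": parts[1], "version": parts[2]}
        elif kind == "build":
            key, _, value = parts[1].partition("=")
            info["settings"][key] = value
    return info


if __name__ == "__main__":
    info = parse_go_buildinfo(SAMPLE_BINARY)
    print(f"{info['go_version']} {info['settings'].get('GOOS')}/{info['settings'].get('GOARCH')} "
          f"ptr={info['ptr_size']} {info['endianness']}-endian main={info['path']}")
    for dep in info["deps"]:
        print(f"  dep {dep['path']} {dep['version']}")
```

To run it on a real file, pass `open(path, "rb").read()` to `parse_go_buildinfo`; `go version -m <file>` prints the same module and build-setting lines and is a convenient cross-check. The dependency list is the supply-chain view of a Go sample: module paths and versions tell you which third-party packages (and which known-vulnerable versions) were compiled in, without any symbol recovery.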
