Detonate URL - Lastline

Detonates a URL using the Lastline sandbox integration.

Lastline · 9 tasks · 3 inputs · 36 outputs

Inputs

  • URL — URL to detonate.
  • Interval — Polling frequency - how often the polling command should run (minutes)
  • Timeout — How much time to wait before a timeout occurs (minutes)

Outputs

  • File.Size — File size (only in case of report type=json)
  • DBotScore.Indicator — The indicator we tested (only in case of report type=json)
  • DBotScore.Vendor — Vendor used to calculate the score (only in case of report type=json)
  • DBotScore.Score — The actual score (only in case of report type=json)
  • IP.Address — IP's relevant to the sample
  • DBotScore.Type — The type of the indicator (only in case of report type=json)
  • File.Name — Filename (only in case of report type=json)
  • File.Type — File type e.g. "PE" (only in case of report type=json)
  • File.MD5 — MD5 hash of the file (only in case of report type=json)
  • File.SHA1 — SHA1 hash of the file (only in case of report type=json)
  • File.SHA256 — SHA256 hash of the file (only in case of report type=json)
  • File.EntryID — The Entry ID of the sample
  • File.Malicious.Vendor — For malicious files, the vendor that made the decision
  • File.Malicious.Description — For malicious files, the reason for the vendor to make the decision
  • URL.Data — List of malicious URLs identified by Lastline analysis
  • URL.Malicious.Vendor — For malicious URLs, the vendor that made the decision
  • URL.Malicious.Description — For malicious URLs, the reason for the vendor to make the decision
  • URL.Malicious.Score — For malicious URLs, the score from the vendor
  • File.Malicious.Score — For malicious files, the score from the vendor
  • Lastline.Submission.Status — Status of the submission
  • Lastline.Submission.DNSqueries — List of DNS queries done by the analysis subject
  • Lastline.Submission.NetworkConnections — ist of network connections done by the analysis subject
  • Lastline.Submission.DownloadedFiles — List of files that were downloaded using the Microsoft Windows file-download API functions. Each element is a tuple of file-origin URL and a File element.
  • Lastline.Submission.UUID — ID of the submission
  • Lastline.Submission.YaraSignatures.name — Yara signatures name
  • Lastline.Submission.YaraSignatures.score — The score according to the yara signatures. from 0 to 100.
  • Lastline.Submission.Process.arguments — Argument of the process
  • Lastline.Submission.YaraSignatures.internal — True if the signature is only for internal usage
  • Lastline.Submission.Process.process_id — The process ID
  • Lastline.Submission.Process.executable.abs_path — Absolute path of the executable of the process
  • Lastline.Submission.Process.executable.filename — Filename of the executable
  • Lastline.Submission.Process.executable.yara_signature_hits — Yara signature of the executable of the process
  • URL — URL object
  • URL.Malicious — URL Malicious object
  • DBotScore — DBot score object
  • Lastline.Submission — Lastline submission object

Commands used

lastline-check-status lastline-get-report lastline-upload-url

Flowchart

yes yes yes Start Start Lastline Upload URL - lastline-upload-url Lastline Upload URL lastline-upload-url GenericPolling - GenericPolling GenericPolling GenericPolling Lastline Get Report - lastline-get-report Lastline Get Report lastline-get-report Is there a URL to detonate? Is there a URL to detonate? Done Done Is Lastline sandbox enabled? Is Lastline sandbox enabled? Filter UUIDs Filter UUIDs Lastline Check Status - lastline-check-status Lastline Check Status lastline-check-status