πŸ”’ References

Information about references

🚧

Special privileges required

References are only available to users with the Threat Landscape module.

A reference represents an analysed URL with extracted IoCs, sometimes it is related to a collection, or a set of IOCs.

Object Attributtes

  • author: <string> author of the reference.
  • autogenerated_summary:<string> Autogenerated summary of the reference by ML.
  • collections_count:<int> Number of collections associated with the reference.
  • creation_date: <integer> creation date of the reference (UTC timestamp).
  • description:<int> Description of the reference.
  • domain_count:<int> Number of domains extracted from the reference.
  • files_count:<int> Number of files extracted from the reference.
  • iocs_count:<int> Number of IoCs extracted from the reference.
  • ip_addresses_count:<int> Number of ip_addresses extracted from the reference.
  • last_modification_date: <integer> date when the reference was last updated (UTC timestamp).
  • recent_activity_relative_change:<float> Ratio of change between the last two "recent activity" periods. Note: "recent activity" periods are comprised of 14 days.
  • recent_activity_summary:<list<int>> List of integers with the aggregated activity of the IoCs of the collection for the last 14 days. Note: the aggregated activity consider #lookups plus #submissions.
  • tags:<list<string>> List of tags extracted from the Reference. Note: it also includes CVEs.
  • threat_actors_count:<int> Number of threat_actors associated to the IoCs extracted from the reference.
  • threat_categories:<list<string>> List of threat categories derived from the IoCs of the Reference.
  • title: <string> title of the reference.
  • url: <string> URL of the reference.
  • urls_count:<int> Number of urls extracted from the reference.
{
  "data": {
    "attributes": {
      "author": <string>,
      "autogenerated_summary": <string>,
      "collections_count": <int>,
      "creation_date": <int>,
      "description": <string>,
      "domains_count": <int>,
      "extracted_entities": <json>
      "files_count": <int>,
      "iocs_count": <int>,
      "ip_addresses_count": <int>,
      "last_modification_date": <int>,
      "recent_activity_relative_change": <float>,
      "recent_activity_summary": <list<int>>,
      "tags": <list<string>>,
      "threat_actors_count": <int>,
      "threat_categories": <list<string>>,
      "title": <string>,
      "url": <string>,
      "urls_count": <int>,
    },
    "type": "reference",
    "id": <string>,
    "links": {
      "self": "https://www.virustotal.com/api/v3/references/<id>"
    }
  }
}
{
    "data": {
        "attributes": {
            "autogenerated_summary": "ESET researchers have discovered a Linux backdoor that is likely linked to the Lazarus Group, a North Korean state-sponsored threat actor. The malware, dubbed SimplexTea, was found in a supply chain attack targeting 3CX VoIP software.\n\nSimplexTea is a modular backdoor that can be used to steal data, download and execute additional payloads, and establish persistence on the victim's system. It is similar to the SIMPLESEA macOS malware that was used in the 3CX attack, and it also uses the same C&C infrastructure.\n\nThe discovery of SimplexTea provides further evidence that Lazarus is using Linux malware in its attacks. This is a worrying development, as it suggests that the group is expanding its capabilities and becoming more sophisticated.\n\nESET researchers have released a YARA rule that can be used to detect SimplexTea. Organizations that use 3CX VoIP software should take steps to protect themselves from this threat.",
            "threat_categories": [
                "trojan",
                "pua"
            ],
            "recent_activity_relative_change": -0.06403162055335965,
            "tags": [],
            "ip_addresses_count": 4,
            "domains_count": 6,
            "url": "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/",
            "creation_date": 1681948800,
            "iocs_count": 24,
            "score": 1.0,
            "urls_count": 1,
            "recent_activity_summary": [
                131,
                78,
                137,
                89,
                77,
                28,
                28,
                194,
                49,
                35,
                421,
                840,
                256,
                5
            ],
            "collections_count": 1,
            "last_modification_date": 1682299863,
            "title": "Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack",
            "threat_actors_count": 0,
            "files_count": 12
        },
        "type": "reference",
        "id": "89d249dbe7e35d856e285752de8e016486c587f9e7fb4f51cd752c630bfac1de",
        "links": {
            "self": "https://core-dot-virustotalcloud.appspot.com/api/v3/references/89d249dbe7e35d856e285752de8e016486c587f9e7fb4f51cd752c630bfac1de"
        }
    }
}

Relationships

In addition to the previously described attributes, reference objects contain relationships with other objects in our dataset that can be retrieved as explained in the Relationships section.

The following table shows a summary of available relationships.

RelationshipReturn object type
collectionsList of Collections
domainsList of Domains
filesList of Files
ip_addressesList of IP addresses
threat_actorsList of Threat Actors
urlsList of URLs
submitterSubmitter of the references Submitter