Performing Malware Hash Enrichment with VirusTotal

Overview

VirusTotal is the world's largest crowdsourced malware corpus, scanning files with 70+ antivirus engines and providing behavioral analysis, YARA rule matches, network indicators, and community intelligence. This skill covers using the VirusTotal API v3 to enrich file hashes (MD5, SHA-1, SHA-256) with detection verdicts, sandbox reports, related indicators, and contextual intelligence for SOC triage, incident response, and threat intelligence enrichment workflows.

When to Use

  • When conducting security assessments that involve malware hash enrichment with VirusTotal
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

  • Python 3.9+ with vt-py (official VirusTotal Python client) or requests
  • VirusTotal API key (free tier: 4 requests/minute, 500/day; premium for higher limits)
  • Understanding of file hash types: MD5, SHA-1, SHA-256
  • Familiarity with AV detection naming conventions
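
The sketch below is an added example, not code from the skill itself. It ties the prerequisites together: it validates the three hash types, paces lookups to the free-tier quota, and reduces the `last_analysis_stats` field of an API v3 file object to a triage ratio. The function and class names are hypothetical, the sample response is constructed, and no network call is made.

```python
import re
import time
from collections import deque

# Hex digest length -> hash type, for the three types listed above.
HASH_TYPES = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}

def classify_hash(value):
    """Return (normalized_hash, type), or None if not a valid hex digest."""
    h = value.strip().lower()
    kind = HASH_TYPES.get(len(h))
    return (h, kind) if kind and re.fullmatch(r"[0-9a-f]+", h) else None

class FreeTierBudget:
    """Sliding-window limiter for the free tier: 4 requests/minute, 500/day."""
    def __init__(self, per_minute=4, per_day=500, clock=time.monotonic):
        self.per_minute, self.per_day, self.clock = per_minute, per_day, clock
        self.sent = deque()      # timestamps of requests in the last 60 s
        self.used_today = 0      # caller resets this at the daily rollover

    def wait_time(self):
        """Seconds to wait before the next lookup; None if the daily quota is spent."""
        if self.used_today >= self.per_day:
            return None
        now = self.clock()
        while self.sent and now - self.sent[0] >= 60:
            self.sent.popleft()
        if len(self.sent) < self.per_minute:
            return 0.0
        return 60 - (now - self.sent[0])

    def record(self):
        """Call once per request actually sent."""
        self.sent.append(self.clock())
        self.used_today += 1

def summarize(report):
    """Triage ratio from last_analysis_stats. Assumption of this example:
    only engines that returned a verdict count toward the denominator."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    verdicts = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    return {"flagged": flagged, "verdicts": verdicts, "ratio": f"{flagged}/{verdicts}"}

# Constructed sample response (not real VirusTotal data).
SAMPLE = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 52, "suspicious": 1, "undetected": 15, "harmless": 0,
    "timeout": 0, "failure": 2, "type-unsupported": 4}}}}
```

In a real workflow, each hash that passes `classify_hash` would be looked up with `GET /api/v3/files/{hash}` and the `x-apikey` header once `wait_time()` returns `0.0`.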

First Seen: Mar 17, 2026