1. Introduction
ITW is the abbreviation of "in the wild". VirusTotal's intelligence search provides the keyword itw, which finds samples that were downloaded from a given URL (or from any URL containing the given substring).
Other articles by the author on using VirusTotal smart search can be found in references 1 and 2.
2. Using itw
For example, to find malicious Android samples that were downloaded from GitHub, the following search query can be constructed:
itw:"github" tag:apk positives:15+
Here itw specifies a string that the URL the sample was downloaded from must contain, tag:apk restricts the search to Android samples, and positives:15+ requires that the sample be detected by more than 15 vendors.
One of the samples found is shown below.
As can be seen under RELATIONS, this sample was downloaded from https[:]//github[.]com/markgambino/file.
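The two steps above (building the itw query and then reading the download URL from the sample's RELATIONS tab) can be scripted against the VirusTotal API v3. The following is an added example, not code from the original post: it composes the query, calls the /intelligence/search endpoint (which, like the itw modifier itself, requires a VT Intelligence key) and then the /files/{sha256}/itw_urls relationship, and defangs the returned URLs in the same style the post uses. The network opener is injectable, so the script also runs offline against constructed JSON; the sha256 and URL id in the fake responses are placeholders, since the post does not give the sample's hash.

```python
"""Helpers around VirusTotal's itw: search modifier (added example, not from
the original post). Network calls use VT API v3 endpoints
/intelligence/search and /files/{id}/itw_urls; everything else is offline."""
import io
import json
import urllib.parse
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"

# Placeholder: the post does not give the sample's hash.
SAMPLE_SHA256 = "0" * 64


def build_query(itw_substring, tag=None, min_positives=None):
    """Compose a query like the one in the post: itw:"github" tag:apk positives:15+"""
    parts = ['itw:"%s"' % itw_substring.replace('"', "")]
    if tag:
        parts.append("tag:%s" % tag)
    if min_positives is not None:
        parts.append("positives:%d+" % min_positives)
    return " ".join(parts)


def defang(url):
    """Make a URL non-clickable the way the post writes it:
    https://github.com/x -> https[:]//github[.]com/x (only the host is altered)."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url.replace(".", "[.]")
    host, slash, path = rest.partition("/")
    return "%s[:]//%s%s%s" % (scheme, host.replace(".", "[.]"), slash, path)


def itw_urls_from_response(payload):
    """Extract URL strings from a /files/{id}/itw_urls relationship response.
    Each item is a VT `url` object whose string lives in attributes.url."""
    urls = []
    for item in payload.get("data", []):
        if item.get("type") != "url":
            continue
        url = item.get("attributes", {}).get("url")
        if url:
            urls.append(url)
    return urls


def vt_get(path, api_key, params=None, opener=urllib.request.urlopen):
    """Authenticated GET against VT API v3; `opener` is injectable for offline use."""
    url = VT_API + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    with opener(req) as resp:
        return json.load(resp)


def search_itw(api_key, query, limit=10, opener=urllib.request.urlopen):
    """Run the intelligence search and return [(sha256, malicious_count, itw_urls)].
    Assumes the key has VT Intelligence access."""
    hits = vt_get("/intelligence/search", api_key,
                  {"query": query, "limit": limit}, opener)
    results = []
    for f in hits.get("data", []):
        stats = f.get("attributes", {}).get("last_analysis_stats", {})
        rel = vt_get("/files/%s/itw_urls" % f["id"], api_key, opener=opener)
        results.append((f["id"], stats.get("malicious", 0),
                        [defang(u) for u in itw_urls_from_response(rel)]))
    return results


def fake_opener(req):
    """Offline stand-in for urlopen answering with constructed JSON that mirrors
    the shape of the real responses (the URL is the one named in the post)."""
    path = req.full_url[len(VT_API):]
    if path.startswith("/intelligence/search"):
        body = {"data": [{"type": "file", "id": SAMPLE_SHA256,
                          "attributes": {"last_analysis_stats": {"malicious": 17}}}]}
    elif path.endswith("/itw_urls"):
        body = {"data": [{"type": "url", "id": "placeholder-url-id",
                          "attributes": {"url": "https://github.com/markgambino/file"}}]}
    else:
        body = {"data": []}
    return io.BytesIO(json.dumps(body).encode())


if __name__ == "__main__":
    # Replace fake_opener with the default to run against the real API.
    q = build_query("github", tag="apk", min_positives=15)
    for sha256, malicious, urls in search_itw("YOUR_VT_API_KEY", q, opener=fake_opener):
        print(sha256, malicious, urls)
```

Pass a real key and drop the opener argument to query VirusTotal; the defanged output is what you would paste into a report, while the raw URLs stay available from itw_urls_from_response for pivoting inside VT.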
Visiting that GitHub repository shows the following.
The sample does exist, and the commit history shows that the repository owner has updated it a lot recently.
Downloading the sample and uploading it to VT for analysis, it can be preliminarily judged from the analysis results that its family is Banker.
Follow-up: a few hours after the author found this sample, when I looked at it again, I found that it had been deleted by the GitHub author.
3. References
- VirusTotal smart search: https://blog.csdn.net/ybdesire/article/details/121665678?spm=1001.2014.3001.5501
- VirusTotal smart search, Android sample example: https://blog.csdn.net/ybdesire/article/details/123885855?spm=1001.2014.3001.5501