threat_intel_get_file_behavior
Retrieve detailed sandbox behavioral analysis for a file hash to understand malware capabilities, including process activity, network connections, and MITRE ATT&CK techniques. Essential for threat detection and incident response.
Instructions
Get detailed behavioral analysis report for a file from VirusTotal sandboxes.
This tool retrieves sandbox execution reports that show what a file does when run, including process activity, network connections, file operations, registry changes, and MITRE ATT&CK techniques. Essential for understanding malware capabilities and identifying detection opportunities.
What this tool provides:
- Process tree and execution flow
- Network connections (IPs, domains, URLs contacted)
- File system operations (files created, modified, deleted)
- Registry modifications
- MITRE ATT&CK TTPs (Tactics, Techniques, Procedures)
- API calls and system interactions
- Behavioral signatures matched
- Mutex/synchronization objects
- Memory operations
Common Use Cases:
- Malware analysis: Understand what a file does when executed
- Detection engineering: Identify behavioral indicators for rules
- Incident response: Determine malware capabilities and impact
- Threat intelligence: Extract TTPs for threat profiling
- IOC extraction: Get network and file system indicators
- Attribution: Identify techniques used by specific threat actors
Args:
- `hash_value`: The file hash (SHA256 preferred) to query.
- `sandbox`: Optional specific sandbox name (e.g., 'VirusTotal Jujubox', 'C2AE'). If not specified, returns the default/first available report.

Returns: JSON string containing detailed behavioral analysis (up to 50 reports) including:
- Processes created and their relationships
- Network activity (DNS, HTTP, TCP/IP)
- File system operations
- Registry operations
- MITRE ATT&CK techniques
- Behavioral signatures
- Sandbox metadata (environment, time)

Examples:
- `hash_value="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"`
- `hash_value="44d88612fea8a8f36de82e1278abb02f", sandbox="VirusTotal Jujubox"`

Notes:
- Requires a valid VirusTotal API key (`PURPLEMCP_VT_API_KEY` environment variable)
- Only SHA256 hashes are supported for behavior reports
- Returns up to 50 behavior reports
- Not all files have behavioral analysis (requires sandbox execution)
- Multiple sandbox environments may have analyzed the same file
- Reports reflect behavior in a controlled sandbox environment
- Private API keys have access to more detailed reports
- When no behavior report is found, returns a structured JSON response with `found=false`
- IMPORTANT: Do NOT call this tool repeatedly with the same parameters. It returns the same data each time, not additional results.

Raises:
- `ThreatIntelligenceClientError`: If there's an error communicating with the API.
- `RuntimeError`: If the API key is not configured.
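The tool returns a JSON string, and a caller still has to turn it into something usable: a flattened process chain, a deduplicated IOC list, and a view of which ATT&CK techniques more than one sandbox agreed on. The following is an added example that is not part of the tool's own code; it consumes a constructed sample result whose field names (`reports`, `sandbox_name`, `processes_tree`, `dns_lookups`, `ip_traffic`, `http_conversations`, `files_written`, `registry_keys_set`, `mitre_attack_techniques`) are assumptions for illustration, since the page lists the categories of data but not the exact keys. It also handles the `found=false` case the Notes describe.

```python
import json
from typing import Any, Iterator

# Constructed sample in the general shape the tool description gives
# (found flag, a list of per-sandbox reports). Key names are assumptions.
SAMPLE_RESULT = json.dumps({
    "found": True,
    "hash": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
    "reports": [
        {
            "sandbox_name": "VirusTotal Jujubox",
            "processes_tree": [
                {"name": "sample.exe", "children": [
                    {"name": "cmd.exe", "children": [
                        {"name": "powershell.exe", "children": []}]}]}
            ],
            "dns_lookups": [{"hostname": "update.example.test",
                             "resolved_ips": ["203.0.113.10"]}],
            "ip_traffic": [{"destination_ip": "203.0.113.10", "destination_port": 443}],
            "http_conversations": [{"url": "https://update.example.test/stage2.bin"}],
            "files_written": ["C:\\Users\\Public\\svc.exe"],
            "registry_keys_set": [
                {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"}],
            "mitre_attack_techniques": [
                {"id": "T1059.001", "signature_description": "PowerShell execution"},
                {"id": "T1547.001", "signature_description": "Run key persistence"},
            ],
        },
        {
            "sandbox_name": "C2AE",
            "dns_lookups": [{"hostname": "update.example.test",
                             "resolved_ips": ["203.0.113.10"]}],
            "mitre_attack_techniques": [
                {"id": "T1059.001", "signature_description": "PowerShell execution"}],
        },
    ],
})

# Constructed sample of the structured "no report" response described in Notes.
NOT_FOUND_RESULT = json.dumps({"found": False, "hash": "<sha256 placeholder>"})


def flatten_process_tree(nodes: list[dict], depth: int = 0) -> Iterator[tuple[int, str]]:
    """Yield (depth, process name) pairs in execution order, parent before children."""
    for node in nodes:
        yield depth, node.get("name", "?")
        yield from flatten_process_tree(node.get("children", []), depth + 1)


def summarize_behavior(result_json: str) -> dict[str, Any]:
    """Merge every sandbox report into one deduplicated IOC/TTP summary."""
    data = json.loads(result_json)
    empty = {"found": False, "sandboxes": [], "domains": [], "ips": [], "urls": [],
             "files": [], "registry": [], "techniques": {}}
    if not data.get("found", False):
        return empty  # no sandbox ever executed this hash; nothing to extract

    domains, ips, urls, files, registry = set(), set(), set(), set(), set()
    techniques: dict[str, set[str]] = {}  # technique id -> sandboxes that observed it
    sandboxes = []
    for report in data.get("reports", []):
        sb = report.get("sandbox_name", "unknown")
        sandboxes.append(sb)
        for lookup in report.get("dns_lookups", []):
            domains.add(lookup["hostname"])
            ips.update(lookup.get("resolved_ips", []))
        for conn in report.get("ip_traffic", []):
            ips.add(conn["destination_ip"])
        for http in report.get("http_conversations", []):
            urls.add(http["url"])
        files.update(report.get("files_written", []))
        registry.update(r["key"] for r in report.get("registry_keys_set", []))
        for tech in report.get("mitre_attack_techniques", []):
            techniques.setdefault(tech["id"], set()).add(sb)

    return {
        "found": True,
        "sandboxes": sandboxes,
        "domains": sorted(domains),
        "ips": sorted(ips),
        "urls": sorted(urls),
        "files": sorted(files),
        "registry": sorted(registry),
        "techniques": {tid: sorted(sbs) for tid, sbs in sorted(techniques.items())},
    }


def corroborated_techniques(summary: dict[str, Any], min_sandboxes: int = 2) -> list[str]:
    """Technique ids seen by at least min_sandboxes environments (higher-confidence TTPs)."""
    return [tid for tid, sbs in summary["techniques"].items() if len(sbs) >= min_sandboxes]


if __name__ == "__main__":
    s = summarize_behavior(SAMPLE_RESULT)
    print(json.dumps(s, indent=2))
    print("corroborated:", corroborated_techniques(s))
    first = json.loads(SAMPLE_RESULT)["reports"][0]
    for depth, name in flatten_process_tree(first["processes_tree"]):
        print("  " * depth + name)
```

Techniques are keyed by the set of sandboxes that reported them so that an analyst can prioritise TTPs corroborated across environments over ones seen only once, and IOCs are deduplicated across reports because, as the Notes say, several sandboxes may have run the same file.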
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| hash_value | Yes | The file hash (SHA256 preferred) to query | |
| sandbox | No | Optional specific sandbox name (e.g., 'VirusTotal Jujubox', 'C2AE'); if not specified, the default/first available report is returned | |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes | JSON string containing the detailed behavioral analysis (up to 50 reports), or a structured response with `found=false` when no report exists | |