File search modifiers
There are a set of special terms that you can use to refine your search results. For example, you can take advantage of the term positives:5+ to get files detected by five antivirus solutions or more. If you want to get those detected by ten engines or less you can use positives:11- . Specifying the number without any trailing plus or minus sign you will retrieve those detected exactly by the given number of engines, i.e. positives:7. These terms can be used more than once in the same query, for example positives:20+ positives:31- will return any file detected by a number of engines in the range 20-30.
You can directly type these modifiers on the search box:
Or click on the sliders icon:
To get a form where you can use some of these modifiers:
- Select a file type from the dropdown list of most common file types.
- Number of antivirus vendors that detected it upon scanning with Google Threat Intelligence.
- Minimum file size. The size can be specified in bytes, kilobytes(default) or megabytes.
- Maximum file size. The size can be specified in bytes, kilobytes(default) or megabytes.
- Malware family name exclusively on the antivirus results (no matter which particular engine produced the output). Example: "Trojan.Isbar" to search for malware with this family name.
- Executable files (for example: pexe, dmg, apks) whose dynamic behavioral report contains the literal provided.
- Finds all those files that have some (indexed) Exif field containing the literal(s) provided, not only limited to Exif, certain other tools apply, such as taggant packer information, office metadata, etc.
- Finds all those files that have some sigcheck/codesign (PE signature, Apple code signing) field containing the literal(s) provided.
- Files that have been downloaded from a URL containing the literal provided.
- Files submitted to Google Threat Intelligence with a file name that contains the literal provided.
- Files tagged by Google Threat Intelligence with the literal provided. Example: android , html , peexe
- Files submitted to Google Threat Intelligence after this datetime.
- Files submitted to Google Threat Intelligence before this datetime.
- Number of times files were submitted to Google Threat Intelligence.
- Number of distinct sources that submitted the file to Google Threat Intelligence, independently of whether any given source submitted the file more than once.
The following table details the full list of available search modifiers along with the type of file on which the modifier can act. Please note that all these modifiers can be combined together and used in conjunction with the search modalities described above.
The following modifiers admits wildcards: attack_technique , attack_tactic , behaviour_network: / behavior_network: , capability_tab , name: / filename: , name: / filename:.
Modifier | Scope | Description |
---|---|---|
size | Any file type | Filters the files to be returned according to size. The size can be specified in bytes (default), kilobytes or megabytes. Trailing plus or minus sign will retrieve those files with a size, respectively, larger than or smaller than the one provided. The modifier can be used more than once in the same query. Examples: size:200, size:500+, size:120KB+, size:15MB-,size:1MB+ |
type | Any file type | Filters the type of file to be returned (i.e. magic signature). Example: type:pdf. This is the full list of available file type literals:
|
fs | Any file type | Filters the files to be returned according to the first submission datetime to Google Threat Intelligence. It allows you to specify larger than or smaller than values. Examples: fs:2009-01-01T19:59:22-, fs:2012-08-21T16:59:22+, fs:2012-08-2116:00:00+ fs:2012-08-2116:59:22-, fs:3d+ |
ls | Any file type | Filters the files to be returned according to the last submission datetime to Google Threat Intelligence. It allows you to specify larger than or smaller than values. Examples: ls:2012-08-22T06:40:59, ls:2009-01-01T19:59:22-, ls:2012-08-21T16:59:22+, ls:2012-08-2116:00:00+ ls:2012-08-2116:59:22-, ls:3d+ |
la | Any file type | Filters the files to be returned according to the last analysis datetime by Google Threat Intelligence. Normally the last analysis datetime will be the same as the last submission datetime, however, sometimes users will submit a file for scanning and will then decide to view the latest report on the file rather than rescanning it, in those cases both dates may differ. It allows you to specify larger than or smaller than values. Examples: la:2012-08-21T16:00:00, la:2009-01-01T19:59:22-, la:2012-08-21T16:59:22+, la:2011-08-21T16:00:00+ la:2012-08-21T16:59:22- |
positives p | Any file type | Filters the files to be returned according to the number of antivirus vendors that detected it upon scanning with Google Threat Intelligence. It allows you to specify larger than or smaller than values. Examples: positives:1, positives:10+, positives:5-, positives:10+ positives:20- |
children_positives cp | Any file type | Filters the files to be returned according to the maximum number of detections of children files for a given sample. Samples with children files include compressed bundles, ROMs, etc. Examples: children_positives:10+, children_positives:5- |
name | Any file type | Returns the files submitted to Google Threat Intelligence with a file name that contains the literal provided. Examples: name:"winshell.ocx", name:"postal" |
tag | Any file type | Return all those files tagged by Google Threat Intelligence with the literal provided. Examples: tag:honeypot, tag:armadillo, tag:nsrl. These are some of the tags, the full list can be found at Full list of Google Threat Intelligence Intelligence tag modifier:
|
submissions s: | Any file type | Filter the files returned according to the number of times they were submitted to Google Threat Intelligence. Examples: submissions:2, submissions:10+, submissions:20-, submissions:10+ submissions:20- |
sources | Any file type | Filter the files returned according to the number of distinct sources that submitted the file to Google Threat Intelligence, independently of whether any given source submitted the file more than once. Examples: sources:2, sources:10+, sources:20-, sources:10+ sources:20- |
submitter | Any file type | Filters the files to be returned according to region of its submitter. ISO 3166-1-alpha-2 codes are used. You can also filter by the submission interface (web/api). Examples: submitter:CN , submitter:web submitter:BR |
first_submitter | Any file type | Filters the files to be returned according to region of the first submitter. ISO 3166-1-alpha-2 codes are used. Examples: first_submitter:ua |
itw | Any file type | Return all those files that have been downloaded from a URL containing the literal provided. Examples: itw:"www.google.com", itw:"&product_title=", itw:"https://sites.google.com/site/llgcyber/WKWK.zip?attredirects=0&d=1" |
metadata | Any | Filter the files returned according to metadata properties (if applicable). Finds all those files that have some (indexed) field containing the literal(s) provided, including data from:
Examples: metadata:"microsoft inc", metadata:uscourts,metadata:"ScanSoft PDF Create" , metadata:"3.2.5 (v119), Copyright © 2003-2015" , metadata:"Ubuntu Developers <ubuntu-devel-discuss@lists. ubuntu.com>" |
androguard | Android files: APKs, ODEX, DEX, AXML. | Return all Android files whose Androguard output contains the literal provided. Examples: androguard:"com.ON32233.Q2.GgActivity", androguard:"Time Out Bistro" |
lang | Portable Executable (PE) and Documents (DOC, DOCX, PPT, ODT, etc.) | In the case of Portable Executables it will return all those files that have at least one resource of the specified language. In the case of documents, it will find all those files whose Exif language property matches the language provided. Examples:lang:farsi, lang:"portuguese brazilian", type:pdf lang:"es-ar" For PEs these are the available languages: *neutral, invariant, afrikaans, albanian, arabic, armenian, assamese, azeri, basque, belarusian, bengali, bulgarian, catalan, chinese, croatian, czech, danish, divehi, dutch, english, estonian, faeroese, farsi, finnish, french, galician, georgian, german, greek, gujarati, hebrew, hindi, hungarian, icelandic, indonesian, italian, japanese, kannada, kashmiri, kazak, konkani, korean, kyrgyz, latvian, lithuanian, macedonian, malay, malayalam, manipuri, marathi, mongolian, nepali, norwegian, oriya, polish, portuguese, punjabi, romanian, russian, sanskrit, serbian, sindhi, slovak, slovenian, spanish, swahili, swedish, syriac, tamil, tatar, telugu, thai, turkish, ukrainian, urdu, uzbek, vietnamese, gaelic, maltese, maori, rhaeto_romance, saami, sorbian, sutu, tsonga, tswana, venda, xhosa, zulu, esperanto, walon, cornish, welsh, breton, neutral, default, sys default, arabic saudi arabia, arabic iraq, arabic egypt, arabic libya, arabic algeria, arabic morocco, arabic tunisia, arabic oman, arabic yemen, arabic syria, arabic jordan, arabic lebanon, arabic kuwait, arabic uae, arabic bahrain, arabic qatar, azeri latin, azeri cyrillic, chinese traditional, chinese simplified, chinese hongkong, chinese singapore, chinese macau, dutch, dutch belgian, english us, english uk, english aus, english can, english nz, english eire, english south africa, english jamaica, english caribbean, english belize, english trinidad, english zimbabwe, english philippines, french, french belgian, french canadian, french swiss, french luxembourg, french monaco, german, german swiss, german austrian, german luxembourg, german liechtenstein, italian, italian swiss, kashmiri sasia, kashmiri india, korean, lithuanian, malay malaysia, malay brunei darussalam, nepali india, norwegian bokmal, norwegian nynorsk, portuguese, portuguese brazilian, serbian latin, serbian cyrillic, spanish, spanish mexican, spanish modern, spanish guatemala, spanish costa rica, spanish panama, spanish dominican republic, spanish venezuela, spanish colombia, spanish peru, spanish argentina, spanish ecuador, spanish chile, spanish uruguay, spanish paraguay, spanish bolivia, spanish el salvador, spanish honduras, spanish nicaragua, spanish puerto rico, swedish, swedish finland, urdu pakistan, urdu india, uzbek latin, uzbek cyrillic, dutch surinam, romanian, romanian moldavia, russian, russian moldavia, croatian, lithuanian classic, gaelic, gaelic scottish, gaelic manx. In the case of documents, it is really up to the tool generating the corresponding Exif metadata property what the language can be, hence, you may try searching using the full language name (e.g. Spanish) or its ISO code (e.g. es-ar). |
signature | Portable Executables (PE), Mach-O | Filter the files returned according to sigcheck fields. Finds all those files that have some sigcheck/codesign (PE signature, Apple code signing) field containing the literal(s) provided. Example: sigcheck:"google inc", sigcheck:"Google Update Setup", sigcheck:"Thawte Premium Server CA" |
creation_date generated gen pets petimestamp | Filter according to their compilation timestamp. Example: creation_date:2018-08-21T18:18:38 | |
subspan | Any file types | Filter Portable Executables according to the difference (in seconds) between the first submission time and the compilation timestamp (submission span). Can be used for attack attribution purposes. Example: subspan:100- |
segment | Mach-Os | Return executables having a segment with the name provided. Example: segment:"__LINKEDIT". |
section | Portable Executables (PE), ELFs, Mach-Os | Return executables having a section with the name or md5 hash provided. Example: section:".xxx", sectionmd5:d41d8cd98f00b204e9800998ecf8427e |
imports | Portable Executables (PE), ELFs, Mach-Os, IPAs, JARs, Java bytecode | Return all those executables importing the given library. Examples: imports:"crypt32.dll" |
exports | Portable Executables (PE), ELFs, Java bytecode | Return all those executables exporting the function with the name provided. Examples: exports:"_FormMain" |
behaviour behavior: | Any file type with behavioral report | Return all those Portable Executables, MacOS or Android APKs whose dynamic behavioral report contains the literal provided. Examples: behaviour:"explorer.exe", behaviour:"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable", behaviour:"www.go2000.cn", behaviour:"CTF.LBES.MutexDefaultS-1-5-21-1275210071-920026266-1060284298-1003" |
behavior_files behaviour_files | Any file type with behavioral report | Changes related to the filesystem. Example: behaviour_files:Crack |
behavior_processes behaviour_processes | Any file type with behavioral report | Related to any process fields such as processes_killed, processes_terminated, command_executions, injected_processes Example: behavior_processes:"calc.exe" |
behavior_injected_processes behaviour_injected_processes | Any file type with behavioral report | Related to injected processes. Example:behaviour_injected_processes:calc.exe |
behavior_created_processes behaviour_created_processes | Any file type with behavioral report | Related to created processes. Example:behaviour_created_processes:cmd.exe |
behavior_registry behaviour_registry | Any file type with behavioral report | Modifications related to the Windows registry. Example:behavior_registry:dc971ee5-44eb-4fe4-ae2e-b91490411bfc |
behavior_services behaviour_services | Any file type with behavioral report | Observations related to services and daemons. Example:behavior_services:TheService |
behavior_tags behaviour_tags | Any file type with behavioral report | Tags generated by sandboxes (Full list of behaviours_tags). Example:behavior_tags:tag |
behavior_network behaviour_network: | Any file type with behavioral report | Related to networks. Examples:behaviour_network:www.goooo behaviour_network:update.iobit.com/dl/ |
behash | Any file type with behavioral report | Behavior Similarity Hashes. Examples:behash:d4e0fb08ee8b4e9e12641a14d5dc04ae |
sandbox_name | search for specific sandbox name: Example:sandbox_name:VirusTotal List of sandboxes:
| |
traffic | Packet Captures (PCAPs) | Searches within a limited subset of URLs, host names and IP addresses observed in the capture file, such that you may filter, for example, network traces containing a given domain. Example: traffic:"google.com" |
similar-to | Portable Executables (PE), PDFs, MS Office documents, Flash SWFs, RTFs. | Return all those Portable Executables that are structurally similar to the one provided. Examples: similar-to:7f71a98e67c61d7a0786fcfcb2c884b8acd26f5378dab5a786ae8a38d6b7b87e, similar-to:df9772a80d3da048b928623c3819dec5defb7840, similar-to:19b86fe81df05de2b4207e8eb0c3aa40 |
ssdeep | Any file type | Return all those files that are similar to the one having the ssdeep hash provided. Example: ssdeep:"24576:KrKqlGCPcJKwybUDwEZZODYmR9G+gnbkk6XRJfe3DqYO/KpLwFfngWX4VmJPakl:KrKo4ZwCOnYjVmJPaO" |
imphash | Portable Executables (PE) | Return all those Portable Executables with the given import hash, can be used to identify samples belonging to the same family. Example: imphash:7fa974366048f9c551ef45714595665e |
vhash | Portable Executables (PE) | Return all those files with the given vhash provided. Example: vhash:01603e0f7d501013z11z39z15z1011z1011z19z |
telfhash | Portable Executables (PE) | Return all those files with the given telfhash provided. Example:telfhash:"t12ab138722e7558f8b7f08402425a7620ce39e027259439b71ef2b454f7f2c429b6ad7a 50" |
content | Any file type | Search for string or binary content within a file. The syntax is similar to YARA content strings. One caveat is that content search queries cannot be sorted. Examples:content:"Hello World!", content:{CAFEBABE} |
contacted_ip | Any file type | Return all those files that have contacted with the IP/Subnet provided. Examples:contacted_ip:162.158.0.0/15 |
have | Any file type | Filter the resources which report contains information from the selected fields. Examples: have:embedded_domains have:embedded_urls have:behaviour Available fields: androguard, authentihash, behavior, behavior_files, behavior_network, behavior_processes, behavior_registry, behavior_services, behaviour, behaviour_files, behaviour_network, behaviour_processes, behaviour_created_processes , behaviour_injected_processes, behaviour_registry, behaviour_services, bundled_file, bundled_files, capability_tag, capability_tags, carbonblack_parents, ciphered_parents, clue_rule, clues, comment, comments, compressed_parents, contacted_domain, contacted_domains, contacted_ip, contacted_ips, contacted_url, contacted_urls, creation_date, crowdsourced_ids, crowdsourced_yara_rule, dropped_file, dropped_files, email_attachment, email_attachments, email_parents, embedded_domains, embedded_ips, embedded_urls, entry_point, ep, evtx, execution_parents, exports, gen, generated, imphash, imports, in_the_wild, itw, itw_domain, itw_domains, itw_url, itw_urls, ja3_digest, ja3_digests, lang, language, main_icon_dhash, main_icon_md5, malware_config, memdump, metadata, netguid, overlay_children, overlay_parents, packer, packers, parent, parents, pcap, pcap_children, pcap_parents, peresource, pe_resource_children, pe_resource_parents, permhash, petimestamp, pets, sandbox_name, scan_timeout, screenshot, screenshots, section, sectionmd5, sections, segment, segments, sigcheck, sigma_rule, sigma_rules, signature, signatures, tag, tags, tlsh, traffic, urls_for_embedded_js |
comment | Any file type | Search for string in the comments section: Example:comment:"#math_entropy_close_8" |
comment_author | Any file type | Search for resources that have any comment from the specific user. Example:comment_author:javilinux |
clue_rule | Any file type | Searches all files matching a specific VT Clue rule. Example:clue_rule:1bd7d049d5d2d9b6a9ba92814d5e59f6ee1ccd45c2f3a9b0346e809e7e60fe07 |
crowdsourced_yara_rule | Any file type | Filters the files that match a crowdsourced YARA rule. You can search either using a rule’s name or using both ruleset’s ID and rule’s name. Examples: crowdsourced_yara_rule:Imphash_Malware_2_TA17_293A crowdsourced_yara_rule:Nanocore [crowdsourced_yara_rule:000554a6bb|SUSP_XORed_URL_in_EXE](https://www.virustotal.com/gui/search/crowdsourced_yara_rule%253A000554a6bb%257CSUSP_XORed_URL_in_EXE/files) [crowdsourced_yara_rule:0024b0b651|WinLock](https://www.virustotal.com/gui/search/crowdsourced_yara_rule%253A0024b0b651%257CWinLock/files) |
crowdsourced_ids | Any file type | Filters the files that match a crowdsourced IDS rule. You can search either using a rule's name or ruleset's ID Examples: crowdsourced_ids:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection" crowdsourced_ids:48084 |
sigma_critical sigma_high sigma_medium sigma_low | Any file type | Number of matched sigma rules of the different levels (critical/high/medium/low). Examples: sigma_critical:1+ sigma_high:1+ sigma_medium:1+ sigma_low:1+ |
sigma_rule | Any file type | Filters the files that match a Sigma rule. Examples: sigma_rule:30fcf3924a898a9d1747e89068ab2990c77ca3914a94aa78466d28a9d9da32bb |
engines | Any file type | Filters the files according to Malware family name on the antivirus results (no matter which particular engine produced the output). Example: "Trojan.Isbar" You can also filter files according to specific engines detections, check the details at: Identifying files according to antivirus detections |
min_engines_{verdict} | Any file type | Filters files based on the number of engines providing an specific verdict. Example: min_engines_banker:5 min_engines_emotet:10 |
peresource | Portable Executables (PE) | Filters the files according to the hash associated with the contained resource. Example: peresource:3de7cf1214054541d9b57cc2ab8d5e85516a0ac274b9d9213a07cd6e8e70a138 |
attack_technique | Any file type | Filters the files according to the Mitre Att&ck technique. Example: attack_technique:T1055 |
attack_tactic | Any file type | Filters the files according to the Mitre Att&ck tactic. Example: attack_tactic:TA0003 |
trid | Any file type | TrIDis a utility designed to identify file types from their binary signatures. It may give several detections, ordered by higher to lower probability of file format identification (given as percentage). Example: trid:"InstallShield setup" |
tlsh | Any file type | It is a hash used byTrend Micro which can be used for similarity comparisons. Example: tlsh:T1F0B12349F49722D219B3707D3BBF920476A6454F0D48CD44742D7984AF1CF2BB8BA2CA |
permhash | APKs, CRXs and their manifests | Filter APKs, CRXs and their manifests based on their permhash. Example: permhash:9126f12ce5d0e610bb74da304b6bd0cd648428e59e74326fbd5affaa70d2257e |
detectiteasy | MSDOS, PE, ELF, MACH and Binary | It is a program for determining types of files. Example: detectiteasy:"Compiler: Microsoft Visual C/C++ (2015 v.14.0)" |
malware_config | Any file type | Filter files according to the malware configuration. Example:malware_config:dcscmin\imdcsc.exe |
codeinsight | Any file type | Searches among all the Sec-PaLM AI analyses of the file. Example: codeinsight:keylogger |
crowdsourced_ai_analysis | Any file type | Searches among all the AI analyses of the file. Example: crowdsourced_ai_analysis:"is malicious" |
crowdsourced_ai_verdict | Any file type | Searches among all the AI verdicts of the file. Example: crowdsourced_ai_verdict:benign |
xxx_ai_analysis | Any file type | Searches a specific source's AI analysis. Right now xxx can be hispasec and nics . Example: nics_ai_analysis:"is malicious" |
xxx_ai_verdict | Any file type | Searches a specific source's AI verdict. Example: hispasec_ai_verdict:benign |
threat_actor related_actor | Any file type | Searches for IoCs which have that related threat actor. Example: threat_actor:"Lazarus Group" |
gti_score | Any file type | Google Threat Intelligence assessment threat score. Example: gti_score:30+" |
gti_severity | Any file type | Google Threat Intelligence assessment severity of the IOC. Example: gti_severity:high" |
gti_verdict | Any file type | Google Threat Intelligence assessment verdict of the IOC. Example: gti_verdict:benign" |
behaviour_signature behavior_signature | Any file type | Search for behavior signature matches on rule names and descriptions.. Example: behaviour_signature:"linking/runtime-linking" behaviour_signature:"create process on Windows" |
mbc | Any file type | Search by MBC ID. Example: mbc:C0002 |
attribution | Any file type | Search by malware family based on the verdicts provided by the data sources available in VirusTotal. Attribution can be of 3 types: malwares , actors or campaigns Example: attribution:apt15 |
Updated 11 days ago