
VirusTotal

Three tools in one key

With a single VirusTotal API key you have coverage for the three main types of IOC:

Function                   IOC                      What it analyzes
virustotal_ip_lookup       IP                       Reputation, detections, associated domains
virustotal_domain_lookup   Domain                   Categories, DNS, WHOIS, detections, subdomains
virustotal_hash_lookup     Hash (MD5/SHA1/SHA256)   File reputation, AV detections, metadata

virustotal_ip_lookup

from src.tools.virustotal import virustotal_ip_lookup
# async tool function: await it from an async context (or wrap it in asyncio.run)
result = await virustotal_ip_lookup("185.220.101.34")

Main fields returned:

  • malicious_count: number of AV engines that mark it as malicious
  • harmless_count: engines that mark it as benign
  • reputation: reputation score (-100 to 100)
  • country: country of origin
  • asn: autonomous system number
  • as_owner: ISP/provider name
  • tags: tags (e.g. “TOR”, “VPN”, “hosting”)
  • last_analysis_stats: statistics from the last analysis
  • associated_domains: domains seen on that IP

virustotal_domain_lookup

from src.tools.virustotal import virustotal_domain_lookup
# same async calling convention as the IP lookup
result = await virustotal_domain_lookup("evil-phishing.com")

Main fields:

  • categories: categories assigned by different providers
  • reputation: reputation score
  • malicious_count: detections
  • creation_date: registration date (from VT’s WHOIS)
  • last_dns_records: recent DNS records
  • subdomains: known subdomains
  • last_https_certificate: SSL certificate info
  • tags: tags

virustotal_hash_lookup

from src.tools.virustotal import virustotal_hash_lookup
# accepts an MD5, SHA1 or SHA256 hex digest
result = await virustotal_hash_lookup("d41d8cd98f00b204e9800998ecf8427e")

Main fields:

  • meaningful_name: malware name (if known)
  • malicious_count: number of AVs that detect it
  • popular_threat_classification: malware family
  • file_type: file type
  • size: size in bytes
  • first_submission_date: first time seen in VT
  • tags: tags (packed, overlay, pdf, etc.)
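As an added example that is not part of the project's own code, the helper below consumes the result dicts returned by the three lookups above and turns each into a verdict with explicit reasons. It assumes each result is a plain dict keyed by the field names listed on this page, that popular_threat_classification arrives as a label string in this wrapper, and it treats a response with no analysis data as unknown rather than clean.

```python
from dataclasses import dataclass, field

# Constructed thresholds; adjust to your own triage policy.
MALICIOUS_RATIO = 0.10   # share of engines flagging the IOC
BAD_REPUTATION = -50     # VT reputation score runs from -100 to 100
PRIORITY_TAGS = {"tor", "exit-node", "vpn", "proxy"}  # raise attention, not a verdict by themselves

@dataclass
class Verdict:
    ioc: str
    level: str                      # "malicious" | "suspicious" | "clean" | "unknown"
    reasons: list = field(default_factory=list)

def detection_ratio(result):
    """Fraction of engines flagging the IOC; None when the response carries no usable stats."""
    stats = result.get("last_analysis_stats") or {}
    mal = stats.get("malicious", result.get("malicious_count"))
    total = sum(v for v in stats.values() if isinstance(v, int))
    if not total and mal is not None and result.get("harmless_count") is not None:
        total = mal + result["harmless_count"]     # fall back to the two count fields
    return mal / total if (mal is not None and total) else None

def triage(ioc, result):
    """Map one lookup result (dict keyed by the fields listed above) to a Verdict with reasons."""
    ratio = detection_ratio(result)
    mal = result.get("malicious_count") or 0
    rep = result.get("reputation")
    family = result.get("popular_threat_classification")  # assumed to be a label string here
    v = Verdict(ioc, "unknown")
    if ratio is None and "malicious_count" not in result:
        v.reasons.append("no analysis data in response; do not treat as clean")
        return v                    # missing data is unknown, never implicitly benign
    bad_rep = rep is not None and rep <= BAD_REPUTATION
    v.level = ("malicious" if (ratio or 0) >= MALICIOUS_RATIO or bad_rep
               else "suspicious" if mal > 0 or family else "clean")
    if mal:
        v.reasons.append(f"{mal} engines flag it" + (f" ({ratio:.0%})" if ratio is not None else ""))
    if bad_rep:
        v.reasons.append(f"reputation {rep}")
    if family:
        v.reasons.append(f"classified as {family}")
    hits = PRIORITY_TAGS & {str(t).lower() for t in (result.get("tags") or [])}
    if hits:
        v.reasons.append("tags: " + ", ".join(sorted(hits)))
    return v

# Constructed sample mirroring the agent output further down the page (not a live lookup).
SAMPLE_IP = {"malicious_count": 87, "harmless_count": 5, "reputation": -95, "tags": ["tor", "exit-node"],
             "last_analysis_stats": {"malicious": 87, "harmless": 5, "suspicious": 0, "undetected": 2}}
```

Feed the dict returned by each lookup straight into triage(); the reasons list is what an analyst sees in the agent's output, so keep it short and factual.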

Free tier

  • 500 requests/day
  • Rate limit of 4 requests/minute
  • No access to some premium fields (comments, advanced relationships)

The 24-hour cache reduces actual API consumption: investigating the same IP several times in one day counts as a single real call.

Example agent output

[VirusTotal IP] 185.220.101.34
├─ Malicious: 87/94 engines
├─ Reputation: -95
├─ Tags: tor, exit-node
├─ Country: NL (Netherlands)
├─ ASN: AS53667 (Frantech Solutions)
└─ Associated domains: (3 found)
   ├─ relay1.example.tor
   ├─ exit-node-nl.example.net
   └─ ...