Extracting C2 domains/IPs from samples/hashes


t...@kettledrums.com

Apr 19, 2016, 6:37:02 AM
to VirusTotal
Maybe a bit of a n00b question, but I can only find indirect references to it, nothing in the FAQs or this forum.

If a given malware has specific c2 infrastructure associated with it, does VT expose the domains/IPs? I tested with a few hashes and didn't find any, so can't tell if that's just not something VT does, or if those particular variants didn't have any identified c2.

Simply stated, what I'm looking for is this: 

input: file or hash
output: domain names and/or IPs tied to that malware

I know there are various threat intel feeds that provide this kind of info. Just wondering if VT can as well (on an interactive query basis, obviously, not as a feed).

Thanks,

Tim
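The input/output pair Tim describes (file or hash in, contacted domains and IPs out) can be answered against VirusTotal's current v3 API, whose per-file relationship endpoints `/files/{hash}/contacted_domains` and `/files/{hash}/contacted_ips` expose the network contacts VT recorded for a sample. The script below is an added example written for this thread, not code from VirusTotal or from either poster; it assumes those v3 endpoints (which postdate this 2016 discussion), an API key in the `VT_API_KEY` environment variable, and a constructed sample response (`SAMPLE_DOC`, with documentation-range values rather than real infrastructure) so the extraction logic runs offline. It also keeps each contact's detection count, because a sandbox contact is not automatically C2: connectivity checks, CDNs and OS update hosts show up in the same list.

```python
"""Look up the domains/IPs VirusTotal has recorded for a file or hash.

Added example for this thread (not VirusTotal's own code). Assumes the v3
relationship endpoints /files/{hash}/contacted_domains and
/files/{hash}/contacted_ips and an API key in VT_API_KEY. SAMPLE_DOC is a
constructed response used for the offline demonstration.
"""
import hashlib
import json
import os
import re
import urllib.error
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"
# Relationships that expose observed network contacts of a file object.
RELATIONSHIPS = ("contacted_domains", "contacted_ips")
HEX_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def resource_id(file_or_hash):
    """Accept an MD5/SHA-1/SHA-256 string or a path to a file and return the
    identifier VT expects. Files are hashed locally with SHA-256, so nothing
    has to be uploaded just to ask whether VT already knows the sample."""
    if HEX_HASH.match(file_or_hash):
        return file_or_hash.lower()
    h = hashlib.sha256()
    with open(file_or_hash, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_relationship(file_hash, relationship, api_key, limit=40):
    """GET /files/{hash}/{relationship}. A 404 means VT has never seen the
    hash, which is a different answer from 'seen, but no contacts recorded'."""
    url = f"{VT_API}/files/{file_hash}/{relationship}?limit={limit}"
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def extract_indicators(doc):
    """Pull domain names / IPs out of a v3 relationship document, keeping the
    number of engines that flagged each one so benign contacts can be
    separated from likely C2 by the analyst."""
    out = []
    for obj in (doc or {}).get("data", []):
        if obj.get("type") not in ("domain", "ip_address"):
            continue
        stats = obj.get("attributes", {}).get("last_analysis_stats", {})
        out.append({"type": obj["type"], "value": obj["id"],
                    "malicious": stats.get("malicious", 0)})
    return out


def c2_candidates(indicators, min_malicious=1):
    """A contact is only a C2 candidate when at least min_malicious engines
    flag the domain/IP itself; an unflagged contact is just a contact."""
    return sorted(i["value"] for i in indicators if i["malicious"] >= min_malicious)


def lookup(file_or_hash, api_key):
    """The thread's input/output pair: file or hash in, contacts out."""
    fid = resource_id(file_or_hash)
    found = []
    for rel in RELATIONSHIPS:
        found.extend(extract_indicators(fetch_relationship(fid, rel, api_key)))
    return found


# Constructed sample in the shape of a v3 relationship response; the hosts
# are documentation/example names and addresses, not real infrastructure.
SAMPLE_DOC = {
    "data": [
        {"type": "domain", "id": "update.example.com",
         "attributes": {"last_analysis_stats": {"malicious": 0, "harmless": 70}}},
        {"type": "domain", "id": "c2.example.net",
         "attributes": {"last_analysis_stats": {"malicious": 12, "harmless": 58}}},
        {"type": "ip_address", "id": "192.0.2.10",
         "attributes": {"last_analysis_stats": {"malicious": 5, "harmless": 65}}},
    ]
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2 and os.environ.get("VT_API_KEY"):
        hits = lookup(sys.argv[1], os.environ["VT_API_KEY"])   # live query
    else:
        hits = extract_indicators(SAMPLE_DOC)                  # offline demo
    for ind in hits:
        print(f"{ind['type']:10} {ind['value']:30} malicious={ind['malicious']}")
    print("C2 candidates:", c2_candidates(hits))
```

Run as `VT_API_KEY=... python vt_contacts.py <file-or-hash>` for a live lookup, or with no arguments for the offline demonstration. Two results need separate interpretation: `fetch_relationship` returning `None` means VT has no record of the hash at all (Tim's "can't tell" case), while an empty `data` list means the sample is known but no contacts were recorded for it, typically because it was never detonated or never resolved anything.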

Henry

May 3, 2016, 3:04:42 AM
to VirusTotal

I uploaded my first captured files from my honeypot and put the extra information I had in a comment (had to use the API, couldn't get the commenting web UI to work).
I added:
- host IP where the malware was downloaded from
- IPs of attackers using the host
- list of files captured from the same host at the same time

An example can be found at:
https://www.virustotal.com/en/file/d707b71a9230644f967ae9f38134cff68089d3f5cbd9d2b8d8cee7df856276c1/analysis/

The extra information needs standardized hashtags and some best practices (I couldn't find any existing).
The data is auto-generated and the plan is to fully automate uploading to VirusTotal from the honeypots.