You are tasked with analysing unknown malware samples detected by your SOC team.
Start the machine; I will use the Windows-based FLARE VM.
cd C:\Users\Administrator\Desktop\Samples
Get-ChildItem
Get-ChildItem | Get-FileHash -Algorithm MD5 | select Hash,Path
If you check the first file on the REMnux VM using the file command, you can see it is a PE32 executable (32-bit Portable Executable).
Now search the MD5 hash of the first file on VirusTotal.
Search the MD5 hash of the second file on VirusTotal.
Check the Details tab; you can see the DLLs it imports
and its original file name.
Check the malware signature of the 3rd and 4th files on abuse.ch.
Open PE-Bear in the FLARE VM and find the message in the DOS_STUB of malbuster_4.
Alternatively, PE Tree in the REMnux VM returns the same answer.
Search the MD5 hash of the 4th file on VirusTotal and check the Details tab to see the imported DLLs.
capa malbuster_1 | findstr /I "anti"
capa malbuster_1 | findstr /I "log keystrokes"
capa malbuster_2 | findstr /I "log keystrokes"
capa malbuster_3 | findstr /I "log keystrokes"
capa malbuster_4 | findstr /I "log keystrokes"
You can find the answer in malbuster_3.
capa malbuster_4 | findstr /I "DISCOVERY"
strings malbuster_1 | findstr /I "GodMode"
strings malbuster_2 | findstr /I "GodMode"
strings malbuster_3 | findstr /I "GodMode"
strings malbuster_4 | findstr /I "GodMode"
You can find the answer in malbuster_2.
strings malbuster_1 | findstr /I "Mozilla/4.0"
strings malbuster_2 | findstr /I "Mozilla/4.0"
strings malbuster_3 | findstr /I "Mozilla/4.0"
strings malbuster_4 | findstr /I "Mozilla/4.0"
You can find the answer in malbuster_1.
Answer:
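As an added example (not part of this walkthrough or of the room's tooling), the Python script below reproduces the static checks used above with the standard library only: the MD5 hash, PE32 versus PE32+ from the optional-header magic (what the file command reports), the DOS-stub text that PE-Bear shows, and the GodMode / Mozilla/4.0 string searches. It runs on a constructed PE byte string (SAMPLE, not one of the malbuster_* files) so it works offline; point triage() at a real file's bytes to use it on the samples.

```python
import hashlib
import re
import struct

# Constructed sample: DOS header, a custom DOS stub, a PE32 COFF/optional header
# and a few strings. It is not a runnable program and not one of the malbuster_* files.
STUB_MSG = b"This program cannot be run in DOS mode.\r\n$"
_dos = bytearray(b"MZ" + b"\x00" * 62)                      # 64-byte DOS header
_dos[0x3C:0x40] = struct.pack("<I", 0x40 + len(STUB_MSG))  # e_lfanew -> PE header
_coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
_opt = struct.pack("<H", 0x10B) + b"\x00" * 0xDE            # magic 0x10B = PE32
_body = b"\x00GodMode\x00Mozilla/4.0 (compatible)\x00"
SAMPLE = bytes(_dos) + STUB_MSG + _coff + _opt + _body

MACHINES = {0x014C: "Intel 386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}

def pe_header(data):
    """Parse the DOS and NT headers; None if this is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]  # first optional-header field
    return {"e_lfanew": e_lfanew,
            "machine": MACHINES.get(machine, hex(machine)),
            "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown")}

def ascii_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, as `strings` prints them."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data, indicators=("GodMode", "Mozilla/4.0")):
    """MD5, PE format, DOS-stub text and indicator string hits in one report."""
    hdr = pe_header(data)
    stub_text = ascii_strings(data[0x40:hdr["e_lfanew"]]) if hdr else []
    strs = ascii_strings(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "header": hdr,
        "dos_stub": max(stub_text, key=len, default=""),
        "hits": {ind: [s for s in strs if ind.lower() in s.lower()] for ind in indicators},
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```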