# Virus Total Graph Exercise

### 1. Introduction

> **Time to graph!** You have received a hash value of a malicious file. Your task is to identify as much information about the samples as possible. What malware is it? Can we find related files and malicious samples? Where is the file hosted? Where are the next stages of the malware hosted?

Given is the following hash value: `b2fc2c0e222c88b45df343109a204a46b60d85f56e9fbfd9527e18f693469412`

The goal of this exercise is to **get to know the VirusTotal Graph interface**: enrich indicators with data stored on VirusTotal, add values from other sources, and continue your graph adventure until you feel confident that you have mapped out the attack, identified related malicious URLs and command and control (C2) servers, and can identify the malware.

To get started with VirusTotal Graph you need to create an account first.

Resources:

{% embed url="<https://www.virustotal.com/graph>" %}

{% embed url="<https://bazaar.abuse.ch>" %}

### 2. Create Graph

Let's start by creating a new graph on VirusTotal. As the starting resource I'll add the given hash value and rename it to `Subcontract 504.zip`.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F7ZWYNH5J6iKBng5urZPq%2Fvt01.png?alt=media&#x26;token=ace6df42-6c0a-4319-a612-f2417950486d" alt=""></div>

Right-clicking the zip file and selecting "Full expansion" doesn't bring up more information at the moment. Maybe that's because the zip file is password-protected!

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FSdp41mUqleeCGX3KTgHj%2Fvt02.png?alt=media&#x26;token=3b8b70a1-13fc-407d-8870-b977dbbb62f9" alt=""></div>

Let's check MalwareBazaar to see if we can find additional info on the hash value we have:

{% embed url="<https://bazaar.abuse.ch/sample/b2fc2c0e222c88b45df343109a204a46b60d85f56e9fbfd9527e18f693469412>" %}

From here we see that the zip file is linked to an XLSM file, with a note that it is the Dridex malware. We have a second hash value and can now bring this information together for our graph.

`adbfe3ab87bdb320c3ef08a99550da2b188dfabe822b90519806e5f399732b69w`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F1uuFXuMUwW7vW3z0rzgu%2Fvt03.png?alt=media\&token=48939441-fc20-451e-b01b-e996446db07c)

From here we can also see other interesting information, such as a Dropbox URL that we can add to our VirusTotal graph.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FEhDhZoDH1WyUcNhstWl7%2Fvt04.png?alt=media\&token=8c22ad71-f036-4051-a7c7-1248df5eb6a0)

Note that the comment field also contains information about the password.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FNMwP2npg644T8ko7IniV%2Fvt05.png?alt=media&#x26;token=00e8156c-148c-4435-8564-9c889f8e30de" alt=""></div>
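The manual MalwareBazaar lookup above can be scripted for many indicators. As an added example (not part of the original exercise, and not VirusTotal's or MalwareBazaar's own tooling), the Python below validates a SHA-256 before pivoting on it and turns a MalwareBazaar `get_info`-style reply into graph edges. The JSON reply is constructed for this example; the field names follow MalwareBazaar's public API, the values (family, tags, comment, URL) are made up.

```python
import json
import re

# Constructed MalwareBazaar-style get_info reply (example data, not a real API response).
# Field names sha256_hash, file_name, file_type, signature, tags and comment follow the
# public API; every value below is made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "query_status": "ok",
    "data": [{
        "sha256_hash": "b2fc2c0e222c88b45df343109a204a46b60d85f56e9fbfd9527e18f693469412",
        "file_name": "Subcontract 504.zip",
        "file_type": "zip",
        "signature": "Dridex",
        "tags": ["Dridex", "zip"],
        "comment": "Password protected archive. Dropped from hxxps://www.dropbox[.]com/s/EXAMPLE/file?dl=1",
    }],
})

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
URL_RE = re.compile(r"""h(?:xx|tt)ps?://[^\s"']+""")


def is_sha256(value: str) -> bool:
    """A SHA-256 is exactly 64 hex characters; anything else is a copy/paste error."""
    return bool(SHA256_RE.fullmatch(value.strip().lower()))


def refang(url: str) -> str:
    """Undo common defanging so the URL can be used as a graph node."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def graph_edges(response_json: str):
    """Turn a get_info reply into (source, relation, target) edges for the graph."""
    payload = json.loads(response_json)
    edges = []
    if payload.get("query_status") != "ok":
        return edges  # hash_not_found, illegal_hash, ... yield no pivots
    for entry in payload["data"]:
        sha = entry["sha256_hash"].lower()
        if not is_sha256(sha):
            continue  # never pivot on a malformed indicator
        if entry.get("file_name"):
            edges.append((sha, "named", entry["file_name"]))
        if entry.get("signature"):
            edges.append((sha, "family", entry["signature"]))
        for tag in entry.get("tags") or []:
            edges.append((sha, "tag", tag))
        for url in URL_RE.findall(entry.get("comment") or ""):
            edges.append((sha, "referenced_url", refang(url)))
    return edges
```

Each edge maps onto one node-plus-link you would otherwise draw by hand in VirusTotal Graph; the hash check catches indicators with a stray trailing character before they are looked up.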

### 3. Connecting the dots

Now I can add different nodes to my starting node. If I connect the SHA256 hash value of the XLSM file, we can see that VirusTotal knows a lot more information about it.\
We can now expand

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FS9WEtEjYKzYDoL8KIg6m%2Fvt06.png?alt=media\&token=af1daa45-d36a-4a66-8dfd-1d6cc639652b)

Every node marked in red can be expanded, and the graph will grow even more!

You can view my graph here:

{% embed url="<https://www.virustotal.com/graph/embed/g7c164ed260f0449296bdc270416efc134053330eeb604beb9551690e40efb8d2>" %}
