VirusTotal Graph Exercise

1. Introduction

Time to graph! You have received the hash value of a malicious file. Your task is to identify as much information about the sample as possible. What malware is it? Can we find related files and malicious samples? Where is the file hosted? Where are the next stages of the malware hosted?

Given is the following hash value: b2fc2c0e222c88b45df343109a204a46b60d85f56e9fbfd9527e18f693469412

The goal of this exercise is to get to know the VirusTotal Graph interface, enrich indicators with data stored on VirusTotal, add values from other sources, and continue your graph adventure until you feel confident that you have mapped out the attack, identified related malicious URLs and command and control (C2) servers, and can identify the malware.

To get started with VirusTotal Graph you need to create a login first.

Resources:

2. Create Graph

Let's start by creating a new graph on VirusTotal. As the starting resource I'll put in the given hash value and rename it to Subcontract 504.zip

Right-clicking the zip file and selecting "Full expansion" doesn't bring up any more information at the moment. Maybe that's because the zip file is password-protected!

Let's check MalwareBazaar to see if we can find additional information on the hash value we have:

Here we see that the zip file is linked to an XLSM file, with a note that it is the Dridex malware. We have a second hash value and can now bring this information together in our graph.

adbfe3ab87bdb320c3ef08a99550da2b188dfabe822b90519806e5f399732b69

Here we can also see other interesting information, such as a Dropbox URL that we can add to our VirusTotal graph.

Note that there is also a comment with information about the password.

3. Connecting the dots

Now I can add different nodes to my starting node. If I connect the SHA256 hash value of the XLSM file, we can see that VirusTotal knows a lot more information about it. We can now expand

Every node that is marked in red can be expanded, and the graph will grow even more!
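The pivoting from steps 2 and 3 reduced to code, as an added example that is not part of the original exercise: an offline breadth-first expansion over a small constructed enrichment table that stands in for VirusTotal "Full expansion" and the MalwareBazaar lookup. The two hashes are the ones from the exercise; the Dropbox URL path and the relationship names are constructed placeholders, and the password-protected zip yields no expansion, just as on the page.

```python
import re
from collections import deque
from urllib.parse import urlparse

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
ZIP_SHA256 = "b2fc2c0e222c88b45df343109a204a46b60d85f56e9fbfd9527e18f693469412"
XLSM_SHA256 = "adbfe3ab87bdb320c3ef08a99550da2b188dfabe822b90519806e5f399732b69"
# Constructed placeholder: the exercise mentions a Dropbox URL but does not give it.
STAGE_URL = "https://www.dropbox.com/s/PLACEHOLDER/Subcontract504.xlsm?dl=1"

# Constructed enrichment table standing in for VirusTotal "Full expansion" and the
# MalwareBazaar record: indicator -> list of (relationship, related indicator).
ENRICHMENT = {
    ZIP_SHA256: [],  # password-protected zip: VirusTotal cannot unpack it, no pivots
    XLSM_SHA256: [("contained_in", ZIP_SHA256), ("downloaded_from", STAGE_URL)],
}


def normalize(indicator: str) -> str:
    """Trim and lowercase a hash, pass URLs through, reject anything else.

    A stray non-hex character (a copy-paste slip) makes a 64-char SHA256 invalid."""
    value = indicator.strip()
    if value.startswith(("http://", "https://")):
        return value
    value = value.lower()
    if not SHA256_RE.match(value):
        raise ValueError(f"not a SHA256 hash: {indicator!r}")
    return value


def expand(seeds, enrichment=ENRICHMENT, max_depth=3):
    """Breadth-first pivot from the seed indicators; returns sorted (src, rel, dst) edges."""
    queue = deque((normalize(seed), 0) for seed in seeds)
    seen, edges = set(), set()
    while queue:
        node, depth = queue.popleft()
        if node in seen or depth > max_depth:
            continue
        seen.add(node)
        if node.startswith("http"):
            # VirusTotal Graph links every URL node to its domain; do the same here.
            edges.add((node, "hosted_on", urlparse(node).hostname))
            continue
        for rel, related in enrichment.get(node, []):
            edges.add((node, rel, related))
            queue.append((related, depth + 1))
    return sorted(edges)


if __name__ == "__main__":
    for src, rel, dst in expand([XLSM_SHA256]):
        print(f"{src[:12]}... --{rel}--> {dst}")
```

Expanding only the zip hash returns an empty edge list, which is why the MalwareBazaar lookup is needed to reach the XLSM hash before the graph can grow.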

You can view my graph here:
