CAS Cybersecurity

Virus Total Graph Exercise


Last updated 3 years ago

1. Introduction

Time to graph! You have received the hash value of a malicious file. Your task is to identify as much information about the sample as possible. What malware is it? Can we find related files and malicious samples? Where is the file hosted? Where are the next stages of the malware hosted?

Given is the following hash value: b2fc2c0e222c88b45df343109a204a46b60d85f56e9fbfd9527e18f693469412

The goal of this exercise is to get to know the VirusTotal Graph interface, enrich indicators with data stored on VirusTotal, add values from other sources, and continue your graph adventure until you feel confident that you have mapped out the attack, identified related malicious URLs and command and control (C2) servers, and can identify the malware.

To get started with VirusTotal Graph you need to create a login first.

Resources:

2. Create Graph

Let's start by creating a new graph on VirusTotal. As the starting resource I'll add the given hash value and rename the node to Subcontract 504.zip.

Right-clicking the zip file and selecting "Full expansion" doesn't bring up any more information at the moment. Maybe that's because the zip file is password-protected!

Let's check MalwareBazaar to see if we can find additional information on the hash value we have:

From here we see that the zip file is linked to an XLSM file, with a note that it is the Dridex malware. We have a second hash value and can now bring this information together in our graph:

adbfe3ab87bdb320c3ef08a99550da2b188dfabe822b90519806e5f399732b69

From here we can also see other interesting information, such as a Dropbox URL, that we can add to our VirusTotal graph.

Note that there is also information about the password in the comment field.

3. Connecting the dots

Now I can add different nodes to my starting node. If I connect the SHA256 hash value of the XLSM file, we can see that VirusTotal knows a lot more about it. We can now expand.

Every node marked in red can be expanded, and the graph will grow even more!
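The pivoting done by hand above (seed hash, enrichment lookup, pulling related hashes and URLs out of the record, expanding each new node) can be reproduced in code so the resulting graph is repeatable and every indicator is validated before it becomes a node. The following Python script is an added example and is not part of the original exercise, VirusTotal Graph or MalwareBazaar. The two SHA-256 values are the ones from the exercise; the response records, the `.example` next-stage URL and the function names (`lookup`, `pivots`, `build_graph`) are constructed for this example. A live query is assumed to follow MalwareBazaar's documented `get_info` form (`POST https://mb-api.abuse.ch/api/v1/` with `query=get_info&hash=<sha256>`); the script runs offline against the embedded stand-in records.

```python
import json
import re

# Hashes from the exercise: the password-protected zip and the XLSM it is linked to.
ZIP_SHA256 = "b2fc2c0e222c88b45df343109a204a46b60d85f56e9fbfd9527e18f693469412"
XLSM_SHA256 = "adbfe3ab87bdb320c3ef08a99550da2b188dfabe822b90519806e5f399732b69"

# Constructed stand-in for MalwareBazaar "get_info" answers (offline).
# Only the two hashes are real; file names, tags, comments and the
# next-stage URL (reserved .example TLD) are made-up placeholders.
SAMPLE_RESPONSES = {
    ZIP_SHA256: {
        "query_status": "ok",
        "data": [{
            "sha256_hash": ZIP_SHA256,
            "file_name": "Subcontract 504.zip",
            "file_type": "zip",
            "signature": None,
            "tags": ["zip", "Dridex"],
            "comment": "Password protected archive. Contains an XLSM dropper: " + XLSM_SHA256,
        }],
    },
    XLSM_SHA256: {
        "query_status": "ok",
        "data": [{
            "sha256_hash": XLSM_SHA256,
            "file_name": "Subcontract 504.xlsm",
            "file_type": "xlsm",
            "signature": "Dridex",
            "tags": ["Dridex", "xlsm"],
            "comment": "Macro downloads next stage from hxxps://dropbox[.]example/s/PLACEHOLDER/stage2.dll?dl=1",
        }],
    },
}

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
HASH_IN_TEXT_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Plain and defanged (hxxp, [.]) URLs as commonly written in analyst comments.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s\"'<>]+", re.IGNORECASE)


def is_sha256(value):
    """Reject anything that is not exactly 64 hex digits (catches stray characters)."""
    return bool(SHA256_RE.match(value))


def refang(url):
    """Turn a defanged URL back into a normal one so it can be used as a node id."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def lookup(sha256, responses=SAMPLE_RESPONSES):
    """Return the first data record for a hash, or None if the service has no entry.
    Offline stand-in for the get_info query; a real answer carries
    query_status 'hash_not_found' for unknown hashes."""
    if not is_sha256(sha256):
        raise ValueError(f"not a SHA-256: {sha256!r}")
    resp = responses.get(sha256.lower())
    if not resp or resp.get("query_status") != "ok":
        return None
    return resp["data"][0]


def pivots(record):
    """Graph neighbours of a record: other hashes and URLs mentioned in its comment."""
    text = record.get("comment") or ""
    hashes = {h.lower() for h in HASH_IN_TEXT_RE.findall(text)} - {record["sha256_hash"]}
    urls = {refang(u) for u in URL_RE.findall(text)}
    return hashes, urls


def build_graph(seed, responses=SAMPLE_RESPONSES, max_depth=3):
    """Breadth-first expansion from the seed hash, like expanding each red node.
    Returns nodes {id: {type, label, family}} and edges {(src, dst)}."""
    nodes, edges = {}, set()
    queue = [(seed.lower(), 0)]
    while queue:
        h, depth = queue.pop(0)
        if h in nodes:
            continue
        rec = lookup(h, responses)
        if rec is None:
            nodes[h] = {"type": "file", "label": h[:12], "family": None}
            continue
        nodes[h] = {"type": "file", "label": rec.get("file_name") or h[:12],
                    "family": rec.get("signature")}
        if depth >= max_depth:
            continue
        hashes, urls = pivots(rec)
        for nh in hashes:
            edges.add((h, nh))
            queue.append((nh, depth + 1))
        for u in urls:
            nodes.setdefault(u, {"type": "url", "label": u, "family": None})
            edges.add((h, u))
    return nodes, edges


if __name__ == "__main__":
    nodes, edges = build_graph(ZIP_SHA256)
    print(json.dumps(nodes, indent=2))
    for src, dst in sorted(edges):
        print(f"{nodes[src]['label']} -> {nodes[dst]['label']}")
```

The `is_sha256` check is what would have flagged a hash copied with a stray trailing character before it was added as a node, and `max_depth` bounds the expansion so a noisy comment field cannot pull an unbounded number of pivots into the graph.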

You can view my graph here: VirusTotal Graph (virustotal)

Links referenced on this page:

  • VirusTotal Graph (virustotal)
  • MalwareBazaar - Malware sample exchange
  • https://bazaar.abuse.ch/sample/b2fc2c0e222c88b45df343109a204a46b60d85f56e9fbfd9527e18f693469412 (bazaar.abuse.ch)