Friday, March 10, 2017

Important Fields in Virustotal:

A VirusTotal page for a malware sample usually has seven tabs:
Analysis: The scan results from the antivirus engines.
File detail: Packer information, PE details (header, sections, imports) and file metadata.
Relationship: Details about similar samples, malware variants and bundles that contain this file.
Additional Information: File identification (hashes: MD5, SHA1, SHA256), file size, file type, VirusTotal submission details and file names. The file names are the names the sample was uploaded under; one file may have many names, because whoever uploads it can rename it before uploading.
Comments: Comments from malware researchers, usually present if the sample is widely seen.
Votes: Not important for our analysis; ignore this section.
Behavioral Information: Essentially a dynamic analysis of the given sample. It gives details about file creation, file deletion, network communication, etc. performed by the sample.


Fields to look at:
File name: If you get a proper, readable file name, you can use it as a search term in the logs.
Hash of the file: Any of the MD5, SHA1 or SHA256 hashes can be used if the client records file hashes in their logs. A hash match ties the log entry directly to the infection, so we can go on to in-depth analysis.
IP address/URL: Any malicious IP address or URL associated with the file in VT can be used as an indicator of compromise to search the logs.


The important fields among the seven tabs above are:
Relationship,
Additional Information,
Behavioral Information, and
Comments.

Relationship:
Here VirusTotal gives more information about similar or related file infections. The analyst needs to follow all of those links and look for any malicious IP addresses, URLs and file names that will help our analysis.

Additional Information:
File name: If you get a proper, readable file name, you can use it as a search term in the logs.
Hash of the file: Any of the MD5, SHA1 or SHA256 hashes can be used if the client records file hashes in their logs. A hash match ties the log entry directly to the infection, so we can go on to in-depth analysis.

Behavioral Information:
-IP address/URL: Any malicious IP address or URL associated with the file in VT can be used as an indicator of compromise to search the logs.
-New files created
-C&C communication (IP address/URL)

Comments:
Sometimes you get important information here from malware researchers, such as more detail about propagation, IOCs and even links to sandbox reports.
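As an added example (not part of the original post), the script below does the search described in the "Fields to look at" and "Behavioral Information" sections: it takes the hashes, file names and network indicators from the Additional Information and Behavioral Information tabs and matches them against log lines. All indicator values and log lines are constructed placeholders, not real report data.

```python
"""Match indicators taken from a VirusTotal report against log lines.

All indicators and log lines below are constructed for the example.
"""
import hashlib
import re
from collections import defaultdict

SAMPLE_BYTES = b"constructed sample"  # stands in for the downloaded sample


def file_hashes(data: bytes) -> set:
    """MD5, SHA1 and SHA256 hex digests of a file, the three hashes the
    Additional Information tab lists, so a local file can be matched."""
    return {h(data).hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}


# Constructed indicator set, keyed by the VirusTotal tab each value comes from.
INDICATORS = {
    "hashes": file_hashes(SAMPLE_BYTES),                       # Additional Information
    "file_names": {"invoice_2017.exe"},                         # Additional Information
    "network": {"203.0.113.45", "example.invalid/update.php"},  # Behavioral Information
}


def search_logs(lines, indicators=INDICATORS):
    """Return {indicator: [line numbers]} for every indicator seen in the logs.
    Matching is case-insensitive; hashes must match as whole hex tokens so a
    short MD5 cannot match inside an unrelated longer digest."""
    hits = defaultdict(list)
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for tab, values in indicators.items():
            for ioc in values:
                if tab == "hashes":
                    found = re.search(r"\b" + re.escape(ioc) + r"\b", low) is not None
                else:
                    found = ioc.lower() in low
                if found:
                    hits[ioc].append(n)
    return dict(hits)


# Constructed log lines of the kind a client's proxy or EDR might keep.
SAMPLE_LOGS = [
    "2017-03-10 09:12:01 proxy GET http://example.invalid/update.php src=10.0.0.7",
    "2017-03-10 09:12:05 edr file_create path=C:\\Users\\bob\\Downloads\\Invoice_2017.exe",
    "2017-03-10 09:12:05 edr hash=" + hashlib.sha256(SAMPLE_BYTES).hexdigest(),
    "2017-03-10 09:15:00 proxy GET http://example.com/index.html src=10.0.0.8",
]

if __name__ == "__main__":
    for ioc, line_numbers in search_logs(SAMPLE_LOGS).items():
        print(f"{ioc}: lines {line_numbers}")
```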



Post created by
newWorld
