Refer to Malbuster for the challenge room on TryHackMe
Scenario
As a Malware Reverse Engineer, our team supports the SOC team when unknown binaries are detected. A SOC analyst found an alert triggered by suspicious binaries. Our job is to analyze these binaries and provide information that helps the SOC team handle the threat.
The malware samples can be found in C:\Users\Administrator\Desktop\Samples.
Tools
Tasks
Based on the ARCHITECTURE of the binary, is malbuster_1 a 32-bit or a 64-bit application?
Open the file with PEstudio to find its CPU architecture.

What is the MD5 hash of malbuster_1?
Refer to the previous screenshot; PEstudio displays the file's MD5 hash in the same view.
What is the number of detections of malbuster_1 in VirusTotal?
Search for the MD5 hash value of malbuster_1 on VirusTotal and check the report.

What is the malware signature of malbuster_2 according to Avira?
Firstly, retrieve the MD5 hash value of malbuster_2 with certutil.
C:\Users\Desktop\Samples>certutil -hashfile malbuster_2 MD5

Search for the retrieved MD5 hash on VirusTotal and check the report from Avira under the DETECTION tab.

From which DLL file does malbuster_2 import function _CorExeMain?
Open the file with PEstudio, locate the function on the Functions tab, and note the DLL it is imported from.

What is the original name of malbuster_2?
Open the file with PEstudio and find the original filename of malbuster_2 on the Version tab.

Note: The VERSION tab shows the version information embedded within the PE file, such as the original filename. This data is stored in the file's version resource section. It is useful for detecting tampered or suspicious files, as malware may disguise itself as a legitimate program.
What is the malware signature of malbuster_3 based on abuse.ch?
Firstly, retrieve the MD5 hash value of malbuster_3 with certutil.
C:\Users\Desktop\Samples>certutil -hashfile malbuster_3 MD5
Then, search the hash value on Malware Bazaar to find the file signature.

Note: Trickbot is a banking Trojan that is often used to steal personal and financial data, as well as to deliver ransomware. It spreads through phishing campaigns and is known for its ability to evade detection by using advanced techniques and exploiting network vulnerabilities.
What is the malware signature of malbuster_4 based on abuse.ch?
Follow the same approach as in the previous task to find the file signature.

Note: Zloader primarily functions as a banking trojan, often used to steal sensitive information like login credentials and financial data. It is commonly spread through phishing emails and can deliver additional payloads, including ransomware, by exploiting system vulnerabilities.
What is the message in the DOS_STUB of malbuster_4?
Use pe-tree to view the DOS_STUB header and find the message.
~/Desktop/Samples$ pe-tree malbuster_4

Note: The DOS STUB is a small MS-DOS program embedded at the start of every PE file. It runs only when the file is executed on a system that does not understand the PE format (for example, MS-DOS), where it typically prints a short message and exits.
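The three static checks above (architecture from the COFF Machine field, MD5 hash, and the DOS stub message) can be reproduced without PEstudio or pe-tree. The following script is an added example, not part of the room or the author's write-up; it parses the headers with the Python standard library and builds a constructed, non-runnable PE fragment to test against.

```python
import hashlib
import re
import struct
import sys

# COFF Machine field values (IMAGE_FILE_MACHINE_*) that decide the architecture answer.
MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)",
                 0x01C4: "ARM (32-bit)", 0xAA64: "ARM64 (64-bit)"}


def triage_pe(data: bytes) -> dict:
    """Return MD5, architecture and DOS stub message for a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    # The DOS stub lives between the end of the DOS header (0x40) and the PE header;
    # its message is the longest printable run that starts with a letter.
    stub = data[0x40:e_lfanew]
    runs = re.findall(rb"[A-Za-z][\x20-\x7e]{5,}", stub)
    message = max(runs, key=len, default=b"").decode("ascii")
    return {"md5": hashlib.md5(data).hexdigest(),
            "machine": f"0x{machine:04x}",
            "architecture": MACHINE_NAMES.get(machine, "unknown"),
            "dos_stub_message": message}


def build_sample(machine: int, message: bytes) -> bytes:
    """Constructed sample: minimal DOS header, DOS stub and COFF header (not a runnable program)."""
    # Real stubs begin with a few bytes of 16-bit code that print the message via INT 21h.
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + message + b"\r\r\n$"
    e_lfanew = (0x40 + len(stub) + 7) & ~7            # 8-byte align the PE header
    stub = stub.ljust(e_lfanew - 0x40, b"\0")
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)   # e_lfanew sits at 0x3C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x0102)
    return dos_header + stub + b"PE\0\0" + coff


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:      # e.g. python triage.py malbuster_1
        print(triage_pe(fh.read()))
```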
From which DLL file does malbuster_4 import function ShellExecuteA?
Search for the malbuster_4 hash on VirusTotal and find the function in the DETAILS tab, under the Imports section.

How many anti-VM instructions were identified in malbuster_1?
Redirect the capa output to a text file and search it for the answer.
C:\Users\Desktop\Samples> capa malbuster_1 > Output_1.txt

Which binary can log keystrokes?
After running capa on each binary, we can identify which one contains keylogger functionality.
C:\Users\Desktop\Samples> capa <Binary> > Output_Binary.txt

What is the MITRE ID of the DISCOVERY technique used by malbuster_4?
Redirect the capa output to a text file and search it for the answer.
C:\Users\Desktop\Samples> capa malbuster_4 > Output_4.txt

Which binary contains the string GodMode?
Run floss on each binary and pipe it with findstr for the keyword to identify which binary contains the string "GodMode."
C:\Users\Desktop\Samples> floss malbuster_ | findstr /i "GodMode"

Which binary contains the string Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)?
Run floss on each binary and pipe it with findstr for the keyword to identify which binary contains the string "Mozilla/4.0".
