An Threat Intel lab talking about Stealer Malware and It`s behavior so here we go
Firstly after download the lab file wich is a SHA(265) hash we have to take this hash and start our journey with intel websites Mainly we will use
Whois
VirusTotal
MalwareBazaar
ThreatFox
Any Run
1-Let`s use Virus Total
I took the hash and put in virus total
and what a view btw
we can Easily identify it is a Trojan
2- Details Section at Virus Total
Search For the Names for this Trojan and Found it easily
3- Still in the Details Section
That gives us Fully Details of first Detection for this Trojan
4- What about Mitre Technique
Ok For Me the Easily Way to detrimine the techique is fully understand What is the behaviour for owr Malware it collects data from the system before the exection so it is T1005
5-Let`s see Behavior Section
It is Facebook soo weierd ):
6- We in the same behaviour section
This is the First Communicated ip btw
7-Use WHOIS to determine the doamin
8- To determine the Yara Rule we can go to MalwareBazzar
8-To determine the Milicous IP I like Threat Fox
use ioc and give the ip
10- For the DLL we back to use behaviour section in Virus total again ):
