Analyze a suspicious executable using VirusTotal and MalwareBazaar to extract IOCs, identify C2 infrastructure, MITRE ATT&CK techniques, and privilege escalation mechanisms.

Introduction

Another Threat Intel focused lab for today. The red stealer lab available through Cyber Defenders.

You are part of the Threat Intelligence team in the SOC (Security Operations Center). An executable file has been discovered on a colleague’s computer, and it’s suspected to be linked to a Command and Control (C2) server, indicating a potential malware infection.
Your task is to investigate this executable by analyzing its hash. The goal is to gather and analyze data beneficial to other SOC members, including the Incident Response team, to respond to this suspicious behavior efficiently.

As mentioned in the above scenario introduction we’ll be using VirusTotal and MalwareBazaar. At first glance this appears to be a similar lab setup to the Phish Strike lab which I covered previously.

Before we can answer any questions we need to download the lab files. There isn’t much here, just a txt file: FileHash.txt. Here’s what’s inside;

File Hash (SHA-256): 248FCC901AFF4E4B4C48C91E4D78A939BF681C9A1BC24ADDC3551B32768F907B

Use this hash on online threat intel platforms (e.g., VirusTotal, Hybrid Analysis) to complete the lab analysis.

We can add Hybrid Analysis to our list of platforms to use.

Question one

Categorizing malware enables a quicker and clearer understanding of its unique behaviors and attack vectors. What category has Microsoft identified for that malware in VirusTotal?

The question doesn’t mess around in pointing us to VirusTotal. We can enter the hash from the lab files and get to this page. Microsoft is one of the vendors that VirusTotal uses (Microsoft also own VirusTotal), so they will appear under the ‘Security Vendors’ Analysis’ section.

Our answer is beside Microsoft’s analysis, but you can find it much faster by checking the single ‘Threat Category’ shown above all of the vendors. It’s a very generic malware label.

Question two

Clearly identifying the name of the malware file improves communication among the SOC team. What is the file name associated with this malware?

If you’re familiar with VirusTotal you should find this quickly. Right at the top of the VirusTotal report you’ll see how many vendors have reported the hash as malicious/suspicious, The hash of the file, and the name of the file: A screenshot of the VirusTotal report showing that 60 out of 71 vendors have reported the file as suspicious, the file hash is a long string of characters, and a blurred out answer to the question (being the name of the exe)

It’s blurred out in the above image, but this is the easiest way to find the answer. Remember not to include the extension!

Question three

Knowing the exact timestamp of when the malware was first observed can help prioritize response actions. Newly detected malware may require urgent containment and eradication compared to older, well-documented threats. What is the UTC timestamp of the malware’s first submission to VirusTotal?

In the details tab there are a few timestamps that we have access to;

  • Creation Time
  • First Seen In The Wild
  • First Submission
  • Last Submission
  • Last Analysis

These can all be useful for different things.

Creation Time can tell you when the file was created and help to build the timeline between when the malware was created and when it was first deployed.

First Seen In The Wild is similar to the creation time, but will let you see the time difference in when the malware was created and when it was first used on a target. For example if the creation time was in January, but it was first seen in the wild in July, then it might be possible that the attack had been planned for some time.

First Submission is where we find our answer. Remember that the format of the answer should just be YYYY-MM-DD HH:MM. This can be useful as it may show up before the First Seen In The Wild timestamp. This might happen if a malware author is testing to see whether any vendors flag the file. This is actually the case with this sample. There are legitimate reasons for this too.

Last Submission is similar to the First Submission, just the other way around. This is the most recent date of the hash being submitted.

Last Analysis will be the most recent time the hash has been analyzed. As of writing this was in 2026, so pretty recent.

Question four

Understanding the techniques used by malware helps in strategic security planning. What is the MITRE ATT&CK technique ID for the malware’s data collection from the system before exfiltration?

MITRE ATT&CK techniques are important to understand and learn for blue and red teaming. You don’t and won’t be able to memorize every ID, but it is important to map indicators you come across in malware samples to the MITRE ATT&CK framework. Doing this can help to understand threats and assist in detection and defending against similar attacks in the future.

The behavior tab is where we can find the mapped technique IDs. We’re looking for the Technique under the ‘Collection’ category that collects data from the local system.

Question five

Following execution, which social media-related domain names did the malware resolve via DNS queries?

We’re still with VirusTotal here. We’re over halfway through this lab now, can we get every question from just VirusTotal? Let’s see!

If we head over to the Relations tab and look under the Contacted URLs section you’ll find the domain. Remember, we’re looking for a social media site.

You can also find the answer under the Contacted Domains section. This section only has 27 domains listed as opposed to the 62 in the Contacted URLs. If you’re trying to look for IOCs I would use the Contacted URLs to confirm the entire string, but this question just requires the domain.

Question six

Once the malicious IP addresses are identified, network security devices such as firewalls can be configured to block traffic to and from these addresses. Can you provide the IP address and destination port the malware communicates with?

Unfortunately our VirusTotal-Only run is over. VirusTotal is great at giving us some top-level information but I’ve never seen any ports listed. Correct me if I’m wrong, but we’ll have to rely on the other sandboxes for this answer.

I’ve been a fan of Recorded Future’s Triage platform for a while. After searching for the hash I came across this report. Under the Malware Config section we’re given the C2 IP address and the port.

Question seven

YARA rules are designed to identify specific malware patterns and behaviors. Using MalwareBazaar, what’s the name of the YARA rule created by “Varp0s” that detects the identified malware?

Another question that directs us exactly to the platform, in this case MalwareBazaar, to find the answer. I don’t think there’s anything wrong with this, but it does hold your hand quite a lot.

I suppose that’s expected for a lab that’s marked as being ‘Easy’ difficulty.

MalwareBazaar is fairly easy to search. Just remember to search by a hash you need to use similar syntax to KQL with sha256:248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.

You’ll find the report on MalwareBazaar, and can find the YARA rules (and the answer) quickly!

Question eight

Understanding which malware families are targeting the organization helps in strategic security planning for the future and prioritizing resources based on the threat. Can you provide the different malware alias associated with the malicious IP address according to ThreatFox?

Like in question seven we’re given the platform to look at here, in this case ThreatFox.

ThreatFox and MalwareBazaar are both run by Abuse.ch, so they use similar search syntax. We’ll be searching by the IP identified in the above question using the ioc: syntax.

You’ll find this report that shows the answer in the Malware alias field.

Question nine

By identifying the malware’s imported DLLs, we can configure security tools to monitor for the loading or unusual usage of these specific DLLs. Can you provide the DLL utilized by the malware for privilege escalation?

Final Question!

We can go back to VirusTotal for this one. Under the Details tab we can see the Imports section down the page. This section is for ‘Functionality imported from external dynamically linked libraries.’ and shows the .dlls that are used by the malware sample.

The first .dll listed in this section is our answer.

Conclusion

I was wrong in question six. When I was finding the answer for the final question I actually saw the IP and the port under the Behavior tab (Specifically the IP Traffic section.) We would need to use MalwareBazaar in question seven anyway, but it’s nice to know we had a few different ways of finding the answer.

Thanks for reading!