1 - Initial Triage

The idea behind the initial triage is to obtain as much information about the file as possible without executing it. This helps in determining whether the file may be malicious and, if it does appear to be malicious, what class of malware it is. At this stage, ask some of the following basic questions.

| Questions to ask |
|---|
| What is the filetype? |
| Is the hash known to be malicious? |
| Are there suspicious strings? |
| Is it likely packed? |
| Any interesting WinAPI functions? |
| How does it behave in a sandbox execution? |
| Are specific sections known to be malicious? |

Review the following:

1.1 Filetype
Review the "magic bytes" and file structure rather than trusting the extension (a PE starts with "MZ", with "PE\0\0" at the offset stored at 0x3C).
hexdump -C file.exe | more (in a terminal)
file command on Linux:
file <filename>
File type and embedded metadata:
exiftool -v <filename>

1.2 Hash search and VT
Retrieve the file's hash with CFF Explorer or a similar tool, for example in PowerShell:
get-filehash .\<file.exe>
PE Studio calculates the SHA256 hash of the PE as well as the hash of each PE section. See the "Footprint" tab.
Query the hashes against VirusTotal (VT) and similar services.

1.3 String search
strings.exe <filename>
Mandiant's 'flare-floss' to recover obfuscated (stack, encoded and decoded) strings that plain strings output misses:
https://github.com/mandiant/flare-floss
floss.exe <filename>

1.4 Packer and Compiler - Section Entropy
Determine if the sample is likely packed.
Open DiE > drag file in
Note: DiE performs an automated check against its signature database to see if the target file is packed. It may miss in some instances (unknown or custom packers), so also review the section names and section entropy yourself; a section with entropy close to 8 bits/byte or a section that is empty on disk but large in memory is a packing hint.

1.5 Imported modules
Look for interesting imported modules, see: 2 - WinAPI ref
PE Studio -> Imported Modules -> Filter by "Technique" to view interesting modules
x64Dbg -> Modules / Intermodular Calls

1.6 Resource Section Check
If resources are present, click down on the resource > right click > save/export to
TIP: if hidden contents are discovered within the .rsrc section, extract the contents and analyse them as required. You may need to switch directly to step 3 or 4 to perform that analysis.

1.7 Automated sandbox check
(How does it behave in a sandbox execution?)

1.8 Adv hash search

1.8.1 Obtain imphash
PEs with identical imported modules, in the same sequence, will share an IMPHASH value.
import pefile
print(pefile.PE(r"C:\path\to\file.exe").get_imphash())
Query the 'imphash' against: imphash:<hash> or similar

1.8.2 Obtain fuzzy hash
Calculate a 'fuzzy' / broad hash of the file which matches against 'similar' files.
ssdeep file.exe
Query the 'SSDEEP' against: ssdeep:<hash> or similar

1.8.3 Section hashes
Attackers may reuse malware while changing specific parts of the code and recompiling it. It is therefore possible to perform hash comparisons on the sections of a PE instead of on the hash of the full PE. To do this analysis you need 2 or more files and compare their PE sections.
PE Studio > Footprint
import pefile
for sec in pefile.PE(r"C:\path\to\file.exe").sections:
    print(f"{sec.Name}\nMD5:{sec.get_hash_md5()}\nSHA256:{sec.get_hash_sha256()}")
Note: matching sections by name may be bypassed with section name obfuscation or by dynamically generating section names, so match on the section hash (content) rather than the name; bear in mind that any change inside a section changes its hash.

Artifact discovered at any of the above steps -> continue with 3 - Static Analysis
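The packer check in 1.4 and the section-hash comparison in 1.8.3, worked through as an added example (not code from the original page; it does not use pefile). It walks the PE section table by hand, hashes each section, computes Shannon entropy, flags packing hints, and matches sections between two files on content rather than name. The sample PE images are constructed inline (not real programs), and the 7.0 bits/byte threshold is an assumed rule of thumb.

```python
import hashlib
import math
import struct
from collections import Counter

# Rule-of-thumb threshold (assumption): sections above this entropy are treated as
# compressed/encrypted, i.e. a packing hint.
PACKED_ENTROPY = 7.0


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(data):
    """Walk the PE section table and hash each section's raw (on-disk) bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ magic: not a PE, whatever the extension says")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # 20-byte COFF header, then the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_ptr": rptr,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha256": hashlib.sha256(raw).hexdigest(),
            "entropy": round(shannon_entropy(raw), 3),
        })
    return sections


def triage(data):
    """Whole-file hashes plus per-section hashes/entropy and packing hints."""
    sections = parse_sections(data)
    hints = [s["name"] for s in sections
             if s["entropy"] > PACKED_ENTROPY                    # compressed/encrypted payload
             or (s["raw_size"] == 0 and s["virtual_size"] > 0)]  # empty on disk, filled at runtime
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": sections,
        "packed_hints": hints,
        "likely_packed": bool(hints),
    }


def shared_sections(a, b):
    """Sections two files have in common, matched on content hash, not on name."""
    ha = {s["sha256"]: s["name"] for s in parse_sections(a) if s["raw_size"]}
    hb = {s["sha256"]: s["name"] for s in parse_sections(b) if s["raw_size"]}
    return {h: (ha[h], hb[h]) for h in ha.keys() & hb.keys()}


def _pseudo_random(n, seed):
    """Deterministic high-entropy filler (sha256 chain) standing in for a packed payload."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(seed, text_name=b".text"):
    """Constructed PE32+ image (not runnable): a NOP-filled code section, an empty
    UPX0-style section and a high-entropy UPX1-style section."""
    text_ptr, upx1_ptr = 0x200, 0x400
    text = b"\x90" * 512
    upx1 = _pseudo_random(4096, seed)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)  # x64, 3 sections, 240-byte opt hdr
    opt = struct.pack("<H", 0x20B) + b"\0" * 238                  # PE32+ magic, rest zeroed

    def sec(name, vsize, vaddr, rsize, rptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0x60000020)

    table = (sec(text_name, 512, 0x1000, 512, text_ptr)
             + sec(b"UPX0", 0x10000, 0x2000, 0, 0)
             + sec(b"UPX1", 4096, 0x12000, 4096, upx1_ptr))
    image = bytearray(dos + b"PE\0\0" + coff + opt + table)
    image += b"\0" * (text_ptr - len(image)) + text
    image += b"\0" * (upx1_ptr - len(image)) + upx1
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe(b"sample-a")
    report = triage(sample)
    for s in report["sections"]:
        print(f'{s["name"]:8} entropy={s["entropy"]:5.3f} sha256={s["sha256"]}')
    print("likely packed:", report["likely_packed"], report["packed_hints"])
    variant = build_sample_pe(b"sample-b", text_name=b".code")  # same code, renamed section, new payload
    print("shared sections:", shared_sections(sample, variant))
```

`shared_sections` still finds the common code section after it has been renamed to `.code`, which is why the comparison is done on hashes and not on names.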
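For 1.8.1, the imphash algorithm itself (the pefile convention: library name lower-cased with .dll/.ocx/.sys stripped, function name lower-cased, "lib.func" entries joined with commas in import order, then MD5), written out as an added example that is not part of the original page or of pefile. The import lists are constructed, standing in for what the import table yields; the technique map used to flag interesting imports is my own small assumption, not PE Studio's rule set; and pefile's ordinal-to-name tables for ws2_32/wsock32/oleaut32 are omitted, so ordinal imports from those DLLs would not match pefile's value.

```python
import hashlib

# Assumed technique map for triage; real tools (PE Studio) carry far larger lists.
TECHNIQUES = {
    "process injection": {"virtualallocex", "writeprocessmemory", "createremotethread", "ntmapviewofsection"},
    "anti-analysis": {"isdebuggerpresent", "checkremotedebuggerpresent", "ntqueryinformationprocess"},
    "network": {"internetopena", "internetopenurla", "wsastartup", "connect", "send"},
}


def normalise_library(lib):
    """pefile convention: lower-case, drop a trailing .dll/.ocx/.sys."""
    lib = lib.lower()
    base, dot, ext = lib.rpartition(".")
    return base if dot and ext in ("dll", "ocx", "sys") else lib


def imphash_string(imports):
    """imports: ordered (library, function-name-or-ordinal) pairs from the import table.
    Ordinal imports become 'ordN' (pefile's fallback when no name table applies)."""
    parts = []
    for lib, func in imports:
        name = func.lower() if isinstance(func, str) else f"ord{func}"
        parts.append(f"{normalise_library(lib)}.{name}")
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def interesting_imports(imports):
    """Group named imports by the technique they are commonly used for."""
    hits = {}
    for lib, func in imports:
        if isinstance(func, str):
            for technique, apis in TECHNIQUES.items():
                if func.lower() in apis:
                    hits.setdefault(technique, []).append(f"{normalise_library(lib)}.{func}")
    return hits


# Constructed import tables (not taken from any real sample).
SAMPLE_A = [("KERNEL32.dll", "VirtualAllocEx"), ("KERNEL32.dll", "WriteProcessMemory"),
            ("KERNEL32.dll", "CreateRemoteThread"), ("USER32.dll", "MessageBoxA"),
            ("mfc42.dll", 1234)]
# Same table, different casing: normalisation makes the imphash identical.
SAMPLE_B = [(lib.lower(), f.upper() if isinstance(f, str) else f) for lib, f in SAMPLE_A]
# Same imports in a different order (e.g. rebuilt with another linker/source layout): different imphash.
SAMPLE_C = list(reversed(SAMPLE_A))

if __name__ == "__main__":
    print("A:", imphash(SAMPLE_A), imphash_string(SAMPLE_A))
    print("B:", imphash(SAMPLE_B), "(same as A:", imphash(SAMPLE_A) == imphash(SAMPLE_B), ")")
    print("C:", imphash(SAMPLE_C), "(same as A:", imphash(SAMPLE_A) == imphash(SAMPLE_C), ")")
    print("flagged:", interesting_imports(SAMPLE_A))
```

Because the hash covers the import order, a reordered table breaks the match even though the set of APIs is identical; that is the limitation to keep in mind when an imphash search returns nothing.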