Identifying Malware Using VirusTotal’s Graph Feature

Let’s say I’ve come across a relatively new piece of malware and all I have is a hash that’s been blocked by a firewall or other security gateway. With a little bit of digging I can determine which family of malware this file belongs to, even if the information on the “Detections” page of VirusTotal is vague or generic.

Step 1: Look up the hash of the malware on VirusTotal

Step 2: Let’s take a look at Best.exe under “Bundled files”

There is no conclusive information on what malware we are dealing with, just indicators that the file may be unsafe. A good way to find out what a file actually does is to run it through a more detailed sandbox such as Any.Run or Hybrid-Analysis.

Step 3: Google the bundled file hash

Google does a pretty good job of indexing reports from Any.Run and Hybrid-Analysis, so if nothing comes up it’s a pretty good bet that this file has not been run through either platform. I searched for this hash on both platforms directly but didn’t find it.

Step 4: Visualize the related files/IPs in VirusTotal’s graph feature

By default, contacted domains, IPs, and URLs are graphed.

Step 5: Determine what other files known to VirusTotal communicate with the same IPs/URLs

We can assume that if more than one file communicates with the same URL/IP, those files are probably being deployed by the same group/threat actor. Let’s start by adding any files that communicate with www[dot]marinerinternationaltravel[dot]com.

Let’s see if any of the other files that contact this domain are about the same size or have the same file name.

The 4 related files are within 4 KB of the file we are investigating and communicate with the same compromised host. None of the 4 hashes turn up any sandbox results when googled, so we can move on to a different URL/IP.

Let’s try graphing www[dot]katiemcgowanmakeup[dot]net.

There are no sandbox results for these 3 hashes either, but we have found a file of exactly the same size as the file we are investigating, so we are on the right track.

Let’s try www[dot]thebehim[dot]com.

Only one of the hashes hasn’t already been checked; the other 3 were checked when we were investigating the first two domains.

Step 6: Let’s google the selected hash.

OK, now we’re cooking with heat: there’s an Any.Run entry for this hash (https://any.run/report/cf97285aafb87aa7d1d6fef61e0b4d9b51cd957eb7cac41eda63f9e1129abf5a/a81643da-4f84-4e47-9e0f-271cb8d111e7).

The report identifies this piece of malware as FormBook, an infostealer.

To further confirm that the file we have an Any.Run report for and the file we only have a hash for are related, I graphed which domains the two files BOTH contacted.

More than one compromised domain is contacted by both files, which confirms that the two files were probably deployed by the same threat group and are the same or similar iterations of the same malware.

And just like that, in a few steps we have gone from knowing only the hash of a piece of malware to a full sandbox analysis.

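The pivot in Steps 4 to 6 can also be scripted against the VirusTotal API v3 relationship endpoints instead of clicked through in the graph UI. The block below is an added example, not code from the post or from VirusTotal; it uses the v3 paths files/{hash}/contacted_domains and domains/{domain}/communicating_files and runs offline against constructed responses (the hashes, sizes and the SUBJECT placeholder are made up; only the three domain names come from the post). It generalizes the manual check slightly: every candidate file is scored by how many of the subject’s domains it shares and whether its size is within 4 KB, so a hash that shows up under several domains is counted once rather than re-checked each time.

```python
import json
import urllib.request
from typing import Callable, Dict, List

# Constructed sample data (NOT real VirusTotal responses). The keys mimic the
# VirusTotal API v3 relationship paths this pivot uses:
#   files/{sha256}/contacted_domains
#   domains/{domain}/communicating_files
# Hashes and sizes are placeholders; the domains are the ones named in the post.
SUBJECT = "SUBJECT_SHA256_PLACEHOLDER"
SUBJECT_SIZE = 700_000  # constructed size in bytes
MARINER = "www.marinerinternationaltravel.com"
KATIE = "www.katiemcgowanmakeup.net"
BEHIM = "www.thebehim.com"


def _file(h: str, size: int) -> dict:
    return {"type": "file", "id": h, "attributes": {"size": size}}


def _domains(*names: str) -> dict:
    return {"data": [{"type": "domain", "id": n} for n in names]}


SAMPLE_API: Dict[str, dict] = {
    f"files/{SUBJECT}/contacted_domains": _domains(MARINER, KATIE, BEHIM),
    "files/HASH_A/contacted_domains": _domains(MARINER, KATIE, BEHIM),
    "files/HASH_C/contacted_domains": _domains(MARINER),
    f"domains/{MARINER}/communicating_files": {"data": [
        _file(SUBJECT, SUBJECT_SIZE), _file("HASH_A", SUBJECT_SIZE + 2048),
        _file("HASH_B", SUBJECT_SIZE - 3000), _file("HASH_C", 2_000_000)]},
    f"domains/{KATIE}/communicating_files": {"data": [
        _file(SUBJECT, SUBJECT_SIZE), _file("HASH_A", SUBJECT_SIZE + 2048),
        _file("HASH_D", SUBJECT_SIZE)]},
    f"domains/{BEHIM}/communicating_files": {"data": [
        _file(SUBJECT, SUBJECT_SIZE), _file("HASH_A", SUBJECT_SIZE + 2048),
        _file("HASH_D", SUBJECT_SIZE), _file("HASH_E", SUBJECT_SIZE + 100)]},
}


def sample_fetch(path: str) -> dict:
    """Offline stand-in for the API: serves the constructed responses above."""
    return SAMPLE_API.get(path, {"data": []})


def vt_fetch(api_key: str) -> Callable[[str], dict]:
    """Fetcher for the real VirusTotal API v3 (needs a key; not used offline)."""
    def fetch(path: str) -> dict:
        req = urllib.request.Request(
            f"https://www.virustotal.com/api/v3/{path}?limit=40",
            headers={"x-apikey": api_key, "accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def pivot_on_contacted_domains(subject: str, subject_size: int, fetch,
                               size_tolerance: int = 4096) -> List[dict]:
    """Steps 4 and 5 as code: every file that talks to a domain the subject
    contacts, scored by how many of those domains it shares and whether its
    size is within size_tolerance bytes of the subject. Each hash is scored
    once, however many domains list it (the post's 'already checked' rule)."""
    domains = [d["id"] for d in fetch(f"files/{subject}/contacted_domains")["data"]]
    seen: Dict[str, dict] = {}
    for domain in domains:
        for f in fetch(f"domains/{domain}/communicating_files")["data"]:
            if f["id"] == subject:
                continue
            entry = seen.setdefault(f["id"], {
                "hash": f["id"], "size": f["attributes"].get("size"),
                "shared_domains": []})
            entry["shared_domains"].append(domain)
    for entry in seen.values():
        size = entry["size"]
        entry["size_match"] = size is not None and abs(size - subject_size) <= size_tolerance
    # Most shared infrastructure first, then closest size to the subject.
    return sorted(seen.values(), key=lambda e: (
        -len(e["shared_domains"]), abs((e["size"] or 0) - subject_size)))


def shared_domains(file_a: str, file_b: str, fetch) -> List[str]:
    """The confirmation check from Step 6: domains that BOTH files contact."""
    a = {d["id"] for d in fetch(f"files/{file_a}/contacted_domains")["data"]}
    b = {d["id"] for d in fetch(f"files/{file_b}/contacted_domains")["data"]}
    return sorted(a & b)


if __name__ == "__main__":
    for c in pivot_on_contacted_domains(SUBJECT, SUBJECT_SIZE, sample_fetch):
        print(c["hash"], len(c["shared_domains"]), "shared domain(s),",
              "size match" if c["size_match"] else "size differs")
    print("both contact:", shared_domains(SUBJECT, "HASH_A", sample_fetch))
```

A shared domain on its own is a weak signal when the host is a compromised legitimate site, which unrelated samples may also contact; the size filter and the BOTH-contact check are what make a match credible. The real fetcher asks for 40 results per relationship and ignores the API’s cursor pagination, so a busy domain will need the follow-up pages as well.
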
Bonus: Digging into the Any.Run report

It looks like spoolsv.exe is the process that’s doing the nasty stuff: data exfiltration. spoolsv.exe is normally the Windows Print Spooler, so a process by that name sending data to these domains is a red flag in itself. If we click on “more info” we can find out more about what files this process is creating and what data it is sending back to the compromised domains.

The modified files tab is a good place to start, since stealer malware often writes stolen data to a file before it tries to exfil it. If we inspect the first .ini file on the list we see stolen Outlook credentials. The data is all packaged up and ready to be sent out:

**************************************************

Outlook Recovery
clsid {ED475414-B0D6-11D2-8C3B-00104B2A6676}
Mini UID 2324036977
Service UID
Service Name OMSAB
MAPI Provider 2
Account Name Mobile Address Book
Preferences UID

clsid {ED475414-B0D6-11D2-8C3B-00104B2A6676}
Mini UID 2324036977
Service UID
Service Name CONTAB
MAPI Provider 2
Account Name Outlook Address Book
Preferences UID

clsid {ED475414-B0D6-11D2-8C3B-00104B2A6676}
Mini UID 590346705
Service UID
Service Name MSUPST MS
MAPI Provider 4
Account Name Outlook Data File
Preferences UID

clsid {ED475411-B0D6-11D2-8C3B-00104B2A6676}
Mini UID 224868084
Account Name honey@pot.com
Display Name HoneyPot Mail
Email honey@pot.com
POP3 Server 192.168.1.1
SMTP Server 192.168.1.1
POP3 User honey@pot.com
POP3 Password honeypass356
SMTP Secure Connection 0
Leave on Server 917507
Delivery Store EntryID  l C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst
Delivery Folder EntryID

************************************************

Looking through the rest of the files created by this malware, we can see other data that would be very useful to an attacker, such as an attempt to steal Internet Explorer data and a screenshot.
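Once a stealer’s staging file has been pulled out of the sandbox, the responder’s job is to turn it into a scoping list: which accounts are exposed, which mail servers to watch for logins, and a copy that is safe to paste into a ticket. The block below is an added example, not code from the post or from Any.Run; it parses a record laid out like the .ini dump quoted above (the sample is constructed from the post’s honeypot values), assumes the field names seen there, and treats any key ending in Password as a secret.

```python
import re
from typing import Dict, List

# Constructed sample with the same layout as the .ini record quoted from the
# sandbox report above; the values are the post's honeypot values, not a real
# credential. Lines with no known key (the header, the garbled EntryID line)
# are skipped.
SAMPLE_DUMP = r"""Outlook Recovery
clsid {ED475414-B0D6-11D2-8C3B-00104B2A6676}
Mini UID 2324036977
Service UID
Service Name OMSAB
MAPI Provider 2
Account Name Mobile Address Book
Preferences UID

clsid {ED475411-B0D6-11D2-8C3B-00104B2A6676}
Mini UID 224868084
Account Name honey@pot.com
Display Name HoneyPot Mail
Email honey@pot.com
POP3 Server 192.168.1.1
SMTP Server 192.168.1.1
POP3 User honey@pot.com
POP3 Password honeypass356
SMTP Secure Connection 0
Leave on Server 917507
Delivery Store EntryID  l C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst
Delivery Folder EntryID
"""

# Field names exactly as they appear in the dump, longest first so that a
# longer key such as "POP3 Password" is tried before any shorter one.
KNOWN_KEYS = sorted([
    "clsid", "Mini UID", "Service UID", "Service Name", "MAPI Provider",
    "Account Name", "Preferences UID", "Display Name", "Email", "POP3 Server",
    "SMTP Server", "POP3 User", "POP3 Password", "SMTP Secure Connection",
    "Leave on Server", "Delivery Store EntryID", "Delivery Folder EntryID",
], key=len, reverse=True)
SERVER_KEYS = ("POP3 Server", "SMTP Server")  # the server fields in the dump


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the dump into blank-line-separated records of key -> value.
    A key with nothing after it (e.g. 'Service UID') is kept with an empty value."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, str] = {}
        for line in block.splitlines():
            line = line.strip()
            for key in KNOWN_KEYS:
                if line == key or line.startswith(key + " "):
                    rec[key] = line[len(key):].strip()
                    break
        if rec:
            records.append(rec)
    return records


def exposed_accounts(records: List[Dict[str, str]]) -> List[dict]:
    """Records that carry a mailbox identity: the accounts whose passwords
    must be rotated and whose servers should be watched for new logins."""
    out = []
    for rec in records:
        email = rec.get("Email") or rec.get("POP3 User")
        if not email:
            continue  # address books and data-file entries expose no credential
        out.append({
            "email": email,
            "servers": sorted({rec[k] for k in SERVER_KEYS if rec.get(k)}),
            "password_present": any(k.endswith("Password") and v
                                    for k, v in rec.items()),
        })
    return out


def redact(text: str) -> str:
    """Blank every *Password value so the dump can be shared in a ticket."""
    return re.sub(r"^(.*Password) .+$", r"\1 [REDACTED]", text, flags=re.M)


if __name__ == "__main__":
    for acct in exposed_accounts(parse_records(SAMPLE_DUMP)):
        print(acct)
    print(redact(SAMPLE_DUMP))
```
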
