Today we’re going to analyze a case on LetsDefend.io platform which detects there has been malware on the network.
Case Details
Event time : March 21,2021, 1:04 P.M
Source Address : 172.16.17.5
Source Hostname : SusieHost
File Name : winrar600.exe
File Hash : c74862e16bcc2b0e02cadb7ab14e3cd6
Analysis
Static Analysis
- Doing a simple
filecommand on the executable, it returns
winrar600.exe: PE32 executable (GUI) Intel 80386, for MS Windows- Since it’s an executable file for windows, we may need to analyze it on a Windows VM instead of a linux VM.
- Opening up the executable in PE Studio it looks clean and the version says WinRAR which is a famous archive tool for Windows
- If that still doesn’t convince you that this is legitimate software, we can take a look at the certificate signed with this software under properties.
- This certificate is from a valid issuer and certificates are meant to sign software to make sure it came from the software publisher.
Conclusion
- Since this is legitimate software, there is no reason for us to flag this as malware and we can close the alert as a false positive.
- Also, check the software for certificates to ensure that they came from the software publisher. A malware can always have the name as legitimate software but a certificate never lies.
