LetsDefend.io SOC 104 — Malware Detected!

Today we're going to analyze a case on the LetsDefend.io platform in which an alert reports malware on the network.

Case Details

Event time : March 21, 2021, 1:04 PM

Source Address : 172.16.17.5

Source Hostname : SusieHost

File Name : winrar600.exe

File Hash (MD5) : c74862e16bcc2b0e02cadb7ab14e3cd6

Analysis

Static Analysis

  • Running the file command on the executable returns:
winrar600.exe: PE32 executable (GUI) Intel 80386, for MS Windows
  • Since it is a Windows executable, it is best analyzed on a Windows VM rather than a Linux VM; the signature check in particular relies on Windows' certificate store.
  • Opening the executable in PE Studio, it looks clean, and the version information says WinRAR, the well-known archive tool for Windows. Version strings are free-form metadata that any author can set, so on their own they prove nothing about who built the file.
  • For stronger evidence that this is legitimate software, look at the digital signature on the file under Properties > Digital Signatures.
  • The certificate chains to a trusted issuer. Publishers sign their software so that users can verify it came from them and has not been modified since signing. The two things to confirm are that the signature status is valid and that the signer's name is the vendor you expect, not merely that a certificate is attached.
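The hash and signature checks above, scripted for the Windows analysis VM, as an added example that is not part of the original write-up. The sample path, the script name and the expected publisher name are assumptions for illustration; take the vendor's real signer name (or better, the thumbprint of its known-good certificate) from a copy of the software you already trust, not from this script. The alert's MD5 is the one from the case details.

```powershell
# Added example, not code from the original write-up: triage a suspected binary
# on the Windows analysis VM by hash and Authenticode signature.
# Assumptions (for illustration): the sample lives at $Path, $AlertHash is the
# MD5 from the alert, and $ExpectedPublisher is the subject name you expect in
# the vendor's code-signing certificate. Take the real name from a known-good
# copy of the software, not from this script.
param(
    [string]$Path = 'C:\samples\winrar600.exe',
    [string]$AlertHash = 'c74862e16bcc2b0e02cadb7ab14e3cd6',
    [string]$ExpectedPublisher = 'win.rar GmbH'
)

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

# 1. Hashes. The alert carries an MD5, so compute that to confirm we are looking
#    at the same file; SHA-256 is what vendors and intel sources usually publish.
$md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
"MD5:    $md5"
"SHA256: $sha256"
if ($md5 -ne $AlertHash.ToLower()) {
    Write-Warning "MD5 does not match the alert ($AlertHash); this is not the alerted file."
}

# 2. Authenticode. Status = Valid means the signature verifies and the chain
#    builds to a root trusted on THIS machine; it says nothing about who signed.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
"Status: $($sig.Status) - $($sig.StatusMessage)"

$verdict = 'escalate: not signed or signature does not validate'
if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    "Signer:     $($cert.Subject)"
    "Issuer:     $($cert.Issuer)"
    "Thumbprint: $($cert.Thumbprint)"
    "Not after:  $($cert.NotAfter)"
    if ($sig.TimeStamperCertificate) {
        "Timestamp:  countersigned by $($sig.TimeStamperCertificate.Subject)"
    }

    # 3. Bind the signature to the publisher you expect. Signed malware exists
    #    (stolen or fraudulently obtained certificates), so "Valid" alone is not
    #    grounds to close the alert; "Valid and from the expected vendor" is.
    if ($cert.Subject -match [regex]::Escape($ExpectedPublisher)) {
        $verdict = 'likely false positive: valid signature from expected publisher'
    } else {
        $verdict = 'escalate: valid signature but unexpected publisher'
    }
}
"Verdict: $verdict"
```

Save it as, say, Triage-Sample.ps1 and run it as .\Triage-Sample.ps1 -Path C:\samples\winrar600.exe. Matching on the subject string is the weakest of the three checks; if you have a trusted copy of the software, pin its certificate thumbprint instead and compare $cert.Thumbprint, which a look-alike subject name cannot satisfy. Also compare the SHA-256 with the hash the vendor publishes for that release where one is available.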

Conclusion

  • Since the file is WinRAR carrying a valid signature from its publisher, there is no reason to flag it as malware, and we can close the alert as a false positive.
  • In general, check the signature on a suspicious executable to confirm it came from the software publisher. Malware can always borrow the name of legitimate software; a valid signature from the expected publisher is far harder to fake. It is not impossible, though: code-signing certificates do get stolen or misissued, so a signature from an unexpected publisher, an invalid chain, or a hash that does not match the vendor's release still warrants further analysis.

FarisArch

Student that loves FOSS and hacking