download
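# VT malware download - fetch a sample from VirusTotal by file id (its hash).
# No -k/--insecure: the body is live malware, so certificate verification is
# what guarantees the bytes actually came from virustotal.com and not a
# man-in-the-middle. --fail keeps an HTTP error (bad key, unknown id, quota)
# from being saved to disk as "my_malware". The URL is quoted because the
# <...> placeholders would otherwise be read by the shell as redirections.
# Placeholders: <my_malware_id> = hash of the file, <my_vt_api_key> = your key.
curl --request GET -L --fail --output my_malware \
  --url 'https://www.virustotal.com/api/v3/files/<my_malware_id>/download' \
  --header 'x-apikey: <my_vt_api_key>'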
re_dyn
re_stat
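# get file type - identifies the sample by magic bytes, not by its extension,
# so a renamed PE/script/archive is still reported as what it really is.
# Takes the sample name used elsewhere in this sheet (mlwr.exe).
file mlwr.exe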
# Authenticode check: show every property of the signature object (signer
# certificate, status, hash algorithm) rather than the default summary view.
Get-AuthenticodeSignature -FilePath .\mlwr.exe | Format-List -Property *
# sigverif - Windows File Signature Verification: interactive (GUI) check of the
# system's files for valid digital signatures; useful to spot replaced or
# tampered system binaries.
sigverif
# carve UTF-16LE strings from a process memory dump:
#   -a    scan the whole file, not just data sections
#   -t d  prefix each hit with its decimal offset (lets you go back to the bytes)
#   -e l  16-bit little-endian encoding (Windows wide strings)
# Output is appended (>>): delete a stale mlwr.uni first if a clean listing is wanted.
strings -a -t d -e l process.0xffff1234567890.dmp >> mlwr.uni
# bstrings: -p prints the names of the built-in regex patterns available to --lr
bstrings -p
# -f <file> is the input; --lr <pattern> runs one of the built-in patterns over it:
# first IPv4 addresses (possible C2), then Windows paths (dropped files, persistence)
bstrings -f minidump.dmp --lr ipv4
bstrings -f minidump.dmp --lr win_path
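# DensityScout: -r recurse, -pe only look at PE files, -p 0.1 only report entries
# whose density is at or below 0.1 (low density is the tool's indicator for
# packed/encrypted content), -o write the report to a file.
# Output filename corrected (was "density_ouput.txt").
densityscout -r -pe -p 0.1 -o density_output.txt C:\Windows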
# sigcheck V1 - VT lookup
# -s recurse, -c CSV output, -e executable images only (by content, not extension),
# -h show file hashes, -v query VirusTotal, -vt accept the VT terms of service,
# -w write results to the given file. NOTE: -v sends the hashes to VirusTotal,
# so the scanned file set leaves the host - use V2 on an air-gapped box.
# The e:\C\Windows path looks like a mounted image of the suspect system (verify).
sigcheck -s -c -e -h -v -vt -w G:\malware\sigcheck-results.csv e:\C\Windows
# sigcheck V2 - no VT lookup
# Same switches without -v/-vt: fully offline, signature + hash inventory only.
sigcheck -s -c -e -h -w sigcheck_output_.csv C:\Windows
# capa: list the capabilities matched in the sample; -v also shows where each rule hit
capa -v mlwr.exe
# upx -d: decompress a UPX-packed sample into a separate file (original untouched).
# Re-run capa/strings on the unpacked copy - results on a packed binary are mostly noise.
upx -d mlwr.exe -o mlwr.exe.unpacked
rules
yara
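# yara64: -C means `yara-rules` is a *compiled* rules file (produced by yarac);
# for a plain-text .yar file drop -C. -r recurses, -w suppresses warnings.
# The report is written to the current directory, outside the scanned tree:
# writing it under C:\Windows (e.g. C:\Windows\temp) makes yara scan its own
# growing output, which can yield self-matches on rule names and paths.
yara64.exe -C yara-rules -rw C:\Windows > yara_out.txt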
sources:
- yara.readthedocs.io/en/stable/writingrules.html
- github.com/elastic
- [stalkphish PhishingKit](https://github.com/t4d/PhishingKit-Yara-Rules)
- yara-ci.cloud.virustotal.com