This article outlines the process of analyzing malware samples as a Cyber Threat Intelligence Analyst at PandaProbe Intelligence. The steps include downloading malware samples, conducting automated and manual analyses, correlating findings with global threat intelligence, and compiling a comprehensive report for mitigation. Affected: TryHackMe, PandaProbe Intelligence
Key points:
- Acting as a Cyber Threat Intelligence Analyst at PandaProbe Intelligence.
- Downloading malware samples in a secure environment.
- Using automated tools for preliminary malware analysis.
- Conducting a manual analysis to understand malware behavior.
- Correlating findings with global threat intelligence databases.
- Compiling a report with mitigation and recovery steps.
- Using FlareVM for isolated malware analysis.
- Retrieving file hashes for CTI analysis.
- Identifying the malware framework and MITRE ATT&CK techniques.
- Utilizing CyberChef for defanging URLs and IP addresses.
MITRE Techniques:
- TA0002: Execution – The malware utilizes pRsm.dll as an audio capture plugin.
- TA0005: Credential Access – The malware framework MgBot is linked to credential access techniques.
- TA0011: Command and Control – The malware communicates with a C&C server; the server's IP addresses are recorded in the report in defanged form.
Indicators of Compromise:
- [file hash] ae5d92ef69074050a822f6669fe267b6 (bmrpa.dll)
- [file hash] cc6e4be68c511637a5727a2cc02c1161 (maillfpassword.dll)
- [file hash] 07df8d223f8a370cd703d177d7e93a36 (pRsm.dll)
- [file hash] 889a7ae42fb44390ab99af071dd3d6b0 (qmsdp.dll)
- [file hash] 011f7a50fd410bfa0666f1150b2c3351 (wcdbcrk.dll)
- Check the article for all found IoCs.