Triaging Files on VirusTotal

The video provides an in-depth look at how to effectively use VirusTotal for triaging files, a crucial step for malware analysts in identifying and analyzing potential threats. The presenter, an experienced malware analyst, offers a systematic approach to evaluating files on VirusTotal, illustrating the nuances of interpreting the results. Here are the main points discussed:

  • 🔍 Understanding VirusTotal’s Capabilities: The presenter begins by explaining the features of VirusTotal, particularly highlighting the differences between having a standard account and an intelligence account. The latter provides more detailed information, which is crucial for deeper analysis.
  • 🛠️ Triaging Process: The video demonstrates the process of triaging files, starting from selecting files that aren’t clearly malicious but show potential signs of being threats due to alerts from at least two antivirus engines.
  • 📊 Interpreting Antivirus Results: The importance of not solely relying on antivirus detection names is emphasized. Instead, the presenter suggests looking at the context of the detections and considering them as indicators rather than definitive proof of maliciousness.
  • 🔬 Deep Dive into Samples:
    • Analyzing Ambiguous Files: For files with ambiguous or unclear status, the presenter shows how to delve deeper by examining the file’s properties, submission history, and the specific alerts triggered by various antivirus engines.
    • Practical Examples: The video includes practical demonstrations where files are analyzed in real-time, providing insights into the thought process of an experienced analyst. This includes checking file signatures, understanding the role of packers and obfuscators, and considering the file’s behavior during execution.
  • 00:00 Intro
  • 01:16 Sample 1 unlocker-1-9-2.zip – protected archive
  • 05:10 Sample 2 OfficeAiry.exe, InnoSetup PUP
  • 07:09 Sample 3 WinRAR.exe and DefaultSFX
  • 13:18 Sample 4 ethical-encodedT0.exe – shellcode, Bitdefender domination
  • 16:46 Sample 5 TeethandLove.exe – RenPy launcher
  • 21:02 Sample 6 not_suspic1ous.exe
  • 23:07 Sample 7 dnplayer.exe – invalid certificate
  • 24:49 Sample 8 SkinH_EL.dll – shellcode signature, UPX
  • 28:20 Sample 9 sha256.file – Xorist signature, SFX
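The two triage rules the video applies (look deeper only when at least two engines alert, and treat detection names as indicators that hint at packing or heuristics rather than as proof) can be turned into a small first-pass filter. The script below is an added example, not code from the video or from VirusTotal; it assumes the shape of the VirusTotal API v3 `last_analysis_results` object (engine name mapped to a record with `category` and `result` keys) and uses a constructed report, not a real sample.

```python
"""First-pass triage of a VirusTotal-style report (added example, not from the video).

Assumption: results follow the VirusTotal API v3 "last_analysis_results" shape, i.e.
{engine: {"category": ..., "result": ...}}. The report below is constructed for illustration.
"""
import re

# Detection-name fragments that usually mean a heuristic/ML/generic verdict, not a named family.
GENERIC_NAME = re.compile(r"(heur|generic|gen:|suspicious|ml\.|ai\.|score|possible)", re.I)
# Fragments that point at a packer or obfuscator, which the video treats as context, not proof.
PACKER_NAME = re.compile(r"(upx|pack|crypt|obfus)", re.I)

# Constructed report mimicking the API shape; engine verdicts here are made up.
SAMPLE_RESULTS = {
    "Bitdefender": {"category": "malicious", "result": "Gen:Variant.Ursu.12345"},
    "Kaspersky": {"category": "undetected", "result": None},
    "Microsoft": {"category": "undetected", "result": None},
    "ESET-NOD32": {"category": "malicious", "result": "a variant of Win32/Packed.UPX"},
    "Symantec": {"category": "suspicious", "result": "ML.Attribute.HighConfidence"},
    "Avast": {"category": "type-unsupported", "result": None},
}


def triage(results, min_engines=2):
    """Summarise a report the way the video's first pass does.

    needs_review is True only when at least `min_engines` engines flag the file;
    only_generic / packer_hint record what the detection names suggest about context.
    """
    flagged = {eng: r.get("result") for eng, r in results.items()
               if r.get("category") in ("malicious", "suspicious") and r.get("result")}
    # Engines that could not scan the file are neither "clean" nor "alerting".
    scanned = [r for r in results.values()
               if r.get("category") not in ("type-unsupported", "timeout")]
    generic = {e: n for e, n in flagged.items() if GENERIC_NAME.search(n)}
    specific = {e: n for e, n in flagged.items() if e not in generic}
    return {
        "detections": len(flagged),
        "scanned": len(scanned),
        "needs_review": len(flagged) >= min_engines,
        "only_generic": bool(flagged) and not specific,
        "packer_hint": any(PACKER_NAME.search(n) for n in flagged.values()),
        "indicators": sorted(flagged.values()),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RESULTS).items():
        print(f"{key}: {value}")
```

A file that scores `needs_review` with `only_generic` or `packer_hint` set is the kind of ambiguous case the video sends to the deeper checks (signature, submission history, behaviour) rather than labelling it malicious on the names alone.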