VirusTotal & hash lists
We'll take the MD5 hashes that UAC collected and query VirusTotal's API to identify known-malicious binaries.
If you execute UAC with an appropriate profile (such as full or ir_triage), you'll get a list of hashes of the executables that were running at the time of acquisition. Within the process folder under live_response you'll find hash_running_process.md5 and .sha1.
Edit a copy of the file so that only the hash column remains. In Notepad++ you can open the file, hold Alt + Shift to column-select the path column, and delete it. Save the result as a new file called process.md5; keep the original listing, since you need it to map a hash back to its process and then to pstree/cmd output.
Download VirusTotal search from Didier Stevens' website (https://blog.didierstevens.com/programs/virustotal-tools/)
Fetch an API key from VirusTotal (free for small volume queries)
Make sure you have Python 2.7 installed.
Execute the following command.
This will display the results via the console, as well as save it as a CSV file.
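The workflow above, as an added example that is not UAC's or Didier Stevens' code: it parses the UAC hash listing (accepting either "hash  path" or "path hash" order, so you need not hand-edit the file), keeps the hash-to-path mapping the page says you must preserve, queries the VirusTotal v3 file-report endpoint with an API key you supply, and writes a CSV. The sample listing, the `vt_results.csv` output name and the 15-second pause between queries (the free tier's rate limit) are assumptions of this example, not part of the original page; the fetch function is injectable so the summarising logic can be exercised offline.

```python
"""Look up UAC's running-process hashes on VirusTotal and write a CSV summary.

Added example, not UAC's or virustotal-search's code. Assumes md5sum/sha1sum-style
lines ("<hash>  <path>"), but also accepts "<path> <hash>" order.
"""
import csv
import io
import json
import re
import sys
import time
import urllib.error
import urllib.request

# Constructed sample mimicking live_response/process/hash_running_process.md5.
SAMPLE_LISTING = """\
4a7d1ed414474e4033ac29ccb8653d9b  /usr/sbin/sshd
9e107d9d372bb6826bd81d3542a419d6  /usr/bin/bash
4a7d1ed414474e4033ac29ccb8653d9b  /usr/sbin/sshd
"""

# MD5 (32), SHA-1 (40) or SHA-256 (64) hex digest.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
VT_FILES_URL = "https://www.virustotal.com/api/v3/files/{}"
CSV_FIELDS = ["hash", "paths", "known_to_vt", "malicious", "suspicious", "undetected"]


def parse_hash_listing(text):
    """Return {hash: [paths]} preserving first-seen order; duplicate lines are collapsed."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if HASH_RE.match(parts[0]):          # md5sum style: hash first
            digest = parts[0].lower()
            path = line.split(None, 1)[1] if len(parts) > 1 else ""
        elif HASH_RE.match(parts[-1]):       # path first, hash last
            digest = parts[-1].lower()
            path = line.rsplit(None, 1)[0]
        else:
            continue                         # not a hash line; ignore
        paths = mapping.setdefault(digest, [])
        if path not in paths:
            paths.append(path)
    return mapping


def hash_only_listing(mapping):
    """The stripped process.md5 the page describes: one hash per line, no paths."""
    return "".join(h + "\n" for h in mapping)


def vt_fetch(digest, api_key):
    """GET the v3 file report; None when VirusTotal has no record (HTTP 404)."""
    req = urllib.request.Request(VT_FILES_URL.format(digest), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def summarize_report(digest, paths, report):
    """Flatten a v3 report (or None) into one CSV row, keeping the process paths."""
    attrs = {} if report is None else report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    return {
        "hash": digest,
        "paths": ";".join(paths),
        "known_to_vt": report is not None,
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "undetected": stats.get("undetected", 0),
    }


def lookup_hashes(mapping, fetch, delay=0.0):
    """Query every hash through `fetch(digest)`; `delay` throttles to the free-tier rate limit."""
    rows = []
    for digest, paths in mapping.items():
        rows.append(summarize_report(digest, paths, fetch(digest)))
        if delay:
            time.sleep(delay)
    return rows


def rows_to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: vt_lookup.py hash_running_process.md5 <VT_API_KEY>\n")
        return 2
    with open(argv[1], encoding="utf-8", errors="replace") as fh:
        mapping = parse_hash_listing(fh.read())
    # 15 s between requests keeps a free key under 4 requests/minute (assumed limit).
    rows = lookup_hashes(mapping, lambda h: vt_fetch(h, argv[2]), delay=15.0)
    output = rows_to_csv(rows)
    sys.stdout.write(output)                       # console, as the page describes
    with open("vt_results.csv", "w", newline="") as fh:  # assumed output file name
        fh.write(output)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the path column is carried along in the CSV, a hit on a hash can be tied straight back to the binary UAC saw running, without returning to the original listing by hand.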