VirusTotal & hash lists

We'll take UAC's md5 hash output and query VirusTotal's API to search for malicious binaries.

If you execute UAC and select an appropriate profile (like full, or ir_triage) you'll have a list of hashes of executables which were running at the time of acquisition. Within process folder within live_response, you'll hash_running_process.md5 and .sha1

Edit those and strip the first column. If you're using Notepad++, you can just open the file, press Alt + Shift and select the second column and delete it. Save this as a new file, called process.md5 (you need the original listing to identify the process and map it back to pstree/cmd).

Download VirusTotal search from Didier Stevens' website (https://blog.didierstevens.com/programs/virustotal-tools/)
Fetch an API key from VirusTotal (free for small volume queries)
Make sure you have Python2.7 installed
Execute the following command

$ python2.7 virustotal-search.py -k APIKEY hashes.md5

This will display the results via the console, as well as save it as a CSV file.

PreviousIvanti Connect Secure Auth Bypass and Remote Code Authentication CVE-2024-21887 NextUnix-like Artifacts Collector (UAC)

Last updated 2 years ago

Was this helpful?