VirusTotal & hash lists
We'll take UAC's md5 hash output and query VirusTotal's API to search for malicious binaries.
If you execute UAC with an appropriate profile (such as full or ir_triage), you'll get a list of hashes of the executables that were running at the time of acquisition. In the process folder within live_response you'll find hash_running_process.md5 and .sha1.
Edit those and strip the path column so that only the hashes remain. If you're using Notepad++, you can open the file, hold Alt + Shift while selecting the second column, and delete it. Save this as a new file called process.md5 (keep the original listing: you need it to identify the process and map it back to pstree/cmd).
1. Download VirusTotal search from Didier Stevens' website (https://blog.didierstevens.com/programs/virustotal-tools/)
2. Fetch an API key from VirusTotal (free for small-volume queries)
3. Make sure you have Python 2.7 installed
4. Execute the following command against the stripped hash list you saved above
$ python2.7 virustotal-search.py -k APIKEY hashes.md5
This will display the results in the console and also save them as a CSV file.
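As an added example (not part of this page, UAC, or Didier Stevens' tool), the following Python 3 script does the column-stripping step programmatically, skipping malformed lines and duplicate hashes, and then joins the lookup results back to the process paths so nothing has to be matched by hand. The sample hash listing is constructed, and the result CSV's column names and delimiter are assumptions to adjust to the file you actually get.

```python
import csv
import io
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample in md5sum layout ("<hash>  <path>"), the layout of
# UAC's hash_running_process.md5; hashes and paths are made up for this example.
SAMPLE_UAC_MD5 = """\
d41d8cd98f00b204e9800998ecf8427e  /usr/bin/sleep
9e107d9d372bb6826bd81d3542a419d6  /tmp/updater
d41d8cd98f00b204e9800998ecf8427e  /usr/bin/sleep
not-a-hash  /proc/1234/exe
"""

def parse_uac_hash_file(text):
    """Map each MD5 to the ordered, deduplicated list of paths that carried it."""
    hashes = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or not MD5_RE.match(parts[0].lower()):
            continue  # skip blank or malformed lines instead of sending junk to the API
        paths = hashes.setdefault(parts[0].lower(), [])
        if parts[1] not in paths:
            paths.append(parts[1])
    return hashes

def hash_list(hashes):
    """One hash per line: the input format virustotal-search.py reads."""
    return "\n".join(hashes) + "\n"

def join_results(hashes, results_csv, hash_col="Search", det_col="Detections", delim=";"):
    """Attach detection counts back to process paths, most-detected first.
    Column names and delimiter are assumptions about the CSV layout."""
    reader = csv.DictReader(io.StringIO(results_csv), delimiter=delim)
    joined = []
    for row in reader:
        h = row[hash_col].strip().lower()
        for path in hashes.get(h, []):
            joined.append((path, h, int(row[det_col] or 0)))
    return sorted(joined, key=lambda r: -r[2])

# Constructed results file in the assumed layout (hash;detections;total engines)
SAMPLE_RESULTS = ("Search;Detections;Total\n"
                  "9e107d9d372bb6826bd81d3542a419d6;41;70\n"
                  "d41d8cd98f00b204e9800998ecf8427e;0;70\n")

if __name__ == "__main__":
    h = parse_uac_hash_file(SAMPLE_UAC_MD5)
    print(hash_list(h), end="")  # this is what you would save as process.md5
    for path, md5, hits in join_results(h, SAMPLE_RESULTS):
        print(f"{hits:3d}  {md5}  {path}")
```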