Detection score: This represents a crowdsourced security verdict from various vendors, displayed as a ratio of detecting engines to total engines. The higher the ratio, the higher the confidence that the file is a threat.
Threat labels and categories: These are vendor-specific classifications of the threat, which help confirm the threat's attribution among vendors.
Detection rules: These are the technical signatures used by AV engines to identify threats. Typical classifications are YARA rules, heuristic patterns, and behavioural triggers.
Properties: This is where the core metadata about the file is found, including the file type, size, and compiled timestamp.
Contained domains and IPs: This information covers the malware's network infrastructure.
Contained files: This section details any files embedded or dropped during the malware's execution.
Malware Samples Upload: Security analysts can upload their malware samples to be analysed and to grow the intelligence database. This can be done through the browser or an API.
Malware Hunting: Hunting for malware samples is possible through various elements, such as:
Malware Family tagging: You will find files classified by their malware families. For example, a file with only 5/70 detections on VirusTotal but tagged #IcedID in MalwareBazaar should be treated as malicious.
YARA rule integration: Many submissions include rules that detect related samples. As an analyst, you should note these rules so they can be added to the EDR/SIEM for future hunting.
Campaign attribution: Tags such as #TA551, which belong to a threat actor group, help link observed incidents to known adversaries. This can help identify coordinated attacks against an environment.
Sample Availability: Malware samples are available for download and analysis. Reanalysing samples in a sandbox is best practice, which we shall cover in the next task.
Detect It Easy (DiE) is a powerful tool for file type identification, popular among malware analysts, cybersecurity experts, and reverse engineers worldwide. Supporting both signature-based and heuristic analysis, DiE enables efficient file inspection across a broad range of platforms, including Windows, Linux, and macOS. Its adaptable, script-driven detection architecture makes it one of the most versatile tools in the field, with a comprehensive list of supported OS images. It can also extract strings.
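To show what signature-based identification and string extraction look like under the hood, here is an added Python example (not DiE's own code): it checks the magic bytes of PE, ELF and Mach-O files, follows the e_lfanew pointer to validate the PE header and read the machine type, and pulls printable ASCII strings. The sample buffer is a constructed minimal PE-like blob, not a real binary.

```python
import re
import struct

# Mach-O magic values in both byte orders (32-bit and 64-bit)
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe")
PE_MACHINES = {0x14C: "x86", 0x8664: "x64"}


def identify(data: bytes) -> str:
    """Signature-based file type identification, similar to DiE's first pass."""
    if data[:2] == b"MZ":
        # e_lfanew at offset 0x3C points to the PE signature; validate before trusting it
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if pe_off + 6 <= len(data) and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                machine = struct.unpack_from("<H", data, pe_off + 4)[0]
                return f"PE ({PE_MACHINES.get(machine, hex(machine))})"
        return "MZ executable (no valid PE header)"
    if data[:4] == b"\x7fELF":
        cls = {1: "32-bit", 2: "64-bit"}.get(data[4] if len(data) > 4 else 0, "unknown class")
        return f"ELF ({cls})"
    if data[:4] in MACHO_MAGICS:
        return "Mach-O"
    return "unknown"


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, like DiE's strings view."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


# Constructed sample: DOS header with e_lfanew = 0x40, then a PE header for x86
SAMPLE_PE = (
    b"MZ" + b"\x00" * 0x3A          # DOS header padded to offset 0x3C
    + struct.pack("<I", 0x40)       # e_lfanew -> PE signature at 0x40
    + b"PE\x00\x00" + struct.pack("<H", 0x14C) + b"\x00" * 14
    + b"kernel32.dll\x00" + b"\x01\x02" + b"GetProcAddress\x00"
)

if __name__ == "__main__":
    print(identify(SAMPLE_PE))
    print(extract_strings(SAMPLE_PE))
```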