Of course the file execution is what grabs our attention so let’s extract these files and have a look at them. On the right-hand side, we can see the SFX script which details the path to where these files will extract, file execution after unpacking, silent install and file overwriting. Let’s open up this archive in WinRAR and see what it contains: If we go into the manifest, we can see that it tells us that it’s a WinRAR SFX:įile Extraction with WinRAR - Firestorm.exe the debug file name is sfxrar.pdb which indicates a self-extracting archive, most likely WinRAR.it references cryptographic functions which may indicate some sort of obfuscation.it references file streams so it may write to disk,.it attempts to appear as a Microsoft executable IEXPLORE.exe which is Internet Explorer,. We can see here there are quite a few flags being raised, most notably: So, using pestudio, I may be able to get some hints. Since VT wasn’t helpful, I needed to get a better understanding of what this file is and what it can do. Okay, so there are some detections but it seems to be a pretty generic and it doesn’t really help me much. The first thing I do is upload the sample to VirusTotal (VT) to see if this has already been detected or not, or just to try and get a general overview of what I might be dealing with. With all things hacking, recon should be the first step towards understanding the target. Nothing extraordinary, these are entirely optional and is not needed to understand the analysis.Īnalysis Static Analysis VirusTotal - Firestorm.exe
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |