MiTec Registry Recovery

Malware Dynamic Analysis with MiTec Windows Registry Recovery

MiTec Windows Registry Recovery is an application that reads files containing Windows 9x, NT, 2K, XP, 2K3, 7, 8 and 10 registry hives. It extracts a great deal of useful information about the configuration and Windows installation settings of the host machine.

ApateDNS

Malware Dynamic Analysis with ApateDNS

ApateDNS is a tool for controlling DNS responses through an easy-to-use GUI. It lets you spoof DNS responses to a user-specified IP address by listening on UDP port 53 on the local machine.
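The mechanism ApateDNS relies on, shown as an added example that is not part of the original write-up or of ApateDNS itself: a minimal DNS sinkhole that parses an A query, answers it with a fixed lab address, and records the name that was asked for (that name is the indicator an analyst wants). The sinkhole address, the query name and the transaction id are constructed values, and the optional serve() loop binding UDP port 53 is what the GUI tool does for you.

```python
import socket
import struct
from typing import Tuple

# Constructed lab values (not from the page): where spoofed answers point and a name to ask for.
SINKHOLE_IP = "192.168.56.1"
SAMPLE_QNAME = "c2.example.test"

def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Build a plain DNS query (qtype 1 = A), as a resolver library would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

def _read_name(packet: bytes, pos: int) -> Tuple[str, int]:
    """Decode an uncompressed label sequence; return (name, offset past the terminating zero)."""
    labels = []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels), pos + 1

def parse_query(packet: bytes) -> Tuple[int, str, int, int]:
    """Return (transaction id, qname, qtype, offset just past the question section)."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question DNS query")
    qname, pos = _read_name(packet, 12)
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, qname, qtype, pos + 4  # skip QTYPE and QCLASS

def build_spoofed_response(query: bytes, sinkhole_ip: str, ttl: int = 60) -> bytes:
    """Answer any A query with the sinkhole address; other types get NOERROR with no answer."""
    txid, _qname, qtype, qend = parse_query(query)
    answered = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, answered, 0, 0)  # QR=1, RD=1, RA=1
    response = header + query[12:qend]  # echo the question section unchanged
    if answered:
        # Name pointer to offset 12 (0xC00C), type A, class IN, TTL, RDLENGTH 4, then the address
        response += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sinkhole_ip)
    return response

def parse_answer_ip(response: bytes) -> str:
    """Pull the A record address out of a response built by build_spoofed_response."""
    _txid, flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("no answer record")
    _, pos = _read_name(response, 12)
    pos += 4  # QTYPE and QCLASS
    _ptr, rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", response[pos:pos + 12])
    if rtype != 1 or rdlen != 4:
        raise ValueError("not an A record")
    return socket.inet_ntoa(response[pos + 12:pos + 16])

def serve(sinkhole_ip: str, bind=("0.0.0.0", 53)) -> None:
    """Lab-only sinkhole loop: answer every query and log the name asked for (the IOC)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _, qname, _, _ = parse_query(data)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue  # malformed or not a query: ignore
        print(f"{peer[0]} asked for {qname} -> answering {sinkhole_ip}")
        sock.sendto(build_spoofed_response(data, sinkhole_ip), peer)

if __name__ == "__main__":
    # Offline round trip: the same bytes a resolver in the analysis VM would send and receive.
    query = build_query(0x1234, SAMPLE_QNAME)
    print(parse_query(query)[1], "->", parse_answer_ip(build_spoofed_response(query, SINKHOLE_IP)))
```

Pointing the analysis VM's DNS server at the host running serve() makes every lookup the sample performs land on the sinkhole; the logged names are the DNS indicators, and the spoofed address can be the machine where FakeNet listens.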

FakeNet

Malware Dynamic Analysis with FakeNet-NG

FakeNet-NG is a tool that can be used as a network simulator. It lets you observe the network activity of the sample you are analyzing as it tries to connect outside your isolated environment.

Using FakeNet as a network simulator gives us rich information. It also generates a pcap file inside the FakeNet directory when the executable is terminated.

In our sample, FakeNet logs the HTTP communication of the sample connecting outside the environment, and this artifact can be used as a network-based IOC.
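Turning the pcap FakeNet leaves behind into network indicators, as an added example that is not part of the original write-up or of FakeNet-NG: a small classic-pcap walker that pulls the host, path and User-Agent out of every HTTP request in the capture. The capture itself is constructed inline (the VM and listener addresses, the host name and the request are made up), so the example runs without FakeNet; on a real capture only the file bytes change.

```python
import struct
from typing import Dict, List

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")

def _ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap raw Ethernet frames in a classic little-endian libpcap file (linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def build_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame carrying payload; checksums stay zero, the parser ignores them."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xAA\xBB" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, _ipv4(src), _ipv4(dst))
    return eth + ip + tcp

def extract_http_iocs(pcap: bytes) -> List[Dict[str, str]]:
    """Walk a classic pcap and return one IOC record per HTTP request found in a TCP payload."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    iocs, pos = [], 24
    while pos + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload.startswith(HTTP_METHODS):
            continue  # TLS, raw binary protocols etc. need their own parsers
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        lines = head.split("\r\n")
        method, path = lines[0].split(" ", 2)[:2]
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                key, value = line.split(":", 1)
                headers[key.strip().lower()] = value.strip()
        host = headers.get("host", dst)
        iocs.append({"src": src, "dst": dst, "dport": str(dport), "method": method,
                     "host": host, "path": path, "url": f"http://{host}{path}",
                     "user_agent": headers.get("user-agent", "")})
    return iocs

# Constructed traffic: the analysis VM (192.168.56.101) talking to the FakeNet listener (192.168.56.1).
SAMPLE_REQUEST = (b"POST /gate.php HTTP/1.1\r\nHost: c2.example.test\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
                  b"Content-Length: 0\r\n\r\n")
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.168.56.101", "192.168.56.1", 49152, 80, SAMPLE_REQUEST),
    build_tcp_frame("192.168.56.101", "192.168.56.1", 49153, 443, b"\x16\x03\x01\x00\x05hello"),
])

if __name__ == "__main__":
    for ioc in extract_http_iocs(SAMPLE_PCAP):
        print(f"{ioc['src']} -> {ioc['dst']}:{ioc['dport']} {ioc['method']} {ioc['url']} UA={ioc['user_agent']!r}")
```

The URL, the Host header and the User-Agent string are the pieces worth keeping as indicators; the destination address is whatever FakeNet (or ApateDNS) pointed the sample at, so it says nothing about the real infrastructure.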

GMER

Malware Dynamic Analysis with GMER

GMER is a rootkit detection tool that lets you view the hooking executable and the hooked function inside the system.

GMER can give us details about the name of the executable that performs the hooking and the module it hooks.

In our sample, GMER detects that Win32.AgentTesla.exe[2820] hooks the GetKeyboardState API in user32.dll.

Agent Tesla is a known variant of information-stealing malware.

RegShot

Dynamic Analysis with RegShot

RegShot is a tool that lets you take a clean snapshot of the registry, which can be compared later against a second snapshot taken after the malware sample is executed. This reveals changes in the registry, particularly when the malware modifies registry keys to persist on the system.

Ring3 API Hooker

Malware Dynamic Analysis with Ring3 API Hook Scanner

Ring3 API Hook Scanner, by NoVirusThanks.org, is a GMER-like tool that detects API hooking inside the kernel. It logs the executable responsible for the hooking and the API that is being hooked.

The Ring3 API Hook Scanner output has a set of categories.

One is the module that owns or hooks the API.

The other is the API name.

In our case, the image below shows how Ring3 detects Win32.AgentTesla.exe hooking the DeleteFileW API.
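How a user-mode hook scanner such as GMER or Ring3 API Hook Scanner arrives at the two findings above (GetKeyboardState and DeleteFileW hooked by Win32.AgentTesla.exe), as an added example that is not part of the original write-up or of either tool: read the first bytes of an exported function in the live process, decode the common trampoline stubs, and report a hook when control leaves the module that owns the function. The module map, the addresses and the entry bytes are constructed; only the module and API names come from the write-up.

```python
import struct
from typing import Dict, List, NamedTuple, Optional

class Module(NamedTuple):
    name: str
    base: int
    size: int

# Constructed module map for an analysis VM (addresses are made up; the names are from the
# write-up, which saw the hooks in process Win32.AgentTesla.exe, PID 2820).
MODULES = [
    Module("ntdll.dll", 0x77D00000, 0x180000),
    Module("user32.dll", 0x76A00000, 0x100000),
    Module("kernel32.dll", 0x76400000, 0x0E0000),
    Module("Win32.AgentTesla.exe", 0x00400000, 0x030000),
]

# Typical hot-patchable x86 prologue: mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC"

def owner_of(addr: int, modules: List[Module]) -> Optional[str]:
    """Map an address to the module whose image range contains it."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m.name
    return None

def decode_trampoline(addr: int, code: bytes, bits: int = 32) -> Optional[int]:
    """Return the target of common hook stubs written over a function entry, else None."""
    mask = (1 << bits) - 1
    code = code.ljust(16, b"\x00")
    if code[0] == 0xE9:                                          # jmp rel32
        return (addr + 5 + struct.unpack_from("<i", code, 1)[0]) & mask
    if code[0] == 0xEB:                                          # jmp rel8
        return (addr + 2 + struct.unpack_from("<b", code, 1)[0]) & mask
    if code[0] == 0x68 and code[5] == 0xC3:                      # push imm32 ; ret
        return struct.unpack_from("<I", code, 1)[0]
    if code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":             # mov eax, imm32 ; jmp eax
        return struct.unpack_from("<I", code, 1)[0]
    if code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":   # mov rax, imm64 ; jmp rax
        return struct.unpack_from("<Q", code, 2)[0]
    return None

def scan_api(api: str, addr: int, live: bytes, clean: bytes,
             modules: List[Module] = MODULES, bits: int = 32) -> Dict[str, str]:
    """Classify one exported function the way a ring-3 hook scanner does."""
    owner = owner_of(addr, modules) or "?"
    result = {"api": api, "owner": owner, "status": "clean", "hooker": ""}
    target = decode_trampoline(addr, live, bits)
    if target is not None and owner_of(target, modules) != owner:
        # control leaves the owning module: hooked, and the target module is the hooker
        result["status"] = "hooked"
        result["hooker"] = owner_of(target, modules) or f"unmapped 0x{target:08X}"
    elif live[:len(clean)] != clean:
        # bytes differ from the on-disk copy but no recognised stub: still worth a look
        result["status"] = "modified"
    return result

# Constructed "live" entry bytes, as a scanner would read them from the sample's process.
GKS_ADDR, DFW_ADDR, MBW_ADDR = 0x76A3D000, 0x76422AB0, 0x76A41200
LIVE_BYTES = {
    # user32!GetKeyboardState: jmp rel32 into Win32.AgentTesla.exe (the keylogging hook)
    "user32!GetKeyboardState": (GKS_ADDR, b"\xE9" + struct.pack("<i", 0x00402410 - (GKS_ADDR + 5))),
    # kernel32!DeleteFileW: push/ret stub into Win32.AgentTesla.exe
    "kernel32!DeleteFileW": (DFW_ADDR, b"\x68" + struct.pack("<I", 0x00403120) + b"\xC3"),
    # user32!MessageBoxW: untouched prologue
    "user32!MessageBoxW": (MBW_ADDR, CLEAN_PROLOGUE),
}

def scan_all() -> List[Dict[str, str]]:
    return [scan_api(api, addr, live, CLEAN_PROLOGUE) for api, (addr, live) in LIVE_BYTES.items()]

if __name__ == "__main__":
    for r in scan_all():
        print(f"{r['api']:<26} owner={r['owner']:<22} {r['status']:<8} {r['hooker']}")
```

The owner/hooker pair this produces is exactly the two-column view the scanners show. A jump that stays inside the owning module (a forwarder or a legitimate hot patch) is not reported, and bytes that differ from the clean copy without a recognised stub are flagged separately rather than ignored.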


SSDT View

Malware Dynamic Analysis with SSDT View

SSDT View by NoVirusThanks is a tool that checks every function inside the SSDT for possible hooking.

SSDT View has a set of categories.

One is the service or function.

The other is the module, that is, the owner of the service or function.

Finally, there is an indicator showing whether or not the service is hooked.

#tip: any service not owned by the ntoskrnl.exe module is regarded as hooked and malicious.