When investigating a specific malware campaign (e.g. one with a certain regional flavor), the group of seemingly different samples involved may be large, but the actual infrastructure dropping the next-stage malware usually is not. If you have a big database of recent malware, our new context/similarity search makes it a lot easier to quickly assess the scope of a campaign and download its network connections in bulk. That data can then be used to cross-check your corporate network and/or update your firewalls and other defenses.
Let us start out with a recent financial malware campaign that was imitating a financial group (note: to follow the steps, please log in with your user account): https://www.hybrid-analysis.com/sample/e1b31fa2c0fb0744d449042298003c4d5471b86445267c8b953eccf58ab3cfae?environmentId=100
- Check the top of the report or process tree/extracted files section for the "Show similar samples" or "Seen in another context" buttons:
- You can also broaden the scope using the respective button in the submission list:
- ... or do a "domain" or "ip" search based on what you see in the network area:
- Then download all contacted hosts (CSV) once you have a very specific group of samples:
- Take note of the "flagged" column (contacted hosts file):
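Once you have the contacted hosts CSV, the last step is to cross-check it against your own network telemetry. The following is an added example (not part of this post or of the Hybrid Analysis product) that keeps only the rows with a true "flagged" column and matches them against proxy log lines; the CSV column names (host, port, flagged) and the proxy log layout are assumptions for this example, so adjust them to the header of your actual download.

```python
import csv
import io
from typing import Dict, List, Set

# Constructed sample of a "contacted hosts" CSV export. The column names
# (host, port, flagged) are assumptions for this example, not the real
# export format; adapt them to the header of your download.
CONTACTED_HOSTS_CSV = """host,port,flagged
203.0.113.10,443,true
198.51.100.7,80,false
c2.example-bad.invalid,8080,true
cdn.example.net,443,false
"""

# Constructed proxy log lines (format: timestamp client dest:port).
PROXY_LOG = [
    "2017-03-01T10:02:11Z 10.0.0.21 cdn.example.net:443",
    "2017-03-01T10:05:42Z 10.0.0.33 203.0.113.10:443",
    "2017-03-01T10:07:03Z 10.0.0.21 c2.example-bad.invalid:8080",
    "2017-03-01T10:09:55Z 10.0.0.45 198.51.100.7:80",
]


def flagged_hosts(csv_text: str) -> Set[str]:
    """Return the set of hosts whose 'flagged' column is true."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {
        row["host"].strip().lower()
        for row in reader
        if row.get("flagged", "").strip().lower() in ("true", "1", "yes")
    }


def find_matches(log_lines: List[str], flagged: Set[str]) -> Dict[str, List[str]]:
    """Map each flagged host to the internal clients seen contacting it."""
    hits: Dict[str, List[str]] = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the sweep
        client, dest = parts[1], parts[2]
        host = dest.rsplit(":", 1)[0].lower()  # strip the port
        if host in flagged:
            hits.setdefault(host, []).append(client)
    return hits


if __name__ == "__main__":
    flagged = flagged_hosts(CONTACTED_HOSTS_CSV)
    for host, clients in sorted(find_matches(PROXY_LOG, flagged).items()):
        print(f"{host}: {', '.join(clients)}")
```

Unflagged hosts (CDNs, legitimate services the sample touched) are deliberately ignored, since alerting on them would produce noise rather than leads.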
The more malware you share with the community at either https://www.hybrid-analysis.com/ or https://www.reverse.it/, the better we will be able to give back relevant data to the community. If you have any feature requests/comments or recommendations, drop us a line at [email protected] or https://twitter.com/payloadsecurity