TryHackMe File and Hash Threat Intel Full Walkthrough 2025
This room teaches how to enrich file and hash artefacts using threat intelligence.
Room Link: https://tryhackme.com/room/fileandhashthreatintel

🐞 Learning Objectives 🐞
By completing this room, you will be able to:
🪲 Interpret suspicious file paths and filenames using heuristics.
🪲 Generate and validate file hashes.
🪲 Leverage VirusTotal and MalwareBazaar to enrich newly observed binaries.
🪲 Extract behaviour from sandbox telemetry and map it to MITRE ATT&CK.

🐞 Room Tasks 🐞

🤖 Filenames and Paths
- One file displays one of the indicators mentioned. Can you identify the file and the indicator? (Answer format: file, property)

🔥 File Hash Lookup
- What is the SHA256 hash of the file bl0gger?
- On VirusTotal, what is the threat label used to identify the malicious file?
- When was the file first submitted for analysis? (Answer format: YYYY-MM-DD HH:MM:SS)
- According to MalwareBazaar, which vendor classified the Morse-Code-Analyzer file as non-malicious?
- On VirusTotal, what MITRE technique has been flagged for persistence and privilege escalation for the Morse-Code-Analyzer file?

😸 Sandbox Analysis
- What tags are used to identify the bl0gger.exe malicious file on Hybrid Analysis? (Answer format: Tag1, Tag2, Tag3)
- What was the stealth command line executed from the file?
- Which other process was spawned according to the process tree?
- The payroll.pdf application seems to be masquerading as which known Windows file?
- What associated URL is linked to the file?
- How many extracted strings were identified from the sandbox analysis of the file?

🛸 Threat Intelligence Challenge
- What is the SHA256 hash of the file?
- What family labels are assigned to the file on VirusTotal?
- How many security vendors have flagged the file as malicious?
- Name the text file dropped during the execution of the malicious file.
- What PowerShell script is observed to be executed?
- What is the MITRE ATT&CK ID associated with this execution?
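The first two learning objectives (filename/path heuristics and hash generation/validation) are the parts of the room an analyst repeats on every triage, so here is an added Python example that is not part of the TryHackMe room or the video. It computes the MD5/SHA1/SHA256 digests that VirusTotal and MalwareBazaar index, checks a computed SHA256 against a published one in constant time, and flags a handful of common filename indicators (double extension, Unicode right-to-left override, a system binary name outside System32, an executable in a user-writable directory). The sample paths and the `b"abc"` file content are constructed for illustration, and the heuristic lists are assumptions, not the room's own answer key.

```python
"""Added example (not from the TryHackMe room): hash generation/validation and
filename heuristics. Sample bytes and paths below are constructed."""
import hashlib
import hmac
import ntpath

# Constructed stand-in for file content you would normally read from disk.
SAMPLE_FILE_BYTES = b"abc"

# Constructed paths to triage; none refers to a real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Downloads\payroll.pdf.exe",
    r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
    r"C:\Windows\System32\svchost.exe",
    "C:\\Users\\alice\\Desktop\\report\u202efdp.scr",
    r"C:\Program Files\Vendor\tool.exe",
]

# Assumed heuristic lists: Windows binaries commonly imitated, where they belong,
# and extensions/directories that matter for the checks below.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                   "winlogon.exe", "rundll32.exe"}
EXPECTED_SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".ps1", ".dll"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\public\\")


def file_hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 hex digests of in-memory data (the three lookup keys on VT/MalwareBazaar)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same digests, streamed from disk so a large binary never has to fit in memory."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def verify_hash(data: bytes, expected_sha256: str) -> bool:
    """Validate a computed SHA256 against a published one; case-insensitive, constant-time compare."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def filename_indicators(path: str) -> list:
    """Return the heuristic indicators that fire on a path; an empty list means none fired."""
    indicators = []
    lowered = path.lower()
    name = ntpath.basename(path)
    parts = name.lower().split(".")
    exts = ["." + p for p in parts[1:]]  # every extension-like suffix, e.g. ['.pdf', '.exe']
    final_ext = exts[-1] if exts else ""

    if "\u202e" in name:  # RIGHT-TO-LEFT OVERRIDE makes 'rcs.pdf' display as 'fdp.scr'
        indicators.append("rtl-override")
    if (len(exts) >= 2 and final_ext in EXECUTABLE_EXTS
            and any(e in DOCUMENT_EXTS for e in exts[:-1])):
        indicators.append("double-extension")
    if name.lower() in SYSTEM_BINARIES and not lowered.startswith(EXPECTED_SYSTEM_DIRS):
        indicators.append("system-binary-out-of-place")
    if final_ext in EXECUTABLE_EXTS and any(m in lowered for m in USER_WRITABLE_MARKERS):
        indicators.append("executable-in-user-writable-dir")
    return indicators


def triage(paths: list) -> dict:
    """Map each path to its indicator list, keeping only paths that fired something."""
    return {p: filename_indicators(p) for p in paths if filename_indicators(p)}


if __name__ == "__main__":
    print(file_hashes(SAMPLE_FILE_BYTES))
    for p, hits in triage(SAMPLE_PATHS).items():
        print(f"{p}: {', '.join(hits)}")
```

The digests from `file_hashes` or `hash_file` are what you paste into the VirusTotal or MalwareBazaar search box; `verify_hash` is for the reverse direction, confirming that a sample you hold really is the one a report describes. The heuristics are deliberately narrow and will miss plenty; they are a starting point for the kind of reasoning the room's first task asks for, not a detection rule.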
🐕 Websites Used in this video 🐕
🔥 VirusTotal: https://www.virustotal.com
🔥 Hybrid Analysis: https://hybrid-analysis.com
🔥 MalwareBazaar: https://bazaar.abuse.ch/
🔥 MITRE ATT&CK: https://attack.mitre.org/versions/v14/

⚠️ Educational Purpose Only
This content is for educational and authorized penetration testing purposes only. Always ensure you have permission before testing on any systems.

Don't forget to 👍 LIKE and 🔔 SUBSCRIBE for more cybersecurity tutorials!
#TryHackMe