Defensive Security Tooling: FlareVM: Arsenal of Tools (TryHackMe)

This article is a write-up for the TryHackMe room FlareVM: Arsenal of Tools. It covers the tasks Arsenal of Tools, Commonly Used Tools for Investigation: Overview, and Analyzing Malicious Files. Each question is listed below, followed by its answer.
Which tool is an open-source debugger for binaries in x64 and x32 formats?
x64dbg

What tool is designed to analyze and edit Portable Executable (PE) files?
CFF Explorer

Which tool is considered a sophisticated memory editor and process watcher?
Process Hacker

Which tool is used for disk image acquisition and analysis for forensic use?
FTK Imager

What tool can be used to view and edit a binary file?
HxD

Which tool was formerly known as FLARE Obfuscated String Solver?
FLOSS

Which tool offers in-depth insights into the active processes running on your computer?
Process Explorer

Using the Process Explorer (procexp) tool, under what process can we find smss.exe?
System

Which powerful Windows tool is designed to help you record issues with your system's apps?
Procmon

Which tool can be used for static analysis, that is, studying executable file properties without running the files?
PEStudio

Using PEStudio to open the file cryptominer.bin in the Desktop\Sample folder, what is the SHA-256 value of the file?
E9627EBAAC562067759681DCEBA8DDE8D83B1D813AF8181948C549E342F67C0E

Using PEStudio to open the file cryptominer.bin in the Desktop\Sample folder, how many functions does it have?
102

What tool can generate file hashes for integrity verification, authenticate the source of system files, and validate them?
CFF Explorer

Using CFF Explorer to open the file possible_medusa.txt in the Desktop\Sample folder, what is the MD5 of the file?
646698572AFBBF24F50EC5681FEB2DB7

Use CFF Explorer to open the file possible_medusa.txt in the Desktop\Sample folder, then go to the DOS Header section. What is the e_magic value of the file?
5A4D

Using PEStudio, open the file windows.exe. What is the entropy value of the file windows.exe?
7.999

Using PEStudio, open the file windows.exe, then go to the manifest (administrator section). What is the value under requestedExecutionLevel?
requireAdministrator

Which function allows the process to use the operating system's shell to execute other processes?
set_UseShellExecute

Which API starts with R and indicates that the executable uses cryptographic functions?
RijndaelManaged

What is the Imphash of cobaltstrike.exe?
92EEF189FB188C541CBD83AC8BA4ACF5

What is the defanged IP address to which the process cobaltstrike.exe is connecting?
47[.]120[.]46[.]210

What is the destination port number used by cobaltstrike.exe when connecting to its C2 IP address?
81

During our analysis, we found a process called cobaltstrike.exe. What is the parent process of cobaltstrike.exe?
explorer.exe
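Several of the answers above come straight from fields that PEStudio and CFF Explorer read out of the file: the MD5/SHA-256 hashes, the e_magic word of the DOS header (the bytes "M" "Z", 0x4D 0x5A, read as a little-endian WORD give 0x5A4D, which is why CFF Explorer shows 5A4D), the Shannon entropy (7.999 out of a maximum of 8.0 is what packed or encrypted content looks like), and the imphash (an MD5 over the normalised import list). The script below is an added example, not part of the original write-up or of either tool, that reproduces those checks in pure Python so they can be verified outside FlareVM. The sample buffer and the import list are constructed inline and stand in for cryptominer.bin, windows.exe and cobaltstrike.exe, whose bytes are not on this page, so its hashes will not match the answers; the 7.2 entropy threshold for "likely packed" is a common analyst rule of thumb and an assumption of this example, not a PEStudio setting.

```python
import hashlib
import math
import struct
from collections import Counter
from typing import Dict, Iterable, Tuple, Union

# Heuristic threshold (assumption, not a PEStudio setting): Shannon entropy is
# bits per byte, maximum 8.0; above ~7.2 usually means compressed, packed or
# encrypted content rather than ordinary code and data.
PACKED_ENTROPY_THRESHOLD = 7.2


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5 / SHA-1 / SHA-256 of the raw bytes, upper-case hex as PEStudio shows them."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def dos_header(data: bytes) -> Dict[str, Union[str, int, bool]]:
    """Read the IMAGE_DOS_HEADER fields CFF Explorer shows first.

    e_magic is a little-endian WORD, so the bytes 'M' 'Z' (0x4D 0x5A) read back
    as 0x5A4D; e_lfanew at offset 0x3C points at the 'PE\\0\\0' signature.
    """
    if len(data) < 0x40:
        raise ValueError("buffer too short for an IMAGE_DOS_HEADER (64 bytes)")
    e_magic = struct.unpack_from("<H", data, 0)[0]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return {
        "e_magic": f"{e_magic:04X}",
        "is_mz": e_magic == 0x5A4D,
        "e_lfanew": e_lfanew,
        "has_pe_signature": data[e_lfanew:e_lfanew + 4] == b"PE\0\0",
    }


Import = Tuple[str, Union[str, int]]  # (dll name, function name or ordinal number)


def imphash_string(imports: Iterable[Import]) -> str:
    """Normalised import list that the imphash is computed over.

    Same rules as the pefile/Mandiant imphash: lower-case everything, strip a
    .dll/.ocx/.sys extension, write ordinals as 'ordN', keep import order
    (so two binaries with the same imports in a different order hash differently).
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports: Iterable[Import]) -> str:
    return hashlib.md5(imphash_string(imports).encode()).hexdigest().upper()


def triage(data: bytes) -> Dict[str, object]:
    """The static checks behind the questions above, run on one buffer."""
    hdr = dos_header(data)
    ent = shannon_entropy(data)
    return {
        **file_hashes(data),
        **hdr,
        "entropy": round(ent, 3),          # PEStudio shows three decimals, e.g. 7.999
        "likely_packed": ent > PACKED_ENTROPY_THRESHOLD,
    }


def build_sample() -> bytes:
    """Constructed sample, not a real file: a valid DOS/PE header stub followed by
    a block of uniform bytes that stands in for a packed section."""
    buf = bytearray(0x40)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    buf += b"PE\0\0"
    buf += bytes(range(256)) * 4
    return bytes(buf)


# Constructed import list for the imphash demo (not cobaltstrike.exe's real imports).
SAMPLE_IMPORTS = [("KERNEL32.dll", "CreateFileA"), ("WS2_32.dll", "connect"), ("USER32.dll", 123)]

if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key:>17}: {value}")
    print(f"   imphash string: {imphash_string(SAMPLE_IMPORTS)}")
    print(f"          imphash: {imphash(SAMPLE_IMPORTS)}")
```

To check a real sample from the room, read it with `triage(open(path, "rb").read())`; the hashes and e_magic should then match what PEStudio and CFF Explorer report. The imphash functions here take an already-extracted import list, because walking the import directory of a real PE is more code than this example warrants; in practice `pefile.PE(path).get_imphash()` does the parsing and applies the same normalisation shown in `imphash_string`.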
Thank you for reading my article. Please leave any questions or comments on improving my learning journey and the THM lab challenges.




