I’ll show you an example of how a report looks like.
Let’s use a file detected as trojan: https://www.virustotal.com/de/file/b7dfa88e556a1309c7cd37e055e5c3017809fde6e79eba79d6cebe7c7dfb898d/analysis/
This file was initially detected by my FortiSandbox before detection of AV and VT.
Let’s see what that file does on a XPVM:
First you can see, that it does a loot of things on the filesystem and registry. This is a little bit difficult in the beginnings.
But this one is also interesting:Â hxxp://vehanmace.ru/sliva/gate.php
You can use Automater from TekDefense or VT to see results of the URL:
____________________ Results found for: vehanmace.ru/sliva/gate.php ____________________
[+] Fortinet URL Category: Malicious Websites
No results found in the Un Redirect
[+] IP from URLVoid: 220.127.116.11
[+] Blacklist from URLVoid: No results found
[+] Domain Age from URLVoid: 2015-12-14 (14 days ago)
[+] Geo Coordinates from URLVoid: 52.35 / 4.9167
[+] Country from URLVoid: (NL) Netherlands
[+] pDNS data from VirusTotal: No results found
[+] pDNS malicious URLs from VirusTotal: No results found
[+] Malc0de Date: No results found
[+] Malc0de IP: No results found
[+] Malc0de Country: No results found
[+] Malc0de ASN: No results found
[+] Malc0de ASN Name: No results found
[+] Malc0de MD5: No results found
No results found in the THIP
[+] McAfee Web Risk: High
[+] McAfee Web Category: Malicious Downloads
[+] McAfee Last Seen: 2015-12-27
To close the circle….
With FortiSandbox you know now a lot of things before AV is detecting this malicious file and it’s versions.
- you are able to block “vehanmace.ru” on your proxy or webfilter
- you can check logs for other files with same name
- you can check proxy logs to see if someone is still connected to this malicious website
- you can report to VT and/or FortiGuard Team