How to do malware OSINT

Step one for any suspected malware sample should be to scan it with a bunch of antiviruses. But, seeing as it’s unlikely that you’ll have access to all the AVs in the world, some other resources might come in handy. Also, you probably don’t wanna upload the actual sample to online scanners, as adversaries might be monitoring those, and if they all of a sudden see that their malware is recognised, they know you’re on to them.

So stick to the ones where you can submit a hash of your sample instead, at least as a first step. If you know that they know, then you can consider uploading your sample to full-on sandboxes for automated analysis.

Sites to do you initial hash lookups:

https://www.virustotal.com/gui/home/search

https://totalhash.cymru.com

https://metadefender.opswat.com/#!/

https://avcaesar.malware.lu/

https://malwr.com/

If you want to do it CLI, https://www.team-cymru.com/mhr.html#whois lets you submit MD5 and SHA1 hashes via whois, like so:

whois -h hash.cymru.com <insert hash here>

This will give you back the percentage of AVs that detected this hash (or the file of which it’s derived) as malware (the last number)

https://www.hybrid-analysis.com/

Hybrid Analysis also lets you upload the file, it will look it up for you on VirusTotal, MetaDefender, CrowdStrike Falcon, and will run it in a sandbox and show you the screenshot of it running.