Module 5 · Malware Triage 🔒

When an alert fires and the SOC ends up holding a suspicious binary — extracted from a phishing attachment, pulled off an infected endpoint, or flagged by EDR — somebody has to decide quickly: is this actually malicious, what does it do, and how bad is the exposure? That is malware triage. Not full reverse engineering (that takes days per sample) but a fast, structured assessment that answers the operational questions in under 30 minutes. This module walks through static triage, behavioural triage in a sandbox, the tools that matter, and the decision points that mark when to escalate to a dedicated reverse engineer.

Triage vs reverse engineering

Reverse engineering is a deep discipline: disassembly, control-flow graphs, identifying crypto constants, recovering C2 protocol. It is expensive and slow. Triage is the fast first-pass that determines whether reverse engineering is worth doing, and extracts actionable indicators (IPs, domains, hashes, filenames, registry keys) so the SOC can hunt for other affected hosts while the RE work proceeds.

Triage answers: “Is it malicious? What family? What does it do at a high level? What indicators do we hunt on right now?”

Safety first — the workspace

Never open a sample on your workstation. Never. The setup:

• Isolated VM — Flare-VM or REMnux image, snapshotted clean. Revert after each sample
• Host-only networking or NAT’d to an internet-simulated environment (INetSim, FakeNet). Never your production network
• No sensitive data on the analysis host — no corporate credentials, no VPN profiles, no browser sessions
• Separate email for vendor sandbox submissions — VirusTotal, Hybrid Analysis, Joe Sandbox
• Password-protected ZIPs when storing or sharing samples (convention: password is infected)

Before any hands-on work, acknowledge that the sample may exhibit anti-analysis behaviour: sandbox detection, timestamp checks, VM-fingerprinting. A tidy-looking benign result can be a decoy.

Phase 1 — Hash and lookup

First and cheapest step:

# Hash it
sha256sum sample.exe
md5sum sample.exe

# Look up on VirusTotal (hash-only, does not upload)
# API: GET https://www.virustotal.com/api/v3/files/{sha256}

A VirusTotal hit with 20+ engine detections and a recent first-seen date ends triage immediately: it is known malicious, pull the family name, extract IOCs, hunt. If no hit — continue.

Do not upload samples to public sandboxes by default. Uploads go into vendor corpora and are visible to threat actors who monitor them. Many APTs specifically watch VirusTotal for their own implants to detect that a victim is investigating. Use hash-only lookups until you have decided the sample is not targeted, or use a private sandbox tier.

Phase 2 — Static triage

Static analysis looks at the file without running it. Fast, safe, and often decisive.

file sample.bin
# sample.bin: PE32 executable (GUI) Intel 80386, for MS Windows

# Or in Python
pip install pefile
python -c "import pefile; p=pefile.PE('sample.exe'); print(p.OPTIONAL_HEADER.SizeOfImage)"

strings -n 8 sample.exe | less        # ASCII only
strings -el -n 8 sample.exe | less    # little-endian Unicode (common on Windows)

# What to look for:
# - URLs / IPs / domains (C2 candidates)
# - Registry paths (persistence hints)
# - Process names (target injection candidates)
# - User-Agent strings (HTTP-based malware)
# - Command-line flags (CLI-driven tooling)
# - Error messages in foreign languages (origin hints)
# - Crypto constants ("AES", "RC4", hardcoded keys)
# - Specific AV product names (AV-aware malware)