TryHackMe File and Hash Threat Intel Full Walkthrough 2025
Author: Djalil Ayed
Uploaded: 2025-08-20
Views: 1553
This room teaches how to enrich file and hash artefacts using threat intelligence.
Room Link: https://tryhackme.com/room/fileandhas...
🐞Learning Objectives🐞
By completing this room, you will be able to:
🪲Interpret suspicious filepaths and filenames using heuristics.
🪲Generate and validate file hashes.
🪲Leverage VirusTotal and MalwareBazaar to enrich newly observed binaries.
🪲Extract behaviour from sandbox telemetry and map it to MITRE ATT&CK.
🐞Room Tasks 🐞
🤖 Filenames and Paths
One file displays one of the indicators mentioned. Can you identify the file and the indicator? (Answer: file, property)
🔥 File Hash Lookup
What is the SHA256 hash of the file bl0gger?
On VirusTotal, what is the threat label used to identify the malicious file?
When was the file first submitted for analysis? (Answer format: YYYY-MM-DD HH:MM:SS)
According to MalwareBazaar, which vendor classified the Morse-Code-Analyzer file as non-malicious?
On VirusTotal, what MITRE technique has been flagged for persistence and privilege escalation for the Morse-Code-Analyzer file?
😸 Sandbox Analysis
What tags are used to identify the bl0gger.exe malicious file on Hybrid Analysis? (Answer: Tag1, Tag2, Tag3)
What was the stealth command line executed from the file?
Which other process was spawned according to the process tree?
The payroll.pdf application seems to be masquerading as which known Windows file?
What associated URL is linked to the file?
How many extracted strings were identified from the sandbox analysis of the file?
🛸 Threat Intelligence Challenge
What is the SHA256 hash of the file?
What family labels are assigned to the file on VirusTotal?
How many security vendors have flagged the file as malicious?
Name the text file dropped during the execution of the malicious file.
What PowerShell script is observed to be executed?
What is the MITRE ATT&CK ID associated with this execution?
🐕Websites Used in this video:🐕
🔥Virustotal: https://www.virustotal.com
🔥Hybrid Analysis: https://hybrid-analysis.com
🔥MalwareBazaar: https://bazaar.abuse.ch/
🔥MITRE ATT&CK: https://attack.mitre.org/versions/v14/
⚠️ Educational Purpose Only
This content is for educational and authorized penetration testing purposes only. Always ensure you have permission before testing on any systems.
Don't forget to 👍 LIKE and 🔔 SUBSCRIBE for more cybersecurity tutorials!
#TryHackMe