# Static Analysis of Sample Files

**1. Getting File Hashes**

* **Tools**: Calculate the MD5 and SHA-256 hashes of the file (`md5sum`/`sha256sum` on Linux; `certutil -hashfile <file> SHA256` or `Get-FileHash` on Windows).
* **Example**: For `re_lotsastuff.exe`, record both hashes before doing anything else: they identify the sample in reports and threat-intelligence lookups, and any change to the file, even a single byte, produces a different hash.

**2. Identifying File Type**

* **Tool**: Detect It Easy (`DIE`).
  * **File Type**: `PE32` (a PE file for 32-bit x86; 64-bit files show as `PE32+`).
  * **Additional Info**: DIE also reports the entry point and any compiler, linker or packer signature it recognises, which tells you early whether the sample is packed.

**3. Viewing File Contents**

* **Tool**: Use `HxD` (Hex Editor).
  * **Signature**: PE files start with `4D 5A` (`MZ`, the DOS header signature).
  * **Offset**: At offset `0x3C` the DOS header holds a 4-byte little-endian value (`e_lfanew`); it is the file offset of the PE signature `50 45 00 00` (`PE\0\0`), where the real PE headers begin.

**4. Analyzing PE Headers**

* **Tool**: Use `PEiD` or similar PE analysis tools.
  * **MZ Header**: Marks the start of the file; its `e_lfanew` field points to the PE header.
  * **PE Header**: Contains the file's structural information, including:
    * **Entry Point**: `AddressOfEntryPoint`, the RVA (relative to `ImageBase`) where execution begins. It is not a file offset; map it through the section headers to find the bytes on disk. An entry point outside `.text` is a common sign of packing.
    * **Base of Code/Data**: RVAs where the code and initialized data start (`BaseOfData` exists only in PE32, not in PE32+).
    * **Section Headers**: Name, virtual address/size, raw offset/size and characteristics of each section (e.g., `.text` for code, `.data` for initialized data, `.rsrc` for resources). Unusual names, or a raw size of zero with a large virtual size, are worth a second look.
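
Steps 1 to 4 above are one procedure: hash the file, confirm the `MZ` and `PE` signatures, then read the COFF/optional headers and the section table. The following is an added example, not code from the original page, that does all of this with the Python standard library and also maps the entry-point RVA back to a file offset. The executable it parses is a minimal PE32 constructed in memory (`build_sample_pe`), not a real sample; the field offsets used are those of the PE/COFF specification.

```python
"""Added example (not from the original page): hash a sample and walk its
MZ/PE headers with only the Python standard library. The binary parsed here
is constructed in memory and is not a real executable."""
import hashlib
import struct

MACHINE_NAMES = {0x14C: "x86 (I386)", 0x8664: "x64 (AMD64)"}


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of the raw bytes: the identifiers used in reports and lookups."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def parse_pe(data: bytes) -> dict:
    """Follow MZ -> e_lfanew -> PE signature -> COFF/optional headers -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature at offset 0")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # little-endian DWORD at 0x3C
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _flags = struct.unpack_from(
        "<HHIIIHH", data, coff)                              # 20-byte COFF file header
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva, base_of_code = struct.unpack_from("<II", data, opt + 16)
    if magic == 0x10B:                                       # PE32
        kind = "PE32"
        base_of_data, image_base = struct.unpack_from("<II", data, opt + 24)
    elif magic == 0x20B:                                     # PE32+ (64-bit)
        kind = "PE32+"
        base_of_data = None                                  # field does not exist in PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                        # section table follows the optional header
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_offset": raw_ptr, "raw_size": raw_size,
                         "characteristics": flags})
    return {"type": kind, "machine": MACHINE_NAMES.get(machine, hex(machine)),
            "entry_point_rva": entry_rva, "base_of_code": base_of_code,
            "base_of_data": base_of_data, "image_base": image_base,
            "sections": sections}


def rva_to_offset(pe: dict, rva: int):
    """Map an RVA (e.g. the entry point) to a file offset via the section it falls in.
    Returns (section name, file offset), or None when no section contains the RVA."""
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s["name"], rva - s["virtual_address"] + s["raw_offset"]
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal PE32: DOS header, PE/COFF/optional headers, one .text section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x200, 0, 0,
                      0x1010, 0x1000, 0x2000, 0x400000)           # EP 0x1010, ImageBase 0x400000
    opt += b"\0" * (0xE0 - len(opt))
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)                     # CODE | EXECUTE | READ
    headers = (dos + b"PE\0\0" + coff + opt + text).ljust(0x200, b"\0")
    code = (b"\0" * 0x10 + b"\x31\xc0\xc3").ljust(0x200, b"\0")    # xor eax,eax ; ret at RVA 0x1010
    return headers + code


if __name__ == "__main__":
    sample = build_sample_pe()
    print(file_hashes(sample))
    info = parse_pe(sample)
    print(info["type"], info["machine"], hex(info["entry_point_rva"]))
    print(rva_to_offset(info, info["entry_point_rva"]))  # ('.text', 0x210)
```

To run it against a real file, replace `build_sample_pe()` with `open(path, "rb").read()`; the point of `rva_to_offset` is the one above about the entry point: the header gives an RVA, and the section table is what turns it into the offset you would then jump to in HxD.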

**5. Inspecting Imports**

* **Details**:
  * **Imports**: The import table lists the DLLs the file loads and the API functions it resolves from each. A very short table (little more than `LoadLibrary` and `GetProcAddress`) suggests the sample is packed or resolves its APIs at run time.
  * **Common DLLs**:
    * **Kernel32.dll**: Core system functions (e.g., file operations, process and memory management).
    * **Advapi32.dll**: Registry, service control and Windows crypto functions.
    * **Shell32.dll**: Shell functions such as `ShellExecute` for launching files.
    * **Ws2\_32.dll**: Winsock network functions (`WSAStartup`, `connect`, `send`, `recv`).

**6. Viewing File Strings**

* **Tool**: Use the `strings` command-line tool.
  * **Command**: `strings re_lotsastuff.exe > lotsastuff.txt`
  * **Caveat**: GNU `strings` prints ASCII strings only by default; Windows binaries keep many strings in UTF-16LE, so run `strings -e l re_lotsastuff.exe` as well (and adjust the minimum length with `-n`).
  * **Review**: Look for URLs, IP addresses, file and registry paths, and API function names that hint at the sample's capabilities.
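
The following is an added example, not code from the original page, showing what the review step looks like when automated: it extracts both ASCII and UTF-16LE strings (the latter is what a default `strings` run misses) and tags the ones that match a starting set of indicator patterns. The input bytes are constructed here to imitate a binary's string table, and the indicator list is an assumption to extend, not a complete catalogue.

```python
"""Added example (not from the original page): pull ASCII and UTF-16LE strings
out of a binary blob and flag the ones worth a closer look. SAMPLE is
constructed; INDICATORS is a starting set of patterns, not a complete list."""
import re

INDICATORS = {
    "url": re.compile(r"https?://\S+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"(?:HK(?:LM|CU|CR|U|CC)\\|Software\\Microsoft)", re.I),
    "dll": re.compile(r"\.dll$", re.I),
    # API names from the DLLs discussed above; optional Ex/A/W suffixes
    "api": re.compile(r"^(?:CreateProcess|CreateFile|WriteFile|VirtualAlloc|"
                      r"WriteProcessMemory|CreateRemoteThread|ShellExecute|"
                      r"RegSetValue|RegCreateKey|WSAStartup|connect|send|recv|"
                      r"InternetOpen|URLDownloadToFile)(?:Ex)?[AW]?$"),
}


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for printable runs of at least min_len chars.
    The second pass finds UTF-16LE strings: printable byte, NUL, printable byte, NUL..."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def triage(strings):
    """Tag each string with the first indicator category it matches."""
    hits = []
    for _offset, _encoding, text in strings:
        for category, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((category, text))
                break
    return hits


# Constructed sample: header-ish bytes, an import-table-like run of names,
# a URL, a UTF-16LE registry path, Winsock names and an IPv4 address.
SAMPLE = (b"\x00\x01\x02MZ\x90\x00\x03"
          + b"kernel32.dll\x00CreateProcessA\x00WriteFile\x00\x7f\x12"
          + b"http://example.invalid/update.bin\x00\x00"
          + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
          + b"\x00\x00ws2_32.dll\x00WSAStartup\x00connect\x00\xff\xff\xff"
          + b"10.0.0.5\x00")

if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE):
        print(f"{offset:#06x} {encoding:8} {text}")
    for category, text in triage(extract_strings(SAMPLE)):
        print(f"[{category}] {text}")
```

Run on a real file, the UTF-16LE pass typically surfaces registry keys, mutex names and command lines that the ASCII pass never shows; anything tagged `api` is then cross-checked against the import table, because a function name present as a string but absent from the imports points at run-time resolution through `GetProcAddress`.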

**7. Analyzing PowerShell Scripts**

* **File**: `A_message.ps1` (the `.ps1` extension indicates a PowerShell script).
  * **Action**: Open with Notepad++ rather than running it.
  * **Decoding**:
    * **Base64**: Decode using CyberChef (`From Base64`). Payloads passed to `powershell -EncodedCommand` are Base64 of UTF-16LE text, so add a `Decode text` step with UTF-16LE if the output shows letters separated by NUL bytes.
    * **XOR**: Decrypt using CyberChef's `XOR` operation with the appropriate key; a self-decoding script has to carry its key, so look for it in the script before guessing.
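
The same Base64-then-XOR recipe in code, as an added example that is not part of the original page and does not reproduce `A_message.ps1`. It goes slightly beyond the steps above: besides decoding with a known key it recovers a repeating XOR key from a known-plaintext crib, and decodes a `-EncodedCommand` argument as UTF-16LE. The encoded samples are constructed (`calc.exe` under the key `key`; the command `dir`), and the key-recovery routine is a generic technique rather than anything the page's sample used.

```python
"""Added example (not from the original page): undo the Base64 + XOR layering
found in obfuscated PowerShell, recover a repeating XOR key from a crib, and
decode a -EncodedCommand payload. All samples are constructed."""
import base64
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the operation is its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_payload(b64_text: str, key: bytes) -> bytes:
    """From Base64, then XOR: the same order as the CyberChef recipe."""
    return xor_bytes(base64.b64decode(b64_text), key)


def encode_payload(plaintext: bytes, key: bytes) -> str:
    """Inverse of decode_payload; used here only to build test material."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def recover_key_from_crib(raw: bytes, crib: bytes) -> bytes:
    """Given XOR'd bytes and a guessed plaintext prefix (crib), recover the key.
    keystream = ciphertext XOR crib; the key is its shortest repeating unit.
    Caveat: a crib shorter than the key only yields a prefix of the key."""
    keystream = xor_bytes(raw[:len(crib)], crib)
    for period in range(1, len(keystream) + 1):
        if all(keystream[i] == keystream[i - period]
               for i in range(period, len(keystream))):
            return keystream[:period]
    return keystream


def decode_encoded_command(b64_text: str) -> str:
    """powershell -EncodedCommand takes Base64 of UTF-16LE text, not ASCII;
    decoding it as ASCII shows letters interleaved with NUL bytes."""
    return base64.b64decode(b64_text).decode("utf-16-le")


# Constructed sample: b"calc.exe" XOR'd with the repeating key b"key", then Base64'd.
SAMPLE_B64 = "CAQVCEscEwA="
SAMPLE_KEY = b"key"
# Constructed sample: the command "dir" as it would appear after -EncodedCommand.
SAMPLE_ENCODED_COMMAND = "ZABpAHIA"

if __name__ == "__main__":
    print(decode_payload(SAMPLE_B64, SAMPLE_KEY))                       # b'calc.exe'
    raw = base64.b64decode(SAMPLE_B64)
    print(recover_key_from_crib(raw, b"calc"))                           # b'key'
    print(decode_encoded_command(SAMPLE_ENCODED_COMMAND))                # dir
```

The crib trick is the one to reach for when the key is not obvious in the script: XOR'd PowerShell almost always starts with a predictable fragment (`$`, `Set-`, `IEX`, `function`), so XORing the first few ciphertext bytes against that guess exposes the key, and the period check separates a single-byte key from a repeating one.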

**8. Tools for Static Analysis**

* **Detect It Easy (DIE)**: Identifies file type, compiler/linker and packer.
* **HxD**: Hex editor for viewing raw file contents.
* **PEiD**: Tool for analyzing PE file headers.
* **strings**: Command-line extraction of printable strings.
* **CyberChef**: Tool for decoding and decrypting encoded data.
