TryHackMe | Threat Intelligence | Easy | Mar '26

Invite Only

Threat intelligence analysis on two flagged indicators (IP and SHA256 hash). Traced execution parents, dropped files, and malware family using VirusTotal. Identified AsyncRAT as the malware family, ClickFix as the phishing technique, and Discord invite hijacking as the delivery mechanism.

Difficulty: Easy
Completion: 100%
Platform: TryHackMe
Tools used: VirusTotal, Google Threat Intel
01

Hash and File Analysis

1. What is the name of the file identified with the flagged SHA256 hash?

Using VirusTotal, I identified the file flagged by the L1 analyst.

VirusTotal detection page for the flagged SHA256 hash
Answer: syshelpers.exe
2. What is the file type associated with the flagged SHA256 hash?

Looking further into the VirusTotal report, we can see the associated file type.

VirusTotal file details section showing win32 exe type
Answer: win32, exe
3. What are the execution parents of the flagged hash? List the names chronologically, using a comma as a separator. Note down the hashes for later use.

Moving to the Relations tab, we can see the execution parents and their respective hashes.

VirusTotal Relations tab showing 361GJX7J and installer.exe as execution parents
Answer: 361GJX7J, installer.exe
4. What is the name of the file being dropped? Note down the hash value for later use.

Still in the Relations tab, we can see the dropped file.

VirusTotal Relations tab showing Aclient.exe as dropped file
Answer: Aclient.exe
5. Research the second hash in question 3 and list the four malicious dropped files in the order they appear (from up to down), separated by commas.

The second hash in question 3 belongs to installer.exe: fa102d4e3cfbe85f5189da70a52c1d266925f3efd122091cdc8fe0fc39033942. Searching for this hash in VirusTotal gives us this information:

VirusTotal dropped files for installer.exe hash: first two files
VirusTotal dropped files for installer.exe hash: remaining files
Answer: searchHost.exe, syshelpers.exe, nat1.vbs, runsys.vbs
02

IP Analysis and Attribution

6. Analyse the files related to the flagged IP. What is the malware family that links these files?

We know that the flagged IP is 101.99.76.120. Looking it up in VirusTotal and opening the Relations tab, we see this:

VirusTotal relations tab for 101.99.76.120 showing multiple associated files

One name keeps popping up in the family labels:

VirusTotal family labels consistently showing AsyncRAT
Answer: Asyncrat
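The two pivots used so far (execution parents and dropped files of a hash in section 01, then the family label shared by files related to an IP in section 02) are easy to automate once the relationship data is in hand. The script below is an added example, not part of the TryHackMe room or of this write-up's own workflow. It runs offline over a hand-constructed dataset whose record shape is modelled on VirusTotal API v3 file objects (an `attributes` dict with `meaningful_name`, `type_description`, `first_submission_date`, `last_analysis_stats` and `popular_threat_classification`), but every date, detection count and `PLACEHOLDER_SHA256_*` key is invented; only the file names, the installer.exe hash and the IP come from the write-up. It sorts execution parents chronologically, keeps only malicious dropped files in report order, and tallies the family token across the IP's related files.

```python
from collections import Counter

# Hash of installer.exe, as given in the write-up; every other hash below is a
# labelled PLACEHOLDER because the write-up does not list them.
INSTALLER_SHA256 = "fa102d4e3cfbe85f5189da70a52c1d266925f3efd122091cdc8fe0fc39033942"
FLAGGED_IP = "101.99.76.120"


def _rec(name, ftype, submitted, malicious, label=None, parents=(), drops=()):
    """Build one constructed file record shaped like a VirusTotal v3 file object."""
    return {
        "attributes": {
            "meaningful_name": name,
            "type_description": ftype,
            "first_submission_date": submitted,  # epoch seconds, constructed
            "last_analysis_stats": {"malicious": malicious},
            "popular_threat_classification": {"suggested_threat_label": label} if label else {},
        },
        "execution_parents": list(parents),  # relationship: samples seen running this file
        "dropped_files": list(drops),        # relationship: files this sample writes out
    }


# Constructed dataset keyed by SHA256. Dates and detection counts are invented.
FILES = {
    "PLACEHOLDER_SHA256_361GJX7J": _rec("361GJX7J", "Win32 EXE", 1700000100, 31, "trojan.asyncrat/rat"),
    INSTALLER_SHA256: _rec(
        "installer.exe", "Win32 EXE", 1700000200, 45, "dropper.asyncrat/generic",
        drops=("PLACEHOLDER_SHA256_SEARCHHOST", "PLACEHOLDER_SHA256_SYSHELPERS",
               "PLACEHOLDER_SHA256_NOTES", "PLACEHOLDER_SHA256_NAT1", "PLACEHOLDER_SHA256_RUNSYS"),
    ),
    "PLACEHOLDER_SHA256_SYSHELPERS": _rec(
        "syshelpers.exe", "Win32 EXE", 1700000300, 40, "trojan.asyncrat/rat",
        parents=(INSTALLER_SHA256, "PLACEHOLDER_SHA256_361GJX7J"),  # deliberately out of date order
        drops=("PLACEHOLDER_SHA256_ACLIENT",),
    ),
    "PLACEHOLDER_SHA256_ACLIENT": _rec("Aclient.exe", "Win32 EXE", 1700000400, 38, "trojan.asyncrat/rat"),
    "PLACEHOLDER_SHA256_SEARCHHOST": _rec("searchHost.exe", "Win32 EXE", 1700000250, 27, "trojan.generic/kryptik"),
    "PLACEHOLDER_SHA256_NOTES": _rec("notes.txt", "Text", 1700000260, 0),  # benign, filtered out by default
    "PLACEHOLDER_SHA256_NAT1": _rec("nat1.vbs", "VBS", 1700000270, 22, "trojan.asyncrat/vbs"),
    "PLACEHOLDER_SHA256_RUNSYS": _rec("runsys.vbs", "VBS", 1700000280, 19, "trojan.asyncrat/vbs"),
}

# Files the Relations tab would list for the flagged IP (constructed membership).
IP_RELATED_FILES = {
    FLAGGED_IP: ["PLACEHOLDER_SHA256_SYSHELPERS", "PLACEHOLDER_SHA256_ACLIENT",
                 "PLACEHOLDER_SHA256_SEARCHHOST", "PLACEHOLDER_SHA256_361GJX7J"],
}


def _attr(sha256, key, default=None):
    return FILES[sha256]["attributes"].get(key, default)


def name_of(sha256):
    return _attr(sha256, "meaningful_name", sha256)


def is_malicious(sha256):
    return _attr(sha256, "last_analysis_stats", {}).get("malicious", 0) > 0


def execution_parents(sha256):
    """Names of the samples seen executing this file, oldest submission first."""
    parents = FILES[sha256]["execution_parents"]
    return [name_of(h) for h in sorted(parents, key=lambda h: _attr(h, "first_submission_date", 0))]


def dropped_files(sha256, malicious_only=True):
    """Names of the files this sample drops, in report order; malicious ones only by default."""
    return [name_of(h) for h in FILES[sha256]["dropped_files"]
            if not malicious_only or is_malicious(h)]


def family_of(sha256):
    """Family token of a v3-style label 'category.family/variant', lower-cased; None if unlabelled."""
    label = _attr(sha256, "popular_threat_classification", {}).get("suggested_threat_label")
    if not label:
        return None
    body = label.split(".", 1)[1] if "." in label else label
    return body.split("/", 1)[0].lower()


def dominant_family(ip):
    """(family, count) for the most frequent family among files related to ip, or None."""
    counts = Counter(f for f in map(family_of, IP_RELATED_FILES.get(ip, [])) if f)
    return counts.most_common(1)[0] if counts else None


def pivot(sha256):
    """One-hop summary of what the Relations tab shows for a hash."""
    return {
        "name": name_of(sha256),
        "type": _attr(sha256, "type_description"),
        "execution_parents": execution_parents(sha256),
        "dropped_files": dropped_files(sha256),
        "family": family_of(sha256),
    }


if __name__ == "__main__":
    flagged = "PLACEHOLDER_SHA256_SYSHELPERS"
    print("flagged hash:", pivot(flagged))
    print("second parent drops:", dropped_files(INSTALLER_SHA256))
    print("family behind", FLAGGED_IP, "->", dominant_family(FLAGGED_IP))
```

Two design points carry over to real VirusTotal data: execution parents are ordered by the parents' own first submission time rather than by the order the relationship list returns them, and the dropped-file pivot filters on `last_analysis_stats.malicious` so a benign config or text file written alongside the payloads does not end up in the chain. Swapping the `FILES` and `IP_RELATED_FILES` dicts for live v3 responses is the only change needed to run the same logic against the API.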
7. What is the title of the original report where these flagged indicators are mentioned? Use Google to find the report.

Checking the community notes, we found an article about AsyncRAT.

VirusTotal community note linking to the Trust to Threat article
Answer: Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery
8. Which tool did the attackers use to steal cookies from the Google Chrome browser?

Searching for the word "Cookies" in the article, we found the tool the attackers used to steal cookies.

article section showing ChromeKatz as the cookie stealing tool
Answer: ChromeKatz
9. Which phishing technique did the attackers use? Use the report to answer the question.

Searching for the word "technique", we found the main phishing technique the attackers used, as well as more details about their attack.

article section describing ClickFix phishing technique
Answer: ClickFix
10. What is the name of the platform that was used to redirect a user to malicious servers?

According to the report, the attackers used Discord, specifically its authorization bot CaptchaGuard.

Article showing the CaptchaGuard Discord bot used for redirection
Discord platform confirmation in the article
Answer: Discord
Key Takeaways
  • The Relations tab in VirusTotal is where you start: execution chain, dropped files, related hashes, it's all right there.
  • One hash leads to another through shared infrastructure. Following that thread is how you get the full picture of how the deployment actually worked.
  • ClickFix sidesteps attachment scanning by making the victim run the payload themselves: no attachment, nothing to flag.
  • Community notes on VirusTotal are worth reading. Other analysts leave context there that ties IOCs back to actual threat reports.