
Invite Only Tryhackme Walkthrough

We investigate suspicious indicators flagged during an incident response investigation. Using VirusTotal, we analyze a malicious hash and IP address to uncover related files, execution chains, and dropped malware. The investigation ultimately reveals the AsyncRAT malware family and links the activity to a real-world threat report.

👋 Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics—based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions — I am more than happy to help.

Tryhackme Room

You are a SOC analyst on the SOC team at Managed Server Provider TrySecureMe. Today, you are supporting an L3 analyst in investigating flagged IPs, hashes, URLs, or domains as part of IR activities. One of the L1 analysts flagged two suspicious findings early in the morning and escalated them. Your task is to analyse these findings further and distil the information into usable threat intelligence.

Flagged IP: 101[.]99[.]76[.]120
Flagged SHA256 hash: 5d0509f68a9b7c415a726be75a078180e3f02e59866f193b0a99eee8e39c874f

We recently purchased a new threat intelligence search application called TryDetectThis2.0. You can use this application to gather information on the indicators above.

Just start the Virtual Machine by clicking “Start Virtual Machine.” Once the VM is booted up, double-click the launcher on the desktop to start the TryDetectThis2.0 application. It will open VirusTotal.

Answer the questions below

1. What is the name of the file identified with the flagged SHA256 hash?

Ans: syshelpers.exe

2. What is the file type associated with the flagged SHA256 hash?

Ans: Win32 EXE

3. What are the execution parents of the flagged hash? List the names chronologically, using a comma as a separator. Note down the hashes for later use.

Ans: 361GJX7J,installer.exe

Under the “Relations” tab:

We can see the domains and IPs this malware file contacted, as well as its execution parents, bundled files and dropped files.

Copy both hash values of the execution parent files:

047c5eec0445746862710d20e50a5dd04510b7e625fa5c1f5d48ce078001c0de - 361GJX7J
fa102d4e3cfbe85f5189da70a52c1d266925f3efd122091cdc8fe0fc39033942 - installer.exe

4. What is the name of the file being dropped? Note down the hash value for later use.

Ans: Aclient.exe

Dropped file of syshelpers.exe:
dd02c105809e4ca41a5489e585ba025eddb89a91703b73a566c9903e6406a08c - AClient.exe

5. Research the second hash in question 3 and list the four malicious dropped files in the order they appear (from up to down), separated by commas.

Ans: searchhost.exe,syshelpers.exe,nat.vbs,runsys.vbs

installer.exe hash value lookup

6. Analyse the files related to the flagged IP. What is the malware family that links these files?

Ans: asyncrat

Looking up the IP, we observe multiple files that communicated with it during execution.

Analysing each file individually, all of them carry the same malware family label, AsyncRAT, indicating shared malware infrastructure.
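The hash and IP pivots done by hand above (Relations tab: execution parents and dropped files of the flagged hash; communicating files of the flagged IP, then checking their family labels) are the same relationship lookups VirusTotal exposes through its v3 REST API. The following script is an added example and is not code from the walkthrough or from TryHackMe. The endpoints, the `x-apikey` header and the `popular_threat_classification.suggested_threat_label` field are the real VirusTotal v3 API; the `SAMPLE_RESPONSES` dictionary is constructed sample data (the hashes and file names are the ones from this walkthrough, while the detection counts, the `razy`/`msil` variant suffixes and the placeholder SHA256 values are made up) so the example runs offline. `live_fetch` is an assumed helper name, not a VT library function.

```python
"""Added example: pivot on VirusTotal v3 relationships (file -> execution parents,
file -> dropped files, IP -> communicating files) and take the malware-family
consensus, mirroring the manual Relations-tab investigation."""
import json
import urllib.request
from collections import Counter
from typing import Any, Callable, Dict, List, Optional

VT_BASE = "https://www.virustotal.com/api/v3"
FLAGGED_HASH = "5d0509f68a9b7c415a726be75a078180e3f02e59866f193b0a99eee8e39c874f"
FLAGGED_IP = "101.99.76.120"

Fetch = Callable[[str], Dict[str, Any]]


def live_fetch(api_key: str) -> Fetch:
    """Assumed helper: return a fetcher that calls the real VT v3 API with your key."""
    def fetch(path: str) -> Dict[str, Any]:
        req = urllib.request.Request(f"{VT_BASE}{path}?limit=40",
                                     headers={"x-apikey": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def offline_fetch(path: str) -> Dict[str, Any]:
    """Serve constructed responses keyed by API path so the example runs offline."""
    return SAMPLE_RESPONSES[path]


def _file(sha256: str, name: str, label: Optional[str], malicious: int) -> Dict[str, Any]:
    # Shape mirrors a VT v3 file object; the values are constructed sample data.
    attrs: Dict[str, Any] = {"meaningful_name": name,
                             "last_analysis_stats": {"malicious": malicious}}
    if label:
        attrs["popular_threat_classification"] = {"suggested_threat_label": label}
    return {"type": "file", "id": sha256, "attributes": attrs}


# Constructed sample responses: hashes/names from the walkthrough, everything else made up.
SAMPLE_RESPONSES: Dict[str, Dict[str, Any]] = {
    f"/files/{FLAGGED_HASH}/execution_parents": {"data": [
        _file("047c5eec0445746862710d20e50a5dd04510b7e625fa5c1f5d48ce078001c0de",
              "361GJX7J", "trojan.asyncrat/msil", 41),
        _file("fa102d4e3cfbe85f5189da70a52c1d266925f3efd122091cdc8fe0fc39033942",
              "installer.exe", "trojan.asyncrat/msil", 38),
    ]},
    f"/files/{FLAGGED_HASH}/dropped_files": {"data": [
        _file("dd02c105809e4ca41a5489e585ba025eddb89a91703b73a566c9903e6406a08c",
              "AClient.exe", "trojan.asyncrat/msil", 52),
    ]},
    f"/ip_addresses/{FLAGGED_IP}/communicating_files": {"data": [
        _file("<constructed-sha256-1>", "searchhost.exe", "trojan.asyncrat/razy", 44),
        _file(FLAGGED_HASH, "syshelpers.exe", "trojan.asyncrat/msil", 47),
        _file("<constructed-sha256-2>", "<unlabelled-sample>", None, 0),  # no family label
    ]},
}


def family_from_label(label: Optional[str]) -> Optional[str]:
    """'trojan.asyncrat/msil' -> 'asyncrat' (VT uses category.family/variant)."""
    if not label:
        return None
    return label.split(".", 1)[-1].split("/", 1)[0].lower()


def related_files(fetch: Fetch, object_path: str, relationship: str) -> List[Dict[str, Any]]:
    """Flatten one VT relationship listing into sha256 / name / family / detections."""
    rows = []
    for obj in fetch(f"{object_path}/{relationship}").get("data", []):
        attrs = obj.get("attributes", {})
        label = (attrs.get("popular_threat_classification") or {}).get("suggested_threat_label")
        rows.append({
            "sha256": obj.get("id"),
            "name": attrs.get("meaningful_name") or "<unnamed>",
            "family": family_from_label(label),
            "malicious": (attrs.get("last_analysis_stats") or {}).get("malicious", 0),
        })
    return rows


def execution_parents(fetch: Fetch, sha256: str) -> List[Dict[str, Any]]:
    return related_files(fetch, f"/files/{sha256}", "execution_parents")


def dropped_files(fetch: Fetch, sha256: str) -> List[Dict[str, Any]]:
    return related_files(fetch, f"/files/{sha256}", "dropped_files")


def communicating_files(fetch: Fetch, ip: str) -> List[Dict[str, Any]]:
    return related_files(fetch, f"/ip_addresses/{ip}", "communicating_files")


def family_consensus(files: List[Dict[str, Any]]) -> Optional[str]:
    """Most common family across the related files, ignoring unlabelled ones."""
    counts = Counter(f["family"] for f in files if f["family"])
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    fetch: Fetch = offline_fetch  # swap for live_fetch("<your VT API key>") for real lookups
    for p in execution_parents(fetch, FLAGGED_HASH):
        print("parent :", p["name"], p["sha256"], p["malicious"])
    for d in dropped_files(fetch, FLAGGED_HASH):
        print("dropped:", d["name"], d["sha256"], d["malicious"])
    talkers = communicating_files(fetch, FLAGGED_IP)
    print("family consensus for", FLAGGED_IP, "->", family_consensus(talkers))
```

The consensus step ignores files without a `suggested_threat_label` rather than counting them as a different family, which is the practical reading of "all analysed files share the same label": undetected or unlabelled neighbours of an IP should not dilute the verdict, but they are also not evidence for it. With a real key the same functions run against the live API by replacing `offline_fetch` with `live_fetch`.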

7. What is the title of the original report where these flagged indicators are mentioned? Use Google to find the report.

Ans: From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery

https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/

8. Which tool did the attackers use to steal cookies from the Google Chrome browser?

Ans: ChromeKatz

9. Which phishing technique did the attackers use? Use the report to answer the question.

Ans: ClickFix

10. What is the name of the platform that was used to redirect a user to malicious servers?

Ans: Discord


Thank you for reading this walkthrough—I hope you enjoyed it!