ethical.blue Magazine

// Cybersecurity clarified.

Detect File Type of Malware Sample

2022-06-02   Dawid Farbaniec
Sometimes a payload arrives for analysis as a bare binary file: no extension and no information about what it is. In that case you need a tool that identifies the file type from its content rather than its name. This text introduces one such tool, TrID/32 - File Identifier - © 2003-16 by M. Pontello, which matches a file against a database of binary signatures and reports the most likely types with a confidence score.



Here are some sample unidentified files.



Calling the TrID/32 program.
C:\Users\x\Desktop\trid.exe C:\Users\x\Desktop\malware_samples\*.* -ae

Converting the unidentified files to files with an extension (the -ae switch appends the guessed extension to each file name).
TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello

Definitions found:  14616
Analyzing...

File: C:\Users\x\Desktop\malware_samples\14a388b154b55a25c66b1bfef9499b64
64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)

File: C:\Users\x\Desktop\malware_samples\20f2885ae3ffb24d8a905b8714207d5b
61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)

File: C:\Users\x\Desktop\malware_samples\282c9c3ec7ffed97693709297772c923
72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)

File: C:\Users\x\Desktop\malware_samples\29d9976d73aabf191eafe0f8b045cc85
61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)

File: C:\Users\x\Desktop\malware_samples\37f68678914c4b15b4f1768037d3b3a1
64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)

File: C:\Users\x\Desktop\malware_samples\413ca1f198008a2980f7891c059bc188
72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)

File: C:\Users\x\Desktop\malware_samples\459a093eb5e65eaa2ea203129f6fc91b
64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)

File: C:\Users\x\Desktop\malware_samples\81afa08f1a1acfa3fd9f52ecadda2f55
38.0% (.EXE) Win64 Executable (generic) (10523/12/4)

File: C:\Users\x\Desktop\malware_samples\93e11d77cbe4ba9e38b6e4cdb7af8428
72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)

File: C:\Users\x\Desktop\malware_samples\99d846bbf242277134ba3b6cb92ab2eb
72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)

10 file(s) renamed.



Well done, TrID. :-)
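As an added illustration, not TrID's own code (TrID matches files against its signature database), the following Python reproduces the two distinctions visible in the output above: whether a file is a PE image at all, whether it is PE32 or PE32+ (Win32 versus Win64), and whether it carries a CLR runtime header, which is what makes it a ".NET/CIL" executable. The labels, the make_pe builder and the sample headers it produces are constructed here for the demonstration.

```python
import struct

# Labels chosen to mirror the categories TrID reported above (assumption, not TrID's own).
CIL = "Generic CIL Executable (.NET, Mono, etc.)"


def identify(data: bytes) -> str:
    """Classify a blob by its PE header: .NET (CIL), Win64, Win32 or unknown."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "unknown"
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: data directories start at offset 96
        arch, dd_count_off, dd_off = "Win32", opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+: data directories start at offset 112
        arch, dd_count_off, dd_off = "Win64", opt + 108, opt + 112
    else:
        return "unknown"
    if dd_count_off + 4 > len(data):         # truncated optional header: fall back to arch only
        return f"{arch} Executable (generic)"
    n_dirs = struct.unpack_from("<I", data, dd_count_off)[0]
    clr_entry = dd_off + 14 * 8              # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (index 14)
    if n_dirs > 14 and clr_entry + 8 <= len(data):
        rva, size = struct.unpack_from("<II", data, clr_entry)
        if rva and size:                     # a populated CLR header means managed (.NET) code
            return CIL
    return f"{arch} Executable (generic)"


def suggest_name(name: str, data: bytes) -> str:
    """Mirror TrID's -ae: append the guessed extension; leave unknown files untouched."""
    return name if identify(data) == "unknown" else name + ".exe"


def make_pe(pe32plus: bool, clr: bool) -> bytes:
    """Build a constructed, minimal (non-runnable) PE header for testing identify()."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x22)
    dd_off = 112 if pe32plus else 96
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dd_off - 4, 16)                    # NumberOfRvaAndSizes
    if clr:
        struct.pack_into("<II", opt, dd_off + 14 * 8, 0x2008, 0x48)  # constructed CLR header entry
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Real samples can be checked by reading the file in binary mode and passing the bytes to identify(); the constructed headers exist only so the logic can be exercised offline.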

Bibliography

https://mark0.net/soft-trid-e.html [access: 2022-05-23]