# Yellow RAT Lab

Q1) Understanding the adversary helps defend against attacks. What is the name of the malware family that causes abnormal network traffic?

After uploading the hash to VirusTotal, navigate to the `Relations` tab and explore the Graph Summary. This will help you visualize the relationships and associations of the file.

In VirusTotal, under the `Relations` tab, find the Graph Summary and select the PEDLL icon. Use the Visualization to view the Tree representation, where you will see how the malware is detected and linked to the family.

Q2) As part of our incident response, knowing common filenames the malware uses can help scan other workstations for potential infection. What is the common filename associated with the malware discovered on our workstations?

Start by uploading the hash to VirusTotal and navigate to the `Details` tab.

In the `Details` tab, look for the `Names` section. The first DLL file listed here is the common filename used by this malware.

Q3) Determining the compilation timestamp of malware can reveal insights into its development and deployment timeline. What is the compilation timestamp of the malware that infected our network?

Upload the hash to VirusTotal and begin your analysis by exploring the `Details` tab. This tab contains critical information about the file.

In the `Details` tab, scroll down to the `Portable Executable info` section. Here, you will find the `Compilation Timestamp`, which indicates when the malware was created.

Q4) Understanding when the broader cybersecurity community first identified the malware could help determine how long the malware might have been in the environment before detection. When was the malware first submitted to VirusTotal?

After uploading the hash to VirusTotal, navigate to the `Details` tab to explore the file’s history.

In the `Details` tab, look for the `First Submission` date under the `History` section. This will tell you when the malware was first submitted to VirusTotal.

Q5) To completely eradicate the threat from Industries' systems, we need to identify all components dropped by the malware. What is the name of the .dat file that the malware dropped in the AppData folder?

Try exploring the `Community` tab for threat intelligence reports that offer detailed insights into the malware's behavior, such as dropped files.

In the VirusTotal Community tab, review this Red Canary report for details on dropped files in the AppData folder: <https://redcanary.com/blog/threat-intelligence/yellow-cockatoo/>

Q6) It is crucial to identify the C2 servers with which the malware communicates to block its communication and prevent further data exfiltration. What is the C2 server that the malware is communicating with?

After uploading the hash to VirusTotal, navigate to the `Behavior` tab. This tab provides insight into the malware's actions, including network communication.

In the `Behavior` tab, go to the `Activity Summary` section and look under `Network Communications`. Here, you'll find the `Memory Pattern URLs`, which reveal the C2 server the malware is communicating with.
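The same fields the walkthrough reads from the VirusTotal web UI (Q2, Q3, Q4 and Q6) can be pulled from the VirusTotal v3 API during incident response instead of clicking through tabs. The script below is an added example, not part of the lab or of VirusTotal; it runs offline on a constructed response whose attribute names (`names`, `pe_info.timestamp`, `first_submission_date`, `memory_pattern_urls`) follow the v3 file object and behaviour summary as I understand them, and every value in it is a placeholder rather than an indicator from this lab.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in the shape of GET /api/v3/files/{sha256}; placeholder values only.
SAMPLE_FILE_OBJECT = json.loads("""{
  "data": {
    "id": "<sha256-placeholder>",
    "type": "file",
    "attributes": {
      "names": ["dropper_placeholder.dll", "payload_placeholder.exe"],
      "first_submission_date": 1600000000,
      "pe_info": {"timestamp": 1590000000}
    }
  }
}""")

# Constructed sample in the shape of GET /api/v3/files/{sha256}/behaviour_summary.
SAMPLE_BEHAVIOUR_SUMMARY = json.loads("""{
  "data": {
    "memory_pattern_urls": ["https://c2.example.invalid/api/check",
                            "http://cdn.example.invalid/x",
                            "https://c2.example.invalid/beacon"]
  }
}""")


def epoch_to_utc(ts):
    """VirusTotal reports timestamps as Unix epoch seconds; render them in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def first_dll_name(file_obj):
    """Q2: first .dll entry in Details > Names (None if no DLL name is recorded)."""
    names = file_obj["data"]["attributes"].get("names", [])
    return next((n for n in names if n.lower().endswith(".dll")), None)


def compilation_timestamp(file_obj):
    """Q3: Details > Portable Executable info > Compilation Timestamp."""
    ts = file_obj["data"]["attributes"].get("pe_info", {}).get("timestamp")
    return epoch_to_utc(ts) if ts is not None else None


def first_submission(file_obj):
    """Q4: Details > History > First Submission."""
    ts = file_obj["data"]["attributes"].get("first_submission_date")
    return epoch_to_utc(ts) if ts is not None else None


def c2_hosts(behaviour):
    """Q6: distinct hostnames from Behavior > Network Communications > Memory Pattern URLs."""
    hosts = []
    for url in behaviour["data"].get("memory_pattern_urls", []):
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts
```

Feed the hostnames from `c2_hosts` into your blocklist review rather than treating them as verdicts; memory pattern URLs can include benign infrastructure alongside the C2.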
