Hello, thank you for the site, it's very useful. I've been trying to extract IOCs from several Excel files infected with the Emotet/Abracadabra Trojan.
I can successfully extract the IOCs but I noticed that the hash of the downloaded file never corresponds to the hash I requested. On closer inspection it is due to the downloaded file having a few extra bytes at the start.
This happens both with md5 and sha256 hashes.
I can easily fix the hashes by running:
tail -c +13 downloaded_file > fixed_file
For example for the file with sha256 56e665d85d3621e561d7848e2175ff184d81d0543ab5f84675b4a7e2ac7dfa86
tail -c +13 56e665d85d3621e561d7848e2175ff184d81d0543ab5f84675b4a7e2ac7dfa86 > 56e665d85d3621e561d7848e2175ff184d81d0543ab5f84675b4a7e2ac7dfa86.fixed
And I then get the proper results:
Probably this is by design and it's explained somewhere, but since I couldn't find this behavior in the documentation, I'm just asking here to make sure it's not a bug.
Thanks again.
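
The check described in the post, as an added example that is not part of the original post or the site's own tooling: instead of hard-coding 12 bytes, search for the number of leading bytes to skip so that the remainder hashes to the requested SHA-256, and only write the stripped file when a match is found. The function names, the 64-byte search bound and the use of GNU `sha256sum` are assumptions.

```shell
# Added example (not from the post): verify a download against the requested SHA-256.
# Assumes GNU coreutils sha256sum; function names are hypothetical.

# Digest of FILE with its first SKIP bytes dropped (tail -c +N starts at byte N).
sha256_from_offset() {
    tail -c +"$(( $2 + 1 ))" "$1" | sha256sum | cut -d' ' -f1
}

# Print the smallest skip in 0..MAX_SKIP whose digest equals EXPECTED.
# Return 1 and print nothing when no offset matches.
find_hash_offset() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    max_skip=${3:-64}
    skip=0
    while [ "$skip" -le "$max_skip" ]; do
        if [ "$(sha256_from_offset "$file" "$skip")" = "$expected" ]; then
            printf '%s\n' "$skip"
            return 0
        fi
        skip=$(( skip + 1 ))
    done
    return 1
}

# Write the verified payload of FILE to OUT; refuse to write if nothing matches.
fix_download() {
    skip=$(find_hash_offset "$1" "$2") || {
        echo "no offset in 0..64 makes $1 match $2" >&2
        return 1
    }
    tail -c +"$(( skip + 1 ))" "$1" > "$3"
}

# Constructed sample: 12 filler bytes in front of a small payload.
demo() {
    d=$(mktemp -d)
    printf 'constructed payload\n' > "$d/payload"
    { printf 'ABCDEFGHIJKL'; cat "$d/payload"; } > "$d/download"
    find_hash_offset "$d/download" "$(sha256_from_offset "$d/payload" 0)"
    rm -rf "$d"
}
demo  # prints 12
```

A result of 0 means the download already matches the requested hash; a non-zero return means the file should not be treated as the requested sample.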