The Importance of Malware Triage

Published: 2023-06-27
Last Updated: 2023-06-27 18:49:59 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

When dealing with malware analysis, you like to get "fresh meat".  Just for hunting purposes or when investigating incidents in your organization, it’s essential to have a triage process to reduce the noise and focus on really interesting files. For example, if you detect a new sample of Agent Tesla, you don’t need to take time to investigate it deeply. Just extract IOCs to share with your colleagues. From a business point of view, you don’t have time to analyze all samples!

How to perform your malware triage? It will help if you have tools for this (executed from a sandbox). There are a lot of tools to achieve this. Still, another critical element is "automation": Your collected samples must feed a pipe of tools that will try to guess the malware family, extract config, … and why not archive and index everything? For this purpose, I'm using a local instance of mwdb[1] (MalwareDB). Coupled with karton [2]. For example, I'm extracting samples from catch-all mailboxes and sending them to the triage process via the REST API's:

Mail > MIME-Extract > mwdb > karton > Analysis modules (sandbox, YARA, ...)

But sometimes, you need to perform a quick analysis of a suspicious file manually, and you need "manual" tools. Recently, Jim (also FOR610 Instructor) found an interesting tool to achieve this task: Qu1ckSc0pe[3]. Why is this tool interesting? It can analyze multiple types of files: Windows, Linux, OSX binaries, Document files, APK files, and Archive files.

Written in Python, such tools usually require a lot of third-party modules and, therefore, are good candidates to be executed from a Docker container (to avoid pollution of your core OS with a lot of files and libraries). A simple Docker file is provided with the tool, but it was impossible to have a stable installation. So, I create my Dockerfile:

FROM ubuntu:22.04
MAINTAINER Xavier Mertens <>

# Update & install required packages
RUN DEBIAN_FRONTEND=noninteractive apt update && apt -y upgrade && apt -y install sudo git python3-pip wget unzip

# Install main app
COPY . .

# Stupid fix to allow non-interactive install
RUN sed -i "s/apt install/DEBIAN_FRONTEND=noninteractive apt -y install/g"
RUN chmod a+x

# Another simple fix to avoid breaking the setup script
RUN ln -s /root /home/root
RUN ./

# Missing dependencies
RUN pip3 install pycryptodome

# Install Radare2
RUN git clone
RUN radare2/sys/

ENTRYPOINT ["/app/"]

How to build the tool?

remnux@remnux:/opt$ git clone

Replace the existing Dockerfile with mine and build the image:

remnux@remnux:/opt/Qu1ckSc0pe$ docker build -t xme/quickscope . 

Now, to use the tool, map a volume containing your samples:

Here is an example against a Word document with a VBA macro:

The Dockerfile must still be fine-tuned (for example, to create a volume to keep the YARA rules updated), but it already does the job.

Qu1ckScope has many features that I did not cover here.  If interested, look at the repository that provides multiple examples of usage.


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

2 comment(s)


<a href="" target="_blank">Python Course in Pune</a>

Diary Archives