THOR Process Memory Matches with Surrounding Strings

Following THOR’s approach of showing suspicious elements, it is not feasible to completely avoid false positives. Therefore we always try to provide as much information as possible for an analyst to assess such a suspicious element as quickly as possible.

Users liked the DeepDive feature, in which a string match on a chunk of data includes not only the matching string but also the surrounding strings, which help enormously to evaluate the criticality of a matching YARA signature.

The TechPreview version of THOR 10.6 now introduces this extra information in many other modules. 

The following example shows a false positive in which the string ‘ -p 0x53A4C60B’ matched on the process memory of the ‘svchost.exe’ process with the full command line as ‘svchost.exe -k ClipboardSvcGroup -p’.   

In previous versions of THOR you would only see the matching string, but the new versions also show the 40 bytes before and after the string match (in the example it has been set to 100 bytes by using `--string-context 100`).

This helps analysts to assess the match more easily without having a process memory dump. In the example above, an analyst can review the data block in which the string match occurred and see that it lies within HTML text that has been copied to memory. It could be an analyst system on which someone handling forensic reports copied sections from one document to another, but it’s certainly not the threat that the YARA rule tried to detect.
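The idea of reporting a match together with its surrounding bytes can be sketched as follows. This is an added illustration, not THOR's code; the function names, the markup heuristic and the sample buffer are assumptions constructed for the example.

```python
import re

def printable(data: bytes) -> str:
    """Render bytes for a report line: keep printable ASCII, replace the rest with '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

def matches_with_context(buf: bytes, needle: bytes, context: int = 40):
    """Return one record per occurrence of needle, with up to `context` bytes on each side."""
    hits = []
    for m in re.finditer(re.escape(needle), buf):
        start, end = m.span()
        before = buf[max(0, start - context):start]  # clamp at the start of the buffer
        after = buf[end:end + context]               # slicing clamps at the end of the buffer
        hits.append({
            "offset": start,
            "before": printable(before),
            "match": printable(buf[start:end]),
            "after": printable(after),
        })
    return hits

def in_markup(hit: dict) -> bool:
    """Hypothetical triage hint: does the context around the match contain an HTML tag?"""
    return re.search(r"</?[A-Za-z][^<>]*>", hit["before"] + hit["after"]) is not None

# Constructed sample: a fragment of an HTML report that was copied into memory.
NEEDLE = b" -p 0x53A4C60B"
SAMPLE = (
    b"\x00\x00<td class=\"cmd\">C:\\Windows\\system32\\svchost.exe -k netsvcs"
    b" -p 0x53A4C60B</td>\r\n<td>Report section 4.2</td>\x00\x00"
)

if __name__ == "__main__":
    for hit in matches_with_context(SAMPLE, NEEDLE, context=40):
        print(f"offset {hit['offset']}: {hit['before']}[{hit['match']}]{hit['after']}")
        print("context looks like markup:", in_markup(hit))
```

The closing `</td>` directly after the match is the kind of detail that is invisible when only the matching string is reported.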

This feature will be available in the upcoming THOR TechPreview 10.6.4. 

New Features: Progress Bar and HTML Report Filter Functions

We would like to inform you about three new comfort features that will be available in the upcoming THOR versions including THOR Lite. 

Improved HTML Reports

The new HTML reports allow analysts to filter elements that turn out to be false positives and remove them from the current view. They also add useful lookup functions for VirusTotal, RiskIQ and VALHALLA.

Filter and remove false positives in your analysis

Apply filters directly from the modules menu and reduce the events to events from module X only

Direct lookups on VirusTotal, RiskIQ and VALHALLA right from the report

The new report functions will be available in the upcoming THOR v10.5.10 and THOR TechPreview v10.6.3, which will be released in January 2021. 

Smart Progress Bar

Due to ongoing demand, we’ve added a progress bar to all longer running modules and a progress indicator to all the other modules. So far, we’ve avoided adding a progress bar or any kind of command line output that works with control characters to reduce the risks of side effects caused by THOR running in non-interactive sessions, e.g. with Splunk Forwarders’ scripted input. 

But THOR version 10 is able to determine if it is running in an interactive session and enables the progress bar only in these cases.

Progress bar in “Filescan” module

Progress bar in “Eventlog” module

New Option in Interrupt Menu

Another feature to highlight is the option to skip a module that doesn’t finish or seems to be stalled. 

The interrupt menu (CTRL+C) offers another option (X) to skip the current module and continue with the next one.

THOR Lite – Free YARA and IOC Scanner

We are proud to announce the release of THOR Lite. It is a trimmed-down version of THOR v10 with a reduced feature set and the open source signature base used in LOKI and the now obsolete scanner SPARK Core.

It uses the completely rewritten code base of THOR v10 “Fusion” and is therefore faster, more thorough and stable than SPARK.

 

As you can see in the table below, we’ve come a long way since 2012. We’ve phased out the old THOR version based on Python and SPARK in 2019. Today, we’re replacing the community version of SPARK named SPARK Core with a community version of THOR v10, named THOR Lite. 

There are two main differences between THOR Lite and THOR: 

  1. Reduced feature set
  2. Open source signature base

Apart from that, you’ll get a fully maintained and tested scanner pre-compiled for the Windows, Linux and macOS platforms. Limited support is available via the issues section on the GitHub page for auxiliary scripts.

Upgrading from SPARK Core

There is no direct upgrade path from SPARK Core, since SPARK Core and THOR Lite are completely different products and have different upgrade paths.

New users have to subscribe to the newsletter to get download links and a free license. You can subscribe and download THOR Lite using the link on the product page.

SPARK Core users that already have a valid license can use the following download links to download THOR Lite:

THOR Lite for Windows
THOR Lite for Linux
THOR Lite for macOS

Important: These download packages do not include a license. You need to subscribe on the product page to receive a valid license OR use your existing SPARK Core license with THOR Lite. 

Issues

Please report problems in the issues section of THOR Lite’s helper scripts GitHub page.