In this twitch stream we take another look at Guloader's VEH obfuscation using Dumpulator. With Dumpulator we are able to bypass the obfuscation to extract the encrypted strings, as well as create a simple instruction ...
2023-01-26 19:17:48 +0000 UTC
View Post
In this twitch stream we explore some of the more advanced features available for emulation with unicorn. We revisit Guloader for a fifth time and write a fully automated string decryption script with the emulator.
Sample
2023-01-13 19:34:18 +0000 UTC
View Post
In this twitch stream we take a fourth look at Guloader and finally fully deobfuscate the control flow (VEH redirect) and write a simple string decryptor.
This stream is sort of a wrap up of all the previous streams, we fully fix the control flow obfuscation and use an IDA plugin to removed...
2023-01-13 19:29:16 +0000 UTC
View Post
In this twitch stream we take a third look at Guloader and begin our analysis of the final stage shell code. The code has been updated from the first sample we looked at but some of the same structure is present which helps with analysis (bindiff!).
Heads up: Once we get st...
2023-01-13 19:19:47 +0000 UTC
View Post
This stream was a bit different... we invited eight reverse engineers on to answer your questions! Due to the nature of the stream the VOD has been edited into segments that are loosely organized around a specific question.
A big thanks to everyone who joined to help us out!
<...
2022-12-28 04:34:55 +0000 UTC
View Post
In this twitch stream we take a second look at Guloader with a focus on its highly obfuscated delivery chain. An NSIS loader is used to execute multiple layers of obfuscated PowerShell which eventually lead to the Guloader shell code.
The goal of this stream is to better understand the obfu...
2022-12-20 05:23:04 +0000 UTC
View Post
In this twitch stream we take on Guloader. Our approach combines both static and dynamic analysis to bypass the the numerous anti-analysis techniques which make this malware infamous.
The stream goal is not a full analysis of all of the anti-analysis tricks (10 streams later lol) but ...
2022-12-20 04:54:21 +0000 UTC
View Post
In this twitch stream we collaborate with @BoymoderRE and take a second look at Brute Ratel. We are using IDArling to share IDB files and whil...
2022-12-20 02:41:09 +0000 UTC
View Post
In this twitch stream we continue our GoLang reverse engineering journey with a focus on static extraction of strings with Python. The malware sample we will be testing our methods on is called Titan Stealer, a credential stealer that is sold openly on the internet.
Sample
2022-12-06 23:26:08 +0000 UTC
View Post
In this twitch stream we start to take a serious look at reverse engineering GoLang malware. We use the Laplas Clipper malware to test some IDA tools and generally get a better understanding of how to approach GO.
Note: The stream starts a bit slow and we spend the first 45...
2022-12-06 18:56:36 +0000 UTC
View Post
In this twitch stream we attempt our first ever N00bs Night where we cover simple reverse engineering topics with an aim to make the stream accessible to everyone! That being said... I'm not sure how well we succeeded 😅
The first half deals with extracting shell code fro...
2022-11-28 03:55:23 +0000 UTC
View Post
In this twitch stream we take a look at Tofsee a simple spambot written in C++ with a funny string encryption trick. We also discuss some methods for automatically locating string references in assembly.
Samples
2022-11-28 03:49:09 +0000 UTC
View Post
In this twitch stream we use AgentTesla as an example to learn more about automated .NET parsing using dnlib and Python. We are able to locate and decrypt the strings table protected with the open source .NET obfuscator called obfuscar.
Samples
2022-11-20 18:57:18 +0000 UTC
View Post
In this twitch stream we take a look at a new variant of Amadey with an emphasis on putting our new C++ STL reversing skill to the test. We manage to create a very clean marked up IDB which significantly speeds up our RE!
Sample
18A38FA6F5B306243D99621556AF948A61DAED29619AB755E2...
2022-11-20 18:52:20 +0000 UTC
View Post
In this twitch stream we attempt to define a repeatable process for identifying MSVC STL types in compiled C++. Dealing with these types has been an issue for us during previous malware analysis adventures and we want to figure out a sane approach... though we do make some headway we are ul...
2022-11-08 04:06:32 +0000 UTC
View Post
In this twitch stream we conclude our three-part series on analyzing RitRat, a C++ RAT that is sold and generally used for eCrime activity but has also been linked to nation-stage backed targeted attacks.
The functionality of this RAT is fairly straight forward but its use of the C++ Standa...
2022-10-30 03:11:19 +0000 UTC
View Post
In this twitch stream we continue our three-part series on analyzing RitRat, a C++ RAT that is sold and generally used for eCrime activity but has also been linked to nation-stage backed targeted attacks.
The functionality of this RAT is fairly straight forward but its use of the C++ Standa...
2022-10-30 03:07:10 +0000 UTC
View Post
In this twitch stream we take our first look at RitRat, a C++ RAT that is sold and generally used for eCrime activity but has also been linked to nation-stage backed targeted attacks.
The functionality of this RAT is fairly straight forward but its use of the C++ Standard Template Library m...
2022-10-30 02:59:31 +0000 UTC
View Post
In this twitch stream we complete our mini two part series on Threat Intelligence by building a simple malware tracker for DbatLoader.
Notes
2022-10-30 02:35:54 +0000 UTC
View Post
In this twitch stream we talk about what Threat Intelligence means in practice; how companies use intelligence products, how the products are developed, and how reverse engineering malware fits into the picture...
This is Part 1 of a two part series where we build a simple botnet tracker fo...
2022-10-16 23:02:35 +0000 UTC
View Post
In this twitch stream we take a look at a new .NET RAT openly sold as Icarus. The stream takes an interesting turn when we discover the C2 infrastructure is incorrectly configured...
Samples
2022-10-16 22:58:26 +0000 UTC
View Post
In this twitch stream we take a look at Gozi / ISFB / RM3 etc. and develop a config extractor which works on the latest variants. This is mostly a coding stream where we update an old extractor and make it work with modern samples.
Samples
2022-10-16 22:54:41 +0000 UTC
View Post
This is the third and final part in our three-part series on process memory with a focus on tracking memory with a debugger. In this tutorial we look at process memory protections and specifically how the PAGE_GUARD works, and what a memory "breakpoint" is in x64dbg.
Further Reading
2022-10-16 02:05:53 +0000 UTC
View Post
This is the second part in our short three-part series on process memory with a focus on tracking memory with a debugger. In this tutorial we look at the heap and how to investigate heap memory with x64dbg.
Further Reading
In this Twitch stream we take a look at the recently leaked LockBit Ransomware Builder. We compare our previous RE analysis of the ransomware binary with the actual builder config (some surprises, but we were mostly correct). And we take a look the possibility of the building being used by indivi...
2022-09-26 18:38:33 +0000 UTC
View Post
This is the first in a short three-part series on memory allocation with a focus on tracking memory with a debugger. In this tutorial we look at the basics, how is memory allocated, and how to follow memory allocations with x64dbg.
Further Reading
In this Twitch stream we take a look at a simple malware (great for practicing RE) that is used to steal crypto by substituting wallet addresses that are copy pasted from the clipboard.
We analyze the malware functionality and build some static detection with a Yara rule so we can gen...
2022-09-22 16:56:05 +0000 UTC
View Post
In this twitch stream we take a look at PrivateLoader, a pay-per-install malware that contains a lot of anti-analysis tricks (junk code, stack strings, etc.) Our main focus in the stream is building a working string decryption tool that doesn't rely on IDA.
Sample
2022-09-22 16:50:55 +0000 UTC
View Post
In this twitch stream we take a look at dbatloader, a simple Delphi downloader that is used to download and execute other malware. This would be a straightforward analysis except the binary is written in Delphi and requires a lot of time to untangle... jump ahead to around 3:30 to get to the part...
2022-09-22 16:40:57 +0000 UTC
View Post
The conclusion to our analysis of SmokeLoader! All the secrets are revealed and it's grrr-eat! We finally figure out the missing piece for the API hashes and resolve them. This leads us to the missing piece of the puzzle for extracting Stage 3 - LZSA2 decompression!
Once we have decry...
2022-09-03 04:37:38 +0000 UTC
View Post