ANY.RUN is undoubtedly one of my favourite tools when I am investigating a malware sample. Whether it’s for searching for additional samples, trying to get a basic overview of malware functionality, or even gathering IOCs, ANY.RUN is an extremely useful asset to have in your malware analysis arsenal. The aim of this post is …
DBatLoader/ModiLoader Analysis – First Stage
Reversing the First Stage I don’t typically reverse engineer Delphi binaries, as most of the malicious software written in Delphi is actually the wrapper/packer for a main payload written in something like C/C++. However, scrolling through Twitter one day, I noticed @abuse.ch replying to a tweet about a somewhat unknown loader currently spreading …
De-crypting a TrickBot Crypter
Introduction TrickBot has utilized its own crypting service for some time now, and it has been updated frequently over time. The latest version uses RC4 with a twist, and it is also a perfect example for writing a simple unpacker while being forced to analyze a slightly modified encryption routine at the same time. Static Analysis …
Unpacking Visual Basic Packers – IcedID
Despite the fact that Visual Basic is an age-old programming language, it is still being used to develop malicious software, specifically packers, to this day. As a result, you will often encounter Visual Basic based packers in a lot of “script-kiddie” malware, such as keyloggers and remote access tools sold on forums, and …
Setting Up a Malware Analysis Environment
Inside our Zero2Automated course, we didn't really cover how to set up a proper malware analysis environment, as it is more of an advanced course than a beginner course. However, we had a lot of demand for a post covering the basics, so this post is all about how I personally set up my VM! …
Dealing with Obfuscated Macros, Statically – NanoCore
Author: Zero2Automated Course Team (theory from courses.zero2auto.com) When analyzing maldocs, you will mostly be dealing with obfuscated macros, and until a new vulnerability (or “feature”) is discovered and exploited, that is unlikely to change. Therefore, it’s quite important to know how to analyze these macros, both statically and dynamically. Dynamic analysis is by far the …
Netwalker Ransomware – From Static Reverse Engineering to Automatic Extraction
Author: Zero2Automated Course Team (preview from courses.zero2auto.com) Netwalker ransomware has been around since at least 2019* and has recently been in the news following a Trend Micro report detailing it being embedded in a PowerShell script[1]. We will briefly go over how to recover the DLL files from the first script; it contains a large …