Reversing the First Stage I don’t typically tend to reverse engineer Delphi binaries, as most of the malicious software written in Delphi is actually the wrapper/packer for the main payload written in something like C/C++. However, scrolling through Twitter one day, I noticed @abuse.ch replying to a tweet about a somewhat unknown loader currently spreading … Continue reading DBatLoader/ModiLoader Analysis – First Stage

Introduction TrickBot has utilized their own crypting service for some time now and it has been frequently updated over time. The latest version utilizes RC4 with a twist and is also a perfect example for writing a simple unpacker while at the same time being forced to analyze a slightly modified encryption routine. Static Analysis … Continue reading De-crypting a TrickBot Crypter

Despite the fact that VisualBasic is an age-old programming language, it is still being used to develop malicious software - specifically packers - to this day. As a result, you will often encounter VisualBasic based packers used in a lot of “script-kiddie” malware, such as keyloggers and remote access tools being sold on forums, and … Continue reading Unpacking Visual Basic Packers – IcedID

Inside our Zero2Automated course, we didn't really cover how to setup a proper malware analysis environment as it is more of an advanced course rather than a beginner course. However, we had a lot of demand for a post that covers the basics, so this post is all about how I personally setup my VM! … Continue reading Setting Up a Malware Analysis Environment

Author: Zero2Automated Course Team (Theory from courses.zero2auto.com) When analyzing Maldocs, you will mostly be dealing with obfuscated macros, and until a new vulnerability (or “feature”) is discovered and exploited, that is unlikely to change. Therefore, it’s quite important to know how to analyze these macros, both statically, and dynamically. Dynamic analysis is by far the … Continue reading Dealing with Obfuscated Macros, Statically – NanoCore