Blog

Interactive Analysis with ANY.RUN

ANY.RUN is undoubtedly one of my favourite tools when I am investigating a sample of malware. Whether it’s for searching for additional samples, trying to get a basic overview of malware functionality, or even gathering IOCs, ANY.RUN is an extremely useful asset to have in your malware analysis arsenal. The aim of this post is…

DBatLoader/ModiLoader Analysis – First Stage

Reversing the First Stage I don’t typically tend to reverse engineer Delphi binaries, as most of the malicious software written in Delphi is actually the wrapper/packer for the main payload written in something like C/C++. However, scrolling through Twitter one day, I noticed @abuse.ch replying to a tweet about a somewhat unknown loader currently spreading…

De-crypting a TrickBot Crypter

Introduction TrickBot has utilized their own crypting service for some time now and it has been frequently updated over time. The latest version utilizes RC4 with a twist and is also a perfect example for writing a simple unpacker while at the same time being forced to analyze a slightly modified encryption routine. Static Analysis…

Unpacking Visual Basic Packers – IcedID

Despite the fact that VisualBasic is an age-old programming language, it is still being used to develop malicious software – specifically packers – to this day. As a result, you will often encounter VisualBasic based packers used in a lot of “script-kiddie” malware, such as keyloggers and remote access tools being sold on forums, and…

Setting Up a Malware Analysis Environment

Inside our Zero2Automated course, we didn’t really cover how to set up a proper malware analysis environment as it is more of an advanced course rather than a beginner course. However, we had a lot of demand for a post that covers the basics, so this post is all about how I personally set up my VM!…

Dealing with Obfuscated Macros, Statically – NanoCore

Author: Zero2Automated Course Team (Theory from courses.zero2auto.com) When analyzing Maldocs, you will mostly be dealing with obfuscated macros, and until a new vulnerability (or “feature”) is discovered and exploited, that is unlikely to change. Therefore, it’s quite important to know how to analyze these macros, both statically, and dynamically. Dynamic analysis is by far the…

Netwalker Ransomware – From Static Reverse Engineering to Automatic Extraction

Author: Zero2Automated Course Team (preview from courses.zero2auto.com) Netwalker ransomware has been around since at least 2019* and has recently been in the news following a TrendMicro report detailing how it was deployed embedded in a PowerShell script[1]. We will briefly go over how to recover the DLL files from the first script; it contains a large…
