The third and final part in our series on the new Pikabot core! In this stream complete our custom emulator to automatically extract encrypted strings from the malware and create a few yara rules for hunting.
Fun fact, the string extractor also works on the Pikabot loader!
Sample
39d6f7865949ae7bb846f56bff...
2023-12-02 02:42:47 +0000 UTC
View Post
The second part in our series on the new Pikabot core! In this stream we begin to build a custom emulator to automatically extract encrypted strings from the malware.
Just a heads up... at the end of the stream I run into a very obvious bug that I don't solve until the next stream... if you spot it feel free to ye...
2023-12-02 02:40:27 +0000 UTC
View Post
Pikabot is back! New loader, new string encryption, indirect syscalls and more! Join us for our initial triage of the core module. In this stream we focus on the dynamic API resolution and string decryption. The majority of the stream we are using some tricks in x64dbg to automatically decrypt the strings, next stream w...
2023-11-18 16:12:52 +0000 UTC
View Post
In this Twitch stream we continue our work on an automated string recover tool for ADVObfuscator by extending it to handle custom variants with globals and AVX instructions.
Samples
- 765d19b4728008c1589f222d1fa49f1cb7310204c7a4574eb9f930d0544bed7b
- 3a987fd51423f186242c3fbbdab59113c1...
2023-11-05 21:52:12 +0000 UTC
View Post
In this Twitch stream we begin building a tool to assist with string recovery for malware that is protected with ADVObfuscator.
Since ADVObfuscator is an open source tool we built our own test sample instead of using malware when dev...
2023-11-05 21:46:17 +0000 UTC
View Post
In this Twitch stream we build a config extractor for Mystic Stealer that is able to handle their "custom" obfuscation.
NOTE: We are troubleshooting some issues with Patreon video embeds. If you can't see/watch the video please let me know (comment or DM, whichever you prefer).
Samples
2023-10-24 14:00:05 +0000 UTC
View Post
In this Twitch stream we continue our previous work on Garble Go string decryption to tackle another type of obfuscator used for GoLang that creates in-line obfuscated strings (similar to ADV) instead...
2023-10-18 13:00:32 +0000 UTC
View Post
In this Twitch stream we extend our previous work on Garble Go string decryption to tackle another type of obfuscator used for GoLang that creates in-line obfuscated strings (similar to ADV) instead o...
2023-10-18 12:59:20 +0000 UTC
View Post
A light Twitch stream taking a look at possibly world's worst cryptor... totally FUD until you upload to VirusTotal lol! This is just a silly stream but sometimes you have to call it out when you see it ... we will be back on schedule next week!
Samples
2023-09-26 15:30:01 +0000 UTC
View Post
In this Twich stream we take a closer look at Limerat and open source .NET RAT that has become very popular. Our goal is to build a stand alone configuration extractor that will extract all of the config settings not just the C2!
Samples
2023-09-26 15:01:01 +0000 UTC
View Post
In this Twitch stream we continue our efforts to recover strings encrypted with the Garble GoLang obfuscator. We manage to identify a common pattern that not only allows us to identify Go samples where Garble has been used but also provides a pattern match for our string decryption tool.
Spoiler alert - we have a ...
2023-09-01 14:35:01 +0000 UTC
View Post
In this Twitch stream we take a look at Bandit, a new infostealer written in GO that primarily targets browser credentials and crypto wallets. The collected information is uploaded to Telegram with the operator's telegram ID and channel ID hard coded in the binary but there is a separate C2 hosted panel which we have some fun...
2023-09-01 14:30:02 +0000 UTC
View Post
Emulating The Windows Environment
This is the last part in our five-part tutorial series on emulation. In this module we learn how to use a full User-Mode emulator capable of running a PE file. The focus is mainly on Dumpulator and its applications vs. Unicorn (and other CPU only emulators). The module is accompanied ...
2023-08-29 22:35:04 +0000 UTC
View Post
Advanced Unicorn Techniques
This is the fourth part in our five-part tutorial series on emulation. In this module we expand our capabilities with Unicorn using the Unicorn hooks. We build a tracing engine and lay the groundwork for a full binary instrumentation tool. The module is accompanied by a live demo and a lab ...
2023-08-29 22:23:16 +0000 UTC
View Post
Reverse Engineering With Emulation
This is the third part in our five-part tutorial series on emulation. In this module we learn how to apply emulation to common reverse engineering tasks. The module is accompanied by a live demo and a lab that builds on the concepts we discuss.
Please Note - Ba...
2023-08-29 22:15:39 +0000 UTC
View Post
Unicorn CPU Emulator
This is the second part in our five-part tutorial series on emulation. In this module we learn how to use the Unicorn emulator for simple emulation tasks. The module is accompanied by a live demo and a lab that builds on the concepts we discuss.
References
- Unicorn Ov...
2023-08-29 21:59:13 +0000 UTC
View Post
Emulator Fundamentals
This is the first part in our five-part tutorial series on emulation. In this module we begin by learning how an emulator works under the hood. The module is accompanied by a live demo and a lab that builds on the concepts we discuss.
References
- Windows Stack Over...
2023-08-29 21:42:04 +0000 UTC
View Post
In this stream we take a look at a lightly obfuscated version of Glupteba. This malware has multiple components but our focus is on the loader.
Samples
In this stream we take a look at this RootTeam is a GO stealer that can be built via a Telegram channel. Originally we confused this with BanditStealer but it is separate ... also we try of this neat GO symbol recovery tool GO IDA parser!
Samp...
2023-08-20 01:16:16 +0000 UTC
View Post
In this stream we take a look at TruBot which has been in the news thanks to a recent Cybersecurity and Infrastructure Security Agency (CISA) report. Stick around for some ... interesting ... yara rules lol.
Sample
2023-07-27 17:49:30 +0000 UTC
View Post
In this stream we take a look at a new stealer that might be named "StatusRecorder" according to its C2 panel? The malware itself is very straight forward and we quickly create a Yara rule and start hunting for similar samples...
Heads Up!
At the beginning of the stream we discover some unusual connections betwe...
2023-07-24 15:00:05 +0000 UTC
View Post
In this stream we take a close look at a multi-stage malware delivery system which is used to prepare the target so the final payload is not detected. There are a few tricky parts but this is a very accessible stream... N00bs Night!
Samples
2023-07-19 18:11:20 +0000 UTC
View Post
This is a bit of a different stream where we investigate a novel idea from @mishap where emulation is performed only on memory based instructions. The concept is that this may end up being a useful (fast) tool for generic string decryption problems.
T...
2023-07-18 00:48:33 +0000 UTC
View Post
This is a crazy 7h long dev stream! We probably won't do another one of these but if you like you can watch in real time I as build a generic string decryption tool for the xorstr library.
What?
The idea for this tool was developed over the past few streams and I just wanted to test it out. In the end this appro...
2023-07-06 01:49:00 +0000 UTC
View Post
In this twitch stream we continue our analysis of RisePro but shift our focus to the string encryption library xorstr. The main focus of this stream is investigating use of the xorstr library in malware and building a universal string decryption tool... this is the stream that kicks off our exciting/boring series of developme...
2023-07-05 18:20:40 +0000 UTC
View Post
In this twitch stream we take a look at RisePro a stealer that shares a lot of code with PrivateLoader. The main focus of the stream is investigating the similarities between PrivateLoader and RisePro but we also create a simple string decryption and attempt to build a decent Yara rule.
Samples
2023-07-05 18:14:30 +0000 UTC
View Post
In this Twitch stream we continue our triage of this new loader that uses AMSI bypasses to avoid detection. In this part we focus on the injected X64 shell code. The shell code uses relative offsets to access data within itself which poses some challenges for IDA, and it contains multiple encrypted strings as well as another ...
2023-06-20 15:01:02 +0000 UTC
View Post
In this Twitch stream we begin to triage a new loader that uses AMSI bypasses to avoid detection. The loader itself is .NET but as we dig deeper we discover that the AMSI bypass is implemented in PowerShell, native X64 shell code is used (no yet analyzed) and the final payload is a Async RAT.
For the first half of the s...
2023-06-20 14:59:02 +0000 UTC
View Post
Join us as you help us rank the worst malware we have ever reverse engineered!
Special thanks to @huettenhain for helping to host, and everyone who sent us submissions and voted in the chat!
đ Congrats to 2023-06-15 14:59:02 +0000 UTC
View Post