The third and final part in our series on the new Pikabot core! In this stream complete our custom emulator to automatically extract encrypted strings from the malware and create a few yara rules for hunting.
Fun fact, the string extractor also works on the Pikabot loader!
Sample
39d6f7865949ae7bb846f56bff4f62a96d7277d2872fec68c09e1227e6db9206
Notes
2023-12-02 02:42:47 +0000 UTC
View Post
The second part in our series on the new Pikabot core! In this stream we begin to build a custom emulator to automatically extract encrypted strings from the malware.
Just a heads up... at the end of the stream I run into a very obvious bug that I don't solve until the next stream... if you spot it feel free to yell at the screen 😅
Sample
39d6f7865949ae7bb846f56bff4f62a96d7277d2872fec68c09e1227e6db9206
Notes...
2023-12-02 02:40:27 +0000 UTC
View Post
Pikabot is back! New loader, new string encryption, indirect syscalls and more! Join us for our initial triage of the core module. In this stream we focus on the dynamic API resolution and string decryption. The majority of the stream we are using some tricks in x64dbg to automatically decrypt the strings, next stream we will attack this statically.
Stay tuned to the end for a surprise (last 10 min!).
Sample
39...
2023-11-18 16:12:52 +0000 UTC
View Post
In this Twitch stream we continue our work on an automated string recover tool for ADVObfuscator by extending it to handle custom variants with globals and AVX instructions.
Samples
- 765d19b4728008c1589f222d1fa49f1cb7310204c7a4574eb9f930d0544bed7b
- 3a987fd51423f186242c3fbbdab59113c11d4ac67109e90ab948d5d0591699fb
- a08c766724927d41cf29f736eca1ef557ba45debd3e29fa066180ec66426dc4f
- ...
2023-11-05 21:52:12 +0000 UTC
View Post
In this Twitch stream we begin building a tool to assist with string recovery for malware that is protected with ADVObfuscator.
Since ADVObfuscator is an open source tool we built our own test sample instead of using malware when developing the tool. Notes with source code can be found here...
In this Twitch stream we build a config extractor for Mystic Stealer that is able to handle their "custom" obfuscation.
NOTE: We are troubleshooting some issues with Patreon video embeds. If you can't see/watch the video please let me know (comment or DM, whichever you prefer).
Samples
2023-10-24 14:00:05 +0000 UTC
View Post
In this Twitch stream we continue our previous work on Garble Go string decryption to tackle another type of obfuscator used for GoLang that creates in-line obfuscated strings (similar to ADV) instead of using functions.
This is really a development stream with a lot of distractions along the way but in the end w...
2023-10-18 13:00:32 +0000 UTC
View Post
In this Twitch stream we extend our previous work on Garble Go string decryption to tackle another type of obfuscator used for GoLang that creates in-line obfuscated strings (similar to ADV) instead of using functions. The source/name of the obfuscator is currently unknown but the obfuscation pattern in the compiled bi...
2023-10-18 12:59:20 +0000 UTC
View Post
A light Twitch stream taking a look at possibly world's worst cryptor... totally FUD until you upload to VirusTotal lol! This is just a silly stream but sometimes you have to call it out when you see it ... we will be back on schedule next week!
Samples
11c38fc24bf7b29cd6e974670bc11d7f92af124d8b7edcd89482500f4de3d442...
2023-09-26 15:30:01 +0000 UTC
View Post
In this Twich stream we take a closer look at Limerat and open source .NET RAT that has become very popular. Our goal is to build a stand alone configuration extractor that will extract all of the config settings not just the C2!
Samples
6d08ed6acac230f41d9d6fe2a26245eeaf08c84bc7a66fddc764d82d6786d334
Notes
<...
2023-09-26 15:01:01 +0000 UTC
View Post
In this Twitch stream we continue our efforts to recover strings encrypted with the Garble GoLang obfuscator. We manage to identify a common pattern that not only allows us to identify Go samples where Garble has been used but also provides a pattern match for our string decryption tool.
Spoiler alert - we have a nice PoC tool by the end of the stream : )
Samples
2023-09-01 14:35:01 +0000 UTC
View Post
In this Twitch stream we take a look at Bandit, a new infostealer written in GO that primarily targets browser credentials and crypto wallets. The collected information is uploaded to Telegram with the operator's telegram ID and channel ID hard coded in the binary but there is a separate C2 hosted panel which we have some fun exploring...
One of the main themes that emerges from this stream is how to deal with GoLang obfuscators, s...
2023-09-01 14:30:02 +0000 UTC
View Post
Emulating The Windows Environment
This is the last part in our five-part tutorial series on emulation. In this module we learn how to use a full User-Mode emulator capable of running a PE file. The focus is mainly on Dumpulator and its applications vs. Unicorn (and other CPU only emulators). The module is accompanied by a live demo and a lab that builds on the concepts we discuss.
References
- Mandiant Sp...
2023-08-29 22:35:04 +0000 UTC
View Post
Advanced Unicorn Techniques
This is the fourth part in our five-part tutorial series on emulation. In this module we expand our capabilities with Unicorn using the Unicorn hooks. We build a tracing engine and lay the groundwork for a full binary instrumentation tool. The module is accompanied by a live demo and a lab that builds on the concepts we discuss.
Unicorn Cheat Sheet (Alex Hanel)
2023-08-29 22:23:16 +0000 UTC
View Post
Reverse Engineering With Emulation
This is the third part in our five-part tutorial series on emulation. In this module we learn how to apply emulation to common reverse engineering tasks. The module is accompanied by a live demo and a lab that builds on the concepts we discuss.
Please Note - Based on feedback this is the most difficult module in the series as the examples and labs build on previous reverse engin...
2023-08-29 22:15:39 +0000 UTC
View Post
Unicorn CPU Emulator
This is the second part in our five-part tutorial series on emulation. In this module we learn how to use the Unicorn emulator for simple emulation tasks. The module is accompanied by a live demo and a lab that builds on the concepts we discuss.
References
Emulator Fundamentals
This is the first part in our five-part tutorial series on emulation. In this module we begin by learning how an emulator works under the hood. The module is accompanied by a live demo and a lab that builds on the concepts we discuss.
References
In this stream we take a look at a lightly obfuscated version of Glupteba. This malware has multiple components but our focus is on the loader.
Samples
Notes
2023-08-20 01:23:47 +0000 UTC
View Post
In this stream we take a look at this RootTeam is a GO stealer that can be built via a Telegram channel. Originally we confused this with BanditStealer but it is separate ... also we try of this neat GO symbol recovery tool GO IDA parser!
Samples
e0cd16b3de1f8b6c91b3483e383199f691e935d3d4e1ed9e77f6f9aea929b68b
Notes
2023-08-20 01:16:16 +0000 UTC
View Post
In this stream we take a look at TruBot which has been in the news thanks to a recent Cybersecurity and Infrastructure Security Agency (CISA) report. Stick around for some ... interesting ... yara rules lol.
Sample
717beedcd2431785a0f59d194e47970e9544fbf398d4...
2023-07-27 17:49:30 +0000 UTC
View Post
In this stream we take a look at a new stealer that might be named "StatusRecorder" according to its C2 panel? The malware itself is very straight forward and we quickly create a Yara rule and start hunting for similar samples...
Heads Up!
At the beginning of the stream we discover some unusual connections between a security researcher and the malware. All of these connections have been documented in our notes. It is important to...
2023-07-24 15:00:05 +0000 UTC
View Post
In this stream we take a close look at a multi-stage malware delivery system which is used to prepare the target so the final payload is not detected. There are a few tricky parts but this is a very accessible stream... N00bs Night!
Samples
8661bf09583ac5882e4183052c4273c26771...
2023-07-19 18:11:20 +0000 UTC
View Post
This is a bit of a different stream where we investigate a novel idea from @mishap where emulation is performed only on memory based instructions. The concept is that this may end up being a useful (fast) tool for generic string decryption problems.
The stream itself is a bit boring and sort of a failure as we realize a lot more work is required to get the emulator to ...
2023-07-18 00:48:33 +0000 UTC
View Post
This is a crazy 7h long dev stream! We probably won't do another one of these but if you like you can watch in real time I as build a generic string decryption tool for the xorstr library.
What?
The idea for this tool was developed over the past few streams and I just wanted to test it out. In the end this approach is still fairly brittle, the notes do a better job of explaining all the limitations, but it does work well for the ...
2023-07-06 01:49:00 +0000 UTC
View Post
In this twitch stream we continue our analysis of RisePro but shift our focus to the string encryption library xorstr. The main focus of this stream is investigating use of the xorstr library in malware and building a universal string decryption tool... this is the stream that kicks off our exciting/boring series of development streams...
Samples
2023-07-05 18:20:40 +0000 UTC
View Post
In this twitch stream we take a look at RisePro a stealer that shares a lot of code with PrivateLoader. The main focus of the stream is investigating the similarities between PrivateLoader and RisePro but we also create a simple string decryption and attempt to build a decent Yara rule.
Samples
2023-07-05 18:14:30 +0000 UTC
View Post
In this Twitch stream we continue our triage of this new loader that uses AMSI bypasses to avoid detection. In this part we focus on the injected X64 shell code. The shell code uses relative offsets to access data within itself which poses some challenges for IDA, and it contains multiple encrypted strings as well as another PE file.
Sample
2023-06-20 15:01:02 +0000 UTC
View Post
In this Twitch stream we begin to triage a new loader that uses AMSI bypasses to avoid detection. The loader itself is .NET but as we dig deeper we discover that the AMSI bypass is implemented in PowerShell, native X64 shell code is used (no yet analyzed) and the final payload is a Async RAT.
For the first half of the stream we triage the .NET loader and PowerShell, then turn our attention to the shell code. The shell code analysis has a...
2023-06-20 14:59:02 +0000 UTC
View Post
Join us as you help us rank the worst malware we have ever reverse engineered!
Special thanks to @huettenhain for helping to host, and everyone who sent us submissions and voted in the chat!
🏆 Congrats to @struppige for submitting the winning sample!
2023-06-15 14:59:02 +0000 UTC
View Post
In this Twitch stream we triage Metastealer creating a Yara rule and config extractor.
Sample
6cf8bfba1b221effcb1eccec0c91fb0906d0b8996932167f654680cb3ac53aac
Notes
...
2023-06-04 14:59:01 +0000 UTC
View Post