In this Twitch stream we take a close look at an email stealer that has been flying under the radar for years and expose a small e-crime operation in the process!
Due to your positive feedback on the past few VODs I have left in more of the stream banter. Things devolve a bit into a meme stream in the middle of the recording but if you skip ahead we get back into the technical stuff...
2023-05-26 17:39:33 +0000 UTC
View Post
This is the first in a four-part series on PE parsing from a reverse engineering perspective. In this tutorial we walk through the PE headers and demonstrate how to mark up code that is parsing these headers in IDA.
Code References
The following are links to the code that was used in the tutorial. These are handy to keep as references as they have the structures and patterns that ...
2023-05-24 23:53:18 +0000 UTC
View Post
This is the second in a four-part series on PE parsing from a reverse engineering perspective. In this tutorial we take a deep dive into the PE section table and discuss the difference between mapped and unmapped PE files.
Code References
The following are links to the code that was used in the tutorial. These are handy to keep as references as they have the structures and pattern...
2023-05-24 23:53:07 +0000 UTC
View Post
This is the third in a four-part series on PE parsing from a reverse engineering perspective. In this tutorial we explore parsing the PE import table. We also introduce a new structure PE_BASE to help with marking up pseudocode in IDA.
Code References
The following are links to the code that was used in the tutorial. These are handy to keep as references as they have the structure...
2023-05-24 23:52:50 +0000 UTC
View Post
This is the final tutorial in our four-part series on PE parsing from a reverse engineering perspective. In this tutorial we explore parsing the PE export table. We conclude the tutorial with a complete PEB walk example parsing the exports from NTDLL.
Code References
The following are links to the code that was used in the tutorial. These are handy to keep as references as they ha...
2023-05-24 23:52:21 +0000 UTC
View Post
This Twitch stream is a little chaotic... you aren't hearing voices... anyone from the Discord and Patreon is free to join in the conversation as we test a new interactive RE concept.
The voices you heard in no particular order...
This is the first in a short two-part series on the Process Environment Block (PEB) and the Thread Environment Block (TEB). In this tutorial we introduce the PEB and the TEB and provide some background on how these data structures are accessed programmatically. We also provide some tips for identifying and marking up PEB access in IDA.
Code References
The following are links to th...
2023-05-23 00:40:35 +0000 UTC
View Post
This is the second in a short two-part series on the Process Environment Block (PEB) and the Thread Environment Block (TEB). In this tutorial we focus on how a processes’ modules (DLLs) can be accessed via the PEB. We also introduce the concept of “walking the PEB”, the CONTAINING_RECORD macro, and shifted pointers.
Code References
The following are links to the code that wa...
2023-05-23 00:40:27 +0000 UTC
View Post
In this Twitch live stream we unpack in2al5dp3in4er loader which is using CreateDXGIFactory to detect sandboxes based on their lack of graphics card and triage its payload Aurora Stealer.
Samples
66383d931f13bcdd07ca6aa50030968e44d8607cf19bdaf70ed4f9ac704ac4d1
N...
2023-05-04 06:28:53 +0000 UTC
View Post
In this Twitch stream we take a look at CryptNET ransomware a ransomware written in .NET and protected with .NET Reactor.
Samples
2e37320ed43e99835caa1b851e963ebbf153f16cbe395f259bd2200d14c7b775
Notes
2023-05-04 06:20:51 +0000 UTC
View Post
In this Twitch stream we build an automated strings decryptor for the .NET XORStringsNet cryptor adopted by AgentTesla, Redline, and others.
Samples
d56f2852762f7f9fcb07eaf018e143ab1e4ad46e1f2e943faf13618388ef...
2023-04-22 15:00:04 +0000 UTC
View Post
In this Twitch stream we analyze a version of Chaos Ransomware builder that has been backdoored with Quasar RAT!
Samples
141056b82cd0a20495822cd2bcd5fae5c989c6d24dac5a5e3c3916f1b406bdb9
Notes
2023-04-22 15:00:04 +0000 UTC
View Post
In this Twitch stream we investigate the difference between IcedID's older photo loader and newer gzip loader.
Samples
In this Twitch stream we have some fun reverse engineering all the stages in AresLoader.
This VOD is a little wilder than our usual streams, I decided to leave in some more of the banter etc. You guys let me know if you want more of this or if you prefer the more edited cleaner streams?
Samples
2023-04-11 00:22:24 +0000 UTC
View Post
In this Twitch lives stream we reverse engineer the 3CX software backdoor and associated downloader chain.
Samples
In this Twitch stream we complete our 3-part research series on emulating VBScript with a fully emulated VBScript running on Dumpulator.
Note: This is a research stream so it is long and progress is slow as I make a lot of mistakes, also near the end I'm so tired... but we prevail!
Extra big thank you to Mishap who really carried this one <3
Em...
2023-03-29 07:37:27 +0000 UTC
View Post
In this Twitch stream we continue our 3-part research series on emulating VBScript with a deep dive into the vbscript.dll.
Note: This is a research stream so it is long and progress is slow as I make a lot of mistakes while learning how all the components in the scripting engine work together.
Emotet WScript Sample
2023-03-29 06:21:56 +0000 UTC
View Post
In this Twitch stream we start our 3-part research series on emulating VBScript by looking at the new Emotet OneNote docs being used to execute WScript malware.
The first part of the stream we quickly triage the OneNote document, extract the WScript and manually deobfuscate the script.
The rest of the stream is dedicated to starting our automated VBScript deobfuscation project as we...
2023-03-29 04:57:00 +0000 UTC
View Post
In this Twitch stream we triage CryptBot a C++ INFOSTEALER that has been in operation since 2019.
The main focus of the stream is building a decent config extractor and a good yara rule for this malware but we have a little fun looking up its origins along the way.
Sample
...
2023-03-19 01:01:09 +0000 UTC
View Post
In this Twitch stream we take a look at QVoid Stealer an open source .NET INFOSTEALER that has been dropped along with RedLine.
Set your expectations low for this one... really F-Tier stealer but we push through the cringe and write a Yara rule and a Config extractor.
Sample
2023-03-19 00:57:06 +0000 UTC
View Post
In this Twitch stream we complete our analysis of PikaBot and write a static config extractor to pull out the PS loader code and C2.
Samples
In this Twitch stream we complete our analysis of the PikaBot loader. We use Dumpulator and some IDA scripting to resolve all of the encrypted stack strings and the dynamic imports, then we analyze the functionality.
Note* at the end of the stream I miss an important function call in the binary...
2023-03-12 17:57:07 +0000 UTC
View Post
In this Twitch stream we take a look at a new loader called PikaBot! This stream is dedicated to the preparation of the binary for analysis, decrypting strings, resolving dynamic imports etc.
Note* We waste the majority of this stream trying to get the DLL to load in a debugger properly. The DLL is not relocatable but for some reason the VM I am using insists on relocatin...
2023-03-12 17:52:38 +0000 UTC
View Post
In this Twitch stream we work through the process of triaging a bad Yara rule and disambiguating the relationship between SoulSearcher Malware and a mystery worm!
Yara Rule
Malpedia SoulSearcher
Soul Searcher Samples
All samples available on 2023-03-03 22:50:49 +0000 UTC
View Post
Fo this Twitch stream we are joined by special guest @dr4k0nia for a deep dive into .NET reverse engineering!
Drakonia takes us through multiple layers of unpacking while answering your .NET questions from chat. If you want to follow along at home the sample she is analyzing is available on Malshare...
2023-02-21 21:54:33 +0000 UTC
View Post
Special guest @fwosar gives us a live tutorial covering ransomware cryptography, and takes us through an example breaking ransomware and recovering encrypted files.
Sample
The reference sample used in the Tutorial is GetCrypt ransomware.
2023-02-12 23:27:09 +0000 UTC
View Post
In this twitch stream we complete our config extractor for the final stage of the Rhadamanthys loader.
Surprisingly most of the work can be done statically but we do use dumpulator to speed up a few things.
Samples
Packed Parent
2023-02-07 03:56:14 +0000 UTC
View Post
In this twitch stream we take a look at Stage 3 of Rhadamanthys. This is the final stage of the loader. This stage is also position independent shell code and we spend the entirety of the stream marking up relative offsets and resolving APIs to make the code readable in IDA.
Samples
Packed Parent
2023-01-30 19:56:59 +0000 UTC
View Post
In this twitch stream we take a look at Stage 2 of Rhadamanthys and use Dumpulator to create a simple unpacker.
We spend the first hour marking up the Stage 2 shell code, the emulation work starts at the 1h 13min mark.
Samples
Packed Parent
2023-01-30 19:47:42 +0000 UTC
View Post
In this twitch stream we take a look at Rhadamanthys, a stealer malware that uses multiples stages of shell code to protect its payload.
We start out unpacking the first stage but end up spending a lot of time trying to make a simple PEB walk look nice in IDA using Shifted Pointers. This is one tip that we shouldn't soon forget!
Sample
2023-01-26 19:25:16 +0000 UTC
View Post