In this live stream we triage Creal Stealer, a Python stealer which has been packed with PyInstaller. We cover the differences between Python byte code disassembly and decompiling as well as provid...
2024-05-21 01:51:57 +0000 UTC
View Post
Part two of our live stream looking at Zombieware and in this part we fully reverse engineer the file infector COSMU and build an extractor tool to recover files that have been infected by it.
<...
2024-05-05 14:10:01 +0000 UTC
View Post
Self-replicating malware, long abandoned by its operators, continues to contribute significant volume and noise to malware feeds. We investigate this trend, which we refer to as Zombieware!
...
2024-05-05 14:00:08 +0000 UTC
View Post
Just a quick tip taking advantage of a new feature in x64dbg and the WOW64 translation layer to trace syscalls. Since we are tracing all syscalls that go through the WOW64 translation this also cat...
2024-04-26 21:08:27 +0000 UTC
View Post
This is the second part of our series on removing the code obfuscation from the latest version of Lumma Stealer. The stream is more of a short re-cap of the completed tool from the first stream whe...
2024-04-21 14:00:09 +0000 UTC
View Post
Stack pointer analysis failed, it's happened to us all. This is just a quick tip with an overview of why this is happening and how to troubleshoot it.
Sample
The sample being examine...
2024-04-20 17:46:49 +0000 UTC
View Post
This is the first part of our series on removing the code obfuscation from the latest version of Lumma Stealer. In this VOD we identify the opaque predicate patterns that are preventing IDA from re...
2024-04-13 19:43:31 +0000 UTC
View Post
This tutorial outlines how to use dynamic analysis to speed up static analysis by dynamically identifying high value reverse engineering targets in the target binary. Our example is a Danabot malwa...
2024-04-12 14:00:19 +0000 UTC
View Post
This tutorial provides an overview of the Delphi reverse engineering tips that we have covered in past streams. The key is using IDR to extract compiler information from the binary and apply it to ...
2024-04-03 01:55:44 +0000 UTC
View Post
In this stream we attack a Themida protected C2 config using tracing in x64dbg and some other tricks. The malware analyzed is an older socks proxy botnet called Socks5Ssystemz which has been operat...
2024-04-02 18:38:21 +0000 UTC
View Post
At OALABS it is our mission to bring you the kind of reverse engineering tutorials that we wished we had when we were first learning to analyze malware. Our tiers are organized into three simple ca...
2024-03-28 19:08:45 +0000 UTC
View Post
In this stream we take a look at a new version of GCleaner with a particularly weak string encryption algorithm. Instead of attacking this statically we used some advanced breakpoint features in x6...
2024-03-27 14:00:13 +0000 UTC
View Post
In this stream we analyze a unique delivery chain that uses a bug in GitHub to mimic popular repositories and deploy malware. We also do a deep dive into Lua malware!
The first 30min are desc...
2024-03-12 14:16:42 +0000 UTC
View Post
In this stream we take a look at the new PikaBot loader which uses indirect syscalls to evade AV/EDR. As part of the analysis we develop a quick way to trace indirect syscalls with x64dbg and use t...
2024-03-02 19:57:09 +0000 UTC
View Post
The final part of our series on reverse engineering VM protection in VMZeus. We update our Binary Ninja plugin to lift the VM code!
There are no notes for this stream, instead we have setup a...
2024-02-20 01:37:39 +0000 UTC
View Post
This is the fifth pare in our series on reverse engineering VM protection in VMZeus. We convert our disassembler into a Binary Ninja plugin!
There are no notes for this strea...
2024-02-14 20:07:10 +0000 UTC
View Post
This is the fourth part of our series on reverse engineering the VM protection in VMZeus. Finally we finish our disassembler! We finish the instruction definitions then spend the majority of the st...
2024-02-06 20:05:25 +0000 UTC
View Post
This is the third part of our series on reverse engineering the VM protection in VMZeus.
This is a grind stream where we build the framework for our custom disassembler and begin to implement...
2024-01-30 15:00:07 +0000 UTC
View Post
This is the second part of our series on reverse engineering the VM protection in VMZeus.
This is a grind stream where we work through each instruction handlers, reverse engineer the semantic...
2024-01-27 15:00:08 +0000 UTC
View Post
Unlocked For Everyone 🔓
This is the final part of our four-part tutorial series covering YARA ba...
2024-01-17 01:01:35 +0000 UTC
View Post
Unlocked For Everyone 🔓
This is the third part of our four-part tutorial series covering YARA ba...
2024-01-17 00:41:59 +0000 UTC
View Post
Unlocked For Everyone 🔓
This is the second part of our four-part tutorial series covering YARA b...
2024-01-17 00:30:09 +0000 UTC
View Post
Unlocked For Everyone 🔓
This is the first part of our four-part tutorial series covering YARA ba...
2024-01-17 00:22:33 +0000 UTC
View Post
Our first stream of 2024 and we are taking a slightly different approach! We are going to reverse engineer the VM protection in VMZeus.
In this stream we outline our method of attack and iden...
2024-01-12 23:24:53 +0000 UTC
View Post
In this stream we analyze a unique crypto stealer that appears to have been built custom to target a hardware wallet. We perform a full analysis of the malware to determine how it works, and invest...
2023-12-30 21:38:43 +0000 UTC
View Post
In this stream we analyze the SparkRAT GO malware using GoReSym and write a config extractor. This is a good introduction to GO malware.
Sample
6c4cb9d518f725b5c92f68699992f5525592328...
2023-12-30 21:32:46 +0000 UTC
View Post
We take a look at this .NET stealer that is possibly a clone or new version of Agent Tesla.
There is also a horrific 🕷️ surprise around the 27min mark....
Sample
b1114c27be...
2023-12-30 21:27:10 +0000 UTC
View Post
In this stream we continue our analysis of Danabot with a focus on the core component. Danabot is written in Delphi which requires some additional tooling on top of IDA to reverse engineer.
B...
2023-12-20 01:21:49 +0000 UTC
View Post
In this stream we take a look at a version of the Danabot Loader. Danabot is written in Delphi which requires some additional tooling on top of IDA to reverse engineer.
First we use
2023-12-12 02:22:14 +0000 UTC
View Post
A short tutorial demonstrating how to use x64dg to dynamically decrypt the encrypted strings in Pikabot. Though we are using Pikabot as an example this technique is generally applicable to any stri...
2023-12-03 01:45:53 +0000 UTC
View Post