NokiMo
oalabs

oalabs

patreon


oalabs posts

Live Steam VOD: PyInstaller Malware Triage - Creal Stealer

In this live stream we triage Creal Stealer, a Python stealer which has been packed with PyInstaller. We cover the differences between Python byte code disassembly and decompiling as well as provid...

View Post

Zombieware Part 2 - Reverse Engineering The COSMU File Infector

Part two of our live stream looking at Zombieware and in this part we fully reverse engineer the file infector COSMU and build an extractor tool to recover files that have been infected by it.

<...

View Post

Zombieware Part 1 - Malware That Never Dies

Self-replicating malware, long abandoned by its operators, continues to contribute significant volume and noise to malware feeds. We investigate this trend, which we refer to as Zombieware!

...

View Post

Syscall Tracing With x64dbg

Just a quick tip taking advantage of a new feature in x64dbg and the WOW64 translation layer to trace syscalls. Since we are tracing all syscalls that go through the WOW64 translation this also cat...

View Post

Live Stream VOD: Lumma Stealer Deobfuscation - Part 2

This is the second part of our series on removing the code obfuscation from the latest version of Lumma Stealer. The stream is more of a short re-cap of the completed tool from the first stream whe...

View Post

IDA Quick Tip - SP Analysis Failed

Stack pointer analysis failed, it's happened to us all. This is just a quick tip with an overview of why this is happening and how to troubleshoot it.

Sample

The sample being examine...

View Post

Live Stream VOD: Lumma Stealer Deobfuscation - Part 1

This is the first part of our series on removing the code obfuscation from the latest version of Lumma Stealer. In this VOD we identify the opaque predicate patterns that are preventing IDA from re...

View Post

Dynamic Malware Analysis - Tips For Faster Static Reverse Engineering

This tutorial outlines how to use dynamic analysis to speed up static analysis by dynamically identifying high value reverse engineering targets in the target binary. Our example is a Danabot malwa...

View Post

Delphi Reverse Engineering Tips

This tutorial provides an overview of the Delphi reverse engineering tips that we have covered in past streams. The key is using IDR to extract compiler information from the binary and apply it to ...

View Post

Live Stream VOD: Breaking Themida Protected C2 Config for Socks5Systemz

In this stream we attack a Themida protected C2 config using tracing in x64dbg and some other tricks. The malware analyzed is an older socks proxy botnet called Socks5Ssystemz which has been operat...

View Post

Welcome To OALABS!

At OALABS it is our mission to bring you the kind of reverse engineering tutorials that we wished we had when we were first learning to analyze malware. Our tiers are organized into three simple ca...

View Post

Live Stream VOD: GCleaner

In this stream we take a look at a new version of GCleaner with a particularly weak string encryption algorithm. Instead of attacking this statically we used some advanced breakpoint features in x6...

View Post

Live Stream VOD: GitHub Bug Used to Infect Game Hackers With Lua Malware

In this stream we analyze a unique delivery chain that uses a bug in GitHub to mimic popular repositories and deploy malware. We also do a deep dive into Lua malware!

The first 30min are desc...

View Post

Live Stream VOD: Indirect Syscalls and The PikaBot Loader

In this stream we take a look at the new PikaBot loader which uses indirect syscalls to evade AV/EDR. As part of the analysis we develop a quick way to trace indirect syscalls with x64dbg and use t...

View Post

Live Stream VOD: Breaking Zeus VM Part 6

The final part of our series on reverse engineering VM protection in VMZeus. We update our Binary Ninja plugin to lift the VM code!

There are no notes for this stream, instead we have setup a...

View Post

Live Stream VOD: Breaking Zeus VM Part 5

This is the fifth pare in our series on reverse engineering VM protection in VMZeus. We convert our disassembler into a Binary Ninja plugin! 


There are no notes for this strea...

View Post

Live Stream VOD: Breaking Zeus VM Part 4

This is the fourth part of our series on reverse engineering the VM protection in VMZeus. Finally we finish our disassembler! We finish the instruction definitions then spend the majority of the st...

View Post

Live Stream VOD: Breaking Zeus VM Part 3

This is the third part of our series on reverse engineering the VM protection in VMZeus.

This is a grind stream where we build the framework for our custom disassembler and begin to implement...

View Post

Live Stream VOD: Breaking Zeus VM Part 2

This is the second part of our series on reverse engineering the VM protection in VMZeus.

This is a grind stream where we work through each instruction handlers, reverse engineer the semantic...

View Post

Introduction to YARA Part 4 - Writing Efficient YARA Rules

Unlocked For Everyone 🔓

This is the final part of our four-part tutorial series covering YARA ba...

View Post

Introduction to YARA Part 3 - Rule Use Cases

Unlocked For Everyone 🔓

This is the third part of our four-part tutorial series covering YARA ba...

View Post

Introduction to YARA Part 2 - Hunting on UnpacMe

Unlocked For Everyone 🔓

This is the second part of our four-part tutorial series covering YARA b...

View Post

Introduction to YARA Part 1 - What is a YARA Rule

Unlocked For Everyone 🔓

This is the first part of our four-part tutorial series covering YARA ba...

View Post

Live Stream VOD: Breaking Zeus VM Part 1

Our first stream of 2024 and we are taking a slightly different approach! We are going to reverse engineer the VM protection in VMZeus.

In this stream we outline our method of attack and iden...

View Post

Live Stream VOD: Live Ledger Crypto Wallet Attack Analyzed

In this stream we analyze a unique crypto stealer that appears to have been built custom to target a hardware wallet. We perform a full analysis of the malware to determine how it works, and invest...

View Post

Live Stream VOD: SparkRAT Open Source GO RAT Triage

In this stream we analyze the SparkRAT GO malware using GoReSym and write a config extractor. This is a good introduction to GO malware.

Sample

6c4cb9d518f725b5c92f68699992f5525592328...

View Post

Live Stream VOD: Is Origin Logger Agent Tesla's Successor

We take a look at this .NET stealer that is possibly a clone or new version of Agent Tesla.

There is also a horrific 🕷️ surprise around the 27min mark....

Sample

b1114c27be...

View Post

Live Stream VOD: Danabot Core Triage Part 2 - Delphi Structs and IDA

In this stream we continue our analysis of Danabot with a focus on the core component. Danabot is written in Delphi which requires some additional tooling on top of IDA to reverse engineer.

B...

View Post

Live Stream VOD: Danabot Loader Triage Part 1 - Delphi and IDA

In this stream we take a look at a version of the Danabot Loader. Danabot is written in Delphi which requires some additional tooling on top of IDA to reverse engineer. 

First we use View Post

Dynamic String Decryption With x64dbg

A short tutorial demonstrating how to use x64dg to dynamically decrypt the encrypted strings in Pikabot. Though we are using Pikabot as an example this technique is generally applicable to any stri...

View Post