NokiMo
oalabs

oalabs

patreon


oalabs posts

Live Stream VOD: Dumpulator vs. Guloader VEH Obfuscation

In this twitch stream we take another look at Guloader's VEH obfuscation using Dumpulator. With Dumpulator we are able...

View Post

Live Stream VOD: Unicorn Emulation Tricks (Guloader Part 5)

In this twitch stream we explore some of the more advanced features available for emulation with unicorn. We revisit Guloader for a fifth time and write a fully automated string decryption script w...

View Post

Live Stream VOD: Guloader ( Part 4 ) Deobfuscation

In this twitch stream we take a fourth look at Guloader and finally fully deobfuscate the control flow (VEH redirect) and write a simple string decryptor.

This stream is sort of a wrap up of ...

View Post

Live Stream VOD: Guloader ( Part 3 ) String Decryption and Debugging

In this twitch stream we take a third look at Guloader and begin our analysis of the final stage shell code. The code has been updated from the first sample we looked at but some of the same struct...

View Post

Live Stream VOD: Reverse Engineering AMA 2022

This stream was a bit different... we invited eight reverse engineers on to answer your questions! Due to the nature of the stream the VOD has been edited into segments that are loosely organized a...

View Post

Live Stream VOD: Guloader NSIS Delivery Analysis

In this twitch stream we take a second look at Guloader with a focus on its highly obfuscated delivery chain. An NSIS loader is used to execute multiple layers of obfuscated PowerShell which eventu...

View Post

Live Stream VOD: Guloader Shellcode Analysis

In this twitch stream we take on Guloader. Our approach combines both static and dynamic analysis to bypass the the numerous anti-analysis techniques which make this malware infamous. 

T...

View Post

Live Stream VOD: Brute Ratel Analysis with @BoymoderRE

In this twitch stream we collaborate with @BoymoderRE and take a second look at Brute Ratel. We are using 2022-12-20 02:41:09 +0000 UTC View Post

Live Stream VOD: More GoLang Malware Reverse Engineering - Static Strings Extraction from Titan Stealer

In this twitch stream we continue our GoLang reverse engineering journey with a focus on static extraction of strings with Python. The malware sample we will be testing our methods on is called Tit...

View Post

Live Stream VOD: Reverse Engineering GO Featuring Laplas Clipper

In this twitch stream we start to take a serious look at reverse engineering GoLang malware. We use the Laplas Clipper malware to test some IDA tools and generally get a better understanding of how...

View Post

Live Stream VOD: N00bs Night 1 - PowerShell Loader and Shellcode Markup

In this twitch stream we attempt our first ever N00bs Night where we cover simple reverse engineering topics with an aim to make the stream accessible to everyone! That being said....

View Post

Live Stream VOD: Tofsee String Decryption Another C++ Win!

In this twitch stream we take a look at Tofsee a simple spambot written in C++ with a funny string encryption trick. We also discuss some methods for automatically locating string references in ass...

View Post

Live Stream VOD: AgentTesla Config Extraction with Automated .NET Parsing (dnlib and Python)

In this twitch stream we use AgentTesla as an example to learn more about automated .NET parsing using dnlib and Python. We are able to locate and decrypt the strings table protected with the open ...

View Post

Live Stream VOD: Amadey Analysis Getting Good at C++ STL Struct Reconstruction

In this twitch stream we take a look at a new variant of Amadey with an emphasis on putting our new C++ STL reversing skill to the test. We manage to create a very clean marked up IDB which signifi...

View Post

Live Stream VOD: Reverse Engineering C++ STL Types (First Attempt)

In this twitch stream we attempt to define a repeatable process for identifying  MSVC STL types in compiled C++. Dealing with these types has been an issue for us during previous malware analy...

View Post

Live Stream VOD: BitRat Analysis (C++) - Part 3

In this twitch stream we conclude our three-part series on analyzing RitRat, a C++ RAT that is sold and generally used for eCrime activity but has also been linked to nation-stage backed targeted a...

View Post

Live Stream VOD: BitRat Analysis (C++) - Part 2

In this twitch stream we continue our three-part series on analyzing RitRat, a C++ RAT that is sold and generally used for eCrime activity but has also been linked to nation-stage backed targeted a...

View Post

Live Stream VOD: BitRat Analysis (C++) - Part 1

In this twitch stream we take our first look at RitRat, a C++ RAT that is sold and generally used for eCrime activity but has also been linked to nation-stage backed targeted attacks.

The fun...

View Post

Live Stream VOD: Building A Simple Malware Tracker for DbatLoader

In this twitch stream we complete our mini two part series on Threat Intelligence by building a simple malware tracker for DbatLoader. 

Notes

2022-10-30 02:35:54 +0000 UTC View Post

Live Stream VOD: What is Threat Intelligence and Why Do We Reverse Engineer Malware

In this twitch stream we talk about what Threat Intelligence means in practice; how companies use intelligence products, how the products are developed, and how reverse engineering malware fits int...

View Post

Live Stream VOD: Icarus Stealer Analysis

In this twitch stream we take a look at a new .NET RAT openly sold as Icarus. The stream takes an interesting turn when we discover the C2 infrastructure is incorrectly configured...

Samples...

View Post

Live Stream VOD: Building a Config Extractor for ISFB

In this twitch stream we take a look at Gozi / ISFB / RM3 etc. and develop a config extractor which works on the latest variants. This is mostly a coding stream where we update an old extractor and...

View Post

Process Memory Basics for Reverse Engineers Module 3 - Memory Protections

This is the third and final part in our three-part series on process memory with a focus on tracking memory with a debugger. In this tutorial we look at process memory protections and specifically ...

View Post

Process Memory Basics for Reverse Engineers Module 2 - Heap Memory

This is the second part in our short three-part series on process memory with a focus on tracking memory with a debugger. In this tutorial we look at the heap and how to investigate heap memory wit...

View Post

Live Stream VOD: Leaked LockBit Ransomware Builder Analyzed

In this Twitch stream we take a look at the recently leaked LockBit Ransomware Builder. We compare our previous RE analysis of the ransomware binary with the actual builder config (some surprises, ...

View Post

Process Memory Basics for Reverse Engineers Module 1 - Watching Memory Allocations With a Debugger

This is the first in a short three-part series on memory allocation with a focus on tracking memory with a debugger. In this tutorial we look at the basics, how is memory allocated, and how to foll...

View Post

Live Stream VOD: Clipboard Hijacking Detection

In this Twitch stream we take a look at a simple malware (great for practicing RE) that is used to steal crypto by substituting wallet addresses that are copy pasted from the clipboard. 

View Post

Live Stream VOD: PrivateLoader Analysis

In this twitch stream we take a look at PrivateLoader, a pay-per-install malware that contains a lot of anti-analysis tricks (junk code, stack strings, etc.) Our main focus in the stream is buildin...

View Post

Live Stream VOD: DbatLoader Analysis

In this twitch stream we take a look at dbatloader, a simple Delphi downloader that is used to download and execute other malware. This would be a straightforward analysis except the binary is writ...

View Post

Live Stream VOD: SmokeLoader Analysis Part 3 - Stage 3 Decrypted and Config Extracted

The conclusion to our analysis of SmokeLoader! All the secrets are revealed and it's grrr-eat! We finally figure out the missing piece for the API hashes and resolve them. This leads us to the miss...

View Post