Live Stream VOD: Dumpulator vs. Guloader VEH Obfuscation
In this twitch stream we take another look at Guloader's VEH obfuscation using Dumpulator. With Dumpulator we are able...
2023-01-26 19:17:48 +0000 UTC View Post
In this twitch stream we take another look at Guloader's VEH obfuscation using Dumpulator. With Dumpulator we are able...
2023-01-26 19:17:48 +0000 UTC View Post
In this twitch stream we explore some of the more advanced features available for emulation with unicorn. We revisit Guloader for a fifth time and write a fully automated string decryption script w...
2023-01-13 19:34:18 +0000 UTC View Post
In this twitch stream we take a fourth look at Guloader and finally fully deobfuscate the control flow (VEH redirect) and write a simple string decryptor.
This stream is sort of a wrap up of ...
2023-01-13 19:29:16 +0000 UTC View Post
In this twitch stream we take a third look at Guloader and begin our analysis of the final stage shell code. The code has been updated from the first sample we looked at but some of the same struct...
2023-01-13 19:19:47 +0000 UTC View Post
This stream was a bit different... we invited eight reverse engineers on to answer your questions! Due to the nature of the stream the VOD has been edited into segments that are loosely organized a...
2022-12-28 04:34:55 +0000 UTC View Post
In this twitch stream we take a second look at Guloader with a focus on its highly obfuscated delivery chain. An NSIS loader is used to execute multiple layers of obfuscated PowerShell which eventu...
2022-12-20 05:23:04 +0000 UTC View Post
In this twitch stream we take on Guloader. Our approach combines both static and dynamic analysis to bypass the the numerous anti-analysis techniques which make this malware infamous.
T...
2022-12-20 04:54:21 +0000 UTC View Post
In this twitch stream we collaborate with @BoymoderRE and take a second look at Brute Ratel. We are using 2022-12-20 02:41:09 +0000 UTC View Post
In this twitch stream we continue our GoLang reverse engineering journey with a focus on static extraction of strings with Python. The malware sample we will be testing our methods on is called Tit...
2022-12-06 23:26:08 +0000 UTC View Post
In this twitch stream we start to take a serious look at reverse engineering GoLang malware. We use the Laplas Clipper malware to test some IDA tools and generally get a better understanding of how...
2022-12-06 18:56:36 +0000 UTC View Post
In this twitch stream we attempt our first ever N00bs Night where we cover simple reverse engineering topics with an aim to make the stream accessible to everyone! That being said....
2022-11-28 03:55:23 +0000 UTC View Post
In this twitch stream we take a look at Tofsee a simple spambot written in C++ with a funny string encryption trick. We also discuss some methods for automatically locating string references in ass...
2022-11-28 03:49:09 +0000 UTC View Post
In this twitch stream we use AgentTesla as an example to learn more about automated .NET parsing using dnlib and Python. We are able to locate and decrypt the strings table protected with the open ...
2022-11-20 18:57:18 +0000 UTC View Post
In this twitch stream we take a look at a new variant of Amadey with an emphasis on putting our new C++ STL reversing skill to the test. We manage to create a very clean marked up IDB which signifi...
2022-11-20 18:52:20 +0000 UTC View Post
In this twitch stream we attempt to define a repeatable process for identifying MSVC STL types in compiled C++. Dealing with these types has been an issue for us during previous malware analy...
2022-11-08 04:06:32 +0000 UTC View Post
In this twitch stream we conclude our three-part series on analyzing RitRat, a C++ RAT that is sold and generally used for eCrime activity but has also been linked to nation-stage backed targeted a...
2022-10-30 03:11:19 +0000 UTC View Post
In this twitch stream we continue our three-part series on analyzing RitRat, a C++ RAT that is sold and generally used for eCrime activity but has also been linked to nation-stage backed targeted a...
2022-10-30 03:07:10 +0000 UTC View Post
In this twitch stream we take our first look at RitRat, a C++ RAT that is sold and generally used for eCrime activity but has also been linked to nation-stage backed targeted attacks.
The fun...
2022-10-30 02:59:31 +0000 UTC View Post
In this twitch stream we complete our mini two part series on Threat Intelligence by building a simple malware tracker for DbatLoader.
In this twitch stream we talk about what Threat Intelligence means in practice; how companies use intelligence products, how the products are developed, and how reverse engineering malware fits int...
2022-10-16 23:02:35 +0000 UTC View Post
In this twitch stream we take a look at a new .NET RAT openly sold as Icarus. The stream takes an interesting turn when we discover the C2 infrastructure is incorrectly configured...
In this twitch stream we take a look at Gozi / ISFB / RM3 etc. and develop a config extractor which works on the latest variants. This is mostly a coding stream where we update an old extractor and...
2022-10-16 22:54:41 +0000 UTC View Post
This is the third and final part in our three-part series on process memory with a focus on tracking memory with a debugger. In this tutorial we look at process memory protections and specifically ...
2022-10-16 02:05:53 +0000 UTC View Post
This is the second part in our short three-part series on process memory with a focus on tracking memory with a debugger. In this tutorial we look at the heap and how to investigate heap memory wit...
2022-10-07 01:52:39 +0000 UTC View Post
In this Twitch stream we take a look at the recently leaked LockBit Ransomware Builder. We compare our previous RE analysis of the ransomware binary with the actual builder config (some surprises, ...
2022-09-26 18:38:33 +0000 UTC View Post
This is the first in a short three-part series on memory allocation with a focus on tracking memory with a debugger. In this tutorial we look at the basics, how is memory allocated, and how to foll...
2022-09-25 16:13:56 +0000 UTC View Post
In this Twitch stream we take a look at a simple malware (great for practicing RE) that is used to steal crypto by substituting wallet addresses that are copy pasted from the clipboard.
In this twitch stream we take a look at PrivateLoader, a pay-per-install malware that contains a lot of anti-analysis tricks (junk code, stack strings, etc.) Our main focus in the stream is buildin...
2022-09-22 16:50:55 +0000 UTC View Post
In this twitch stream we take a look at dbatloader, a simple Delphi downloader that is used to download and execute other malware. This would be a straightforward analysis except the binary is writ...
2022-09-22 16:40:57 +0000 UTC View Post
The conclusion to our analysis of SmokeLoader! All the secrets are revealed and it's grrr-eat! We finally figure out the missing piece for the API hashes and resolve them. This leads us to the miss...
2022-09-03 04:37:38 +0000 UTC View Post