IRC Botnet Reverse Engineering Part 1 - Preparing Binary for Analysis in IDA PRO OALabs 2020-05-31 | The first part of our in-depth malware reverse engineering series analyzing an IRC worm from 2010. In this part we use IDA Pro and Python to decrypt the strings and resolved the dynamic imports to prepare the binary for analysis.... -----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Automated Malware Unpackingunpac.meUnpacked binary (malshare)malshare.com/sample.php?action=detail&hash=51e49a9ca65fac6e43827738f90bc475SHA256 hash:4eb33ce768def8f7db79ef935aabf1c712f78974237e96889e1be3ced0d7e619IDA Pro string decryption scriptgist.github.com/herrcore/72b0d1e32f7f9b3c193fe368eb75c6f5Hex Copy IDA plugin for fast data copy-pastegist.github.com/herrcore/01762779ae4ac130d3beb02bf8e99826In-depth string decryption and import resolving video series with REvil ransomware:youtube.com/watch?v=0raUaL4TIo4&list=PLGf_j68jNtWG_H85OLEBpvkMSsREubo7n MalwareAnalysisForHedgehogs - Network Worm Basicsyoutu.be/LxajkPFJsIoFeedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#IDAPro #Botnet #MalwareAnalysis
M1 Mac Malware Analysis VM Setup with Windows 11 (Free) OALabs 2022-11-11 | * Chapters *0:00 Intro1:40 Hypervisor Overview3:37 ARM VM Overview6:17 Installing VMWare Fusion 22H26:35 Free Copy of Windows 11 ARM (beta)7:25 Converting VHDX to VMDK8:23 Create Windows VM11:15 Disable Windows Defender13:31 FLARE-VM for Windows 11 ARM-----OALABS PATREONpatreon.com/oalabsOALABS DISCORDdiscord.gg/6h5Bh5AMDUTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----UTM https://mac.getutm.app/VMWare Fusion Tech Preview 22H2 for M1customerconnect.vmware.com/downloads/get-download?downloadGroup=FUS-PUBTP-22H2Windows Insider Registrationinsider.windows.com/en-us/registerWindows 11 ARM Beta Releasemicrosoft.com/en-us/software-download/windowsinsiderpreviewARM64?wa=wsignin1.0Convert VHDX to VMDKthunderysteak.github.io/vhd-2-vmdkWindows ARM Install Guide for VMWare Fusioncommunities.vmware.com/t5/Fusion-22H2-Tech-Preview/Tips-and-Techniques-for-the-Apple-Silicon-Tech-Preview-22H2/ta-p/2893986LazyAdmin Disable Windows Defenderhttps://lazyadmin.nl/win-11/turn-off-windows-defender-windows-11-permanently/FLARE-VM Windows 11 Profile (OALABS GitHub)github.com/OALabs/flare-vm/tree/windows11
The Vitali Metric OALabs 2022-11-05 | Rest In Peace @vk_intelgofundme.com/f/vitali-kremez-community-memorial
Process Memory Basics for Reverse Engineers - Tracking Memory With A Debugger [ Patreon Unlocked ] OALabs 2022-09-26 | Full Patreon tutorial (with examples): patreon.com/posts/process-memory-1-72454056-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
Your VPN Sucks for Malware Analysis [ Twitch Rant ] OALabs 2022-09-23 | Why are you using a VPN? What is the right VPN to use when you want to call out to a C2 while analyzing malware? Why are you running?! These questions and more will be answered! See more actual reverse engineering on... patreon.com/oalabs -----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
Career / Interview Advice for Reverse Engineers [ Twitch Clip ] OALabs 2022-09-03 | We get a lot of questions from reverse engineers about career advice, interview tactics, and how to pick the right job... I figure I may as well just clip some responses and put them out there... just my thoughts, we all have different perspectives... See more actual reverse engineering on... patreon.com/oalabs -----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
Vulnerable Antivirus Driver Used by Ransomware - We Reverse Engineer How!!? OALabs 2022-08-05 | How was a vulnerable AV driver used to deploy ransomware? Join us as we reverse engineer this unique deployment tool!Mandiant Blog:mandiant.com/resources/unc2596-cuba-ransomwareAon Blog:aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driverTrendMicro Blog:trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.htmlPowerShell Script:virustotal.com/gui/file/8fcfa67e1fde51f7d99c3714f80b7672a0bb0d31c6cafdb5e7670b845d4dee98-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
Understanding Pointers for Reverse Engineers - Pointer Basics in Assembly [ Patreon Unlocked ] OALabs 2022-07-08 | Full Patreon tutorial (with examples): patreon.com/posts/understanding-1-68718093-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
Malware Triage Tips: How To Stop Wasting Time in IDA On Packed Samples [ Twitch Clip ] OALabs 2022-05-25 | Stop wasting time trying to reverse engineer packed samples in IDA Pro, quickly understand what you are are looking at and use the correct tools...Full stream: patreon.com/oalabs Packed Sample:https://bazaar.abuse.ch/sample/bbb1db25b2b54928d97b0a0caf8726e5d62501ab6cdcf9b4aa2e192f59958aa6/-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
Emotet 64-bit Emulation and String Decryption with Dumpulator [Twitch Clip ] OALabs 2022-05-09 | Using emulation to reverse engineer the new Emotet 64-bit version. Expand to see more... Full stream: patreon.com/oalabs Research nots including a config extractor and Yara rule:research.openanalysis.net/emotet/malware/2022/04/30/emotet_x64.htmlDumpulator:github.com/mrexodia/dumpulator-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
x64dbg System Breakpoint Explained OALabs 2022-04-23 | What is the System Breakpoint in x64dbg. Why does your debugger always stop at a random place when you start debugging? Expand for more...See more on patreon.com/oalabs Our 7-part tutorial series on debugging fundamentals: patreon.com/oalabs/posts?filters%5Btag%5D=Debugging%20Fundamentals-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
How Does a Debugger Work - Debug Events Explained OALabs 2022-04-22 | How does a windows debugger work under the hood? What are debug events and how are they used to control a target? Expand for more...See more on patreon.com/oalabs Our 7-part tutorial series on debugging fundamentals: patreon.com/oalabs/posts?filters%5Btag%5D=Debugging%20Fundamentals-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
The Thread Context - Debugging Explained OALabs 2022-04-16 | What is the thread context and how does it help with debugging? Learn more about how threads work, and GetThreadContext, SetThreadContext, expand for more... See more on patreon.com/oalabs Our 7-part tutorial series on debugging fundamentals: patreon.com/oalabs/posts?filters%5Btag%5D=Debugging%20Fundamentals-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
What is a Breakpoint - Debugging Explained OALabs 2022-04-09 | What is a breakpoint and how does it work under the hood of a debugger? Learn more about how both hardware and software breakpoints work, expand for more...See more on patreon.com/oalabs Our 7-part tutorial series on debugging fundamentals: patreon.com/oalabs/posts?filters%5Btag%5D=Debugging%20Fundamentals-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
Control Flow Flattening Obfuscation Explained Practically [ Twitch Clip ] OALabs 2022-03-26 | Twitch Clip - A practical explanation of control flow flattening obfuscation linking the concept to actual code in IDA Pro. See more on patreon.com/oalabs -----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Research notes with Deobfuscation code for IDA Pro and Dumpulator: research.openanalysis.net/pandora/ransomware/malware/unpacking/dumpulator/emulation/2022/03/19/pandora_ransomware.htmlSample: 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b
Botleggers Exposed - Analysis of The Conti Leaks Malware OALabs 2022-03-02 | Join us for analysis of the leaked Conti malware, what is BazarLoader, how is Conti operated, and what does all this mean for your security team. These are our first thoughts as the situation unfolds...Twitter account for the leaker: twitter.com/ContiLeaks-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
Assembly Calling Conventions For Reverse Engineers [Patreon Unlocked] OALabs 2022-02-17 | A practical look at x86 calling conventions from a reverse engineering perspective. We take a look at __cdecl __stdcall __fastcall __thiscallFull Patreon tutorial (with examples): patreon.com/posts/62676631-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
Quick Tips For Learning Assembly and Reverse Engineering at The Same Time OALabs 2022-02-10 | Just a few quick tips that might help if you are trying to learn how to reverse engineer at the same time you are learning assembly...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
How To Unpack VMProtect 3 (x64) Night Sky Ransomware With VMPDump [Patreon Unlocked] OALabs 2022-02-01 | In this tutorial we unpack Night Sky Ransomware (x64) which is protected with VMProtect 3. We use VMPDump to dump and fix the imports and then re-create the virtualized entry point manually. No other functions are virtualized!Full tutorial on Patreon: patreon.com/posts/how-to-unpack-3-61935110-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Additional Learning Resources Sandbox Tricks For Faster Reversingyoutu.be/rDQmh1yFWGU MSVC Entry Point and Security Init Cookie patreon.com/posts/why-is-pe-entry-61343353Unpacking VMP - Part 1 patreon.com/posts/how-to-unpack-1-61634765Unpacking VMP - Part 2patreon.com/posts/how-to-unpack-2-61636825 Unpacking VMP - Part 3 patreon.com/posts/how-to-unpack-3-61639901Packed sample:8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0VMPDump:github.com/0xnobody/vmpdumpLab-Notes:github.com/OALabs/Lab-Notes/blob/main/NightSky/nightsky.ipynb#Unpacking #VMProtect #Malware
Why Is The PE Entry Point Not The Same As Main SEH and The _security_init_cookie [Patreon Unlocked] OALabs 2022-01-18 | In this tutorial we examine why the entry point for MSVC console applications is not the same as main. We also dive into understandingthe __security_init_cookie and __scrt_common_main_seh functions. Expand for more... In this tutorial is part of our RE101 series on Patreon where we discuss basic reverse engineering concepts. The full tutorial article including links for further reading and self-study examples is here:patreon.com/posts/why-is-pe-entry-61343353-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
Bypassing BlackMatter Anti-Debug With x64dbg [Patreon Unlocked] OALabs 2022-01-06 | In this tutorial we demonstrate how to bypass the anti-debug checks in BlackMatter ransomware with x64dbg. Expand for more... -----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----BlackMatter sample:malshare.com/sample.php?action=detail&hash=22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
Debugging a DLL Export With x64dbg [Patreon Unlocked] OALabs 2022-01-06 | In this tutorial we demonstrate how to debug a DLL export (ordinal) with x64dbg. The sample is an unpacked SquirrelWaffle payload which we debug to dynamically extract the config. Expand for more ...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Unpacked sample:malshare.com/sample.php?action=detail&hash=6095f96dd5eca96a3fb9338eec4ab574921c0febb36f6a6db60aae1aeb9ffcab
View Disassembly and Pseudocode Windows Synchronize Side-by-Side In IDA Pro [ Patreon Unlocked ] OALabs 2022-01-06 | How to view disassembly and pseudocode windows side-by-side in IDA Pro. Subscribe for more tips: patreon.com/oalabs-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
Setup IDA Pro Type Libraries For Windows Malware Analysis [ Patreon Unlocked ] OALabs 2022-01-06 | How to setup IDA Pro type libraries for analysis of windows malware. Subscribe for more tips: patreon.com/oalabs-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
How To Identify Dynamic Imports In Malware [ Patreon Unlocked ] OALabs 2022-01-06 | How to identify dynamically resolved APIs in malware using IDA Pro and static analysis. Subscribe for more tips: patreon.com/oalabs-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----
Dumpulator - Using Binary Emulation To Automate Reverse Engineering OALabs 2021-12-16 | Join us with special guest mrexodia for a demonstration of dumpulator a python emulator that can emulate minidumps! Expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Special thanks to Duncan (mrexodia) the main developer for x64dbg and creator of dumpulator. Let's show him some love:github.com/sponsors/mrexodiaDumpulator GitHub:github.com/mrexodia/dumpulatorx64dbg mindump plugin:github.com/mrexodia/MiniDumpPluginString decryption demo program:github.com/mrexodia/dumpulator/releases/download/v0.0.1/StringEncryptionFun.7zString decryption demo dumps:github.com/mrexodia/dumpulator/releases/download/v0.0.1/StringEncryptionFun_x64.dmpgithub.com/mrexodia/dumpulator/releases/download/v0.0.1/StringEncryptionFun_x86.dmpBreaking State-of-the-Art Binary Code Obfuscation via Program Synthesisyoutube.com/watch?v=0SvX6F80qg8
IDA Pro Plugins For Malware Reverse Engineering OALabs 2021-12-07 | Here are our 5 most used IDA plugins for reverse engineering malware. Expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Python3 Environment Basics For IDA Pro (Windows)patreon.com/posts/python3-basics-58467121Hexcopygithub.com/OALabs/hexcopy-idaHashDBgithub.com/OALabs/hashdb-idaFlare-IDAgithub.com/mandiant/flare-idaCapagithub.com/mandiant/capaCapa Rulesgithub.com/mandiant/capa-rulesIntezer Pluginyoutube.com/watch?v=fY-2wqmVWWA&t=574sBinDiffyoutube.com/watch?v=BLBjcZe-C3I
Introduction To Binlex A Binary Trait Lexer Library and Utility - Machine Learning First Steps... OALabs 2021-11-23 | Join us with special guest @c3rb3ru5d3d53c for a deep dive into Binlex, an open source tool that can extract binary traits useful for quickly building Yara rules and the first steps to building a machine learning model. Expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Binlex source (GitHub):github.com/c3rb3ru5d3d53c/binlexFollow @c3rb3ru5d3d53c on twitter: twitter.com/c3rb3ru5d3d53cYara Rule:gist.github.com/herrcore/94fc677238db8b402d100e8003605773Interesting reading: en.wikipedia.org/wiki/Fitness functionen.wikipedia.org/wiki/Genetic programming capstone-engine.orgMusic / Instrumental by Aries Beats: youtube.com/watch?v=lAVYmC8qFbEyoutube.com/watch?v=3lF8Op_3YtU
RedTeam Tricks Exposed - Reversing Engineering Syscalls To Evade Detection OALabs 2021-11-13 | Join us with special guest RedTeam-Rob (m0rv4i ) for a deep dive into syscalls and how they are used to evade detection. Expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Syscalls demo source code:github.com/m0rv4i/syscallsexampleSyscalls Blog:jmpesp.me/malware-analysis-syscalls-exampleMusic / Instrumental by Aries Beats: youtube.com/watch?v=lAVYmC8qFbEyoutube.com/watch?v=3lF8Op_3YtU
Identify Unknown Malware Using Four Free Threat Intelligence Services OALabs 2021-11-10 | If you are reverse engineering a new malware sample and can't identify it here are our four favourite free threat intel resources that might help! Expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsTwitchtwitch.tv/oalabsliveOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----VirusTotalvirustotal.comMalware Bazaarhttps://bazaar.abuse.ch/Malpediahttps://malpedia.caad.fkie.fraunhofer.de/Intezeranalyze.intezer.comSample:malshare.com/sample.php?action=detail&hash=22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
Blackmatter Ransomware - Livestream Lunch and Learn: Reverse Engineering and Binary Attribution OALabs 2021-10-29 | Join us for a look into Blackmatter Ransomware. We will examine how it operates, and how it was attributed to the developers of Darkside Ransomware. Expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Blackmatter Sample:https://bazaar.abuse.ch/sample/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6/---- Music / Instrumental by Aries Beats: youtube.com/watch?v=lAVYmC8qFbEyoutube.com/watch?v=3lF8Op_3YtU
HashDB - Malware API Hashing Obfuscation Solved Forever (Not Clickbait) OALabs 2021-10-13 | Join us for the release of HashDB a free community-source solution to malware API hashing! Expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----HashDB:hashdb.openanalysis.netHashDB IDA Plugin:github.com/OALabs/hashdb-idaHashDB GitHub:github.com/OALabs/hashdbUnpacked malware samples to test:malshare.com/sample.php?action=detail&hash=132fa71af952927e1961f735e68ae38a3305e7ae8d7197c170d071f74db60d1cmalshare.com/sample.php?action=detail&hash=c7990f1e72fdfa84552f02f9d11cabb74251b0508291af5366fefcee646f9c91malshare.com/sample.php?action=detail&hash=22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
Analyzing Hancitor DLL Live - Lets Build A Config Extractor! OALabs 2021-10-05 | Join us as we reverse engineer the Hancitor DLL and write a config extractor for it in python. Expand for more ...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Original Sample:malware-traffic-analysis.net/2021/09/02/index.htmlUnpacked Sample:malshare.com/sample.php?action=detail&hash=39ae285d4a7436eec52ee4da032da13132cdf259768de8a0e396ad20245fe330Python Lab-Notes:github.com/OALabs/Lab-Notes/blob/main/Hancitor/hancitor.ipynb---- Music / Instrumental by Aries Beats: youtube.com/watch?v=lAVYmC8qFbEyoutube.com/watch?v=3lF8Op_3YtU
Live Coding A Squirrelwaffle Malware Config Extractor OALabs 2021-09-28 | Join us as we reverse engineer Squirrelwaffle and write a config extractor for it in python. Expand for more ...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Unpacked sample:malshare.com/sample.php?action=detail&hash=6095f96dd5eca96a3fb9338eec4ab574921c0febb36f6a6db60aae1aeb9ffcabLab-Notesgithub.com/OALabs/Lab-Notes/blob/main/SquirrelWaffle/SquirrelWaffle.ipynb---- Music / Instrumental by Aries Beats: youtube.com/watch?v=lAVYmC8qFbEyoutube.com/watch?v=3lF8Op_3YtU
RE Tools Spotlight: Binary Refinery - High Octane Malware Triage Analysis OALabs 2021-08-25 | Join us for a test drive of a new malware triage tool suite called Binary Refinery! Expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Chapters:0:56 What is Binary Refinery 3:24 Installation 6:23 Getting Started With The Documentation9:36 Tutorial Extracting PowerShell Dropper Payload24:09 Tutorial Extracting Netwalker Config32:50 Contributing a New Refinery Unit To The Code Base36:33 Ghidra Training Automated unpacking:unpac.me/#Binary Refinery GitHub:github.com/binref/refinerySay hi to Jesko:twitter.com/huettenhainGhidra Training:https://mal.re/RE blog:https://blag.nullteilerfrei.de/Feedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#MalwareTriage #Tools #BinaryRefinery
Leaked Conti Ransomware Playbook - Red Team Reacts OALabs 2021-08-10 | Red Team reacts to leaked Conti hacking handbook. These techniques actually work?! How can we defend against them? Expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Big thanks to Rob for his RedTeam perspective twitter.com/m0rv4i More info on detection including IOCs:labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromiseAlso thanks to twitter.com/James_inthe_box for the translated document:github.com/silence-is-best/files/blob/main/translate_f.pdfInteresting reports on the Conti kill chain from DFIR Report:thedfirreport.com/2021/05/12/conti-ransomwarethedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strikeFeedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net
Python3 Tips For Reverse Engineers OALabs 2021-07-30 | Five tips to level up your reverse engineering with Python 3. Expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Chapters:0:44 Tip 1. Use Jupyter Notebooks and Github 5:16 Tip 2. Remember Byte Strings Are Not Strings8:46 Tip 3. Hex Encode Binary Data For Easy Copying Between Tools12:02 Tip 4. Use Struct To Extract Types From Binary Data16:28 Tip 5. Use Custom Struct Classes To Parse Binary StreamsAutomated unpacking:unpac.me/#OALabs Jupyter Notebooks:github.com/OALabs/Lab-NotesFeedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#ReverseEngineering #Python #HowTo
Warzone RAT Config Extraction With Python and IDA Pro OALabs 2021-07-21 | Join us as we build a configuration extractor for Warzone Rat! Expand for more details....-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Chapters:0:00 Introduction0:59 Locating The .bss PE Section3:19 PE Section Structure4:15. Encrypted Configuration Structure8:15 RC4 Decryption13:51 Python Config Extractor24:26 Parsing The Decrypted Configuration Automated unpacking:unpac.me/#Unpacked samplemalshare.com/sample.php?action=detail&hash=48ff98ed6ae74da9c1fef59b40699baePython Jupyter Notebook:github.com/OALabs/Lab-Notes/blob/main/WarzoneRat/WarzoneConfig.ipynbIDC script (download don't copy paste):gist.github.com/herrcore/ccf46adc5f68dd4b3c74f74e1317e235The following tutorials may help with some of the basic concepts presented in this video.C++ Reversing Basicsyoutube.com/watch?v=o-FFGIloxvEIDA Pro Microcode and x86 Calling Conventionsyoutube.com/watch?v=T0tdj1WDioMRC4 Cryptoyoutube.com/watch?v=CiJocXXMXK4Feedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#ReverseEngineering #Malware #WarZoneRat
Reverse Engineering Warzone RAT - Part 1 OALabs 2021-05-19 | Join us as we reverse engineer Warzone Rat! Expand for more details....-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Chapters:0:00 Introduction4:25 Setting Up IDA 6:15 How to Force hex-rays to Decompile All Functions 7:42 Methodology for Identifying an Embedded Configuration File 9:16 C++ Reversing Basics 18:53 Adding a Struct in IDA 22:10 Fixing Incorrect Struct Size 26:39 Quickly Reversing Functionality 28:42 Reverse Engineering With Structs 32:04 Malware Trick Used to Locate Address in Memory 36:43 Walking a PE File Using Pointers 41:21 Creating and Importing IDC Files Automated unpacking:unpac.me/#Unpacked samplemalshare.com/sample.php?action=detail&hash=48ff98ed6ae74da9c1fef59b40699baeIDC script (download don't copy paste):gist.github.com/herrcore/ccf46adc5f68dd4b3c74f74e1317e235The following tutorials may help with some of the basic concepts presented in this video.C++ Reversing Basicsyoutube.com/watch?v=o-FFGIloxvEIDA Pro Microcode and x86 Calling Conventionsyoutube.com/watch?v=T0tdj1WDioMRC4 Cryptoyoutube.com/watch?v=CiJocXXMXK4Feedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#ReverseEngineering #Malware #WarZoneRat
IDA Pro Decompiler Basics Microcode and x86 Calling Conventions OALabs 2021-01-27 | ** I MADE A MISTAKE **Check out Rolf's excellent explanation of how I got the microcode optimization part wrong:reverseengineering.stackexchange.com/questions/26803/hex-rays-not-properly-showing-strings/26809#26809-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Join us for a look under the hood at how IDA Pro optimizes their microcode (IL) to provide a clean decompiled view. We also reverse engineer a bug in calling convention identification for x86 can lead to cascading issues in the intermediate representation as it is optimized. Automated Malware Unpackingunpac.meIntroduction to IDA's microcodeyoutube.com/watch?v=T-YkhNElvng __fastcalldocs.microsoft.com/en-us/cpp/cpp/fastcall?view=msvc-160__thiscalldocs.microsoft.com/en-us/cpp/cpp/thiscall?view=msvc-160How to force a call typehex-rays.com/products/decompiler/manual/cmd_force_call_type.shtmlLucid IDA Plugin View Microcodegithub.com/gaasedelen/lucidFeedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#ReverseEngineering #IDAPro #IntermediateRepresentation
Malware Triage Analyzing PrnLoader Used To Drop Emotet OALabs 2020-12-10 | Join us for a deep dive into this interesting malware that was used to drop Emotet. We will reverse engineer the loader and provide a tips and tricks for IDA Pro along the way! -----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Automated Malware Unpackingunpac.meAny-Run Sandbox Run of Malicious Documenthttps://any.run/report/dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95/580aa295-111c-4123-957a-ed6c325b0b7fLoader Sample Free Download from Malsharefb07f875dc45e6045735513e75a83c50c78154851bd23a645d43ea853e6800acmalshare.com/sample.php?action=detail&hash=706ea7f029e6bc4dbf845db3366f9a0ePrnLoader decryption script (python)gist.github.com/herrcore/dcbffcdf544b38d87d182c940c5ab24dFeedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#MalwareAnalysis #IDAPro #PrnLoader
Reverse Engineering COVID Tracker App for Android - Privacy Audit OALabs 2020-08-24 | Join us as we reverse engineer an Android COVID tracker app to prove it is safe to use, and respects your privacy. Expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----In my opinion this app is safe to use, but don't take my word for it, use the tools and techniques we demonstrate to test the application for yourself.Google play appplay.google.com/store/apps/details?id=ca.gc.hcsc.canada.stopcovidApple appapps.apple.com/ca/app/id1520284227Government of Canada docs canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert/help.html#7Koodous appkoodous.com/apks/ffc85c359e0dc70ab4cbe1725c6cf79b1dbcdfe0458dce5230c22ef5e4f113cbAPI docsdevelopers.google.com/android/exposure-notifications/exposure-notifications-apiExposure notification sample codegithub.com/google/exposure-notifications-androidSample source for full APPgithub.com/CovidShieldShopify notice about the apphttps://www.covidshield.app/Jd-guihttp://java-decompiler.github.ioAPKtoolibotpeaches.github.io/ApktoolAXMLPrinter2code.google.com/archive/p/android4me/downloadsDex2Jargithub.com/pxb1988/dex2jarReact - Kotlin bridgeproandroiddev.com/react-native-bridge-with-kotlin-b2afde2f70bReact Hermes docshttps://reactnative.dev/docs/hermes/Feedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#ReverseEngineering #Android #PrivacyAudit
How To Sinkhole A Botnet OALabs 2020-07-13 | This is the final part or our in-depth malware reverse engineering series analyzing an IRC worm from 2010. In this part we perform a final high level analysis of the malware then then use our analysis to build a sinkhole for the botnet! -----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Automated Malware Unpackingunpac.meIRC Botnet Reverse Engineering Part 1youtube.com/watch?v=JPvcLLYR0tEIRC Botnet Reverse Engineering Part 2 youtu.be/LtgLa1n9EzEUnpacked binary (malshare)malshare.com/sample.php?action=detail&hash=51e49a9ca65fac6e43827738f90bc475SHA256 hash:4eb33ce768def8f7db79ef935aabf1c712f78974237e96889e1be3ced0d7e619MalwareAnalysisForHedgehogs - Network Worm Basicsyoutu.be/LxajkPFJsIoShadowServer Foundation shadowserver.orgFakenet-NGgithub.com/fireeye/flare-fakenet-ngFeedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#Botnet #MalwareAnalysis #Sinkhole
IRC Botnet Reverse Engineering Part 2 - Analyzing Memory Structures with x64dbg and IDA PRO OALabs 2020-06-14 | The second part of our in-depth malware reverse engineering series analyzing an IRC worm from 2010. In this part we use x64dbg and IDA Pro to analyzed injected memory structures and further prepare the binary for analysis. Expand for more .... -----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Automated Malware Unpackingunpac.me ** I ate some really spicy food before filming, sorry for all the coughing... I am not ded don't worry.IRC Botnet Reverse Engineering Part 1youtube.com/watch?v=JPvcLLYR0tEUnpacked binary (malshare)malshare.com/sample.php?action=detail&hash=51e49a9ca65fac6e43827738f90bc475SHA256 hash:4eb33ce768def8f7db79ef935aabf1c712f78974237e96889e1be3ced0d7e619BinDiff tutorialyoutube.com/watch?v=BLBjcZe-C3IFeedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#MemoryInjection #Botnet #MalwareAnalysis
BinDiff and IDA Pro - Reverse Engineering Speed Hacks OALabs 2020-03-05 | Join us for some quick tips on how to use BinDiff and IDA Pro to speed up your malware triage! BinDiff is much more than just a binary diffing tool, expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Free Automated Malware Unpacking (and so much more):unpac.meDownload BinDiff here for:zynamics.com/software.htmlDownload Orca MSI editor here:technipages.com/download-orca-msi-editorFeedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#ReverseEngineering #IDAPro #BinDiff
IDA Pro Automated String Decryption For REvil Ransomware OALabs 2020-01-27 | Use IDA Pro and python to automatically decrypt the RC4 strings in REvil (Sodinokibi) ransomware. Expand description for details...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Try our free automated malware unpacking service!unpac.meREVil build imports with IDA Pro:youtube.com/watch?v=R4xJou6JsIEIdentifying RC4 encryption in malware:youtube.com/watch?v=CiJocXXMXK4Clean unpacked REvil sample:5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93malshare.com/sample.php?action=detail&hash=890a58f200dfff23165df9e1b088e58fIDA helper functions script (gist):gist.github.com/OALabs/04ef6b2d6203d162c5b3b0eefd49530cIDA 7.xx API backward compatibility with 6.xxhex-rays.com/products/ida/7.0/docs/api70_porting_guide.shtmlBest IDA scripting book ever!!! (pay-what-you-can)leanpub.com/IDAPython-BookFeedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#MalwareAnalysis #IDAPro #Ransomware
UnpacMe Automated Malware Unpacking - How We Built It and Why OALabs 2020-01-06 | unpac.meAutomated malware unpacking! Expand description for more info...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Video Bookmarks:Terminology 4:31Packer Basics 7:27Packer Evolution 10:07Unpacking Basics 25:18Automated Unpacking 26:44Building UnpacMe 1.0 35:58Building UnpacMe 2.0 39:41Some research notes...Saffron BlackHat Talkblackhat.com/presentations/bh-usa-07/Quist_and_Valsmith/Presentation/bh-usa-07-quist_and_valsmith.pdfPacker Attacker Talkslideshare.net/EC-Council/attacking-packing-captain-hook-beats-down-on-peter-packerPintool Unpacking PoChttp://jbremer.org/malware-unpacking-level-pintoolOpen Sourced Frida Based Unpacker (Proof of Concept)github.com/OALabs/frida-extractEndGame Process Injection Techniquesendgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-processFeedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#MalwareAnalysis #Unpacking #Automation
IDA Pro Scripting Intro - Automate Dynamic Import Resolving for REvil Ransomware OALabs 2019-12-01 | Join us for an introduction to IDA Python scripting. In this tutorial we automate resolving the dynamic imports for REvil ransomware. Expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Automated Malware Unpackingunpac.meThis is the 3rd video in a series where we learn some malware reverse engineering fundamentals using the REvil ransomware sample.Part 1 - Unpacking REvil malware:youtu.be/0raUaL4TIo4Part 2 - Reversing the import hash algorithm:youtu.be/hM2Zvsak3GMClean unpacked REvil sample:5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93malshare.com/sample.php?action=detail&hash=890a58f200dfff23165df9e1b088e58fIDA python REvil import builder script:gist.github.com/OALabs/fc68ad4d63fd68c910f32d66fa5e981dDLL export dictionary builder script:gist.github.com/OALabs/94ff4fc02bf02d55a8161068cafd11c0Exports DB (json):gist.github.com/OALabs/536fede0b4ef58fe6ba4d5bde12a78d5Excellent IDA Python book:leanpub.com/IDAPython-BookFireEye Flare Hash Tool:github.com/fireeye/flare-ida/tree/master/shellcode_hashesExcellent blog post on dynamic API hashes:https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/Feedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#ReverseEngineering #IDAPro #IDAPython
IDA Pro Tutorial - Reverse Engineering Dynamic Malware Imports OALabs 2019-10-20 | A step-by-step IDA Pro tutorial on reverse engineering dynamic imports in malware. Expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Automated Malware Unpackingunpac.meClean unpacked REvil ransomware sample that we analyze:5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93malshare.com/sample.php?action=detail&hash=890a58f200dfff23165df9e1b088e58fPart 1 - Unpacking REvil malware:youtu.be/0raUaL4TIo4C++ Reverse Engineering Tutorialyoutu.be/o-FFGIloxvECorkami PE102 visual poster:github.com/corkami/pics/tree/master/binary/pe102Dr. Fu's Security Bloghttp://fumalwareanalysis.blogspot.com/2011/12/malware-analysis-tutorial-8-pe-header.htmlFeedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#ReverseEngineering #IDAPro #MalwareAnalysis
Remcos RAT Unpacked From VB6 With x64dbg Debugger OALabs 2019-08-23 | We rip apart a VB6 packer with a single breakpoint and x64dbg! Exposing Remcos RAT! Expand for more...-----OALABS DISCORDdiscord.gg/6h5Bh5AMDUOALABS PATREONpatreon.com/oalabsOALABS TIP JARko-fi.com/oalabsOALABS GITHUBgithub.com/OALabsUNPACME - AUTOMATED MALWARE UNPACKINGunpac.me/#-----Old VB6 unpacking tutorial:youtu.be/ylWInOcQy2sPacked sample:88a02967d6fa5c0eff65f71b9fae969b8125a20115c2d2ee21053832fdc2fc2bmalshare.com/sample.php?action=detail&hash=15fdc5c025e9d1645df07110c455aa09Unpacked sample:76f21c59dad19f6ed2793e0b744346b9b46dfdd275ad8875365f83b4a84adf1cmalshare.com/sample.php?action=detail&hash=a2cc4bfb996c892cc6c170fadad94a99Feedback, questions, and suggestions are always welcome : )Sergei twitter.com/herrcoreSean twitter.com/seanmwAs always check out our tools, tutorials, and more content over at openanalysis.net#x64dbg #Remcos #Unpacking
