In this live stream we triage Creal Stealer, a Python stealer which has been packed with PyInstaller. We cover the differences between Python byte code disassembly and decompiling as well as provide a few tips for decompiling newer versions of Python.
Shout out to Karsten for his YouTube short which covered the same topic in 30 sections instead of an hour... go sub you you aren't already! Reversing PyInstall...
2024-05-21 01:51:57 +0000 UTC
View Post
Part two of our live stream looking at Zombieware and in this part we fully reverse engineer the file infector COSMU and build an extractor tool to recover files that have been infected by it.
Samples
Self-replicating malware, long abandoned by its operators, continues to contribute significant volume and noise to malware feeds. We investigate this trend, which we refer to as Zombieware!
Full Zombieware blog post can be found on our UnpacMe blog here:
Zombieware: Malware That Never Dies...
Ladislav Zezula's excellent talk from BSides Prague can be found here:
<...
2024-05-05 14:00:08 +0000 UTC
View Post
Just a quick tip taking advantage of a new feature in x64dbg and the WOW64 translation layer to trace syscalls. Since we are tracing all syscalls that go through the WOW64 translation this also catches indirect syscalls!
References
This is the second part of our series on removing the code obfuscation from the latest version of Lumma Stealer. The stream is more of a short re-cap of the completed tool from the first stream where we go over the shortcomings and discuss possible future approaches.
There is also a bit of technical difficulty in the middle when Twitch decided to completely drop our stream! Lol thanks Jeff!
P.S.
If anyone knows why the make instruction IDAPython code was not ...
2024-04-21 14:00:09 +0000 UTC
View Post
Stack pointer analysis failed, it's happened to us all. This is just a quick tip with an overview of why this is happening and how to troubleshoot it.
Sample
The sample being examined is from Practical Malware Analysis, the lab binary 15-3. Normally we prefer to use real malware for our examples and not prepared samples but in this case the tip was made in response to a specific question on our discord. Note the sample has already been patched.
This is the first part of our series on removing the code obfuscation from the latest version of Lumma Stealer. In this VOD we identify the opaque predicate patterns that are preventing IDA from reconstructing the control flow and we begin to build an IDAPython script to remove them.
Sample
This tutorial outlines how to use dynamic analysis to speed up static analysis by dynamically identifying high value reverse engineering targets in the target binary. Our example is a Danabot malware that is using a tricky method to hide its configuration C2s.
Tools
This tutorial provides an overview of the Delphi reverse engineering tips that we have covered in past streams. The key is using IDR to extract compiler information from the binary and apply it to IDA prior to starting your reverse engineering.
References
In this stream we attack a Themida protected C2 config using tracing in x64dbg and some other tricks. The malware analyzed is an older socks proxy botnet called Socks5Ssystemz which has been operating under the radar for years.
Note: This stream was was split over two days due to a surprise migraine! The themida RE starts at around the 40min mark.
Samples
At OALABS it is our mission to bring you the kind of reverse engineering tutorials that we wished we had when we were first learning to analyze malware. Our tiers are organized into three simple categories, and our discord is free for everyone!
In this stream we take a look at a new version of GCleaner with a particularly weak string encryption algorithm. Instead of attacking this statically we used some advanced breakpoint features in x64dbg.
Hint -- this approach will work for all encrypted string that are decrypted in the CRT setup functions.
Once we extract the strings we poke around an open directory for one of the C2s and discover how the backend payload delivery works.
Samples
In this stream we analyze a unique delivery chain that uses a bug in GitHub to mimic popular repositories and deploy malware. We also do a deep dive into Lua malware!
The first 30min are describing the GitHub delivery of the malware, the Lua work starts after that. The real Lua work starts around 2h 55m when we build a custom Lua JIT interpreter with our own instrumentation hooks!
Special Thanks
Special thanks to the following people for helping with the Lua and GitH...
2024-03-12 14:16:42 +0000 UTC
View Post
In this stream we take a look at the new PikaBot loader which uses indirect syscalls to evade AV/EDR. As part of the analysis we develop a quick way to trace indirect syscalls with x64dbg and use this method to unpack the final payload.
Syscall work starts around the 40min mark π
Sample
fd8c7df2940c86b821c05d9376f7dc3716306f8e0a933e2e161da09989907ca3 [2024-03-02 19:57:09 +0000 UTC
View Post
The final part of our series on reverse engineering VM protection in VMZeus. We update our Binary Ninja plugin to lift the VM code!
There are no notes for this stream, instead we have setup a GitHub repository for our plugin code: ZVM. References and documentation can be found in the Readme.
Sample
f792997cb36a477fa55102ad6b680c97e3517b2e63c83c802bf8d57ae9ed525e
2024-02-20 01:37:39 +0000 UTC
View Post
This is the fifth pare in our series on reverse engineering VM protection in VMZeus. We convert our disassembler into a Binary Ninja plugin!
There are no notes for this stream, instead we have setup a GitHub repository for our plugin code: ZVM. References and documentation can be found in the Readme.
Sample
f792997cb36a477fa55102ad6b680c97e3517b2e63c83c8...
2024-02-14 20:07:10 +0000 UTC
View Post
This is the fourth part of our series on reverse engineering the VM protection in VMZeus. Finally we finish our disassembler! We finish the instruction definitions then spend the majority of the stream troubleshooting some very silly mistakes.
During the troubleshooting we also use a debugger to trace the VM which is the "simplest" method for breaking VMs... just run them!
Sample
f792997cb36a477fa55102ad6b680c97e3517b2e63c83c802bf8d57ae9ed525e 2024-02-06 20:05:25 +0000 UTC
View Post
This is the third part of our series on reverse engineering the VM protection in VMZeus.
This is a grind stream where we build the framework for our custom disassembler and begin to implement the instruction definitions using the reverse engineering work from the previous stream. This is a core part of the series and explains the idea behind a disassembler and how to architect one.
πΈ Finally crisp IDA text!!! I think I finally fixed my recording issues!
Sample
...
2024-01-30 15:00:07 +0000 UTC
View Post
This is the second part of our series on reverse engineering the VM protection in VMZeus.
This is a grind stream where we work through each instruction handlers, reverse engineer the semantics of each instruction. At the end of the stream we have our first overview of the entire instruction set and we can see that despite the number of instructions the actual language is very simple and is not Turing complete. Stay tuned for the next stream where we begin to formalize the instructions a...
2024-01-27 15:00:08 +0000 UTC
View Post
Unlocked For Everyone π
This is the final part of our four-part tutorial series covering YARA basics. In this tutorial we cover the foundations of writing efficient YARA rules and provide some tips that can help speed up your YARA hunts.
To accompany this tutorial we also have a post on the UnpacMe site that covers the basics of 2024-01-17 01:01:35 +0000 UTC
View Post
Unlocked For Everyone π
This is the third part of our four-part tutorial series covering YARA basics. In this tutorial we cover different use cases for YARA and how these use cases will impact the rule development and deployment.
Unlike the other tutorials in this series this tutorial is more theoretical and is intended to provide some background on when certain types of rules should and...
2024-01-17 00:41:59 +0000 UTC
View Post
Unlocked For Everyone π
This is the second part of our four-part tutorial series covering YARA basics. In this tutorial we demonstrate how to hunt for malware using the free YARA scanning service on Unpac.Me.
References
Unlocked For Everyone π
This is the first part of our four-part tutorial series covering YARA basics. In this tutorial we cover the basics of YARA, how it works, and how to build a simple rule.
Full documentation for YARA can be found on the YARA Documentation site.
References
Our first stream of 2024 and we are taking a slightly different approach! We are going to reverse engineer the VM protection in VMZeus.
In this stream we outline our method of attack and identify the dispatcher and instruction handlers. This sets us up to reverse and label the instructions on the next stream.
Sample
f792997cb36a477fa55102ad6b680c97e3517b2e63c83c802bf8d57ae9ed525e 2024-01-12 23:24:53 +0000 UTC
View Post
In this stream we analyze a unique crypto stealer that appears to have been built custom to target a hardware wallet. We perform a full analysis of the malware to determine how it works, and investigate it's potential origin.
Sample
3333e2846173468a7bf9dc859e2a0418a4bf1a2840802b397463fce5398fb6d3 [UnpacMe]
Notes
2023-12-30 21:38:43 +0000 UTC
View Post
In this stream we analyze the SparkRAT GO malware using GoReSym and write a config extractor. This is a good introduction to GO malware.
Sample
6c4cb9d518f725b5c92f68699992f5525592328a47517d5897d971aac0ab6539 [UnpacMe]
Notes
SparkRAT - Open ...
2023-12-30 21:32:46 +0000 UTC
View Post
We take a look at this .NET stealer that is possibly a clone or new version of Agent Tesla.
There is also a horrific π·οΈ surprise around the 27min mark....
Sample
b1114c27beb856eae1f9fba0a880450702b7bda007f0fbacc4d5df561d83ec88 [UnpacMe]
Notes
2023-12-30 21:27:10 +0000 UTC
View Post
In this stream we continue our analysis of Danabot with a focus on the core component. Danabot is written in Delphi which requires some additional tooling on top of IDA to reverse engineer.
Building on our use of IDR in the last stream, we extract the "record" metadata (struct) and use it to identify key information in the binary. We also demonstrate how to diff an older version of the malware records with a...
2023-12-20 01:21:49 +0000 UTC
View Post
In this stream we take a look at a version of the Danabot Loader. Danabot is written in Delphi which requires some additional tooling on top of IDA to reverse engineer.
First we use IDR to recover the Delphi types then we use HashDB to resolve the dynamic imports and being triaging the binary. We build some structs for the main network ...
2023-12-12 02:22:14 +0000 UTC
View Post
A short tutorial demonstrating how to use x64dg to dynamically decrypt the encrypted strings in Pikabot. Though we are using Pikabot as an example this technique is generally applicable to any string encryption that requires a function call to decrypt each string.
Reference sample:
39d6f7865949ae7bb846f56bff4f62a96d7277d2872fec68c09e1227e6db9206
The full VOD for th...
2023-12-03 01:45:53 +0000 UTC
View Post