XaiJu
oalabs

oalabs

patreon


oalabs posts

Live Stream VOD: StrelaStealer Exposed

In this Twitch stream we take a close look at an email stealer that has been flying under the radar for years and expose a small e-crime operation in the process! 

Due to your positive feedback on the past few VODs I have left in more of the stream banter. Things devolve a bit into a meme stream in the middle of the recording but if you skip ahead we get back into the technical stuff.

As always, looking for your feedback on this format. More banter, less banter? Let me know w...

View Post

Understanding PE Parsing for Reverse Engineers Part 1 - PE Headers

This is the first in a four-part series on PE parsing from a reverse engineering perspective. In this tutorial we walk through the PE headers and demonstrate how to mark up code that is parsing these headers in IDA.

Code References

The following are links to the code that was used in the tutorial. These are handy to keep as references as they have the structures and patterns that can be used in IDA when marking up pseudocode.

Further Reading

Understanding PE Parsing for Reverse Engineers Part 2 - The Section Table

This is the second in a four-part series on PE parsing from a reverse engineering perspective. In this tutorial we take a deep dive into the PE section table and discuss the difference between mapped and unmapped PE files.

Code References

The following are links to the code that was used in the tutorial. These are handy to keep as references as they have the structures and patterns that can be used in IDA when marking up pseudocode.

Understanding PE Parsing for Reverse Engineers Part 3 - Data Directory and Imports

This is the third in a four-part series on PE parsing from a reverse engineering perspective. In this tutorial we explore parsing the PE import table. We also introduce a new structure PE_BASE to help with marking up pseudocode in IDA.

Code References

The following are links to the code that was used in the tutorial. These are handy to keep as references as they have the structures and patterns that can be used in IDA when marking up pseudocode.

Understanding PE Parsing for Reverse Engineers Part 4 - Data Directory and Exports

This is the final tutorial in our four-part series on PE parsing from a reverse engineering perspective. In this tutorial we explore parsing the PE export table. We conclude the tutorial with a complete PEB walk example parsing the exports from NTDLL.

Code References

The following are links to the code that was used in the tutorial. These are handy to keep as references as they have the structures and patterns that can be used in IDA when marking up pseudocode.

Live Stream VOD: LegionLoader (OALABS Podcast?)

This Twitch stream is a little chaotic... you aren't hearing voices... anyone from the Discord and Patreon is free to join in the conversation as we test a new interactive RE concept.

The voices you heard in no particular order...

Understanding The PEB for Reverse Engineers Part 1 - Accessing The PEB

This is the first in a short two-part series on the Process Environment Block (PEB) and the Thread Environment Block (TEB). In this tutorial we introduce the PEB and the TEB and provide some background on how these data structures are accessed programmatically. We also provide some tips for identifying and marking up PEB access in IDA.

Code References

The following are links to the code that was used in the tutorial. These are handy to keep as references as they have the structu...

View Post

Understanding The PEB for Reverse Engineers Part 2 - Walking The PEB

This is the second in a short two-part series on the Process Environment Block (PEB) and the Thread Environment Block (TEB). In this tutorial we focus on how a processes’ modules (DLLs) can be accessed via the PEB. We also introduce the concept of “walking the PEB”, the CONTAINING_RECORD macro, and shifted pointers.

Code References

The following are links to the code that was used in the tutorial. These are handy to keep as references as they have the structures and patter...

View Post

Live Stream VOD: in2al5dp3in4er Drops Aurora Stealer

In this Twitch live stream we unpack in2al5dp3in4er loader which is using CreateDXGIFactory to detect sandboxes based on their lack of graphics card and triage its payload Aurora Stealer.

Samples

66383d931f13bcdd07ca6aa50030968e44d8607cf19bdaf70ed4f9ac704ac4d1 

Notes

2023-05-04 06:28:53 +0000 UTC View Post

Live Stream VOD: CryptNET Ransomware

In this Twitch stream we take a look at CryptNET ransomware a ransomware written in .NET and protected with .NET Reactor.

Samples

2e37320ed43e99835caa1b851e963ebbf153f16cbe395f259bd2200d14c7b775 

Notes

CryptNET Ransomware: New DOTNET ra...

View Post

Live Stream VOD: Automated XORStringsNet Decryptor

In this Twitch stream we build an automated strings decryptor for the .NET XORStringsNet cryptor adopted by AgentTesla, Redline, and others.

Samples

d56f2852762f7f9fcb07eaf018e143ab1e4ad46e1f2e943faf13618388ef21a2 

Notes

2023-04-22 15:00:04 +0000 UTC View Post

Live Stream VOD: Quasar Chaos

In this Twitch stream we analyze a version of Chaos Ransomware builder that has been backdoored with Quasar RAT!


Samples

141056b82cd0a20495822cd2bcd5fae5c989c6d24dac5a5e3c3916f1b406bdb9 


Notes

Quasar Chaos: ...

View Post

Live Stream VOD: IcedID GZip Loader vs. Photo Loader

In this Twitch stream we investigate the difference between IcedID's older photo loader and newer gzip loader. 

Samples

Live Stream VOD: AresLoader Fun

In this Twitch stream we have some fun reverse engineering all the stages in AresLoader. 

This VOD is a little wilder than our usual streams, I decided to leave in some more of the banter etc. You guys let me know if you want more of this or if you prefer the more edited cleaner streams?

Samples

7572b5b6b1f0ea8e857de568898cf97139c4e5237b835c61fea7d91a6f1155fb ...

View Post

Live Stream VOD: 3CX Supply Chain Attack Malware Analyzed

In this Twitch lives stream we reverse engineer the 3CX software backdoor and associated downloader chain.

Samples

Live Stream VOD: VBScript Emulation Research Part 3 - Dumpulator Emulation!

In this Twitch stream we complete our 3-part research series on emulating VBScript with a fully emulated VBScript running on Dumpulator.

Note: This is a research stream so it is long and progress is slow as I make a lot of mistakes, also near the end I'm so tired... but we prevail! 

Extra big thank you to Mishap who really carried this one <3 

Emotet WScript Sample

2023-03-29 07:37:27 +0000 UTC View Post

Live Stream VOD: VBScript Emulation Research Part 2 - Debugging VBScript.dll

In this Twitch stream we continue our 3-part research series on emulating VBScript with a deep dive into the vbscript.dll.

Note: This is a research stream so it is long and progress is slow as I make a lot of mistakes while learning how all the components in the scripting engine work together.  

Emotet WScript Sample

1c3...

View Post

Live Stream VOD: VBScript Emulation Research Part 1 - Emotet OneNote Malware

In this Twitch stream we start our 3-part research series on emulating VBScript by looking at the new Emotet OneNote docs being used to execute WScript malware.

The first part of the stream we quickly triage the OneNote document, extract the WScript and manually deobfuscate the script.

The rest of the stream is dedicated to starting our automated VBScript deobfuscation project as we learn more about how cscript.exe and vbscript.dll work under the hood.

Emotet WScript Sample...

View Post

Live Stream VOD: CryptBot Malware Triage

In this Twitch stream we triage CryptBot a C++ INFOSTEALER that has been in operation since 2019.

The main focus of the stream is building a decent config extractor and a good yara rule for this malware but we have a little fun looking up its origins along the way.

Sample

7ccda59528c0151bc9f11b7f25f8291d99bcf541488c009ef14e2a104e6f0c5d 

Notes

View Post

Live Stream VOD: QVoidStealer .NET Cringe

In this Twitch stream we take a look at QVoid Stealer an open source .NET INFOSTEALER that has been dropped along with RedLine.

Set your expectations low for this one... really F-Tier stealer but we push through the cringe and write a Yara rule and a Config extractor.

Sample

ef7bb2464a2b430aa98bd65a1a40b851b57cb909ac0aea3e53729c0ff900fa42 

Notes

View Post

Live Stream VOD: PikaBot Part 3 (Config)

In this Twitch stream we complete our analysis of PikaBot and write a static config extractor to pull out the PS loader code and C2.

Samples

  • Packed
    67c61f649ec276eb57fcfe70dbd6e33b4c05440ee10356a3ef10fad9d0e224ef
  • Unpacked
    05d1b791865c9551ed8da6a170eb6f945a4d1e79cb70341f589cc47bacf78cc3
  • UnpacMe Analysis

Notes View Post

Live Stream VOD: PikaBot Part 2

In this Twitch stream we complete our analysis of the PikaBot loader. We use Dumpulator and some IDA scripting to resolve all of the encrypted stack strings and the dynamic imports, then we analyze the functionality.

Note* at the end of the stream I miss an important function call in the binary which is responsible for the registry key loading, we tackle this in the next stream!

Sample...

View Post

PikaBot VOD: Part 1

In this Twitch stream we take a look at a new loader called PikaBot! This stream is dedicated to the preparation of the binary for analysis, decrypting strings, resolving dynamic imports etc.

Note* We waste the majority of this stream trying to get the DLL to load in a debugger properly. The DLL is not relocatable but for some reason the VM I am using insists on relocating it which causes it to crash. I'm still not sure why this was happening.

Samples

Live Stream VOD: Yara Triage How-To with SoulSearcher Malware and a Mystery Worm

In this Twitch stream we work through the process of triaging a bad Yara rule and disambiguating the relationship between SoulSearcher Malware and a mystery worm!

Yara Rule

Malpedia SoulSearcher 

Soul Searcher Samples

All samples available on UnpacMe 

Live Stream VOD: Unpacking .NET Deep Dive with Drakonia

Fo this Twitch stream we are joined by special guest @dr4k0nia for a deep dive into .NET reverse engineering!

Drakonia takes us through multiple layers of unpacking while answering your .NET questions from chat. If you want to follow along at home the sample she is analyzing is available on Malshare...


First stage (PowerShell script)

2023-02-21 21:54:33 +0000 UTC View Post

VOD Tutorial - Ransomware Decryption: How To Find and Exploit Crypto Flaws with @fwosar

Special guest @fwosar gives us a live tutorial covering ransomware cryptography, and takes us through an example breaking ransomware and recovering encrypted files.

Sample

The reference sample used in the Tutorial is GetCrypt ransomware. 

2023-02-12 23:27:09 +0000 UTC View Post

Live Stream VOD: Rhadamanthys Part 4 - Loader Final Stage C2 Extraction

In this twitch stream we complete our config extractor for the final stage of the Rhadamanthys loader. 

Surprisingly most of the work can be done statically but we do use dumpulator to speed up a few things.

Samples

Packed Parent

dca16a0e7bdc4968f1988c2d...

View Post

Live Stream VOD: Rhadamanthys Part 3 - Stage 3 API Resolving

In this twitch stream we take a look at Stage 3 of Rhadamanthys. This is the final stage of the loader. This stage is also position independent shell code and we spend the entirety of the stream marking up relative offsets and resolving APIs to make the code readable in IDA.

Samples

Packed Parent

dca16a0e7bdc4968f1988c2d38db133a0e742edf702c92...

View Post

Live Stream VOD: Rhadamanthys Part 2 - Emulating Shellcode

In this twitch stream we take a look at Stage 2 of Rhadamanthys and use Dumpulator to create a simple unpacker. 

We spend the first hour marking up the Stage 2 shell code, the emulation work starts at the 1h 13min mark. 

Samples

Packed Parent

dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5...

View Post

Live Stream VOD: Rhadamanthys Part 1 - Stage 1 Shellcode and Shifted Pointers

In this twitch stream we take a look at Rhadamanthys, a stealer malware that uses multiples stages of shell code to protect its payload. 

We start out unpacking the first stage but end up spending a lot of time trying to make a simple PEB walk look nice in IDA using Shifted Pointers. This is one tip that we shouldn't soon forget! 

Sample

2023-01-26 19:25:16 +0000 UTC View Post