XaiJu
oalabs

oalabs

patreon


oalabs posts

Live Stream VOD: Dumpulator vs. Guloader VEH Obfuscation

In this twitch stream we take another look at Guloader's VEH obfuscation using Dumpulator. With Dumpulator we are able to bypass the obfuscation to extract the encrypted strings, as well as create a simple instruction color trace in IDA to identify the program flow.

Sample

View Post

Live Stream VOD: Unicorn Emulation Tricks (Guloader Part 5)

In this twitch stream we explore some of the more advanced features available for emulation with unicorn. We revisit Guloader for a fifth time and write a fully automated string decryption script with the emulator.

Sample

E3A8356689B97653261EA6B75CA911BC65F523025F15649E87B1AEF0071AE107

Notes

2023-01-13 19:34:18 +0000 UTC View Post

Live Stream VOD: Guloader ( Part 4 ) Deobfuscation

In this twitch stream we take a fourth look at Guloader and finally fully deobfuscate the control flow (VEH redirect) and write a simple string decryptor.

This stream is sort of a wrap up of all the previous streams, we fully fix the control flow obfuscation and use an IDA plugin to removed the VEH redirection. We also write a simple Unicorn emulator script to handle the constant-unfolded-data used to build the encrypted strings.

Sample

2023-01-13 19:29:16 +0000 UTC View Post

Live Stream VOD: Guloader ( Part 3 ) String Decryption and Debugging

In this twitch stream we take a third look at Guloader and begin our analysis of the final stage shell code. The code has been updated from the first sample we looked at but some of the same structure is present which helps with analysis (bindiff!).

Heads up: Once we get stuck on trying to find the decryption key you can skip to the end and save yourself some time 😂 but there are a few tricks that might be interesting if you watch the full way though (dead lock debug...

View Post

Live Stream VOD: Reverse Engineering AMA 2022

This stream was a bit different... we invited eight reverse engineers on to answer your questions! Due to the nature of the stream the VOD has been edited into segments that are loosely organized around a specific question.

A big thanks to everyone who joined to help us out!


Rattle (Jesko)

https://twitter.com/huettenhain 

View Post

Live Stream VOD: Guloader NSIS Delivery Analysis

In this twitch stream we take a second look at Guloader with a focus on its highly obfuscated delivery chain. An NSIS loader is used to execute multiple layers of obfuscated PowerShell which eventually lead to the Guloader shell code.

The goal of this stream is to better understand the obfuscated NSIS delivery techniques used by Guloader and compare them to other iterations of their delivery chain with an aim to identify commonalities. 

This stream ends up being just Part 1 a...

View Post

Live Stream VOD: Guloader Shellcode Analysis

In this twitch stream we take on Guloader. Our approach combines both static and dynamic analysis to bypass the the numerous anti-analysis techniques which make this malware infamous. 

The stream goal is not a full analysis of all of the anti-analysis tricks (10 streams later lol) but instead we want to understand enough about the shell code to write our own static config extractor.

Sample

2022-12-20 04:54:21 +0000 UTC View Post

Live Stream VOD: Brute Ratel Analysis with @BoymoderRE

In this twitch stream we collaborate with @BoymoderRE and take a second look at Brute Ratel. We are using IDArling to share IDB files and while she works on the actual reverse engineering of the binary I attempt to write a static unpacker... this turns into a race which she wins handily! 

Heads up: This stream is...

View Post

Live Stream VOD: More GoLang Malware Reverse Engineering - Static Strings Extraction from Titan Stealer

In this twitch stream we continue our GoLang reverse engineering journey with a focus on static extraction of strings with Python. The malware sample we will be testing our methods on is called Titan Stealer, a credential stealer that is sold openly on the internet.

Sample

A7DFB6BB7CA1C8271570DDCF81BB921CF4F222E6E190E5F420D4E1EDA0A0C1F2  View Post

Live Stream VOD: Reverse Engineering GO Featuring Laplas Clipper

In this twitch stream we start to take a serious look at reverse engineering GoLang malware. We use the Laplas Clipper malware to test some IDA tools and generally get a better understanding of how to approach GO.

Note: The stream starts a bit slow and we spend the first 45 minutes doing some recon on the very poor OPSEC of the malware developers. Skip ahead about 45 minutes to get to the GO reversing.

Sample

2022-12-06 18:56:36 +0000 UTC View Post

Live Stream VOD: N00bs Night 1 - PowerShell Loader and Shellcode Markup

In this twitch stream we attempt our first ever N00bs Night where we cover simple reverse engineering topics with an aim to make the stream accessible to everyone! That being said... I'm not sure how well we succeeded 😅

The first half deals with extracting shell code from a PowerShell loader, and the second half we attempt to mark up some simple x86 shell code in IDA. Things get a bit spicy with the IDA types...

Samples

2022-11-28 03:55:23 +0000 UTC View Post

Live Stream VOD: Tofsee String Decryption Another C++ Win!

In this twitch stream we take a look at Tofsee a simple spambot written in C++ with a funny string encryption trick. We also discuss some methods for automatically locating string references in assembly.

Samples

96baba74a907890b995f23c7db21568f7bfb5dbf417ed90ca311482b99702b72 

Notes

2022-11-28 03:49:09 +0000 UTC View Post

Live Stream VOD: AgentTesla Config Extraction with Automated .NET Parsing (dnlib and Python)

In this twitch stream we use AgentTesla as an example to learn more about automated .NET parsing using dnlib and Python. We are able to locate and decrypt the strings table protected with the open source .NET obfuscator called obfuscar.


Samples

20f4ec03549be469302c0fcb5f55307680fd189aa733f90eb5...

View Post

Live Stream VOD: Amadey Analysis Getting Good at C++ STL Struct Reconstruction

In this twitch stream we take a look at a new variant of Amadey with an emphasis on putting our new C++ STL reversing skill to the test. We manage to create a very clean marked up IDB which significantly speeds up our RE!

Sample

18A38FA6F5B306243D99621556AF948A61DAED29619AB755E25010F9E254C6BD

Notes

Amadey Loader 

View Post

Live Stream VOD: Reverse Engineering C++ STL Types (First Attempt)

In this twitch stream we attempt to define a repeatable process for identifying  MSVC STL types in compiled C++. Dealing with these types has been an issue for us during previous malware analysis adventures and we want to figure out a sane approach... though we do make some headway we are ultimately left with three topics that need further research...

Sorry for the potato quality! Just before stream I updated OBS (lol bad move) and of course it broke all my setting...

View Post

Live Stream VOD: BitRat Analysis (C++) - Part 3

In this twitch stream we conclude our three-part series on analyzing RitRat, a C++ RAT that is sold and generally used for eCrime activity but has also been linked to nation-stage backed targeted attacks.

The functionality of this RAT is fairly straight forward but its use of the C++ Standard Template Library makes reverse engineering a challenge. In this stream we finally setup the correct std::string type and our IDB magically begins to look like something readable... we then complete...

View Post

Live Stream VOD: BitRat Analysis (C++) - Part 2

In this twitch stream we continue our three-part series on analyzing RitRat, a C++ RAT that is sold and generally used for eCrime activity but has also been linked to nation-stage backed targeted attacks.

The functionality of this RAT is fairly straight forward but its use of the C++ Standard Template Library makes reverse engineering a challenge. In this stream we try use BinDiff to annotate our IDB with the ...

View Post

Live Stream VOD: BitRat Analysis (C++) - Part 1

In this twitch stream we take our first look at RitRat, a C++ RAT that is sold and generally used for eCrime activity but has also been linked to nation-stage backed targeted attacks.

The functionality of this RAT is fairly straight forward but its use of the C++ Standard Template Library makes reverse engineering a challenge. This simple analysis turned into a three-part series where we attempted various C++ analysis plugins and techniques rather than focusing on the RAT specifically.<...

View Post

Live Stream VOD: Building A Simple Malware Tracker for DbatLoader

In this twitch stream we complete our mini two part series on Threat Intelligence by building a simple malware tracker for DbatLoader. 

Notes

Threat Intel - Building A Simple Botnet Tracker

View Post

Live Stream VOD: What is Threat Intelligence and Why Do We Reverse Engineer Malware

In this twitch stream we talk about what Threat Intelligence means in practice; how companies use intelligence products, how the products are developed, and how reverse engineering malware fits into the picture...

This is Part 1 of a two part series where we build a simple botnet tracker for dbatloader.

Notes

2022-10-16 23:02:35 +0000 UTC View Post

Live Stream VOD: Icarus Stealer Analysis

In this twitch stream we take a look at a new .NET RAT openly sold as Icarus. The stream takes an interesting turn when we discover the C2 infrastructure is incorrectly configured...

Samples

8e88de63c132f964891dd00501bee5078f27dfcec7ca122f19bd43f9ed933427 

Notes

2022-10-16 22:58:26 +0000 UTC View Post

Live Stream VOD: Building a Config Extractor for ISFB

In this twitch stream we take a look at Gozi / ISFB / RM3 etc. and develop a config extractor which works on the latest variants. This is mostly a coding stream where we update an old extractor and make it work with modern samples.

Samples

33D6C2BF629E34D4F11F3C680A3EF60501769DBDAC658E3A4A119D5AC81BFF79 

Notes View Post

Process Memory Basics for Reverse Engineers Module 3 - Memory Protections

This is the third and final part in our three-part series on process memory with a focus on tracking memory with a debugger. In this tutorial we look at process memory protections and specifically how the PAGE_GUARD works, and what a memory "breakpoint" is in x64dbg.

Further Reading

Process Memory Basics for Reverse Engineers Module 2 - Heap Memory

This is the second part in our short three-part series on process memory with a focus on tracking memory with a debugger. In this tutorial we look at the heap and how to investigate heap memory with x64dbg.

Further Reading

Live Stream VOD: Leaked LockBit Ransomware Builder Analyzed

In this Twitch stream we take a look at the recently leaked LockBit Ransomware Builder. We compare our previous RE analysis of the ransomware binary with the actual builder config (some surprises, but we were mostly correct). And we take a look the possibility of the building being used by individual unaffiliated Threat Actors (TA) to start their own ransomware campaigns. 

Samples

We aren't going to link to the leaks for reasons that will become apparent by the end of the s...

View Post

Process Memory Basics for Reverse Engineers Module 1 - Watching Memory Allocations With a Debugger

This is the first in a short three-part series on memory allocation with a focus on tracking memory with a debugger. In this tutorial we look at the basics, how is memory allocated, and how to follow memory allocations with x64dbg.


Further Reading

Live Stream VOD: Clipboard Hijacking Detection

In this Twitch stream we take a look at a simple malware (great for practicing RE) that is used to steal crypto by substituting wallet addresses that are copy pasted from the clipboard. 

We analyze the malware functionality and build some static detection with a Yara rule so we can generically identify this behaviour. 

Sample

2022-09-22 16:56:05 +0000 UTC View Post

Live Stream VOD: PrivateLoader Analysis

In this twitch stream we take a look at PrivateLoader, a pay-per-install malware that contains a lot of anti-analysis tricks (junk code, stack strings, etc.) Our main focus in the stream is building a working string decryption tool that doesn't rely on IDA. 

Sample

1aa2d32ab883de5d4097a6d4fe7718a401f68ce95e0d2aea63212dd9...

View Post

Live Stream VOD: DbatLoader Analysis

In this twitch stream we take a look at dbatloader, a simple Delphi downloader that is used to download and execute other malware. This would be a straightforward analysis except the binary is written in Delphi and requires a lot of time to untangle... jump ahead to around 3:30 to get to the part where we begin to make progress.

Sample

2022-09-22 16:40:57 +0000 UTC View Post

Live Stream VOD: SmokeLoader Analysis Part 3 - Stage 3 Decrypted and Config Extracted

The conclusion to our analysis of SmokeLoader! All the secrets are revealed and it's grrr-eat! We finally figure out the missing piece for the API hashes and resolve them. This leads us to the missing piece of the puzzle for extracting Stage 3 - LZSA2 decompression! 

Once we have decrypted and decompressed Stage 3 we quickly locate the encrypted strings table, and the encrypted C2 table building ourselves a static config extractor!

This was a pretty triumphant conclusion if I...

View Post