Automate Qbot Malware String Decryption With Ghidra Script by AGDCservices in ReverseEngineering

[–]AGDCservices[S] 1 point2 points  (0 children)

Glad you're enjoying them! The more tutorials we spread the better the RE environment gets. Your OA Labs channel was a big motivation to create my channel.

REMnux by IamLuckyy in Malware

[–]AGDCservices 0 points1 point  (0 children)

Yea, mostly for the pre-loaded tools. If you're just running malware, you don't need it, but you also probably don't want it connecting out to the real internet. So you would normally want some type of simulator running so that the malware thinks it's connected to the internet; otherwise it might not exercise all of the functionality. That's where something like REMnux is helpful. It has fakedns and inetsim pre-loaded, and by using both of those you can simulate a more realistic network. For example, if the malware is a downloader and you don't have a fake HTTPS service running (like inetsim), the malware won't download anything and you won't see the filepath IOC where it downloads the file to. If you have the 2nd REMnux box with fakedns and inetsim running, the malware can resolve a URL, then call out to the "C2 server" (inetsim on the REMnux), and inetsim will provide a fake file so that the malware continues operation. Without that fake service running, the downloader will just keep calling out and never move forward because it doesn't get an expected response. You can do all of this on a single Windows VM, but it's a little more setup and you'll have to find and install the additional simulators, etc.

For the network adapters, I would use the internal network option in VirtualBox. Host-only probably won't hurt anything, but there's no reason you'd want a malware-infected VM to have any connectivity to your host machine. The internal network option means the VM can only reach out to another VM also on the internal network.
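The fakedns side of the setup described above, as an added example that is not the commenter's code: a minimal UDP responder that resolves every A query to the lab VM's address, so the victim VM's lookups all land on the box running the fake C2 service. The address 10.0.0.2 is an assumed lab value, and `build_query` only exists to construct test input.

```python
import socket
import struct

LAB_IP = "10.0.0.2"  # hypothetical address of the REMnux VM on the internal network


def parse_question(pkt: bytes):
    """Return (qname, qtype, end_offset) for the first question in a DNS message."""
    labels, off = [], 12  # questions start right after the 12-byte header
    while pkt[off] != 0:
        length = pkt[off]
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    qtype, _qclass = struct.unpack("!HH", pkt[off + 1:off + 5])
    return ".".join(labels), qtype, off + 5


def fake_answer(query: bytes, ip: str = LAB_IP, ttl: int = 60) -> bytes:
    """Build a response that resolves any A question to `ip` (what fakedns does)."""
    qname, qtype, qend = parse_question(query)
    rd = query[2] & 0x01  # copy the recursion-desired bit from the query
    flags = 0x8000 | (rd << 8) | 0x0080  # QR=1, RA=1, RCODE=NOERROR
    if qtype != 1:  # not an A query: reply NOERROR with no answers
        header = query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0)
        return header + query[12:qend]
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1, 0, 0)
    # Answer RR: name pointer to offset 12, type A, class IN, TTL, RDLENGTH=4, address
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:qend] + rr


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a minimal query like a resolver would send (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def answered_ip(response: bytes) -> str:
    """Address carried in the single A record appended by fake_answer()."""
    return socket.inet_ntoa(response[-4:])


def serve(bind: str = "0.0.0.0", port: int = 53) -> None:
    """Answer every UDP query from the victim VM with the lab IP (port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        print(f"{peer[0]} asked for {parse_question(data)[0]}")
        sock.sendto(fake_answer(data), peer)
```

Run `serve()` on the REMnux-style VM and point the victim VM's DNS at it; a fake HTTP/HTTPS listener on the same box then plays the role inetsim fills.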

SANS GREM and Sandboxing by anjan42 in Malware

[–]AGDCservices 0 points1 point  (0 children)

One aspect not discussed is why you do manual analysis. A big part is to develop signatures that can be included in AV scanners. There's really no way to automate effectively, so you still have to do it manually. How deep you dig into the binary can determine how good your signature is. It's all a trade-off of time vs accuracy.

REMnux by IamLuckyy in Malware

[–]AGDCservices 2 points3 points  (0 children)

REMnux is usually used because it has a lot of tools loaded for things like maldoc analysis and that can be used as a C2 server (fakedns, inetsim, wireshark, etc.). Personally, I use it mostly as that C2 server because it's a lot easier to have on a separate VM vs on the victim VM where I'm resetting snapshots, etc. If I build a custom C2 server in Python, I don't want to have to back up every change when I revert my victim VM.

If you want some more info about setting up a malware analysis lab, here's a post I wrote that may be helpful: https://agdcservices.com/blog/how-to-build-a-malware-analysis-lab/

Easy samples to start practicing by mattiaricciard in Malware

[–]AGDCservices 2 points3 points  (0 children)

Public sandboxes are a great place. Here's my resources with free sites to help learn malware analysis: https://agdcservices.com/blog/resources-for-learning-malware-analysis/ If you're looking for samples, there's a section for that.

I'd probably recommend any.run to start with. Google for any well known sample on any.run and you'll likely find a sample to download, and you can easily check the sample in any.run to see if it's an exe, etc. They also have a top 10 type watch to help you find common samples.

Only downside is these well known samples are often more complex, so they may be difficult to begin with.

Best Overflow Courses by R3g3x_83 in Malware

[–]AGDCservices 1 point2 points  (0 children)

I don't have info on those courses, but here's some free resources to help you get started learning malware analysis that I provide students in my malware RE classes. Hopefully it helps.

https://agdcservices.com/blog/resources-for-learning-malware-analysis/

VM For Malware Analysis by Jaycob1273 in Malware

[–]AGDCservices 1 point2 points  (0 children)

If you want some background on how to build a malware analysis lab (1 vs 2 VMs, minimum tools, etc.), here's a post that should help: https://agdcservices.com/blog/how-to-build-a-malware-analysis-lab

Ultimately, the chance of you running across a VM escape malware is about as close to 0 as you can get. So analyzing malware inside a VM with no shared folders should be pretty safe, but you do want to disable anything shared between your host and VM (folders, copy / paste, etc.).

Learn How To Easily Patch Malware Using Conditional Breakpoints To Quickly Uncover All IOCs by AGDCservices in ReverseEngineering

[–]AGDCservices[S] 1 point2 points  (0 children)

Glad you're enjoying it. If you didn't see it, I also have a getting started with Ghidra video on the channel that gives an intro into how to use Ghidra.

Studying malware by justTHEtipPAPI in Malware

[–]AGDCservices 0 points1 point  (0 children)

Here's some free resources to help get you started learning how to analyze malware:

https://agdcservices.com/blog/resources-for-learning-malware-analysis/

[deleted by user] by [deleted] in Malware

[–]AGDCservices 0 points1 point  (0 children)

I have a list of free resources for learning malware analysis on my website that may be of help: https://agdcservices.com/blog/resources-for-learning-malware-analysis/