Godbolt: Your Gateway to Learning Reverse Engineering

Are you interested in reverse engineering and software security but not sure where to start? In this article, we introduce you to Godbolt.org—a powerful, web-based ally in your journey toward mastering assembly and dissecting binary logic.

Best Beginner Reverse Engineer Lab Setup

Setting up a malware analysis lab is often the biggest hurdle for beginners. In this guide, we showcase RETOOLKIT—a powerful solution that automates your tool installation, getting your VM ready for research in under 10 minutes.

Good Faith - Computer Fraud and Abuse Act Changes

The Computer Fraud and Abuse Act (CFAA) has long been a source of anxiety for the security community. In this article, we examine the evolution of this 1986 law and the recent, pivotal changes that aim to protect good faith security research.

Ubuntu 22.04 LTS Crash Analysis

Understanding why a system fails is a core skill for any researcher. Today, we dive into Ubuntu 22.04 LTS crash logs to identify root causes using memory analysis, stack-trace dissection, and source code review.

Man In The Middle Android APK Network Traffic

Intercepting HTTPS traffic is a critical step in mobile malware analysis. In this guide, we demonstrate how to use mitmproxy to peel back the encryption layers of Android APKs and reveal their communication with command-and-control servers.

What Do You Need For A Career In Malware Analysis?

Looking to start a career in Malware Analysis, Reverse Engineering, or Exploit Development? Success in these fields isn't just about degrees—it’s about the right mix of programming, specialized tools, and a relentless curiosity.

Obfuscated VBA, PowerShell, C#

VBA Macros remain a dominant attack vector. Today, we perform a deep-dive analysis of a multi-tiered threat that chains VBA, WMI Objects, PowerShell, and Inlined C#, complete with an AMSI bypass.

MD5: 9eafc9090d71b382af7c8c04e83d61d2
Sample: Download via Any.Run

Analyzing Python Malware

While most malware is written in C/C++ or Assembly, there is a growing trend of authors using Python and converting it to standalone executables. Today, we triage Vbucks.exe to see how these "compiled" Python threats operate.

MD5: c8506405462fe678a64ba3d346138cd8
Sample: Download via Hybrid Analysis

Analyzing TLS Callbacks

Ever lost control of a program before your debugger could even pause? TLS Callbacks may be an older technique, but they remain a potent tool for anti-debugging, obfuscation, and early-stage malware execution.

Fast and Free Malware Analysis Lab Setup

How do you get started in Malware Analysis? First, you need a safe, isolated environment to investigate threats. Here is the fastest way to automatically build a Virtual Lab Environment using a FREE VM from Microsoft and the FLARE analysis framework.

Generically Unpacking Ransomware With Memory Breakpoints

Today we look at how to generically unpack ransomware utilizing memory and hardware breakpoints on specific WinAPI functions as well as key memory locations.

Down The Rabbit Hole...

[*] ACQUIRING RABBIT
[*] GEO SEQUENCE INITIATED
[*] 19.5872677,-155.4268897 FOUND
[*] SATELLITE RE-POSITIONING
[*] T.I.M.S ENGAGED
[*] REDIRECTING TO LAST KNOWN RABBIT HOLE


Analysis of CVE-2017-11882 Microsoft Equation Editor Exploit

Today's video covers how to analyze CVE-2017-11882: the Microsoft Office Equation Editor buffer overflow. We also touch on three distinct methods to debug problematic programs using assembly-fu, registry hacks, and GFlags magic.

Filename: 7ccd19d3dc34c6dbee600961d73cee0c.rtf
MD5: a1fcfd23988726f5a52f173afefb9652

The Wonderful World of MIPS

The ever-growing Internet of Things (IoT) brings a new wave of malware geared toward unfamiliar architectures. Today we take a look at how to compile, analyze, and debug MIPS-based binaries on standard x86 hardware.

Metasploit - Some Assembly Required

Metasploit is the most prevalent exploit framework in the world today thanks to its ease of use and scalability. Today we focus on payload generation and how some "assembly" may be required.

Filename: ConsoleApplication4.exe
Sample: Download via Reverse.it

Reverse Engineering and Debugging 3rd Party APKs

Today we demonstrate how to reverse engineer 3rd party APKs, what tools are needed, and how to debug them without having access to the original source code.

Filename: Chess_V2.apk

Malicious Link Files

Malware authors are incorporating malicious link files into their campaigns more and more. This analysis video details how to quickly triage and analyze two different types of LNK-based threats.

Filename: Dossier.lnk

Triaging Malicious Word Document

Today we demonstrate how to quickly triage a malicious Word document rigged with a VBS downloader and obfuscated PowerShell.

Filename: trin594d.doc
MD5: ea677003262604084a6afc3f459dfba3
Sample: Download via Reverse.it

Triaging Java JAR Files

Today we show how to quickly triage Java JAR files and how to escalate your analysis when facing professional-grade obfuscators like ProGuard or Allatori.

Filename: 09-2017_B0LET0.jar
MD5: 9EE15215CF9695FF0560837900BFC93C
Sample: Download via Reverse.it

Worms Caught In Brambuls

Today we analyze a classic SMB worm that leverages Gmail for Command and Control (C2) check-ins and drops a persistent backdoor on infected machines.

Filename: smb-4ppzilmr.tmp
MD5: 3844EC6EC70347913BD1156F8CD159B8
Sample: Download via Reverse.it

Large Victim Credential Server Uncovered

Today we analyze a seemingly ordinary PDF phishing campaign that soon leads to a very large victim credential server.

Filename: 1.pdf
MD5: 529F3E3CB0C3C00E98789540BDD9BFB2
Sample: Download via Reverse.it

Analyzing Obfuscated Locky Ransomware Downloader

Today we analyze a malicious HTML document that claims the user must download a compatibility plugin in order to view a UPS receipt. This document employs several layers of HTML, JavaScript, and executable obfuscation.

Filename: UPS-Receipt-008533234.doc.html
MD5: 762B0F20C80995D3AC8A66716011C156
Sample: Download via Malwr

Fastest Automated Malware Analysis Lab Setup with FREE VM and Tools

How do you get started in Malware Analysis? First, you need an analysis environment in place to investigate files. Here is the fastest way to automatically set up a Virtual Lab Environment complete with a FREE VM directly from Microsoft and FREE analysis tools.

Bypassing Anti-Analysis Technique In Office Documents

Today we analyze a malicious, VBA-enabled Word document. The authors of this document have password protected the VBA project within the file to prevent inspection of the malicious code. They have also taken measures to prevent password removal techniques. Automatic analysis tools do not work, but we show how to get past all these anti-analysis obstacles.

Filename: efax543254456_2156.doc
MD5: 30B9491821923A1ECB5D221A028208F2
Sample: Download Sample

Choda Ransomware - The Lazy Malware

Today we analyze a piece of malware that calls itself Choda Ransomware. This is, by far, the laziest piece of ‘malware’ I’ve ever seen. While technically functional as a screen locker, its execution is amateurish at best.

Filename: Choda Ransomware.exe
MD5: e501e536b58e7f1822b5064e3e4e61a0
Sample: Download via Reverse.it

Copying Non-Selectable Window Text

Today we examine a quick malware analysis "life hack" to retrieve text from non-selectable windows. This is an essential skill when dealing with obfuscated error messages or foreign language alerts that hinder your investigation.

FBI Ransomware

Today we analyze a variant of "Scareware" that poses as the FBI. It accuses the user of various criminal offenses and demands a $150 "fine" to restore access. Unlike modern sophisticated ransomware, this sample is a screen locker that can be bypassed without paying.

Filename: VIDEOMP419389183-14.MP4.exe
MD5: C8C53340FBCE3B76AEB7E49EE6F88869
Sample: Download via Reverse.it

What's a packer and why are they used?

Today we demonstrate what a packer is, why it might be used, and a practical approach to unpacking a sample. While packers have legitimate uses in software protection and compression, they are a staple in the malware author's toolkit for evading signature-based detection.

Quick PDF Analysis

Today we demonstrate how to quickly analyze a suspicious PDF file to determine whether it contains malicious content. PDF documents are a favorite vector for attackers because they support embedded scripts, multimedia, and complex object structures that can hide shellcode.

Filename: 010820170003375296186050723708.pdf
MD5: b2fbd8077726f78884e5330979b213a1
Sample: Download Sample

AES Encrypted Phishing Site

Phishing remains one of the most pervasive threats to end-users. In this analysis, we explore a campaign where a "purchase receipt" PowerPoint document leads to a sophisticated phishing site utilizing AES encryption to hide its source code from automated scanners.

Filename: TransactionID7889277544.pptx
MD5: bd912590f18332ab93af23d1dcc688e4

To Kill The Mocking Porn - Fsociety Crypto Miner

Fsociety is a Monero (XMR) miner that uses multiple layers of trickery to stay hidden. It bounces users through Russian adult sites and uses several types of compression to avoid being caught by standard security tools.

Filename: fsociety_soft.exe
MD5: dfafd55bc9a0e84eafada04a5f21aead
Sample: Download via Malwr

Best Free Antivirus Solutions from a Malware Analyst's Perspective

With so many free security products on the market, it is hard to know what is actually worthwhile. From a malware analyst's perspective, the "best" antivirus isn't just about catching old viruses—it’s about how it handles new, unseen threats.

Disclaimer: This article is not sponsored. These are independent observations based on detection rates and behavior over years of analysis.

Malware Analysis and Exploit Development - Tools of the Trade

Interested in exploit development or reverse engineering? Understanding the code, structure, and behavior of a binary is the only way to truly unmask complex threats. Here is a breakdown of the essential tools of the trade.

The Multi Faceted Ursnif Trojan

Svchost.js is a malicious, obfuscated JavaScript dropper responsible for delivering the Ursnif Trojan (also known as Gozi). Ursnif is a sophisticated banking trojan capable of spyware, ransomware delivery, and maintaining persistent backdoors.

Filename: svchost.js
MD5: 04691e4a9ad9f034a94714dd1ec8f114
Sample: Download via Reverse.it

GecisKodu CrackMe

GecisKodu.exe is a "Crack Me" challenge written in Turkish. Unlike the malware samples typically analyzed, this file is a benign puzzle designed to help researchers practice reverse engineering and software cracking techniques.

Filename: GecisKodu.exe
MD5: a97be81ad69ea8656da07042b82a7339
Sample Status: Private / Not Available

TrickBot Banking Trojan - DOC00039217.doc

DOC00039217.doc is a malicious Word document that utilizes VBA macros to initiate a multi-stage infection, ultimately deploying the TrickBot banking trojan.

Filename: DOC00039217.doc
MD5: 31529e5221e16a522e8aece4998036d7
Sample: Download via Reverse.it

FidRW.exe Ransomware

FidRW.exe is a multi-stage demonstration binary designed for security awareness and training. While it mimics real-world ransomware behavior by downloading additional stages, the final payload is ultimately benign.

Filename: FidRW.exe
MD5: 4ff4a8ac43c73b3829ec8452f7ef5ad7
Sample: Download via Malwr

CVE-2017-0199 RTF Exploit Analysis

CVE-2017-0199 exploits a logical "Link Type" confusion vulnerability within Microsoft Office. By embedding a malicious link in an RTF or DOCX document, attackers can force the application to download and execute an HTA (HTML Application) payload from a remote server.

Filename: Unpaid_Invoice_829182.doc
MD5: 1cfd12688b1f93545a3dc91366c86825
Sample: Download via Reverse.it

Bladabindi RAT

OO.exe is a Remote Access Trojan (RAT) belonging to the Bladabindi family. Written in .NET, it is closely associated with NJRAT and has undergone significant modifications over several years of active deployment.

Filename: OO.exe
MD5: 22e7c961504b78aefa4ab6b0398ef583
Sample: Download via Malwr

ElmersGlue_3.exe

ElmersGlue is a ransomware application designed to "lock" user workstations until a ransom of approximately $150 USD in Bitcoin is paid. While it employs typical extortion tactics, the application contains significant flaws allowing for recovery without payment.

Filename: VIDEO934284717.mp4.exe
MD5: 8f96e8a051cb8df97a27c36dcf71d585
Sample: Download via Reverse.it