SamuZai
oalabs

oalabs

patreon


oalabs posts

Live Steam VOD: PyInstaller Malware Triage - Creal Stealer

In this live stream we triage Creal Stealer, a Python stealer which has been packed with PyInstaller. We cover the differences between Python byte code disassembly and decompiling as well as provide a few tips for decompiling newer versions of Python.

Shout out to Karsten for his YouTube short which covered the same topic in 30 sections instead of an hour... go sub you you aren't already!...

View Post

Zombieware Part 2 - Reverse Engineering The COSMU File Infector

Part two of our live stream looking at Zombieware and in this part we fully reverse engineer the file infector COSMU and build an extractor tool to recover files that have been infected by it.

Samples

Zombieware Part 1 - Malware That Never Dies

Self-replicating malware, long abandoned by its operators, continues to contribute significant volume and noise to malware feeds. We investigate this trend, which we refer to as Zombieware!

Full Zombieware blog post can be found on our UnpacMe blog here:

 Zombieware: Malware That Never Dies...

View Post

Syscall Tracing With x64dbg

Just a quick tip taking advantage of a new feature in x64dbg and the WOW64 translation layer to trace syscalls. Since we are tracing all syscalls that go through the WOW64 translation this also catches indirect syscalls!

References

Live Stream VOD: Lumma Stealer Deobfuscation - Part 2

This is the second part of our series on removing the code obfuscation from the latest version of Lumma Stealer. The stream is more of a short re-cap of the completed tool from the first stream where we go over the shortcomings and discuss possible future approaches.

There is also a bit of technical difficulty in the middle when Twitch decided to completely drop our stream! Lol thanks Je...

View Post

IDA Quick Tip - SP Analysis Failed

Stack pointer analysis failed, it's happened to us all. This is just a quick tip with an overview of why this is happening and how to troubleshoot it.

Sample

The sample being examined is from Practical Malware Analysis, the lab binary 15-3. Normally we prefer to use real malware for our examples and not prepared samples but in this case the tip was made in response to a specific ...

View Post

Live Stream VOD: Lumma Stealer Deobfuscation - Part 1

This is the first part of our series on removing the code obfuscation from the latest version of Lumma Stealer. In this VOD we identify the opaque predicate patterns that are preventing IDA from reconstructing the control flow and we begin to build an IDAPython script to remove them.

Sample

  • 18a065b740da441c636bce23fd72fc0f68e935956131973f15bf4918e31...

    View Post

Dynamic Malware Analysis - Tips For Faster Static Reverse Engineering

This tutorial outlines how to use dynamic analysis to speed up static analysis by dynamically identifying high value reverse engineering targets in the target binary. Our example is a Danabot malware that is using a tricky method to hide its configuration C2s.

Tools

Delphi Reverse Engineering Tips

This tutorial provides an overview of the Delphi reverse engineering tips that we have covered in past streams. The key is using IDR to extract compiler information from the binary and apply it to IDA prior to starting your reverse engineering.

References

Live Stream VOD: Breaking Themida Protected C2 Config for Socks5Systemz

In this stream we attack a Themida protected C2 config using tracing in x64dbg and some other tricks. The malware analyzed is an older socks proxy botnet called Socks5Ssystemz which has been operating under the radar for years.

Note: This stream was was split over two days due to a surprise migraine! The themida RE starts at around the 40min mark.

Sam...

View Post

Welcome To OALABS!

At OALABS it is our mission to bring you the kind of reverse engineering tutorials that we wished we had when we were first learning to analyze malware. Our tiers are organized into three simple categories, and our discord is free for everyone!

  • F5 - You get access to live stream recordings.

  • ...

    View Post

Live Stream VOD: GCleaner

In this stream we take a look at a new version of GCleaner with a particularly weak string encryption algorithm. Instead of attacking this statically we used some advanced breakpoint features in x64dbg.

Hint -- this approach will work for all encrypted string that are decrypted in the CRT setup functions.

Once we extract the strings we poke around an open directory for one of the ...

View Post

Live Stream VOD: GitHub Bug Used to Infect Game Hackers With Lua Malware

In this stream we analyze a unique delivery chain that uses a bug in GitHub to mimic popular repositories and deploy malware. We also do a deep dive into Lua malware!

The first 30min are describing the GitHub delivery of the malware, the Lua work starts after that.  The real Lua work starts around 2h 55m when we build a custom Lua JIT interpreter with our own instrumentation hooks! View Post

Live Stream VOD: Indirect Syscalls and The PikaBot Loader

In this stream we take a look at the new PikaBot loader which uses indirect syscalls to evade AV/EDR. As part of the analysis we develop a quick way to trace indirect syscalls with x64dbg and use this method to unpack the final payload.

Syscall work starts around the 40min mark πŸ˜‰

Sample

fd8c7df2940c86b821c05d9376f7dc3716306f8e0a933e2e161da09989907ca3 [2024-03-02 19:57:09 +0000 UTC View Post

Live Stream VOD: Breaking Zeus VM Part 6

The final part of our series on reverse engineering VM protection in VMZeus. We update our Binary Ninja plugin to lift the VM code!

There are no notes for this stream, instead we have setup a GitHub repository for our plugin code: ZVM. References and documentation can be found in the Re...

View Post

Live Stream VOD: Breaking Zeus VM Part 5

This is the fifth pare in our series on reverse engineering VM protection in VMZeus. We convert our disassembler into a Binary Ninja plugin! 


There are no notes for this stream, instead we have setup a GitHub repository for our plugin code: ZVM. References and documentat...

View Post

Live Stream VOD: Breaking Zeus VM Part 4

This is the fourth part of our series on reverse engineering the VM protection in VMZeus. Finally we finish our disassembler! We finish the instruction definitions then spend the majority of the stream troubleshooting some very silly mistakes. 

During the troubleshooting we also use a debugger to trace the VM which is the "simplest" method for breaking VMs... just run them! 

...

View Post

Live Stream VOD: Breaking Zeus VM Part 3

This is the third part of our series on reverse engineering the VM protection in VMZeus.

This is a grind stream where we build the framework for our custom disassembler and begin to implement the instruction definitions using the reverse engineering work from the previous stream.  This is a core part of the series and explains the idea behind a disassembler and how to architect one.<...

View Post

Live Stream VOD: Breaking Zeus VM Part 2

This is the second part of our series on reverse engineering the VM protection in VMZeus.

This is a grind stream where we work through each instruction handlers, reverse engineer the semantics of each instruction. At the end of the stream we have our first overview of the entire instruction set and we can see that despite the number of instructions the actual language is very simple and i...

View Post

Introduction to YARA Part 4 - Writing Efficient YARA Rules

Unlocked For Everyone πŸ”“

This is the final part of our four-part tutorial series covering YARA basics. In this tutorial we cover the foundations of writing efficient YARA rules and provide some tips that can help speed up your YARA hunts.

To accompany this tutorial we also have a post on th...

View Post

Introduction to YARA Part 3 - Rule Use Cases

Unlocked For Everyone πŸ”“

This is the third part of our four-part tutorial series covering YARA basics. In this tutorial we cover different use cases for YARA and how these use cases will impact the rule development and deployment.

Unlike the other tutorials in this series this tutorial is m...

View Post

Introduction to YARA Part 2 - Hunting on UnpacMe

Unlocked For Everyone πŸ”“

This is the second part of our four-part tutorial series covering YARA basics. In this tutorial we demonstrate how to hunt for malware using the free YARA scanning service on Unpac.Me.

References

<...

View Post

Introduction to YARA Part 1 - What is a YARA Rule

Unlocked For Everyone πŸ”“

This is the first part of our four-part tutorial series covering YARA basics. In this tutorial we cover the basics of YARA, how it works, and how to build a simple rule. 

Full documentation for YARA can be found on the 2024-01-17 00:22:33 +0000 UTC View Post

Live Stream VOD: Breaking Zeus VM Part 1

Our first stream of 2024 and we are taking a slightly different approach! We are going to reverse engineer the VM protection in VMZeus.

In this stream we outline our method of attack and identify the dispatcher and instruction handlers. This sets us up to reverse and label the instructions on the next stream.

Sample

f792997cb36a477fa55102ad6b680c97e3517b2e63c83c802bf8d57ae9e...

View Post

Live Stream VOD: Live Ledger Crypto Wallet Attack Analyzed

In this stream we analyze a unique crypto stealer that appears to have been built custom to target a hardware wallet. We perform a full analysis of the malware to determine how it works, and investigate it's potential origin.

Sample

3333e2846173468a7bf9dc859e2a0418a4bf1a2840802b397463fce5398fb6d3 [2023-12-30 21:38:43 +0000 UTC View Post

Live Stream VOD: SparkRAT Open Source GO RAT Triage

In this stream we analyze the SparkRAT GO malware using GoReSym and write a config extractor. This is a good introduction to GO malware.

Sample

6c4cb9d518f725b5c92f68699992f5525592328a47517d5897d971aac0ab6539 [UnpacMe]

Notes

2023-12-30 21:32:46 +0000 UTC View Post

Live Stream VOD: Is Origin Logger Agent Tesla's Successor

We take a look at this .NET stealer that is possibly a clone or new version of Agent Tesla.

There is also a horrific πŸ•·οΈ surprise around the 27min mark....

Sample

b1114c27beb856eae1f9fba0a880450702b7bda007f0fbacc4d5df561d83ec88 [2023-12-30 21:27:10 +0000 UTC View Post

Live Stream VOD: Danabot Core Triage Part 2 - Delphi Structs and IDA

In this stream we continue our analysis of Danabot with a focus on the core component. Danabot is written in Delphi which requires some additional tooling on top of IDA to reverse engineer.

Building on our use of  IDR in the last stream, we extract the "record" metadata (struct) and use it to identify key infor...

View Post

Live Stream VOD: Danabot Loader Triage Part 1 - Delphi and IDA

In this stream we take a look at a version of the Danabot Loader. Danabot is written in Delphi which requires some additional tooling on top of IDA to reverse engineer. 

First we use IDR to recover the Delphi types then we use HashDB to re...

View Post

Dynamic String Decryption With x64dbg

A short tutorial demonstrating how to use x64dg to dynamically decrypt the encrypted strings in Pikabot. Though we are using Pikabot as an example this technique is generally applicable to any string encryption that requires a function call to decrypt each string.

Reference sample:

...

View Post