CreatorsOk
oalabs

oalabs

patreon


oalabs posts

Live Stream VOD: Pikabot is Back - Automated String Extraction - Part 3

The third and final part in our series on the new Pikabot core! In this stream complete our custom emulator to automatically extract encrypted strings from the malware and create a few yara rules for hunting.

Fun fact, the string extractor also works on the Pikabot loader!

Sample

39d6f7865949ae7bb846f56bff4f62a96d7277d2872fec68c09e1227e6db9206

Notes

2023-12-02 02:42:47 +0000 UTC View Post

Live Stream VOD: Pikabot is Back - Automated String Extraction - Part 2

The second part in our series on the new Pikabot core! In this stream we begin to build a custom emulator to automatically extract encrypted strings from the malware. 

Just a heads up... at the end of the stream I run into a very obvious bug that I don't solve until the next stream... if you spot it feel free to yell at the screen 😅

Sample

39d6f7865949ae7bb846f56bff4f62a96d7277d2872fec68c09e1227e6db9206

Notes

2023-12-02 02:40:27 +0000 UTC View Post

Live Stream VOD: Pikabot is Back - Part 1

Pikabot is back!  New loader, new string encryption, indirect syscalls and more! Join us for our initial triage of the core module. In this stream we focus on the dynamic API resolution and string decryption. The majority of the stream we are using some tricks in x64dbg to automatically decrypt the strings, next stream we will attack this statically.  

Stay tuned to the end for a surprise (last 10 min!).

Sample

39d6f7865949ae7bb846f56bff4f62a96d7277d2872fec68c09e...

View Post

Live Stream VOD: Solving ADVObfuscator Part 2

In this Twitch stream we continue our work on an automated string recover tool for ADVObfuscator by extending it to handle custom variants with globals and AVX instructions.


Samples

  • 765d19b4728008c1589f222d1fa49f1cb7310204c7a4574eb9f930d0544bed7b 
  • 3a987fd51423f186242c3fbbdab59113c11d4ac67109e90ab948d5d0591699fb
  • a08c766724927d41cf29f736eca1ef557ba45debd3e29fa066180ec66426dc4f 
  • 4e0e4660d283270ae7abac2520b0bbd19324ff879c079ddb77...

    View Post

Live Stream VOD: Solving ADVObfuscator Part 1

In this Twitch stream we begin building a tool to assist with string recovery for malware that is protected with ADVObfuscator. 

Since ADVObfuscator is an open source tool we built our own test sample instead of using malware when developing the tool.  Notes with source code can be found here...

2023-11-05 21:46:17 +0000 UTC View Post

Live Stream VOD: Mystic Stealer Deobfuscation

In this Twitch stream we build a config extractor for Mystic Stealer that is able to handle their "custom" obfuscation.

NOTE: We are troubleshooting some issues with Patreon video embeds. If you can't see/watch the video please let me know (comment or DM, whichever you prefer).

Samples

BF38A3699AB2072D...

View Post

Live Stream VOD: Automated Go String Decryption for UNK Obfuscator - Part 2

In this Twitch stream we continue our previous work on Garble Go string decryption to tackle another type of obfuscator used for GoLang that creates in-line obfuscated strings (similar to ADV) instead of using functions.

This is really a development stream with a lot of distractions along the way but in the end we do finish a nice tool that can hopefully be used...

View Post

Live Stream VOD: Automated Go String Decryption for UNK Obfuscator - Part 1

In this Twitch stream we extend our previous work on Garble Go string decryption to tackle another type of obfuscator used for GoLang that creates in-line obfuscated strings (similar to ADV) instead of using functions. The source/name of the obfuscator is currently unknown but the obfuscation pattern in the compiled binary is easy to identify.

Samples

View Post

Live Stream VOD: AttackerCryptor Is Not a Cryptor

A light Twitch stream taking a look at possibly world's worst cryptor... totally FUD until you upload to VirusTotal lol! This is just a silly stream but sometimes you have to call it out when you see it ... we will be back on schedule next week! 

Samples

11c38fc24bf7b29cd6e974670bc11d7f92af124d8b7edcd89482500f4de3d442

Notes

2023-09-26 15:30:01 +0000 UTC View Post

Live Stream VOD: Limerat Exposed

In this Twich stream we take a closer look at Limerat and open source .NET RAT that has become very popular. Our goal is to build a stand alone configuration extractor that will extract all of the config settings not just the C2!

Samples

6d08ed6acac230f41d9d6fe2a26245eeaf08c84bc7a66fddc764d82d6786d334 

Notes

2023-09-26 15:01:01 +0000 UTC View Post

Live Stream VOD: Garble GoLang String Recovery

In this Twitch stream we continue our efforts to recover strings encrypted with the Garble GoLang obfuscator. We manage to identify a common pattern that not only allows us to identify Go samples where Garble has been used but also provides a pattern match for our string decryption tool. 

Spoiler alert - we have a nice PoC tool by the end of the stream : )

Samples

623...

View Post

Live Stream VOD: Bandit Stealer (GoLang)

In this Twitch stream we take a look at Bandit, a new infostealer written in GO that primarily targets browser credentials and crypto wallets. The collected information is uploaded to Telegram with the operator's telegram ID and channel ID hard coded in the binary but there is a separate C2 hosted panel which we have some fun exploring... 

One of the main themes that emerges from this stream is how to deal with GoLang obfuscators, specifically 2023-09-01 14:30:02 +0000 UTC View Post

Applied Emulation - Module 5

Emulating The Windows Environment

This is the last part in our five-part tutorial series on emulation. In this module we learn how to use a full User-Mode emulator capable of running a PE file. The focus is mainly on Dumpulator and its applications vs. Unicorn (and other CPU only emulators). The module is accompanied by a live demo and a lab that builds on the concepts we discuss.


References

Applied Emulation - Module 4

Advanced Unicorn Techniques

This is the fourth part in our five-part tutorial series on emulation. In this module we expand our capabilities with Unicorn using the Unicorn hooks. We build a tracing engine and lay the groundwork for a full binary instrumentation tool. The module is accompanied by a live demo and a lab that builds on the concepts we discuss.


Unicorn Cheat Sheet (Alex Hanel)

2023-08-29 22:23:16 +0000 UTC View Post

Applied Emulation - Module 3

Reverse Engineering With Emulation

This is the third part in our five-part tutorial series on emulation. In this module we learn how to apply emulation to common reverse engineering tasks. The module is accompanied by a live demo and a lab that builds on the concepts we discuss.

Please Note - Based on feedback this is the most difficult module in the series as the examples and labs build on previous reverse engineering experience. If you are not familiar with ho...

View Post

Applied Emulation - Module 2

Unicorn CPU Emulator

This is the second part in our five-part tutorial series on emulation. In this module we learn how to use the Unicorn emulator for simple emulation tasks. The module is accompanied by a live demo and a lab that builds on the concepts we discuss.


References

Applied Emulation - Module 1

Emulator Fundamentals

This is the first part in our five-part tutorial series on emulation. In this module we begin by learning how an emulator works under the hood. The module is accompanied by a live demo and a lab that builds on the concepts we discuss.


References

Live Stream VOD: Glupteba Obfuscated GoLang

In this stream we take a look at a lightly obfuscated version of Glupteba. This malware has multiple components but our focus is on the loader.

Samples

Notes

2023-08-20 01:23:47 +0000 UTC View Post

Live Stream VOD: RootTeam GoLang Stealer

In this stream we take a look at this RootTeam is a GO stealer that can be built via a Telegram channel. Originally we confused this with BanditStealer but it is separate ... also we try of this neat GO symbol recovery tool GO IDA parser!

Samples

e0cd16b3de1f8b6c91b3483e383199f691e935d3d4e1ed9e77f6f9aea929b68b

Notes

2023-08-20 01:16:16 +0000 UTC View Post

Live Stream VOD: TrueBot Exposed

In this stream we take a look at TruBot which has been in the news thanks to a recent Cybersecurity and Infrastructure Security Agency (CISA) report. Stick around for some ... interesting ... yara rules lol.

Sample

717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb

Notes

View Post

Live Stream VOD: Status Recorder

In this stream we take a look at a new stealer that might be named "StatusRecorder" according to its C2 panel? The malware itself is very straight forward and we quickly create a Yara rule and start hunting for similar samples...

Heads Up!

At the beginning of the stream we discover some unusual connections between a security researcher and the malware. All of these connections have been documented in our notes. It is important to note that coincidence and circumstance ar...

View Post

Live Stream VOD: N00bs Night - Multi-Stage Malware Delivery

In this stream we take a close look at a multi-stage malware delivery system which is used to prepare the target so the final payload is not detected. There are a few tricky parts but this is a very accessible stream... N00bs Night!

Samples

8661bf09583ac5882e4183052c4273c267711236b79aeecf3e3fd1ac0da6376e

Notes

...

View Post

Live Stream VOD: Mishapulator A Memory-Only Emulator

This is a bit of a different stream where we investigate a novel idea from @mishap where emulation is performed only on memory based instructions. The concept is that this may end up being a useful (fast) tool for generic string decryption problems.

The stream itself is a bit boring and sort of a failure as we realize a lot more work is required to get the emulator to run in generic scenarios but I think this is a ver...

View Post

Live Stream VOD: Generic xorstr Decryption

This is a crazy 7h long dev stream! We probably won't do another one of these but if you like you can watch in real time I as build a generic string decryption tool for the xorstr library.

What?

The idea for this tool was developed over the past few streams and I just wanted to test it out. In the end this approach is still fairly brittle, the notes do a better job of explaining all the limitations, but it does work well for the cases we need. Maybe we can call it reverse-taint-...

View Post

Live Stream VOD: RisePro Triage (xorstr) - Part 2

In this twitch stream we continue our analysis of RisePro but shift our focus to the string encryption library xorstr. The main focus of this stream is investigating use of the xorstr library in malware and building a universal string decryption tool... this is the stream that kicks off our exciting/boring series of development streams...

Samples

2023-07-05 18:20:40 +0000 UTC View Post

Live Stream VOD: RisePro Triage - Part 1

In this twitch stream we take a look at RisePro a stealer that shares a lot of code with PrivateLoader. The main focus of the stream is investigating the similarities between PrivateLoader and RisePro but we also create a simple string decryption and attempt to build a decent Yara rule.

Samples

2cd2f077ca597...

View Post

Live Stream VOD: AMSI Bypass Loader Part 2

In this Twitch stream we continue our triage of this new loader that uses AMSI bypasses to avoid detection. In this part we focus on the injected X64 shell code. The shell code uses relative offsets to access data within itself which poses some challenges for IDA, and it contains multiple encrypted strings as well as another PE file.

Sample

43cc6ed0dcd1fa220283f7bbfa79aaf6342f...

View Post

Live Stream VOD: AMSI Bypass Loader Part 1

In this Twitch stream we begin to triage a new loader that uses AMSI bypasses to avoid detection. The loader itself is .NET but as we dig deeper we discover that the AMSI bypass is implemented in PowerShell, native X64 shell code is used (no yet analyzed) and the final payload is a Async RAT.

For the first half of the stream we triage the .NET loader and PowerShell, then turn our attention to the shell code. The shell code analysis has a few tricks that might be useful for general shell...

View Post

Live Stream VOD: 😂 Cringe Malware Contest 😂

Join us as you help us rank the worst malware we have ever reverse engineered! 

Special thanks to @huettenhain for helping to host, and everyone who sent us submissions and voted in the chat! 

🏆 Congrats to @struppige for submitting the winning sample!

2023-06-15 14:59:02 +0000 UTC View Post

Live Stream VOD: Metastealer Triage

In this Twitch stream we triage Metastealer creating a Yara rule and config extractor.

Sample

6cf8bfba1b221effcb1eccec0c91fb0906d0b8996932167f654680cb3ac53aac 

Notes

Metastealer: DGAs and obfuscation as malware goes ...

View Post