awesome-malware-resources

Just another collection of links, tools, reports and other stuff

Table of Contents

• Malware Reports
  • Infostealer / Banking Malware
    • Agent Tesla
    • QakBot
    • Ursnif
    • Emotet
    • Gootkit
    • MassLogger
    • Formbook
    • Hancitor
    • IcedID
    • KPOT v2.0 Stealer
    • LokiBot
    • TrickBot
    • Dridex
    • Minebridge RAT
    • Backdoor.Spyder
  • Loader / Dropper
    • GuLoader
    • BazarLoader
    • ZLoader
    • SmokeLoader
    • Saint Bot
    • Cobalt Strike
  • Ransomware
    • Maze
    • Egregor
    • Ryuk
    • REvil
    • Makop
    • Babuk
    • RegretLocker
    • HelloKitty
    • DearCry
    • Clop
    • LockBit
  • APT
• Tutorials
  • Malware Analysis
    • Courses
    • Overview of Malware Techniques
    • Process Injection
    • DLL Search Order Hijacking
    • Weaponizing Windows Virtualization
    • Access Token Manipulation
  • Anti-Analysis
    • API Hashing
    • Debugger Detection
  • Maldoc Analysis
  • Malware Development
    • Courses
• Software / Tools
  • List of Plugins for Disassembler/Decompiler
  • IDA Plugins
    • Labeless
• Threat Intelligence
  • MITRE ATT&CK
• Video Playlist
• Blogs
  • Researcher
  • Vendors

Malware Reports

Complete Work of Hasherezade - Download from VX-Underground

Infostealer / Banking Malware

Agent Tesla

[2021]

• Threat Bulletin: Exploring the Differences and Similarities of Agent Tesla v2 & v3
• Technical report of AgentTesla
• Agent Tesla amps up information stealing attacks

[2020]

• The Hasty Agent: Agent Tesla Attack Uses Hastebin
• Agent Tesla: A Day in a Life of IR

[2018]

• Analysis of New Agent Tesla Spyware Variant

QakBot

[2021]

• The Rise of QakBot
• [RE021] Qakbot analysis – Dangerous malware has been around for more than a decade

[2020]

• Deep Analysis of a QBot Campaign – Part I
• Deep Analysis of a QBot Campaign – Part II
• An old enemy – Diving into QBot part 1
• Diving into Qbot part 1.5 – Cracking string encryption
• An old enemy – Diving into QBot part 2
• An old enemy – Diving into QBot part 3
• QakBot reducing its on disk artifacts
• Deep Analysis of QBot Banking Trojan
• An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods

[2019]

• Reversing QakBot - Hatching

Ursnif

[2021]

• New Variant of Ursnif Continuously Targeting Italy

[2019]

• New Ursnif Variant Spreading by Word Document

Emotet

[2021]

• Emotet Command and Control Case Study
• Reverse engineering Emotet – Our approach to protect GRNET against the trojan
• The Malware-As-A-Service Emotet
• [RE019] From A to X analyzing some real cases which used recent Emotet samples

[2020]

• Analyzing an Emotet Dropper and Writing a Python Script to Statically Unpack Payload

Gootkit

[2021]

• Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets
• Gootkit: the cautious Trojan
• “Gootloader” expands its payload delivery options

[2020]

• Investigating the Gootkit Loader
• German users targeted with Gootkit banker or REvil ransomware

[2019]

Daniel Bunce (0verfl0w_) - SentinelOne

• Gootkit Banking Trojan | Part1: Deep Dive into Anti-Analysis Features
• Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities
• Gootkit Banking Trojan | Part 3: Retrieving the Final Payload

MassLogger

[2021]

• MassLogger v3: a .NET stealer with serious obfuscation

[2020]

• Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach

Formbook

[2021]

• Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part I
• Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part II
• Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part III
• Yes, Cyber Adversaries are still using Formbook in 2021

[2018]

• In-depth Formbook malware analysis – Obfuscation and process injection

Hancitor

[2021]

• Analysis of Hancitor – When Boring Begets Beacon
• Unearthing Hancitor Infrastructure
• Hancitor Infection Chain Analysis: An Examination of its Unpacking Routing and Execution Techniques

IcedID

[2021]

• Let’s set ice on fire: Hunting and detecting IcedID infections
• IcedID on my neck I’m the coolest
• IcedID Analysis
• IcedID GZIPLOADER Analysis
• IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims

[2020]

• Manual Unpacking IcedID Write-up
• Unpacking Visual Basic Packers – IcedID
• COVID-19 and FMLA Campaigns used to install new IcedID banking malware
• IcedID: When ice burns through bank accounts

[2019]

• A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection
• A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)
• A Deep Dive Into IcedID Malware: Part III - Analysis of Child Processes
• IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth

KPOT v2.0 Stealer

[2020]

• Reverse engineering KPOT v2.0 Stealer

LokiBot

[2021]

• A Deep Dive into Lokibot Infection Chain

TrickBot

[2021]

• TrickBot Crews New CobaltStrike Loader

[2020]

• Trickbot Malware-as-a-service
• De-crypting a TrickBot Crypter

Dridex

[2021]

• Dridex Loader Analysis
• Dridex Malware Analysis [1 Feb 2021]
• Dridex Malware Analysis [8 Feb 2021]
• Dridex Malware Analysis [10 Feb 2021]

Minebridge RAT

[2021]

• MineBridge Is on the Rise, With a Sophisticated Delivery Mechanism

Backdoor.Spyder

• Backdoor.Spyder.1 by Dr.Web

Loader / Dropper

GuLoader

[2021]

• Dancing With Shellcodes: Cracking the latest version of Guloader

[2020]

• Threat Bulletin: Dissecting GuLoader’s Evasion Techniques
• GuLoader: Peering Into a Shellcode-based Downloader
• Quick analysis note about GuLoader (or CloudEyE)

BazarLoader

[2021]

• New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part I
• New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part II

ZLoader

[2021]

• Zloader email campaign using MHTML to download and decrypt XLS
• Zloader: Entailing Different Office Files
• Advancements in Invoicing - A highly sophisticated way to distribute ZLoader

[2020]

• Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex

SmokeLoader

[2019]

• Going Deep | A Guide to Reversing Smoke Loader Malware

Saint Bot

[2021]

• A deep dive into Saint Bot, a new downloader

Cobalt Strike

[2021]

• Look how many cybercriminals love Cobalt Strike
• Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic
• Anatomy of Cobalt Strike’s DLL Stager
• Yet Another Cobalt Strike Stager: GUID Edition

[2020]

• The art and science of detecting Cobalt Strike - Talos
• Detecting Cobalt Strike Default Modules via Named Pipe Analysis

Ransomware

Maze

[2020]

• A Technical Look into Maze Ransomware
• Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)

Egregor

[2021]

• An Analysis of the Egregor Ransomware

[2020]

• Egregor Ransomware - An In-Depth Analysis

Ryuk

[2021]

• Video Tutorial about resolving API hashing from Ryuk by Jiří Vinopal

[2020]

• Ryuk Revisited - Analysis of Recent Ryuk Attack
• An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques
• Deep Dive Into Ryuk Ransomware
• Deep Analysis of Ryuk Ransomware - N1ght-W0lf

REvil

[2021]

• Relentless REvil, revealed: RaaS as variable as the criminals who use it
• Sodinokibi Ransomware Analysis
• The DFIR Report - Sodinokibi (aka REvil) Ransomware

[2020]

• German users targeted with Gootkit banker or REvil ransomware
• Sodinokibi / REvil Malware Analysis

[2019]

• McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us - Episode 1
• McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – The All-Stars - Episode 2
• McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Follow The Money - Episode 3
• McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo - Episode 4
• Kaspersky - Sodin ransomware exploits Windows vulnerability and processor architecture

Makop

[2020]

• Makop Ransomware - Technical Analysis

Babuk

[2021]

• Sogeti - Babuk Ransomware Analysis (PDF)
• Technical Analysis of Babuk Ransomware
• Babuk Ransomware Analysis by Chuong Dong

RegretLocker

[2020]

• RegretLocker Ransomware Analysis by Chuong Dong

HelloKitty

[2021]

• HelloKitty Ransomware Lacks Stealth, But Still Strikes Home

DearCry

[2021]

• Internals of DearCry Ransomware !
• DearCry ransomware attacks exploit Exchange server vulnerabilities

Clop

[2021]

• Splunk - Detecting Clop Ransomware

LockBit

[2020]

• LockBit Analysis
• LockBit ransomware borrows tricks to keep up with REvil and Maze

APT

• Iran’s APT34 Returns with an Updated Arsenal
• APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign
• Dissecting APT21 samples using a step-by-step approach
• Analyzing APT19 malware using a step-by-step method
• A detailed analysis of ELMER Backdoor used by APT16
• LazyScripter - From Empire to Double RAT - APT28
• Revealing Lamberts/Longhorn malware capabilities using a step-by-step approach (cyberespionage group linked to Vault 7)
• Higaisa or Winnti? APT41 backdoors, old and new
• The Return of the Higaisa APT41
• Lazarus APT conceals malicious code within BMP image to drop its RAT

Tutorials

• A Guide to Ghidra Scripting Development for Malware Researchers

Malware Analysis

Courses

• Zero2Auto - Vitali Kremez, Overflow
• Hasherezade - Malware Training Vol1

Overview of Malware Techniques

• Analyzing Modern Malware Techniques - Part 1

• Analyzing Modern Malware Techniques - Part 2

• Analyzing Modern Malware Techniques - Part 3

• Analyzing Modern Malware Techniques - Part 4

• Common Tools & Techniques Used By Threat Actors and Malware — Part I

• Common Tools & Techniques Used By Threat Actors and Malware — Part II

Process Injection

• Elastic - Ten Process Injection Techniques
• Process Injection Techniques - Medium

DLL Search Order Hijacking

• Windows Persistence Mechanics – DLL Search Order Hijacking

Weaponizing Windows Virtualization

• VX-Underground - "Weaponizing Windows Virtualization" Paper
• Beware of the Shadowbunny - Using virtual machines to persist and evade detections

Access Token Manipulation

• McAfee - Technical Analysis of Access Token Theft and Manipulation

Anti-Analysis

API Hashing

Deobfuscating DanaBot's API Hashing

Debugger Detection

Catching Debuggers with Section Hashing

Maldoc Analysis

• Anti-Analysis Techniques Used in Excel 4.0 Macros
• Excel Formula/Macro in .xlsb?
• XLSB: Analyzing a Microsoft Excel Binary Spreadsheet
• Malware Analysis Exercises with Walkthroughs
• How to Reverse Office Droppers: Personal Notes
• Cracking Password Protected Payloads

Malware Development

• 0xPat - Malware development part 1

• 0xPat - Malware development part 2

• 0xPat - Malware development part 3

• 0xPat - Malware development part 4

• 0xPat - Malware development part 5

• 0xPat - Malware development part 6

• 0xPat - Malware development part 7

• 0xPat - Malware development part 8

• Implementing Direct Syscalls Using Hell’s Gate

Courses

RED TEAM Operator: Malware Development Intermediate Course

Software / Tools

https://labs.sentinelone.com/top-15-essential-malware-analysis-tools/

List of Plugins for Disassembler/Decompiler

• Awesome IDA, x64DBG & OllyDBG plugins
• CPUIDSpoofer

IDA Plugins

• IDA WinAPI Helper
• Tenet Trace Explorer

Labeless

• Labeless

• CheckPoint Introduction to Labeless - Part 1

• CheckPoint Introduction to Labeless - Part 2

• CheckPoint Introduction to Labeless - Part 3

• CheckPoint Introduction to Labeless - Part 4

• CheckPoint Introduction to Labeless - Part 5

• CheckPoint Introduction to Labeless - Part 6

• Video Tutorial about resolving API hashing from Ryuk by Jiří Vinopal

Threat Intelligence

MITRE ATT&CK

RecordedFuture - Top 2020 MITRE Techniques

Video Playlist

• Formbook Reversing -Part1 [Formbook .NET loader/injector analyzing, decrypting, unpacking, patching] by DuMp-GuY TrIcKsTeR

Blogs

Researcher

• Vitali Kremez
• N1ght-W0lf
• 0xthreatintel
• MalwareAndStuff
• Cyber Geeks
• Reversing.xyz
• Secrary - Malware Reports
• GoogleHeadedHacker

Vendors

• Fortinet Threat Research
• MalwareBytes
• SentinelOne Labs
• CheckPoint Research
• InQuest Labs
• FireEye Blog
• HornetSecurity
• Cisco Talos
• Hatching Tria.ge
• Bitdefender Labs
• Minerva Labs
• F5 Labs
• PTSecurity Threat Intelligence
• F-Secure Labs