awesome-malware-resources
Just another collection of links, tools, reports and other stuff
Table of Contents
- Malware Reports
- Tutorials
- Software / Tools
- Threat Intelligence
- Video Playlist
- Blogs
Malware Reports
Complete Work of Hasherezade - Download from VX-Underground
Infostealer / Banking Malware
Agent Tesla
[2021]
[2020]
[2018]
QakBot
[2021]
[2020]
- An old enemy – Diving into QBot part 1
- Diving into Qbot part 1.5 – Cracking string encryption
- An old enemy – Diving into QBot part 2
- An old enemy – Diving into QBot part 3
- QakBot reducing its on disk artifacts
- Deep Analysis of QBot Banking Trojan
- An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods
[2019]
Emotet
[2021]
- Reverse engineering Emotet – Our approach to protect GRNET against the trojan
- The Malware-As-A-Service Emotet
- [RE019] From A to X analyzing some real cases which used recent Emotet samples
[2020]
Gootkit
[2021]
[2020]
[2019]
Daniel Bunce (0verfl0w_) - SentinelOne
- Gootkit Banking Trojan | Part1: Deep Dive into Anti-Analysis Features
- Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities
- Gootkit Banking Trojan | Part 3: Retrieving the Final Payload
MassLogger
[2021]
[2020]
Formbook
[2021]
[2018]
Hancitor
[2021]
IcedID
[2021]
[2020]
- Manual Unpacking IcedID Write-up
- Unpacking Visual Basic Packers – IcedID
- COVID-19 and FMLA Campaigns used to install new IcedID banking malware
- IcedID: When ice burns through bank accounts
[2019]
- A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection
- A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)
- A Deep Dive Into IcedID Malware: Part III - Analysis of Child Processes
- IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth
KPOT v2.0 Stealer
[2020]
LokiBot
[2021]
TrickBot
[2020]
Dridex
[2021]
- Dridex Malware Analysis [1 Feb 2021]
- Dridex Malware Analysis [8 Feb 2021]
- Dridex Malware Analysis [10 Feb 2021]
Minebridge RAT
[2021]
Backdoor.Spyder
Loader / Dropper
GuLoader
[2020]
- Threat Bulletin: Dissecting GuLoader’s Evasion Techniques
- GuLoader: Peering Into a Shellcode-based Downloader
- Quick analysis note about GuLoader (or CloudEyE)
BazarLoader
[2021]
- New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part I
- New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part II
ZLoader
[2021]
- Zloader: Entailing Different Office Files
- Advancements in Invoicing - A highly sophisticated way to distribute ZLoader
[2020]
Ransomware
Maze
[2020]
- A Technical Look into Maze Ransomware
- Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
Egregor
[2021]
[2020]
Ryuk
[2021]
[2020]
- An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques
- Deep Dive Into Ryuk Ransomware
- Deep Analysis of Ryuk Ransomware - N1ght-W0lf
REvil
[2021]
[2020]
[2019]
- McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us - Episode 1
- McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – The All-Stars - Episode 2
- McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Follow The Money - Episode 3
- McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo - Episode 4
Makop
[2020]
Babuk
[2021]
RegretLocker
[2020]
HelloKitty
[2021]
DearCry
[2021]
- Internals of DearCry Ransomware !
- DearCry ransomware attacks exploit Exchange server vulnerabilities
APT
- Dissecting APT21 samples using a step-by-step approach
- Analyzing APT19 malware using a step-by-step method
- A detailed analysis of ELMER Backdoor used by APT16
- LazyScripter - From Empire to Double RAT - APT28
- Revealing Lamberts/Longhorn malware capabilities using a step-by-step approach (cyberespionage group linked to Vault 7)
Tutorials
Malware Analysis
Courses
Overview of Malware Techniques
- Common Tools & Techniques Used By Threat Actors and Malware — Part I
- Common Tools & Techniques Used By Threat Actors and Malware — Part II
Process Injection
DLL Search Order Hijacking
Weaponizing Windows Virtualization
- VX-Underground - "Weaponizing Windows Virtualization" Paper
- Beware of the Shadowbunny - Using virtual machines to persist and evade detections
Anti-Analysis
API Hashing
Deobfuscating DanaBot's API Hashing
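Added illustration of what the article above is deobfuscating. This is not code from the linked write-up and not DanaBot's actual hash routine; it uses the classic ROR-13 scheme, and the export table is a constructed stand-in (names and addresses are made up) rather than a real PE walked from memory.

```python
"""Toy API-hashing resolver (added illustration, not DanaBot's scheme).

Malware that hashes API names stores a 32-bit hash per import and, at
runtime, walks a DLL's export table hashing each name until one matches.
The hash below is the classic ROR-13 variant; real families use their own
constants, so an analyst first recovers the routine, then brute-forces the
constants against known export names (what build_hash_table does).
"""
from typing import Dict, Iterable, Optional, Tuple


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Classic ROR-13 API hash: h = ROR(h, 13) + byte, for each byte of the name."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for kernel32's export name table; addresses are fake.
FAKE_EXPORTS: Dict[str, int] = {
    "CreateFileA": 0x1000,
    "VirtualAlloc": 0x2000,
    "WriteProcessMemory": 0x3000,
    "LoadLibraryA": 0x4000,
}


def resolve_by_hash(target_hash: int, exports: Dict[str, int]) -> Optional[Tuple[str, int]]:
    """Malware side: hash each export name until one matches target_hash."""
    for name, address in exports.items():
        if ror13_hash(name) == target_hash:
            return name, address
    return None


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name so hashes seen in a sample can be
    labelled (the core of a deobfuscation script for IDA/Ghidra)."""
    return {ror13_hash(n): n for n in names}


if __name__ == "__main__":
    wanted = ror13_hash("VirtualAlloc")
    print(hex(wanted), resolve_by_hash(wanted, FAKE_EXPORTS))
```

The same two functions are the whole game when deobfuscating: once the rotate count and any added constant match the sample, build_hash_table over the export names of the DLLs the sample loads labels every hash constant in the binary.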
Debugger Detection
Catching Debuggers with Section Hashing
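Added illustration of the section-hashing check the article above describes. This is not the article's code; the "code section" is a constructed byte string, and a real implementation would hash the mapped .text section read from the process's own memory.

```python
"""Section hashing as a software-breakpoint check (added illustration).

A software breakpoint replaces the first byte of an instruction with 0xCC
(int3). A binary that hashes its own code section and compares the result
with a value baked in at build time notices that patch.
"""
import zlib
from typing import List

# Constructed "section": a short x86 prologue/epilogue, not from any sample.
CLEAN_TEXT = bytes([
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x56, 0x8B, 0x75, 0x08,
    0x85, 0xF6, 0x74, 0x05, 0x33, 0xC0, 0x5E, 0x8B, 0xE5, 0x5D, 0xC3,
])


def section_hash(section: bytes) -> int:
    """CRC32 of the section; the choice of hash is irrelevant, only that it changes."""
    return zlib.crc32(section) & 0xFFFFFFFF


# What a protector would embed in the binary at build time.
BAKED_HASH = section_hash(CLEAN_TEXT)


def has_software_breakpoint(section: bytes, expected: int = BAKED_HASH) -> bool:
    """Anti-debug check: True when the code section no longer matches."""
    return section_hash(section) != expected


def set_software_breakpoint(section: bytes, offset: int) -> bytes:
    """Simulate a debugger writing int3 at `offset`.
    If that byte already is 0xCC the hash does not change and the check misses it."""
    patched = bytearray(section)
    patched[offset] = 0xCC
    return bytes(patched)


def int3_offsets(section: bytes) -> List[int]:
    """Naive scan for 0xCC bytes. 0xCC can also be a legitimate immediate or
    alignment padding, so the hash comparison, not this scan, is the real check."""
    return [i for i, b in enumerate(section) if b == 0xCC]


if __name__ == "__main__":
    patched = set_software_breakpoint(CLEAN_TEXT, 6)
    print(has_software_breakpoint(CLEAN_TEXT), has_software_breakpoint(patched))
```

Two caveats worth keeping in mind when you meet this in a sample: hardware breakpoints (DR0-DR3) do not modify memory, so the hash never sees them, and the check itself lives in code, so patching the comparison or the baked-in constant defeats it.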
Maldoc Analysis
- Excel Formula/Macro in .xlsb?
- XLSB: Analyzing a Microsoft Excel Binary Spreadsheet
- Malware Analysis Exercises with Walkthroughs
- How to Reverse Office Droppers: Personal Notes
- Cracking Password Protected Payloads
Malware Development
Courses
RED TEAM Operator: Malware Development Intermediate Course
Software / Tools
https://labs.sentinelone.com/top-15-essential-malware-analysis-tools/
List of Plugins for Disassembler/Decompiler
IDA Plugins
Labeless
Threat Intelligence
MITRE ATT&CK
RecordedFuture - Top 2020 MITRE Techniques