Malchanic

136 posts

@MalwareMechanic

Malware and stuff

Joined March 2009
428 Following, 2.2K Followers
Malchanic retweeted
nickharbour @nickharbour
The #flareon10 countdown is now live at flare-on.com. Clear your weekend plans for Sept. 30th.
Malchanic retweeted
Mike Hunhoff @mehunhoff
capa explorer integrates capa’s automated capabilities detection seamlessly with IDA Pro. The plugin aims to focus your reverse engineering efforts, especially when analyzing malware. Check it out and let us know what you think!
Quoting Hex-Rays SA @HexRaysSA:
Ready for a new #PluginFocus blog post? @mehunhoff, @m_r_tz and @williballenthin from the @Mandiant FLARE Team talk about the latest version of their #capaexplorer plugin, an entry in our 2020 plugin contest 🌐 hex-rays.com/blog/plugin-fo… #IDAPro #IDAPython #IDAPlugin
Malchanic retweeted
Mike Hunhoff @mehunhoff
🚨 capa v5 release is out! Great improvements with big additions for .NET binary analysis. Did you know that capa displays the method token + instruction offset for each .NET match? You can use this info to find the matched location in dnSpy helping focus your analysis!
Quoting Moritz @m_r_tz:
capa v5.0.0 is out: major improvements for .NET binary analysis, 150 new/updated rules, caching to improve performance standalone and in the IDA Pro plugin, better ELF OS detection, and a lot more. github.com/mandiant/capa/… VirusTotal integration updates are next!
Malchanic @MalwareMechanic
What better way to finish off the year than a fresh release of FLARE VM?! 🥳 This release focuses on empowering community contributions and automation. Get it while it's hot 🔥🔥🔥 mandiant.com/resources/blog…
Jiří Vinopal @vinopaljiri
#DnSpyEx News 🥳😊 #ElektroKill is really killing it 👏❤️ One of the new features added in a future release will be a #NEW #Window during debugging, "Static Fields": it displays static fields accessed in the current method as well as static fields defined in the current method's declaring type.
Daniel Stepanic @DanielStepanic
#IcedID pushed out a new dev loader last Thursday from #Emotet. It's leaner and better obfuscated. This version resolves imports dynamically, removes the cookie parameters that were used to fingerprint the machine on the initial request, and uses an in-line function for config decryption.
Quoting Threat Insight @threatinsight:
Today Proofpoint observed the #Emotet E4 botnet delivering what seems to be a development build of a new #IcedID Loader. This module has the ID 2445 and directly downloads the IcedID bot.
Malchanic @MalwareMechanic
@fancy_4n6 @grumpy4n6 Yep, we haven’t forgotten! It’s been really busy as of late. Keep an eye out in the coming weeks 😀
Malchanic @MalwareMechanic
@SeanTheGeek Yep, we're working on refreshing it! The main goal is open sourcing the packages for community support, ease of package creation, and automation via GitHub Actions. It's been slow going, but we are working on it. We're trying to target a new release later this year.
Jiří Vinopal @vinopaljiri
If you want to quickly unpack #redline #stealer, which is often executed via some native C/C++ loader, don't forget that the C/C++ code must somehow load the .NET runtime inside the process, in this case via "CLRCreateInstance", to be able to host the .NET payload. Be smart, USE dnSpy; follow the tweet 🤠🙌
Quoting Jiří Vinopal @vinopaljiri:
@MalGamy12 [1/2] If I am not wrong, what you got there is the last C/C++ loader, which will be loading the .NET runtime. If one wants to host .NET code such as "redline" from some loader written in C/C++, usually one must load the .NET runtime inside the process, in this case via "CLRCreateInstance".
Malchanic retweeted
Jiří Vinopal @vinopaljiri
@MalGamy12 [2/2] You got the last native loader, which will be hosting .NET to be able to load the "redline" code that is written in .NET. If you want to unpack these sh*t loaders that load a .NET payload really quickly, use dnSpy. Load the original native sample, set a module breakpoint, and bam.
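The two threads above describe the same tell from the debugger side: a native C/C++ loader that carries a .NET payload (RedLine here) has to bring up the CLR inside its own process, typically through the CLRCreateInstance export of mscoree.dll, so a module or function breakpoint there in dnSpy lands you at the moment the managed payload is loaded. The script below is an added static-triage companion to that dynamic trick; it is not code from either tweet, from dnSpy, or from RedLine. It walks a PE's import directory with the Python standard library only and reports whether the file imports the CLR hosting entry points from mscoree.dll or, as many loaders do instead, merely carries the export name as a plain string for a later GetProcAddress. The PE it scans is a minimal, constructed PE32+ built by build_test_pe (all function names and the sample DLL lists are the example's own assumptions, not anything from the thread).

```python
import struct

# Exports of mscoree.dll that a native loader calls to bring up the CLR
# (CLRCreateInstance is the .NET 4 hosting entry point, CorBindToRuntimeEx the
# legacy one). Kept as bytes so the same names can be searched in raw file data.
CLR_HOST_EXPORTS = {b"CLRCreateInstance", b"CorBindToRuntimeEx"}


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)]


def parse_imports(data):
    """Walk the import directory; return {dll_name: [symbol, ...]}."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directory entry 1 is the import table; the directory starts at
    # optional-header offset 112 for PE32+ and 96 for PE32.
    import_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    # (VirtualAddress, SizeOfRawData, PointerToRawData) of each section header
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12)
                for i in range(nsections)]
    imports = {}
    if import_rva == 0:
        return imports
    thunk_fmt, thunk_size = ("<Q", 8) if pe32plus else ("<I", 4)
    ordinal_flag = 1 << (63 if pe32plus else 31)
    desc = _rva_to_offset(sections, import_rva)
    while True:                                             # IMAGE_IMPORT_DESCRIPTOR array
        oft, _ts, _fc, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                                   # all-zero terminator
            break
        dll = _cstring(data, _rva_to_offset(sections, name_rva)).decode("ascii", "replace").lower()
        thunk = _rva_to_offset(sections, oft or ft)         # prefer the ILT, fall back to the IAT
        syms = []
        while (entry := struct.unpack_from(thunk_fmt, data, thunk)[0]) != 0:
            if entry & ordinal_flag:
                syms.append(f"#{entry & 0xFFFF}")
            else:                                           # IMAGE_IMPORT_BY_NAME: hint(2) + name
                name_off = _rva_to_offset(sections, entry & 0x7FFFFFFF) + 2
                syms.append(_cstring(data, name_off).decode("ascii", "replace"))
            thunk += thunk_size
        imports[dll] = syms
        desc += 20
    return imports


def clr_hosting_indicators(data):
    """Return the reasons a native PE looks like it will host the CLR ([] if none)."""
    reasons = []
    for sym in parse_imports(data).get("mscoree.dll", []):
        if sym.encode() in CLR_HOST_EXPORTS:
            reasons.append(f"imports mscoree.dll!{sym}")
    # Loaders often LoadLibrary("mscoree.dll") + GetProcAddress(...) instead of
    # importing statically; the export name then still sits in the file as a string.
    for name in sorted(CLR_HOST_EXPORTS):
        if name in data and not any(name.decode() in r for r in reasons):
            reasons.append(f"string {name.decode()!r} present (likely resolved via GetProcAddress)")
    return reasons


def build_test_pe(dlls):
    """Construct a minimal PE32+ whose single section holds an import directory
    for {dll: [symbol, ...]}. Constructed sample input, not a real loader."""
    sec_rva = sec_raw = 0x1000                              # section RVA == file offset
    descs_size = 20 * (len(dlls) + 1)
    thunks_size = sum(8 * (len(s) + 1) for s in dlls.values())
    descs, thunks, strings = bytearray(), bytearray(), bytearray()

    def add_string(b):                                      # returns the RVA of the string
        rva = sec_rva + descs_size + thunks_size + len(strings)
        strings.extend(b + b"\x00")
        return rva

    for dll, syms in dlls.items():
        oft_rva = sec_rva + descs_size + len(thunks)
        for sym in syms:
            thunks += struct.pack("<Q", add_string(b"\x00\x00" + sym.encode()))
        thunks += struct.pack("<Q", 0)
        descs += struct.pack("<IIIII", oft_rva, 0, 0, add_string(dll.encode()), oft_rva)
    descs += bytes(20)
    section = bytes(descs + thunks + strings)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 120, sec_rva, len(descs))  # import directory entry
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sec_hdr = (b".idata".ljust(8, b"\x00")
               + struct.pack("<IIII", len(section), sec_rva, len(section), sec_raw) + bytes(16))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdr).ljust(sec_raw, b"\x00") + section


if __name__ == "__main__":
    static = build_test_pe({"mscoree.dll": ["CLRCreateInstance"], "kernel32.dll": ["LoadLibraryA"]})
    print(clr_hosting_indicators(static))
    dynamic = build_test_pe({"kernel32.dll": ["LoadLibraryA", "GetProcAddress"]}) + b"CLRCreateInstance\x00"
    print(clr_hosting_indicators(dynamic))
```

Both indicators are only as good as what is visible on disk: a loader that keeps the export name encrypted until run time, or that resolves mscoree.dll by ordinal or by hashed name, shows neither, and a packed outer layer hides everything. That is exactly why the thread's approach works where this script stops: once the loader is running under dnSpy, the CLR has to be brought up for real, and a module breakpoint catches the managed payload regardless of how the native stage hid its intentions.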