Coding The Rat King: A Multi-Family Malware Configuration Parser

Video description for Coding The Rat King: A Multi-Family Malware Configuration Parser

In this tutorial/code review, I'll walk you through my journey over the last couple of months to take our original AsyncRAT config parser/extractor and modify it to work with several related, cloned, and derivative Remote Access Trojan (RAT) families of malware.

Even though this wasn't a scheduled video and was done pretty much on a whim, I hope it will be insightful for those of you on the learning journey into malware analysis and cybersecurity. For the more experienced viewers, please share your feedback, improvements, and, especially, additions you'd like to see made to this tool (for example, additional malware families that use a configuration format similar to AsyncRAT, QuasarRAT, VenomRAT, DcRAT, etc. and are not yet supported).

If you want to build your own Malware Analysis Sandbox for free, stay tuned for our next master0Fnone class, coming soon to this channel!


Please leave general feedback and questions here as comments, or DM me on Mastodon (social links listed on the channel).

Check the pinned comment for any updates to the content.

Let me know what you would like to see in future videos!


Project Homepage:

https://github.com/jeFF0Falltrades/ra...

Resources and References:

- psy_maestro QuasarRAT Blog: / quasarrat-malware-analysis-report
- Malware Bazaar: https://bazaar.abuse.ch/
- YARA: https://yara.readthedocs.io/en/stable...
- List of .NET CIL Instructions: https://en.wikipedia.org/wiki/List_of...
- dotnetfile Library: https://github.com/pan-unit42/dotnetfile
- yara-python Library: https://github.com/VirusTotal/yara-py...
- Remnux Distro: https://remnux.org/
- dnSpy: https://github.com/dnSpy/dnSpy/releases
- Original AsyncRAT Config Parser: https://github.com/jeFF0Falltrades/Tu...
- My YARA Rule Repo: https://github.com/jeFF0Falltrades/YA...


This video includes images from the following sources (thank you!):

Ouroboros (modified) - Image by Freepik - https://www.freepik.com/free-vector/o...

Rat King Illustration (modified) - User:Di (they-them), CC BY 4.0 (https://creativecommons.org/licenses/..., via Wikimedia Commons - https://commons.wikimedia.org/wiki/Fi...

Word Thump Comic Cloud (modified) - Image by Freepik - https://www.freepik.com/free-vector/w...

Chapters:

00:00:00 - Important Notes
00:03:03 - Background for this Video
00:10:29 - Key Differences from our First Parser
00:14:36 - QuasarRAT Build & Deploy Demo
00:23:07 - Decompiling & Comparing RAT Configurations in dnSpy
00:32:08 - Finding the Common Feature of Each RAT Family
00:35:11 - Installation/Troubleshooting of the Rat King Parser
00:45:01 - Running Rat King Parser Against Various Samples
00:49:00 - Rat King Parser Option Flags
00:52:39 - rat_king_parser.py Code Review
00:55:12 - recompile.py and YARA Rule Code Review
01:01:37 - Multiprocessing in rat_king_parser.py
01:09:39 - rat_config_parser.py Code Review
01:10:15 - dotnetpe_payload.py Code Review
01:19:14 - dotnet_constants.py Code Review
01:21:18 - config_item.py Code Review
01:30:10 - config_aes_decryptor.py Code Review
01:34:32 - Wrapping Up rat_config_parser.py
01:37:33 - Odds and Ends Code Review
01:39:00 - See? Wasn't That Short? (Wrap-Up)
