Content Library

Twitter: @embee_research GitHub: embee-research Youtube: EmbeeResearch

Binary Reverse Engineering (Ghidra/Debuggers)

• Ghidra Tips For Beginners
• Manual Analysis and C2 Extraction of Cobalt Strike
• Defeating API Hashing with Conditional Breakpoints
• Golang Analysis - Extracting an Xworm Payload
• Fixing False Entry Points Using Pe-bear
• Resolving Emotet API Hashes
• Developing a Static Decoder For IcedID
• Unpacking Malware Using Hardware Breakpoints
• Identifying Dummy Exports in IcedID
• Using Dumpulator to Decrypt Qakbot Strings - P2
• Decrypting Qakbot Strings With Dumpulator

Detection Engineering (Yara/Sigma)

• Developing Yara Rules Using Encryption
• Brute Ratel - Static Detection Via API Hashes
• Havoc C2 - Static Detection Via Ntdll Hashes
• Basic .NET Detection Using Yara
• Rhadamanthys Detection Via Yara
• Qakbot Detection Via Sigma
• GraceWire Detection Via Yara
• NightHawk C2 Detection Via Yara
• Static Detection of IcedID With Yara
• NetSupport - Process Based Detection

.NET Reverse Engineering + Malware Analysis (Dnspy/Powershell)

• AsyncRAT - Manually Decoding a .NET Loader
• Easy Analysis of .NET Malware
• Decoding AgentTesla Strings Using Powershell - Dynamic Invocation
• Using Process Hacker to Extract .NET Malware
• Bulk String Decryption of .NET Malware Using Powershell
• Using Powershell to Directly Invoke Decryption Code, Bypass Anti-Debug and extract C2 information
• DcRat Custom Decoding Script and Analysis

Script Reverse Engineering (CyberChef/Python)

• Advanced Decoding Using CyberChef
• Python Decoder for Remcos Loader
• Decoding Ursnif Loaders Via CyberChef
• Manual Deobfuscation of Danabot Using CyberChef and Python
• Decoding AsyncRAT Using CyberChef
• Decoding DNS Malware Using CyberChef
• Cleaning Up Scripts Using CyberChef
• Decoding AsyncRAT Loader Via CyberChef
• Decoding Zipped Content with Cyberchef
• Jupyter Decoding Using Cyberchef
• Decoding BazarLoader Using CyberChef
• String Concatenation With CyberChef
• Manual Decoding of Chromeloader Malware using Cyberchef
• Decimal Decoding (Gootloader) Using Cyberchef
• AgentTesla - Manual Key Generation and Decoding With Cyberchef

Red Team / Offensive Techniques

• Rotating API Hashes for Detection Evasion
• Module Stomping for EDR Evasion

Getting Started

• Setting Up an Analysis VM - Recommended Tools

Full Length Blogs

• Cyberchef Advanced Tips - AsyncRAT Loader
• Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection
• Snakes on a Domain: An Analysis of a Python Malware Loader
• Cobalt Strikes Again: An Analysis of Obfuscated Malware