GIAC Reverse Engineering Malware Certification (GREM) Review

Overview

In 2026 I completed the FOR610 course from SANS and earned the GIAC Reverse Engineering Malware Certification (GREM). I took the course in the on-demand format, which gave me 180 days to complete all of the video lectures, labs, and practice material. Because of this, my experience may be a little different from someone who takes the course in person over the typical 6-day SANS training schedule. Overall, the course was excellent. The labs were extremely well designed and did a great job of walking through real reverse engineering workflows. However, the biggest challenge for me wasn’t the technical content; it was preparing correctly for the exam. ...

March 14, 2026 · 6 min

PyInstaller Malware Loader Analysis (Broken PKG Archive)

Overview

This report documents the analysis of a suspicious Windows executable disguised as svchost_REAL.exe. Static analysis revealed that the binary is a PyInstaller-based loader, which normally embeds a Python runtime and packaged payload within the executable. However, during execution the loader failed to locate its embedded PKG archive, preventing the payload from being unpacked or executed. This behavior suggests the sample may be corrupted, intentionally modified to resist analysis, or incomplete. ...
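The "failed to locate its embedded PKG archive" symptom is something you can check statically: the PyInstaller bootloader finds its archive by a trailer ("cookie") at the end of the file and refuses to run if the cookie or its recorded lengths are wrong. The script below is an added example, not code from this report or from the PyInstaller project. It assumes the PyInstaller 2.1+ trailer layout (struct "!8sIIii64s", 88 bytes, magic b"MEI\x0c\x0b\x0a\x0b\x0e") and the TOC entry layout "!iIIIBc" followed by the entry name; the archive it parses is constructed by build_pkg(), not the real sample.

```python
"""Locate and sanity-check a PyInstaller CArchive trailer (the "cookie").

Added example, not code from the original analysis. It assumes the
PyInstaller >= 2.1 trailer layout (struct "!8sIIii64s", 88 bytes, magic
b"MEI\x0c\x0b\x0a\x0b\x0e") and the TOC entry layout "!iIIIBc" + name.
The archive bytes it is run on are constructed below, not the real sample.
"""
import struct
import zlib

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"      # magic, pkg_len, toc_pos, toc_len, pyver, pylib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88
ENTRY_FMT = "!iIIIBc"          # entry_len, data_pos, cmp_len, uncmp_len, cflag, typecode
ENTRY_LEN = struct.calcsize(ENTRY_FMT)     # 18


def find_pkg(data: bytes) -> dict:
    """Report whether a loadable PKG archive is present and list its TOC."""
    idx = data.rfind(MAGIC)
    if idx == -1:
        return {"status": "no_cookie", "entries": []}
    if len(data) - idx < COOKIE_LEN:
        return {"status": "truncated_cookie", "entries": []}
    _, pkg_len, toc_pos, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[idx:idx + COOKIE_LEN])
    # The cookie is the last thing in the archive, so the archive starts
    # pkg_len bytes before the end of the cookie.
    pkg_start = idx + COOKIE_LEN - pkg_len
    if pkg_start < 0 or toc_pos + toc_len > pkg_len:
        return {"status": "bad_lengths", "pyver": pyver, "entries": []}
    toc = data[pkg_start + toc_pos:pkg_start + toc_pos + toc_len]
    entries, off = [], 0
    while off + ENTRY_LEN <= len(toc):
        entry_len, dpos, clen, ulen, cflag, typecode = struct.unpack_from(ENTRY_FMT, toc, off)
        if entry_len < ENTRY_LEN or off + entry_len > len(toc) or dpos + clen > pkg_len:
            return {"status": "bad_toc", "pyver": pyver, "entries": entries}
        name = toc[off + ENTRY_LEN:off + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": typecode.decode("ascii"),
                        "compressed": bool(cflag), "size": ulen})
        off += entry_len
    return {"status": "ok", "pyver": pyver,
            "pylib": pylib.rstrip(b"\0").decode("ascii"), "entries": entries}


def build_pkg(files: dict, pyver: int = 311, pylib: bytes = b"python311.dll") -> bytes:
    """Build a minimal PyInstaller-style archive (constructed test input, not a real sample)."""
    body, toc = b"", b""
    for name, content in files.items():
        blob = zlib.compress(content)
        nm = name.encode() + b"\0"
        entry_len = ENTRY_LEN + len(nm)
        entry_len += (-entry_len) % 16            # PyInstaller pads entries to 16 bytes
        toc += struct.pack(ENTRY_FMT, entry_len, len(body), len(blob), len(content), 1, b"s")
        toc += nm.ljust(entry_len - ENTRY_LEN, b"\0")
        body += blob
    pkg_len = len(body) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(body), len(toc), pyver, pylib)
    return body + toc + cookie


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        report = find_pkg(f.read())
    print(report["status"], [e["name"] for e in report["entries"]])
```

Run it against the suspect executable and compare the status with what the bootloader reported at runtime: "no_cookie" or "truncated_cookie" points to an overlay that was cut or stripped, while "bad_lengths" or "bad_toc" means the trailer is there but its offsets no longer match the file, which is what deliberate tampering to frustrate pyinstxtractor-style tools tends to look like.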

March 13, 2026 · 4 min

Phorpiex Worm Malware Analysis

Overview

This report documents the static analysis of a Windows PE malware sample identified as Phorpiex (Trik). Phorpiex is a long-running malware family known for worm propagation, spam botnet activity, and more recently cryptocurrency clipboard hijacking. The analyzed sample demonstrates capabilities including persistence via registry run keys, command-and-control communication, router discovery using UPnP, and clipboard monitoring for cryptocurrency wallet replacement.

Threat Summary

| Field | Details |
|---|---|
| Malware Family | Phorpiex (Trik Worm) |
| SHA256 | ad9cd916566c52d3045fea0120900a9f2f460a4bfbc01d0bac236f3cc9344739 |
| MD5 | 4d2d3b04cf612c15cf5815be0fbeac51 |
| Primary Capabilities | Worm propagation, clipboard hijacking, botnet communication |
| Key IOC | http://178.16.54.109/new.php |
| First Seen | 2026-03-09 |
| Source | MalwareBazaar |

Background

Date Observed: 2026-03-09
Analyst: Cody Craig
Source: MalwareBazaar
...
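The "router discovery using UPnP" capability is an SSDP exchange, and knowing its exact shape helps both when you see it in a sandbox pcap and when you write a detection for it. The following is an added example, not code from this report and not Phorpiex's own code: it builds the M-SEARCH probe a host multicasts to 239.255.255.250:1900 and parses the gateway's unicast reply. The reply bytes are a constructed sample in the form a MiniUPnPd-based router returns; only discover() touches the network.

```python
"""SSDP (UPnP) gateway discovery, the exchange behind "router discovery using UPnP".

Added example, not code from the original report. Both sides of the exchange
are shown: the M-SEARCH probe a host multicasts to 239.255.255.250:1900 and
the parsing of a gateway's unicast reply. SAMPLE_REPLY is constructed;
discover() is the only function that sends packets.
"""
import socket
from typing import Dict, List, Optional

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """HTTPU M-SEARCH request for a search target (default: the IGD root device)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_HOST}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Return the headers of a 200 OK SSDP reply (lower-cased keys), else None."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    if "location" not in headers:      # LOCATION is what the client fetches next
        return None
    return headers


def is_igd(headers: Optional[Dict[str, str]]) -> bool:
    """True when the reply advertises an Internet Gateway Device."""
    return bool(headers) and "InternetGatewayDevice" in headers.get("st", "")


def discover(timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH and collect IGD replies (network access; not used in tests)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_HOST, SSDP_PORT))
    found = []
    try:
        while True:
            data, addr = sock.recvfrom(4096)
            hdrs = parse_ssdp_response(data)
            if is_igd(hdrs):
                hdrs["peer"] = addr[0]
                found.append(hdrs)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed reply in the shape a MiniUPnPd-based router returns (not a capture).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: Router/1.0 UPnP/1.1 MiniUPnPd/2.1\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
)

if __name__ == "__main__":
    print(build_msearch().decode())
    print(parse_ssdp_response(SAMPLE_REPLY))
```

From the detection side, the useful signal is a workstation process (rather than a media or discovery service) multicasting an M-SEARCH whose ST is the InternetGatewayDevice URN and then fetching the LOCATION URL from the gateway.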

March 10, 2026 · 3 min

Malware Analysis: Dropper.DownloadFromURL.exe

🧩 Overview

This analysis covers a suspicious executable named Dropper.DownloadFromURL.exe identified as a potential malware dropper. The sample appears to retrieve a payload from a remote server, write it to disk, and execute it. This malware sample is from TCM Security’s Practical Malware Analysis & Triage Course.

🔍 Static Analysis

Hashes

SHA256: 92730427321a1c4ccfc0d0580834daef98121efa9bb8963da332bfd6cf1fda8a
MD5: 1d8562c0adcaee734d63f7baaca02f7c

Embedded Strings (UTF-16LE)

- cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"
- http://ssl-6582datamanager.helpdeskbros.local/favicon.ico
- C:\Users\Public\Documents\CR433101.dat.exe
- Mozilla/5.0
- "http://huskyhacks.dev"
- ping 1.1.1.1 -n 1 -w 3000 > Nul & C:\Users\Public\Documents\CR433101.dat.exe
- open

⚙️ Import Table (IAT) Analysis

The executable imports the following Windows API calls: ...
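Those strings are UTF-16LE, which plain `strings` misses without the right encoding flag, and once extracted they already tell most of the story: a ping-as-sleep followed by self-deletion, the same delay followed by launching the dropped file, and the download URL. The script below is an added example, not the tooling used in this analysis: it extracts UTF-16LE strings and tags them with my own heuristics (not vendor signatures). The input buffer is constructed from the strings listed above plus some ASCII filler.

```python
"""Pull UTF-16LE strings out of a binary and tag dropper indicators.

Added example, not the original analysis tooling. The input buffer is
constructed from the strings the report lists (with some ASCII filler), and
the tagging rules are my own heuristics, not signatures from any vendor.
"""
import re
from typing import List, Tuple


def utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII stored as UTF-16LE (each char followed by 0x00)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


# (tag, regex): each rule names a behaviour a dropper string can reveal.
RULES = [
    ("url", re.compile(r"https?://[^\s\"']+")),
    # cmd /C ping <ip> -n 1 -w <ms> > Nul & Del /f /q "<self>": delay, then self-delete
    ("self_delete", re.compile(r"ping\s+\S+\s+-n\s+\d+.*&\s*del\s+/f\s+/q", re.I)),
    # the same ping delay followed by launching a file from disk
    ("delayed_exec", re.compile(r"ping\s+\S+\s+-n\s+\d+.*&\s*[a-z]:\\", re.I)),
    ("drop_path", re.compile(r"[a-z]:\\users\\public\\.*\.exe", re.I)),
    ("user_agent", re.compile(r"^Mozilla/\d", re.I)),
]


def tag_strings(strings: List[str]) -> List[Tuple[str, List[str]]]:
    """Pair every string with the rule names that match it (empty list = untagged)."""
    return [(s, [name for name, rx in RULES if rx.search(s)]) for s in strings]


def triage(data: bytes) -> List[Tuple[str, List[str]]]:
    return tag_strings(utf16le_strings(data))


# Constructed buffer: the report's UTF-16LE strings, NUL-separated, behind ASCII filler.
REPORT_STRINGS = [
    'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"',
    "http://ssl-6582datamanager.helpdeskbros.local/favicon.ico",
    r"C:\Users\Public\Documents\CR433101.dat.exe",
    "Mozilla/5.0",
    '"http://huskyhacks.dev"',
    r"ping 1.1.1.1 -n 1 -w 3000 > Nul & C:\Users\Public\Documents\CR433101.dat.exe",
    "open",
]
SAMPLE = (b"MZ\x90\x00\x03" + b"GetProcAddress\x00KERNEL32.dll\x00\x00\x00"
          + b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in REPORT_STRINGS)
          + b"\x00" * 8)

if __name__ == "__main__":
    for s, tags in triage(SAMPLE):
        print(f"{','.join(tags) or '-':<24} {s}")
```

The ASCII imports in the filler (GetProcAddress, KERNEL32.dll) are deliberately not returned: each of their bytes is not followed by 0x00, so a UTF-16LE scan ignores them and you need a separate ASCII pass for those.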

August 1, 2025 · 2 min

RAT.CMDSocket.exe Analysis

Overview

This post documents my analysis of a Remote Access Trojan (RAT) sample, RAT.CMDSocket.exe.malz. The objective was to identify its capabilities, persistence methods, and communication patterns through a combination of static and dynamic analysis.

Static Analysis

Initial string extraction immediately revealed notable artifacts:

- @SSL support is not available. Cannot connect over SSL. Compile with -d:ssl to enable.
- @https
- @No uri scheme supplied.
- InternetOpenW
- InternetOpenUrlW
- @wininet
- MessageBoxW
- @[+] what command can I run for you
- @[+] online
- @NO SOUP FOR YOU
- \mscordll.exe
- Nim httpclient/1.0.6
- /msdcorelib.exe
- AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- intrt explr
- http://serv1.ec2-102-95-13-2-ubuntu.local

Key takeaways: ...
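The "@" in front of many of those strings is itself a Nim fingerprint, consistent with the "Nim httpclient/1.0.6" string. The carver below is an added example, not part of the original analysis. It assumes a 64-bit Nim build, where the compiler lays each string literal out as a header of {len, reserved} (or {cap} in the newer string layout) followed by the bytes and a NUL, with reserved = len | NIM_STRLIT_FLAG and NIM_STRLIT_FLAG = 1 << 62; in little-endian memory the flag's byte is 0x40, which is "@", and it sits directly before the text. Checking that header gives exact literal boundaries instead of guessing at printable runs. The buffer it scans is constructed with nim_literal(), not taken from the sample.

```python
"""Carve Nim string literals (the "@"-prefixed strings above) from a binary.

Added example, not the original analysis. Assumes a 64-bit Nim target:
each literal is emitted as a header ending in an 8-byte field equal to
len | NIM_STRLIT_FLAG (NIM_STRLIT_FLAG = 1 << 62), then the text, then NUL.
The top byte of that field is 0x40 ("@") and directly precedes the text,
which is why `strings` prints "@[+] online". SAMPLE is constructed.
"""
import struct
from typing import List, Tuple

NIM_STRLIT_FLAG = 1 << 62


def nim_literal(text: str) -> bytes:
    """Lay out one literal the way the 64-bit Nim (v1 string) codegen does."""
    data = text.encode()
    return struct.pack("<qQ", len(data), len(data) | NIM_STRLIT_FLAG) + data + b"\0"


def carve_nim_strings(buf: bytes, min_len: int = 2,
                      max_len: int = 0xFFFF) -> List[Tuple[int, str]]:
    """Return (offset_of_text, text) for every "@" whose header checks out."""
    found = []
    pos = buf.find(b"@")
    while pos != -1:
        nxt = pos + 1
        if pos >= 7:
            # The "@" is the top byte of the 8-byte reserved/cap field that ends at it.
            reserved = struct.unpack_from("<Q", buf, pos - 7)[0]
            length = reserved ^ NIM_STRLIT_FLAG        # strip the literal flag
            start, end = pos + 1, pos + 1 + length
            text = buf[start:end]
            if (min_len <= length <= max_len and len(text) == length
                    and buf[end:end + 1] == b"\0"
                    and all(0x20 <= b < 0x7F or b in (9, 10, 13) for b in text)):
                found.append((start, text.decode("ascii")))
                nxt = end + 1                           # skip past this literal
        pos = buf.find(b"@", nxt)
    return found


# Constructed buffer: ELF-ish header, three literals, and a stray "@" that is not one.
SAMPLE = (b"\x7fELF" + b"\x00" * 12
          + nim_literal("[+] online")
          + b"garbage @ not a literal\x00"
          + nim_literal("Nim httpclient/1.0.6")
          + b"\x00" * 5
          + nim_literal("http://serv1.ec2-102-95-13-2-ubuntu.local")
          + nim_literal("AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"))

if __name__ == "__main__":
    for off, s in carve_nim_strings(SAMPLE):
        print(f"{off:#010x} {s}")
```

A stray "@" inside ordinary data fails the check because the seven bytes before it decode to an implausibly large length, so the carver only reports strings the compiler actually emitted as literals; on the real sample that includes the command prompt strings and the Startup-folder path, which is exactly the persistence location worth confirming dynamically.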

August 1, 2025 · 2 min