https://github.com/Sokow86/awesome-malware-resources

# awesome-malware-resources
Just another collection of links, tools, reports and other stuff

# Table of Contents
* [Malware Reports](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#malware-reports)
  * [Infostealer / Banking Malware](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#infostealer--banking-malware)
    * [Agent Tesla](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#agent-tesla)
    * [QakBot](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#qakbot)
    * [Ursnif](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#ursnif)
    * [Emotet](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#emotet)
    * [Gootkit](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#gootkit)
    * [MassLogger](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#masslogger)
    * [Formbook](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#formbook)
    * [Hancitor](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#hancitor)
    * [IcedID](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#icedid)
    * [KPOT v2.0 Stealer](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#kpot-v2.0-stealer)
    * [LokiBot](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#lokibot)
    * [TrickBot](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#trickbot)
    * [Dridex](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#dridex)
    * [Minebridge RAT](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#minebridge-rat)
    * [Backdoor.Spyder](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#backdoor.spyder)
  * [Loader / Dropper](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#loader--dropper)
    * [GuLoader](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#guloader)
    * [BazarLoader](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#bazarloader)
    * [ZLoader](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#zloader)
    * [SmokeLoader](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#smokeloader)
    * [Saint Bot](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#saint-bot)
    * [Cobalt Strike](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#cobalt-strike)
  * [Ransomware](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#ransomware)
    * [Maze](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#maze)
    * [Egregor](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#egregor)
    * [Ryuk](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#ryuk)
    * [REvil](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#revil)
    * [Makop](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#makop)
    * [Babuk](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#babuk)
    * [RegretLocker](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#regretlocker)
    * [HelloKitty](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#hellokitty)
    * [DearCry](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#dearcry)
    * [Clop](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#clop)
    * [LockBit](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#lockbit)
  * [APT](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#apt)
* [Tutorials](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#tutorials)
  * [Malware Analysis](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#malware-analysis)
    * [Courses](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#courses)
    * [Overview of Malware Techniques](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#overview-of-malware-techniques)
    * [Process Injection](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#process-injection)
    * [DLL Search Order Hijacking](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#dll-search-order-hijacking)
    * [Weaponizing Windows Virtualization](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#weaponizing-windows-virtualization)
    * [Access Token Manipulation](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#access-token-manipulation)
  * [Anti-Analysis](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#anti-analysis)
    * [API Hashing](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#api-hashing)
    * [Debugger Detection](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#debugger-detection)
  * [Maldoc Analysis](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#maldoc-analysis)
  * [Malware Development](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#malware-development)
    * [Courses](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#courses)
* [Software / Tools](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#software--tools)
  * [List of Plugins for Disassembler/Decompiler](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#list-of-plugins-for-disassemblerdecompiler)
  * [IDA Plugins](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#ida-plugins)
    * [Labeless](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#labeless)
* [Threat Intelligence](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#threat-intelligence)
  * [MITRE ATT&CK](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#mitre-att&ck)
* [Video Playlist](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#video-playlist)
* [Blogs](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#blogs)
  * [Researcher](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#researcher)
  * [Vendors](https://github.com/Sokow86/awesome-malware-resources/blob/main/README.md#vendors)

# Malware Reports

[Complete Work of Hasherezade - Download from VX-Underground](https://vx-underground.org/archive/hasherezade/CompleteWorkOfHasherezadeVXUG.7z)

## Infostealer / Banking Malware

### Agent Tesla

[2021]

* [Threat Bulletin: Exploring the Differences and Similarities of Agent Tesla v2 & v3](https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/)
* [Technical report of AgentTesla](https://menshaway.blogspot.com/2021/04/agenttesla-malware.html)
* [Agent Tesla amps up information stealing attacks](https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/)

[2020]

* [The Hasty Agent: Agent Tesla Attack Uses Hastebin](https://www.deepinstinct.com/2020/10/29/the-hasty-agent-agent-tesla-attack-uses-hastebin/)
* [Agent Tesla: A Day in a Life of IR](https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir)

[2018]

* [Analysis of New Agent Tesla Spyware Variant](https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant)

### QakBot

[2021]

* [The Rise of QakBot](https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot)
* [[RE021] Qakbot analysis – Dangerous malware has been around for more than a decade](https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html)

[2020]

* [Deep Analysis of a QBot Campaign – Part I](https://www.fortinet.com/blog/threat-research/deep-analysis-of-a-qbot-campaign-part-1)
* [Deep Analysis of a QBot Campaign – Part II](https://www.fortinet.com/blog/threat-research/deep-analysis-qbot-campaign)
* [An old enemy – Diving into QBot part 1](https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/)
* [Diving into Qbot part 1.5 – Cracking string encryption](https://malwareandstuff.com/diving-into-qbot-part-1-5-cracking-string-encryption/)
* [An old enemy – Diving into QBot part 2](https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-2/)
* [An old enemy – Diving into QBot part 3](https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/)
* [QakBot reducing its on disk artifacts](https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/)
* [Deep Analysis of QBot Banking Trojan](https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/)
* [An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods](https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/)

[2019]

* [Reversing QakBot - Hatching](https://hatching.io/blog/reversing-qakbot/)

### Ursnif

[2021]

* [New Variant of Ursnif Continuously Targeting Italy](https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy)

[2019]

* [New Ursnif Variant Spreading by Word Document](https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document)

### Emotet

[2021]

* [Emotet Command and Control Case Study](https://unit42.paloaltonetworks.com/emotet-command-and-control/)
* [Reverse engineering Emotet – Our approach to protect GRNET against the trojan](https://cert.grnet.gr/en/blog/reverse-engineering-emotet/)
* [The Malware-As-A-Service Emotet](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf)
* [[RE019] From A to X analyzing some real cases which used recent Emotet samples](https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html)

[2020]

* [Analyzing an Emotet Dropper and Writing a Python Script to Statically Unpack Payload](https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/)

### Gootkit

[2021]

* [Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets](https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/)
* [Gootkit: the cautious Trojan](https://securelist.com/gootkit-the-cautious-trojan/102731/)
* [“Gootloader” expands its payload delivery options](https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/)

[2020]

* [Investigating the Gootkit Loader](https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html)
* [German users targeted with Gootkit banker or REvil ransomware](https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/)

[2019]

Daniel Bunce (0verfl0w_) - SentinelOne

* [Gootkit Banking Trojan | Part1: Deep Dive into Anti-Analysis Features](https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/)
* [Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities](https://labs.sentinelone.com/gootkit-banking-trojan-persistence-other-capabilities/)
* [Gootkit Banking Trojan | Part 3: Retrieving the Final Payload](https://labs.sentinelone.com/gootkit-banking-trojan-retrieving-final-payload/)

### MassLogger

[2021]

* [MassLogger v3: a .NET stealer with serious obfuscation](https://decoded.avast.io/anhho/masslogger-v3-a-net-stealer-with-serious-obfuscation/)

[2020]

* [Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach](https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html)

### Formbook

[2021]

* [Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part I](https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I)
* [Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part II](https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii)
* [Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part III](https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-in-phishing-campaign-part-iii)
* [Yes, Cyber Adversaries are still using Formbook in 2021](https://yoroi.company/research/yes-cyber-adversaries-are-still-using-formbook-in-2021/)

[2018]

* [In-depth Formbook malware analysis – Obfuscation and process injection](https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/)

### Hancitor

[2021]

* [Analysis of Hancitor – When Boring Begets Beacon](https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon/)
* [Unearthing Hancitor Infrastructure](https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure)
* [Hancitor Infection Chain Analysis: An Examination of its Unpacking Routing and Execution Techniques](https://threatresearch.ext.hp.com/hancitors-return-analyzing-its-latest-infection-chain/)

### IcedID

[2021]

* [Let’s set ice on fire: Hunting and detecting IcedID infections](https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240)
* [IcedID on my neck I’m the coolest](https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/)
* [IcedID Analysis](https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/)
* [IcedID GZIPLOADER Analysis](https://www.binarydefense.com/icedid-gziploader-analysis/)
* [IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims](https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims)

[2020]

* [Manual Unpacking IcedID Write-up](https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/)
* [Unpacking Visual Basic Packers – IcedID](https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/)
* [COVID-19 and FMLA Campaigns used to install new IcedID banking malware](https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware)
* [IcedID: When ice burns through bank accounts](https://www.group-ib.com/blog/icedid)

[2019]

* [A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection](https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one)
* [A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)](https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two)
* [A Deep Dive Into IcedID Malware: Part III - Analysis of Child Processes](https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes)
* [IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth](https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/)

### KPOT v2.0 Stealer

[2020]

* [Reverse engineering KPOT v2.0 Stealer](https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md)

### LokiBot

[2021]

* [A Deep Dive into Lokibot Infection Chain](https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html?m=1)

### TrickBot

[2021]

* [TrickBot Crews New CobaltStrike Loader](https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c)

[2020]

* [Trickbot Malware-as-a-service](https://blog.cyberint.com/trickbot-malware-as-a-service)
* [De-crypting a TrickBot Crypter](https://zero2auto.com/2020/06/22/decrypting-trickbot-crypter/)

### Dridex

[2021]

* [Dridex Loader Analysis](https://blog.lexfo.fr/dridex-malware.html)
* [Dridex Malware Analysis [1 Feb 2021]](https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/)
* [Dridex Malware Analysis [8 Feb 2021]](https://aaqeel01.wordpress.com/2021/02/08/dridex-malware-analysis-8-feb-2021/)
* [Dridex Malware Analysis [10 Feb 2021]](https://aaqeel01.wordpress.com/2021/02/10/dridex-malware-analysis-10-feb-2021/)

### Minebridge RAT

[2021]

* [MineBridge Is on the Rise, With a Sophisticated Delivery Mechanism](https://blog.morphisec.com/minebridge-on-the-rise-sophisticated-delivery-mechanism)

### Backdoor.Spyder

* [Backdoor.Spyder.1 by Dr.Web](https://vms.drweb.com/virus/?i=23648386&lng=en)

## Loader / Dropper

### GuLoader

[2021]

* [Dancing With Shellcodes: Cracking the latest version of Guloader](https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4)

[2020]

* [Threat Bulletin: Dissecting GuLoader’s Evasion Techniques](https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/)
* [GuLoader: Peering Into a Shellcode-based Downloader](https://www.crowdstrike.com/blog/guloader-malware-analysis/)
* [Quick analysis note about GuLoader (or CloudEyE)](https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/)

### BazarLoader

[2021]

* [New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part I](https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I)
* [New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part II](https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II)

### ZLoader

[2021]

* [Zloader email campaign using MHTML to download and decrypt XLS](https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/)
* [Zloader: Entailing Different Office Files](https://blogs.quickheal.com/zloader-entailing-different-office-files/)
* [Advancements in Invoicing - A highly sophisticated way to distribute ZLoader](https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader)

[2020]

* [Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex](https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex)

### SmokeLoader

[2019]

* [Going Deep | A Guide to Reversing Smoke Loader Malware](https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/)

### Saint Bot

[2021]

* [A deep dive into Saint Bot, a new downloader](https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/)

### Cobalt Strike

[2021]

* [Look how many cybercriminals love Cobalt Strike](https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor)
* [Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic](https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/)
* [Anatomy of Cobalt Strike’s DLL Stager](https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/)
* [Yet Another Cobalt Strike Stager: GUID Edition](https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/)

[2020]

* [The art and science of detecting Cobalt Strike - Talos](https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf?1600694964)
* [Detecting Cobalt Strike Default Modules via Named Pipe Analysis](https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/)

## Ransomware

### Maze

[2020]

* [A Technical Look into Maze Ransomware](https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf)
* [Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)](https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/)

### Egregor

[2021]

* [An Analysis of the Egregor Ransomware](https://tinyurl.com/yptt8k4u)

[2020]

* [Egregor Ransomware - An In-Depth Analysis](https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis)

### Ryuk

[2021]

* [Video Tutorial about resolving API hashing from Ryuk by Jiří Vinopal](https://www.youtube.com/watch?v=7xxRunBP5XA&feature=youtu.be)

[2020]

* [Ryuk Revisited - Analysis of Recent Ryuk Attack](https://www.fortinet.com/blog/threat-research/ryuk-revisited-analysis-of-recent-ryuk-attack)
* [An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques](https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/)
* [Deep Dive Into Ryuk Ransomware](https://github.com/0xastr0/malwareanalysis/blob/main/Ryuk/Deep%20Dive%20Into%20Ryuk%20Ransomware.md)
* [Deep Analysis of Ryuk Ransomware - N1ght-W0lf](https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/)

### REvil

[2021]

* [Relentless REvil, revealed: RaaS as variable as the criminals who use it](https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/)
* [Sodinokibi Ransomware Analysis](https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis)
* [The DFIR Report - Sodinokibi (aka REvil) Ransomware](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/)

[2020]

* [German users targeted with Gootkit banker or REvil ransomware](https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/)
* [Sodinokibi / REvil Malware Analysis](https://blog.amossys.fr/sodinokibi-malware-analysis.html)

[2019]

* [McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us - Episode 1](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us)
* [McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – The All-Stars - Episode 2](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-the-all-stars/)
* [McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Follow The Money - Episode 3](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money/)
* [McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo - Episode 4](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/)
* [Kaspersky - Sodin ransomware exploits Windows vulnerability and processor architecture](https://securelist.com/sodin-ransomware/91473/)

### Makop

[2020]

* [Makop Ransomware - Technical Analysis](https://cybergeeks.tech/makop-ransomware/)

### Babuk

[2021]

* [Sogeti - Babuk Ransomware Analysis (PDF)](https://d1ysz50cxb9zwl.cloudfront.net/R181WS_UQGGuOUvex42DgxhB4UeVI70x_dTZNoj5FZO2aCLPFJ4KcIQc-Yz6Cao-/by/393866/as/file.pdf?Expires=1621231935&Signature=Wcl6bKZryekNEz8v~~bWDJdOMGGHyu5ZNMQ87N7W3EpMdYCegA78DOxKjEvQQ06lv-tYmMhujYCv-jGo1JJEqUSAZ4KV9hnireDLl2h8dxQqwNmlMxK6YecmzyYWilgHN6H5tWntvw5mqCPmX~yiR4vIj3BTJiRWC3cWopRRmK7X5ZdrpOq8CJ7nFEsU-p~1ID-FwzqbDbL8GxU8ddHvlHcKEqvPHDmXM0N1uR~IpxGg5vOl1UUhrR2ZJEyEaCoUo9t~rL88YCCs2v8N3pwKprUjkc4vpYpuYiibvmGNdhXH9Q~3vAdhxz3SNLJpmDO1pKoH3pL92QpfwgTe2zqk3A__&Key-Pair-Id=APKAJAERRT46LD6FN4NA)
* [Technical Analysis of Babuk Ransomware](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf)
* [Babuk Ransomware Analysis by Chuong Dong](http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/)

### RegretLocker

[2020]

* [RegretLocker Ransomware Analysis by Chuong Dong](http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/)

### HelloKitty

[2021]

* [HelloKitty Ransomware Lacks Stealth, But Still Strikes Home](https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/)

### DearCry

[2021]

* [Internals of DearCry Ransomware !](https://0xthreatintel.medium.com/internals-of-dearcry-ransomware-507b84ae9ba8)
* [DearCry ransomware attacks exploit Exchange server vulnerabilities](https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/)

### Clop

[2021]

* [Splunk - Detecting Clop Ransomware](https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html)

### LockBit

[2020]

* [LockBit Analysis](https://blog.lexfo.fr/lockbit-malware.html)
* [LockBit ransomware borrows tricks to keep up with REvil and Maze](https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/)

## APT

* [Iran’s APT34 Returns with an Updated Arsenal](https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/)
* [APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign](https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/)
* [Dissecting APT21 samples using a step-by-step approach](https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/)
* [Analyzing APT19 malware using a step-by-step method](https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/)
* [A detailed analysis of ELMER Backdoor used by APT16](https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/)
* [LazyScripter - From Empire to Double RAT - APT28](https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/)
* [Revealing Lamberts/Longhorn malware capabilities using a step-by-step approach (cyberespionage group linked to Vault 7)](https://cybergeeks.tech/revealing-the-lamberts-malware-using-a-step-by-step-approach-cyberespionage-group-linked-to-vault-7)
* [Higaisa or Winnti? APT41 backdoors, old and new](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/)
* [The Return of the Higaisa APT41](https://www.zscaler.com/blogs/security-research/return-higaisa-apt)
* [Lazarus APT conceals malicious code within BMP image to drop its RAT](https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/)

# Tutorials

* [A Guide to Ghidra Scripting Development for Malware Researchers](https://labs.sentinelone.com/a-guide-to-ghidra-scripting-development-for-malware-researchers/)

## Malware Analysis

### Courses

* [Zero2Auto - Vitali Kremez, Overflow](https://courses.zero2auto.com)
* [Hasherezade - Malware Training Vol1](https://github.com/hasherezade/malware_training_vol1)

### Overview of Malware Techniques

* [Analyzing Modern Malware Techniques - Part 1](https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/)
* [Analyzing Modern Malware Techniques - Part 2](https://0x00sec.org/t/analyzing-modern-malware-techniques-part-2/)
* [Analyzing Modern Malware Techniques - Part 3](https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/)
* [Analyzing Modern Malware Techniques - Part 4](https://0x00sec.org/t/analyzing-modern-malware-techniques-part-4/)

* [Common Tools & Techniques Used By Threat Actors and Malware — Part I](https://medium.com/bugbountywriteup/common-tools-techniques-used-by-threat-actors-and-malware-part-i-deb05b664879)
* [Common Tools & Techniques Used By Threat Actors and Malware — Part II](https://nasbench.medium.com/common-tools-techniques-used-by-threat-actors-and-malware-part-ii-c2e65cd6b084)

### Process Injection

* [Elastic - Ten Process Injection Techniques](https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process)
* [Process Injection Techniques - Medium](https://medium.com/@ozan.unal/process-injection-techniques-bc6396929740)

### DLL Search Order Hijacking

* [Windows Persistence Mechanics – DLL Search Order Hijacking](https://marcusedmondson.com/2021/02/28/windows-persistence-mechanics-dll-search-order-hijacking/)

### Weaponizing Windows Virtualization

* [VX-Underground - "Weaponizing Windows Virtualization" Paper](https://github.com/vxunderground/VXUG-Papers/blob/main/Weaponizing%20Windows%20Virtualization/WeaponizingWindowsVirtualization.pdf)
* [Beware of the Shadowbunny - Using virtual machines to persist and evade detections](https://embracethered.com/blog/shadowbunny.html)

### Access Token Manipulation

* [McAfee - Technical Analysis of Access Token Theft and Manipulation](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-access-token-theft-manipulation-attacks.pdf)

## Anti-Analysis

### API Hashing

* [Deobfuscating DanaBot's API Hashing](https://malwareandstuff.com/deobfuscating-danabots-api-hashing/)

### Debugger Detection

* [Catching Debuggers with Section Hashing](https://malwareandstuff.com/catching-debuggers-with-section-hashing/)

## Maldoc Analysis

* [Anti-Analysis Techniques Used in Excel 4.0 Macros](https://www.goggleheadedhacker.com/blog/post/23)
* [Excel Formula/Macro in .xlsb?](https://www.virusbulletin.com/virusbulletin/2021/02/excel-formulamacro-xlsb)
* [XLSB: Analyzing a Microsoft Excel Binary Spreadsheet](https://clickallthethings.wordpress.com/2021/02/02/xlsb-analyzing-a-microsoft-excel-binary-spreadsheet/)
* [Malware Analysis Exercises with Walkthroughs](https://github.com/jstrosch/malware-samples/tree/master/malware_analysis_exercises)
* [How to Reverse Office Droppers: Personal Notes](https://marcoramilli.com/2020/08/24/how-to-reverse-office-droppers-personal-notes/)
* [Cracking Password Protected Payloads](https://inquest.net/blog/2021/02/26/Cracking-Password-Protected-Payloads)

## Malware Development

* [0xPat - Malware development part 1](https://0xpat.github.io/Malware_development_part_1/)
* [0xPat - Malware development part 2](https://0xpat.github.io/Malware_development_part_2/)
* [0xPat - Malware development part 3](https://0xpat.github.io/Malware_development_part_3/)
* [0xPat - Malware development part 4](https://0xpat.github.io/Malware_development_part_4/)
* [0xPat - Malware development part 5](https://0xpat.github.io/Malware_development_part_5/)
* [0xPat - Malware development part 6](https://0xpat.github.io/Malware_development_part_6/)
* [0xPat - Malware development part 7](https://0xpat.github.io/Malware_development_part_7/)
* [0xPat - Malware development part 8](https://0xpat.github.io/Malware_development_part_8/)

* [Implementing Direct Syscalls Using Hell’s Gate](https://teamhydra.blog/2020/09/18/implementing-direct-syscalls-using-hells-gate/amp/)

### Courses

* [RED TEAM Operator: Malware Development Intermediate Course](https://institute.sektor7.net/rto-maldev-intermediate)

# Software / Tools

* [SentinelOne - Top 15 Essential Malware Analysis Tools](https://labs.sentinelone.com/top-15-essential-malware-analysis-tools/)

## List of Plugins for Disassembler/Decompiler

* [Awesome IDA, x64DBG & OllyDBG plugins](https://github.com/fr0gger/awesome-ida-x64-olly-plugin)
* [CPUIDSpoofer](https://github.com/jonatan1024/CpuidSpoofer)

## IDA Plugins

* [IDA WinAPI Helper](https://github.com/x0r19x91/ida-winapi-helper)
* [Tenet Trace Explorer](https://blog.ret2.io/2021/04/20/tenet-trace-explorer/)

### Labeless

* [Labeless](https://github.com/a1ext/labeless)
* [CheckPoint Introduction to Labeless - Part 1](https://research.checkpoint.com/2018/labeless-an-introduction/)
* [CheckPoint Introduction to Labeless - Part 2](https://research.checkpoint.com/2018/installing-labeless/)
* [CheckPoint Introduction to Labeless - Part 3](https://research.checkpoint.com/2018/19558-2/)
* [CheckPoint Introduction to Labeless - Part 4](https://research.checkpoint.com/2018/labeless-part-4-scripting/)
* [CheckPoint Introduction to Labeless - Part 5](https://research.checkpoint.com/2018/labeless-part-5-how-to-decrypt-strings-in-boleto-banking-malware-without-reconstructing-decryption-algorithm/)
* [CheckPoint Introduction to Labeless - Part 6](https://research.checkpoint.com/2018/labeless-part-6-how-to-resolve-obfuscated-api-calls-in-the-ngioweb-proxy-malware/)

* [Video Tutorial about resolving API hashing from Ryuk by Jiří Vinopal](https://www.youtube.com/watch?v=7xxRunBP5XA&feature=youtu.be)

# Threat Intelligence

## MITRE ATT&CK

* [RecordedFuture - Top 2020 MITRE Techniques](https://www.recordedfuture.com/top-2020-mitre-techniques/)

# Video Playlist

* [Formbook Reversing -Part1 [Formbook .NET loader/injector analyzing, decrypting, unpacking, patching] by DuMp-GuY TrIcKsTeR](https://www.youtube.com/watch?v=aQwnHIlGSBM&feature=youtu.be)

# Blogs

## Researcher

* [Vitali Kremez](https://www.vkremez.com/)
* [N1ght-W0lf](https://n1ght-w0lf.github.io/categories/#malware-analysis)
* [0xthreatintel](https://0xthreatintel.medium.com)
* [MalwareAndStuff](https://malwareandstuff.com)
* [Cyber Geeks](https://cybergeeks.tech)
* [Reversing.xyz](https://blog.reversing.xyz/docs/posts)
* [Secrary - Malware Reports](https://secrary.com/ReversingMalware)
* [GoggleHeadedHacker](https://www.goggleheadedhacker.com)

## Vendors

* [Fortinet Threat Research](https://www.fortinet.com/blog/threat-research)
* [MalwareBytes](https://blog.malwarebytes.com/)
* [SentinelOne Labs](https://labs.sentinelone.com/)
* [CheckPoint Research](https://research.checkpoint.com/)
* [InQuest Labs](https://inquest.net/blog)
* [FireEye Blog](https://www.fireeye.com/blog)
* [HornetSecurity](https://www.hornetsecurity.com/en/threat-research/)
* [Cisco Talos](https://blog.talosintelligence.com)
* [Hatching Tria.ge](https://hatching.io/blog/)
* [Bitdefender Labs](https://labs.bitdefender.com/?adobe_mc=MCMID%3D12175302025694388983327118523069279883%7CMCORGID%3D0E920C0F53DA9E9B0A490D45%2540AdobeOrg%7CTS%3D1614598836)
* [Minerva Labs](https://blog.minerva-labs.com/)
* [F5 Labs](https://www.f5.com/labs)
* [PTSecurity Threat Intelligence](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/)
* [F-Secure Labs](https://labs.f-secure.com)