Various custom Yara rules and scripts used during malware analysis
GuillaumeOrlando/MalwareAnalysisArtifacts
MalwareAnalysisArtifacts

Yara Rules

* Dexter_POS (Banker)
* IcedID_Payload (Banker)
* RogueRobin (Trojan)
* FSG 1.0 (Packer)
* VB5_6.yara (Packer)
* Pony_Loader (DLL .Net Loader)
* Pony_Payload (Stealer)
* Generic.FakeUTCTool (Downloader)
* NSIS (Installer)
* NetWire_RC (RAT/Stealer)

IDA Scripts

* XrefChecker.py (Sorts functions by their number of Xrefs; helps to locate deobfuscation / decryption / API-hash runtime routines, which are typically the most-referenced functions)
* Zloader_Strings_Decode.py (Automatically decodes some of the Zloader strings and comments the result in IDA)
* Zloader_DLL_Decode.py (Resolves DLL routines and comments the result in IDA)
* Zloader_API_Hash_Algo.py (Standalone script, independent of IDA, that calculates API hashes with the Zloader hashing algorithm)
* Zloader_API_Hash_Resolver.py (Resolves hashed APIs and comments the result in IDA)
* Zloader_Configuration_Dump.py (Static dump of the Zloader configuration, including RC4 keys and C&C servers)

Random tools

* PE_Parser (Parses PE / DOS / COFF header fields in depth)
* VB5-6_Header_parser.py (VB5 and VB6 header field parser)
* x64dbg_Dump_to_Hex.py (Converts an x64dbg memory dump into a hex array)
* Lab03-3_Payload_Dumper.py (Extracts, decodes and dumps the keylogger payload of the PMA Lab03-3)
* Lab13-2_Screenshot_Decipher.py (Immunity Debugger script that decodes obfuscated screenshots using instrumentation)

IDA Theme

* IDA_theme.clr (see theme_demo.png)
* IDA_highlight.idc (highlights important assembly instructions)
