FLARE-VM
Installation
Prerequisites
- Windows 10 or 11 (older versions are not supported by the installer)
- At least 60GB free disk space
- 8GB RAM minimum (16GB recommended for analysis)
- Administrator privileges
- Internet connection for tool downloads (every tool is pulled as a Chocolatey package at install time)
- Windows Defender (including Tamper Protection) switched off before the installer runs; it otherwise quarantines analysis tools mid-install
Installation Steps
# Fetch install.ps1 from the FLARE-VM repository (no need to clone the whole repo)
(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1', "$([Environment]::GetFolderPath('Desktop'))\install.ps1")
cd "$([Environment]::GetFolderPath('Desktop'))"
# Run from an elevated PowerShell prompt (must be run as admin)
Unblock-File .\install.ps1
Set-ExecutionPolicy Unrestricted -Force
.\install.ps1
# Or install from a saved package list (export one from the installer GUI, or edit config.xml by hand)
.\install.ps1 -customConfig .\config.xml
# The installer reboots the VM itself as often as it needs; when it reports completion, take a clean snapshot
Offline Installation
# There is no offline installer: install.ps1 downloads each tool as a Chocolatey package while it runs,
# so the VM has to be online for the initial build. Build while connected, snapshot, then move the VM
# to a host-only network before any sample touches it. Later tool additions follow the same pattern:
# connect, choco install, re-snapshot, disconnect.
Core Tools Overview
Reverse Engineering & Disassembly
# IDA Free (or a commercial IDA Pro license); the install directory carries the version number, so adjust the path
& "C:\Program Files\IDA Freeware 7\ida.exe" malware.exe
# Ghidra - NSA's reverse engineering framework
ghidra
# Radare2 - open-source RE framework
r2 malware.exe
# x64dbg - advanced debugger
x64dbg malware.exe
# Ollydbg - 32-bit debugger
ollydbg malware.exe
Dynamic Analysis & Monitoring
# Paths below are illustrative; current FLARE-VM builds keep tools under C:\Tools and put most of them on PATH,
# and a quoted path in PowerShell needs the call operator (&) to actually run
# Process Monitor - monitor system calls, registry and file access (run as admin; filter on the sample's PID)
& "C:\Program Files\SysInternals\procmon.exe"
# Process Explorer - advanced task manager
& "C:\Program Files\SysInternals\procexp.exe"
# Autoruns - enumerate startup/persistence locations
& "C:\Program Files\SysInternals\autoruns.exe"
# API Monitor - track API calls
& "C:\tools\ApiMonitor\ApiMonitor.exe"
# Wireshark - network packet capture
wireshark
# Fiddler - HTTP(S) proxy and traffic inspector (only sees traffic that honours the system proxy)
fiddler
# Regshot - registry change detector (snapshot before and after execution, then compare)
regshot
Static Analysis Tools
# PE Explorer - portable executable analyzer
& "C:\Program Files\PE Explorer\PEExplorer.exe" malware.exe
# Detect It Easy - packer/compiler/linker identifier (diec.exe is the console version)
& "C:\tools\DiE\die.exe" malware.exe
# PEiD - PE file identifier (unmaintained; its signature database misses modern packers)
peid malware.exe
# strings.exe (Sysinternals) - extract readable strings; -accepteula skips the first-run prompt, -n sets the minimum length
strings -accepteula -n 6 malware.exe > strings.txt
# Exiftool - extract file metadata
exiftool malware.exe
Practical Analysis Workflows
Initial Malware Analysis
# 1. Obtain metadata
exiftool malware.exe
Get-FileHash malware.exe -Algorithm SHA256
(Get-Item malware.exe).Length
# 2. Check VirusTotal by hash (needs an API key). Look the hash up rather than uploading the sample:
#    an upload shares the file with every VT customer and can tip off the operator that it was caught
$sha256 = (Get-FileHash malware.exe -Algorithm SHA256).Hash
$headers = @{ "x-apikey" = $env:VT_API_KEY }
Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$sha256" -Headers $headers
# 3. Quick static analysis
& "C:\tools\DiE\die.exe" malware.exe
strings -accepteula -n 6 malware.exe | Out-File strings.txt
# 4. Use PEStudio for quick PE analysis (imports, indicators, version info, signatures)
& "C:\tools\PEStudio\PEStudio.exe" malware.exe
Dynamic Analysis Capture
# 1. Start process monitoring
# Open Process Monitor
"C:\Program Files\SysInternals\procmon.exe"
# 2. In separate window, start registry monitoring
regshot
# Click "First Shot" button
# 3. Setup network monitoring (FakeNet-NG or a host-only network; never a NAT path to the internet)
wireshark
# Display filter: dns || http || tls.handshake.type == 1   (the ClientHello carries the SNI)
# 4. Execute malware in the isolated VM, then wait: many samples sleep or check for a sandbox before acting
& "C:\temp\malware.exe"
# 5. Capture post-execution state
# In Regshot, click "Second Shot"
# Review registry changes
# 6. Analyze network traffic in Wireshark
# Look for DNS queries, HTTP requests, C2 connections
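The Regshot workflow above is a before/after snapshot compare. The script below applies the same idea to the file system, as an added example for these notes (it is not Regshot or FLARE-VM code): snapshot the directories a sample is likely to write to, detonate, snapshot again, and diff. It is stdlib only; the suggested roots ($env:APPDATA, $env:TEMP, C:\ProgramData, C:\Users\Public) are an assumption, not from the page, and demo() builds a constructed scenario in a temporary directory.

```python
"""Regshot-style before/after snapshot diff, applied to the file system.
Added example for these FLARE-VM notes; not Regshot or FLARE-VM code.
Stdlib only. Suggested roots on the VM (assumption, not from the page):
$env:APPDATA, $env:TEMP, C:\\ProgramData, C:\\Users\\Public."""
import hashlib
import json
import shutil
import sys
import tempfile
from pathlib import Path


def snapshot(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    shot = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        key = p.relative_to(root).as_posix()
        try:
            shot[key] = hashlib.sha256(p.read_bytes()).hexdigest()
        except OSError:
            # Locked or unreadable (e.g. held open by the sample): still worth reporting.
            shot[key] = "<unreadable>"
    return shot


def diff_snapshots(before: dict, after: dict) -> dict:
    """Compare two snapshots the way Regshot compares its first and second shot."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def demo() -> dict:
    """Constructed scenario in a temp dir: a dropped file, an edited config, a deleted log."""
    work = Path(tempfile.mkdtemp())
    try:
        (work / "config.ini").write_text("update=1\n")
        (work / "old.log").write_text("boot ok\n")
        first = snapshot(work)                                              # "First Shot"
        (work / "dropped.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)   # what a dropper leaves behind
        (work / "config.ini").write_text("update=0\n")                      # tampered setting
        (work / "old.log").unlink()                                         # anti-forensic deletion
        return diff_snapshots(first, snapshot(work))                        # "Second Shot" + compare
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) == 3:      # python snapshot_diff.py before.json after.json
        before, after = (json.loads(Path(a).read_text()) for a in sys.argv[1:])
        print(json.dumps(diff_snapshots(before, after), indent=2))
    elif len(sys.argv) == 2:    # python snapshot_diff.py <root>  -> snapshot as JSON on stdout
        print(json.dumps(snapshot(sys.argv[1]), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run it once per root before detonation, redirect each snapshot to a JSON file, run it again afterwards and pass both files to get the diff. Hash the "after" snapshot from a reverted-and-mounted disk image if the sample is known to hide files from the live system.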
Debugger Attachment & Analysis
# Launch the sample under x64dbg (use x32dbg for 32-bit binaries); to attach to a process
# that is already running use File > Attach instead
x64dbg malware.exe
# Set breakpoints on key APIs (resolved once the exporting DLL has been loaded)
# In the x64dbg command bar:
bp CreateFileA
bp WriteFile
bp InternetConnectA
bp CreateRemoteThread
# Run and observe API calls
# Continue execution (F9 key)
# Breakpoint triggers on API call
# Examine registers and stack
# x64: first four arguments in RCX, RDX, R8, R9, the rest on the stack; x86 stdcall: all arguments on the stack
# RAX (EAX on x86) holds the return value after the call returns (Ctrl+F9 runs until return)
# Step through instructions
# F7 for step-into, F8 for step-over
Unpacking Malware
# Detect packing (section entropy near 8.0 plus a tiny import table are the usual tells)
& "C:\tools\DiE\die.exe" packed_malware.exe
# Automated unpacking: only works for stock UPX (a packer that patches the UPX headers makes upx -d fail)
upx -d packed.exe -o unpacked.exe
# Manual unpacking in debugger
x64dbg packed_malware.exe
# Find the original entry point (OEP): break on the tail jump, or on memory that is written and then executed
# Dump the process at OEP and rebuild imports: Plugins > Scylla (Dump, then IAT Autosearch, Get Imports, Fix Dump)
# pe_unmapper (hasherezade) converts a raw memory dump back to file layout; it is a native
# executable, not a Python script, and prints its usage when run without arguments
Network Traffic Analysis
# Capture traffic with Wireshark
wireshark
# Or command-line capture (tshark -D lists the interface numbers)
tshark -i 1 -w capture.pcap
# Filter for suspicious traffic
# DNS: filter for unusual domains
# HTTP: look for suspicious User-Agents
# Check for known C2 signatures
# Extract objects from traffic
# File > Export Objects > HTTP
# Look for downloaded PE files
# Analyze DNS queries
# Statistics > DNS
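Once a capture exists, the DNS questions are usually the first thing to pull out: C2 domains and DGA names show up there before any HTTP does. The script below does that without Wireshark, as an added example for these notes (not Wireshark, tshark or FLARE-VM code): it walks a classic pcap, keeps Ethernet/IPv4/UDP frames to port 53, decodes each query name and flags labels that are unusually long or high-entropy. Stdlib only; it assumes a classic pcap as written by `tshark -w` (pcapng must be converted with `editcap -F pcap` first), and build_sample_pcap constructs the two-query capture used when no file is given.

```python
"""DNS query names from a classic pcap (Ethernet / IPv4 / UDP to port 53) with a
crude DGA heuristic. Added example for these FLARE-VM notes; stdlib only, not
Wireshark or tshark code. Usage: python dns_triage.py capture.pcap"""
import math
import struct
import sys
from collections import Counter

ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_UDP = 17
LINKTYPE_ETHERNET = 1


def label_entropy(label: str) -> float:
    """Shannon entropy of a label in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def parse_qname(dns: bytes, offset: int) -> str:
    """Decode the label sequence at offset (question names are never compressed)."""
    labels = []
    while True:
        length = dns[offset]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(dns[offset:offset + length].decode("ascii", "replace"))
        offset += length


def dns_queries(pcap: bytes):
    """Yield (src_ip, qname) for each DNS query frame in a classic pcap."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    pos = 24                                   # skip the global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, pos + 8)[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != IPPROTO_UDP:
            continue
        udp = ip[(ip[0] & 0x0F) * 4:]
        if struct.unpack_from(">H", udp, 2)[0] != 53:   # destination port
            continue
        dns = udp[8:]
        flags, qdcount = struct.unpack_from(">HH", dns, 2)
        if flags & 0x8000 or qdcount == 0:     # response, or malformed query
            continue
        src = ".".join(str(b) for b in ip[12:16])
        yield src, parse_qname(dns, 12)


def looks_like_dga(qname: str, max_label: int = 20, min_entropy: float = 3.5) -> bool:
    """Heuristic only: an unusually long or high-entropy leftmost label."""
    label = qname.split(".")[0]
    return len(label) > max_label or (len(label) >= 12 and label_entropy(label) > min_entropy)


def summarize(pcap: bytes) -> list:
    """Unique (src, qname) pairs with the DGA flag, for the analyst's notes."""
    return [{"src": s, "qname": q, "dga_like": looks_like_dga(q)} for s, q in sorted(set(dns_queries(pcap)))]


def build_sample_pcap(queries) -> bytes:
    """Constructed pcap: one Ethernet/IPv4/UDP A-record query per (src_ip, qname)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, (src, qname) in enumerate(queries):
        qn = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
        dns = struct.pack(">HHHHHH", 0x1000 + i, 0x0100, 1, 0, 0, 0) + qn + struct.pack(">HH", 1, 1)
        udp = struct.pack(">HHHH", 40000 + i, 53, 8 + len(dns), 0) + dns
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, IPPROTO_UDP, 0,
                         bytes(int(o) for o in src.split(".")), bytes([10, 0, 0, 53])) + udp
        frame = b"\x00" * 12 + ETHERTYPE_IPV4 + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap(
        [("192.168.56.101", "www.example.com"), ("192.168.56.101", "xk3jq9v2m7d8h1lw.top")])
    for row in summarize(data):
        print(f"{row['src']:15} {row['qname']:40} {'DGA?' if row['dga_like'] else ''}")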
Tool-Specific Commands
IDA Pro
# Open binary
ida malware.exe
# Key shortcuts:
# 'G' - Go to address
# 'N' - Rename symbol
# 'X' - Cross references to the item under the cursor
# 'C' - Convert to code; 'D' - convert to data; 'A' - make ASCII string
# 'H' - Toggle the operand between hex and decimal
# Space - switch between graph and text view
# Script execution
# File > Script file (Alt+F7) > execute_script.py
# Save the database: File > Save database (.idb / .i64); listings via File > Produce file
Ghidra
# Launch Ghidra
ghidra
# Import binary
# File > Import File > select malware.exe
# Analyze (also offered automatically the first time the binary is opened in the CodeBrowser)
# Analysis > Auto Analyze 'malware.exe'
# Decompile
# Click on function and view Decompile pane
# Export
# File > Export Program
Radare2
# Launch interactive shell
r2 malware.exe
# Common commands:
aaa # Analyze all (run first; afl and pdf rely on it)
afl # List functions
pdf @ main # Print disassembly of main
pxr @ 0x401000 # Hexdump with references
s 0x401000 # Seek to address
ii # Imports (ia dumps imports, exports, sections and more at once)
iz # Strings in data sections (izz scans the whole binary)
Python-based Analysis
# Using pefile for PE analysis
import pefile

pe = pefile.PE('malware.exe')

# Imports; entries imported by ordinal have no name, so guard for None
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
    for entry in pe.DIRECTORY_ENTRY_IMPORT:
        for imp in entry.imports:
            name = imp.name.decode() if imp.name else f'ordinal {imp.ordinal}'
            print(f"{entry.dll.decode()}: {name}")

# pefile has no string extractor; use Sysinternals strings or FLOSS (both in FLARE-VM) for that

# Characteristics
print(f"Bit: {'32-bit' if pe.OPTIONAL_HEADER.Magic == 0x10b else '64-bit'}")
print(f"Subsystem: {pe.OPTIONAL_HEADER.Subsystem}")

# Packing heuristic: entropy per section (a section near 8.0 is compressed or encrypted)
for section in pe.sections:
    entropy = section.get_entropy()
    name = section.Name.rstrip(b'\0').decode(errors='replace')
    print(f"{name}: entropy {entropy:.2f} ({'packed?' if entropy > 7 else 'plain'})")
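pefile hides the PE layout it parses; seeing it spelled out makes the triage numbers above (bitness, subsystem, section entropy) and the packing check in the Unpacking section less magic. The script below is an added example for these notes, not pefile, DIE or FLARE-VM code, and it serves the "Initial Malware Analysis" workflow as well: it walks the DOS and COFF headers by hand, reads the optional-header magic and subsystem, computes per-section entropy, and intersects the file's strings with a small list of APIs worth a second look (that list is an assumption, not from the page). Stdlib only; build_sample_pe constructs a non-executable PE32 with one plain and one high-entropy section so it runs offline.

```python
"""Stdlib-only PE triage: bitness, subsystem, per-section entropy and suspicious
API names among the strings. Added example for these FLARE-VM notes; it is not
pefile, DIE or FLARE-VM code. Usage: python pe_triage.py malware.exe (with no
argument it triages the constructed sample from build_sample_pe)."""
import hashlib
import json
import math
import re
import struct
import sys
from collections import Counter

# Assumed watch-list (not from the page): benign alone, interesting in combination.
SUSPICIOUS_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                   "WinExec", "InternetConnectA", "URLDownloadToFileA", "IsDebuggerPresent"}
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0 for a constant run, 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def ascii_strings(buf: bytes, min_len: int = 6) -> list:
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]


def triage(data: bytes, packed_threshold: float = 7.0) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]     # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {
        "bits": {0x10B: 32, 0x20B: 64}.get(magic),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "sections": sections,
        # A section near 8 bits/byte is compressed or encrypted: the tell DIE's entropy view shows.
        "likely_packed": any(s["entropy"] > packed_threshold for s in sections),
        "suspicious_apis": sorted(set(ascii_strings(data)) & SUSPICIOUS_APIS),
    }


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE32: a plain .text plus a high-entropy .upx1 section."""
    text = b"\0".join([b"CreateRemoteThread", b"WriteProcessMemory", b"hello world"]).ljust(512, b"\0")
    packed, chunk = b"", b"seed"
    for _ in range(128):                       # 4096 bytes of deterministic pseudo-random data
        chunk = hashlib.sha256(chunk).digest()
        packed += chunk
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)   # i386, 2 sections, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<H", opt, 68, 3)         # IMAGE_SUBSYSTEM_WINDOWS_CUI

    def shdr(name, raw, vaddr, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, flags)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + shdr(b".text", text, 0x1000, 512, 0x60000020)
               + shdr(b".upx1", packed, 0x2000, 1024, 0xE0000040)).ljust(512, b"\0")
    return headers + text + packed


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(triage(data), indent=2))
```

The entropy threshold is a heuristic, not a verdict: resource sections holding images and .NET assemblies with embedded blobs also score high, so read the flag together with the import table and the section names.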
YARA Malware Detection
# Create YARA rule (PowerShell here-string; single quotes keep $s1 etc. from being expanded)
@'
rule suspicious_api {
    strings:
        $s1 = "WinExec" ascii wide
        $s2 = "CreateRemoteThread" ascii wide
        $s3 = "WriteProcessMemory" ascii wide
    condition:
        uint16(0) == 0x5A4D and all of them
}
'@ | Set-Content malware.yar
# Scan file with YARA
yara malware.yar malware.exe
# Scan directory recursively
yara -r malware.yar C:\malware_samples\
# Generate rules from a set of samples with yarGen (a Python script; run it with --update once to fetch its goodware database)
python yarGen.py -m C:\malware_samples -o output.yar
Isolated Execution Environment
VM Network Isolation
# Disable network access from inside the guest (temporary, and weak: a sample running as admin can re-enable the adapter)
Disable-NetAdapter -Name "Ethernet" -Confirm:$false
# Re-enable when done
Enable-NetAdapter -Name "Ethernet" -Confirm:$false
# Prefer isolation at the hypervisor: attach the VM to a host-only/internal network with no route out
# Or use INetSim for network simulation
# Configure fake services to capture malware behavior
Snapshot Management
# Create snapshot before executing malware
# Via Hyper-V Manager or VMware
# Execute malware
.\malware.exe
# Revert to clean snapshot
# Right-click VM > Revert to Snapshot
# Or via command line (Hyper-V; run these on the host, not inside the guest)
Checkpoint-VM -Name "FLARE-VM" -SnapshotName "Pre-analysis"
Restore-VMSnapshot -VMName "FLARE-VM" -Name "Pre-analysis" -Confirm:$false
Internet Simulation
# Use INetSim on a separate Linux VM for traffic simulation (point the analysis VM's DNS and default gateway at it)
# Or use FakeNet-NG inside FLARE-VM: its diverter intercepts all outbound traffic, so no hosts-file edits are needed
# Hosts-file redirects are a fallback for when no simulator is running
Add-Content C:\Windows\System32\drivers\etc\hosts "127.0.0.1 malicious.com"
Add-Content C:\Windows\System32\drivers\etc\hosts "127.0.0.1 c2.attacker.com"
# Run FakeNet-NG (installed by FLARE-VM); the bundled default config listens for DNS, HTTP(S), SMTP, FTP and a catch-all
fakenet
fakenet -c my_fakenet.ini   # custom config (the file name is a placeholder)
Customization
Installing Additional Tools
# Install tool via Chocolatey; FLARE-VM's own packages carry a .vm suffix and install under C:\Tools
choco search cutter # shows the community package and, where one exists, the .vm package
choco install cutter -y # GUI for Radare2
choco install tesseract -y # OCR for strings in images
# Install from PowerShell Gallery
Install-Module -Name PSScriptAnalyzer -Repository PSGallery
# Manual installation
# Download tool ZIP
# Extract to C:\tools\
# Add to PATH if needed ($env:Path only lasts for this session)
$env:Path += ";C:\tools\newtool"
# Persist for new sessions
[Environment]::SetEnvironmentVariable("Path", [Environment]::GetEnvironmentVariable("Path", "Machine") + ";C:\tools\newtool", "Machine")
Custom Configuration
# Set up custom folders
New-Item -ItemType Directory -Path C:\analysis\samples
New-Item -ItemType Directory -Path C:\analysis\results
New-Item -ItemType Directory -Path C:\analysis\captures
# Create analysis template script (PowerShell here-string; bash-style heredocs do not work in PowerShell)
@'
param([Parameter(Mandatory)][string]$File)
$name = [IO.Path]::GetFileName($File)
Get-FileHash $File -Algorithm SHA256 | Out-File "C:\analysis\results\$name.sha256.txt"
exiftool $File | Out-File "C:\analysis\results\$name.metadata.txt"
strings -accepteula -n 6 $File | Out-File "C:\analysis\results\$name.strings.txt"
& "C:\tools\DiE\diec.exe" $File | Out-File "C:\analysis\results\$name.die.txt"
'@ | Set-Content C:\analysis\analyze.ps1
# Usage: .\analyze.ps1 C:\analysis\samples\malware.exe
Best Practices
- Always analyze malware in an isolated virtual machine
- Create a clean snapshot before each analysis
- Disable Windows Update and tool auto-updates so they do not pollute the capture
- Use a separate VM for online tools (VirusTotal, etc.) so the analysis VM never needs internet
- Document findings with screenshots
- Preserve original samples and record their SHA-256 before touching them
- Mount shared folders read-only so a sample cannot write back to the host
- Enable Windows Firewall (with rules) to contain malware
- Keep an air-gapped backup of analysis data
Last updated: 2026-03-30