Malware Analysis — Canonical Reference.

Triage workflow, packer recognition, behavioral exploit profile, RAT family-behavior reference, and the template for documenting a sustained adversary group.

Triage pipeline

  1. Hash & reputation. SHA-256 against VirusTotal, MalwareBazaar, Hybrid Analysis. Known sample = use existing analysis as starting point.
  2. Static features. File type, sections, imports, strings, certs, resources, overlay. Extract with pestudio, capa, floss.
  3. capa rules. Maps code patterns to MITRE ATT&CK techniques. Quick capability inventory without execution.
  4. Sandbox detonation. Cuckoo / Cape / Hatching Triage. Captures network, filesystem, registry, process tree.
  5. Manual gate. Auto-analysis confidence low (heavy obfuscation, anti-VM, custom packer) → escalate to manual reverse-engineering.

Packer recognition + unpacking

  • UPX. Section names UPX0, UPX1. upx -d unpacks. Most common, easiest.
  • Themida / VMProtect. Detected by Detect-It-Easy. Virtualization-based: rewrites code into custom bytecode interpreted at runtime. Weeks of manual work.
  • ASPack, PECompact, MPRESS. Older commercial packers. Generic unpacker (UnpacMe, de4dot for .NET) often handles.
  • Custom packer. No vendor signature; entry-point stub allocates RWX, decrypts, JMP into decrypted code. Set hardware breakpoint on the OEP candidate after the long decryption loop.
  • Generic unpacking flow. Trace until VirtualAlloc + WriteProcessMemory + transfer of control (CALL, JMP) into the new region. That's OEP. Dump from memory, fix IAT with Scylla, reconstruct PE.

Behavioral profile separated from payload

  • Exploit-stage behavior. Process spawned (often unusual: WINWORD spawning powershell), file written to %TEMP%, registry mutation in Run/RunOnce, network beacon to never-before-seen host.
  • Payload-stage behavior (varies by family). Credential dump (LSASS access), keylogger (low-level hook install), persistence (scheduled task created), C2 (DNS or HTTPS beacon).
  • Why separate. One detection on exploit-stage behavior catches the entire population; per-payload detection scales linearly with families.

RAT generations

  • Gen 1 (2000s). PoisonIvy, Sub7, Bifrost. GUI-driven, direct TCP C2, no encryption. Trivially detected today.
  • Gen 2 (early 2010s). Gh0st, DarkComet, njRAT. Custom protocols, basic obfuscation, modular plugins.
  • Gen 3 (mid-2010s). AsyncRAT, NanoCore. HTTPS C2, simple anti-analysis, builder-driven so many derivatives.
  • Gen 4 (late 2010s onward). Cobalt Strike, Sliver, Mythic, Brute Ratel. Operator framework, beacon protocols designed for stealth (jitter, sleep mask, domain fronting), modular post-ex.
  • Gen 5 (current). Custom toolchains by sophisticated actors. Memory-only payloads, EDR-evasion built in (direct syscalls, indirect syscalls, AMSI patches, ETW patches). Often single-use per intrusion.

APT group template — adding a new actor

  • Tooling. Custom malware families, public tooling preferences, exploit kit choices.
  • Infrastructure. Hosting pattern (bulletproof, cloud, compromised), domain-registration habits, certificate patterns.
  • Victimology. Sectors targeted, geographic targeting, victim selection criteria (opportunistic vs strategic).
  • Confidence. Per claim: primary observation / public report / inferred. Distinguish what your team observed from what the broader community has published.

Rule of thumb. For automated triage to be useful at scale, the workflow must surface "low confidence, escalate" cleanly. A pipeline that outputs binary "benign/malicious" misses the bucket where most analyst value lives — the "interesting, look closer" sample.
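As an added example, not part of this reference, the manual gate from step 5 and the rule of thumb above encoded as a verdict function: known hashes short-circuit, UPX goes back through the pipeline after unpacking, and custom-packer or anti-VM signals produce an explicit "escalate" instead of a forced benign/malicious call. The Sample schema, the 7.2 bits/byte entropy threshold and the capa hit labels are assumptions, and the inputs are constructed.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Sample:
    """Static/dynamic signals for one file (hypothetical schema, not a real tool's output)."""
    sha256: str
    reputation: str                    # "known_malicious" | "known_benign" | "unknown"
    sections: Dict[str, bytes]         # PE section name -> raw section bytes
    anti_vm: bool = False              # sandbox observed anti-VM / anti-analysis checks
    capa_hits: List[str] = field(default_factory=list)  # capa rule names that matched

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 means encrypted or packed data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def packer_hint(sections: Dict[str, bytes]) -> Optional[str]:
    """Vendor signature first (UPX section names), then a generic high-entropy heuristic."""
    if {"UPX0", "UPX1"} & set(sections):
        return "UPX"
    if any(entropy(body) > 7.2 for body in sections.values()):  # threshold is an assumption
        return "custom"
    return None

def triage(s: Sample) -> Tuple[str, str]:
    """Verdict plus reason. Verdicts: benign, malicious, escalate, retry_after_unpack."""
    if s.reputation == "known_malicious":
        return "malicious", "reputation hit: start from the existing public analysis"
    if s.reputation == "known_benign":
        return "benign", "reputation hit"
    packer = packer_hint(s.sections)
    if packer == "UPX":
        return "retry_after_unpack", "UPX section names: run upx -d and re-enter the pipeline"
    low_confidence = []
    if packer == "custom":
        low_confidence.append("high-entropy section without a known packer signature")
    if s.anti_vm:
        low_confidence.append("anti-VM checks: sandbox trace is not trustworthy")
    if low_confidence:
        return "escalate", "; ".join(low_confidence)
    if s.capa_hits:
        return "malicious", "capa capabilities: " + ", ".join(s.capa_hits)
    return "benign", "unknown hash, no packer, clean sandbox run, no capa hits"
```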
