The Windows Malware Analysis Distribution: flare-vm

2017-08-07T21:35:51
ID N0WHERE:171975
Type n0where
Reporter N0where
Modified 2017-08-07T21:35:51

Description

FLARE VM is a freely available, open-source Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers. Inspired by open-source Linux-based security distributions such as Kali Linux and REMnux, FLARE VM delivers a fully configured platform with a comprehensive collection of Windows security tools: debuggers, disassemblers, decompilers, static and dynamic analysis utilities, network analysis and manipulation tools, web assessment, exploitation and vulnerability assessment applications, and many others.

The distribution also includes the FLARE team’s public malware analysis tools such as FLOSS and FakeNet-NG.

How To Get It

You are expected to have an existing installation of Windows 7 or later. This lets you choose the exact Windows version, patch level, architecture and virtualization environment yourself. Because the resulting machine is meant to handle live malware, install it in a dedicated virtual machine and take a snapshot before deploying, so you can always roll back to a clean state. Once that is available, you can deploy the FLARE VM environment by visiting the following URL in Internet Explorer (other browsers will not work with the Boxstarter WebLauncher):

http://boxstarter.org/package/url?https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1

After you navigate to the above URL in Internet Explorer, you will be presented with a Boxstarter WebLauncher dialog. Select Run to continue the installation.

Following successful installation of Boxstarter WebLauncher, you will see a console window and one more prompt asking for your Windows password, as shown in Figure 2. The password is needed so that the machine can be restarted several times during the installation and log back in automatically without prompting you each time. Since the installer is handed your logon credential, this is one more reason to run it only in a throwaway analysis VM rather than on a daily-use workstation.

The rest of the process is fully automated, so make yourself a cup of coffee or tea. Depending on your connection speed, the initial installation takes about 30-40 minutes. The machine will also reboot several times, because a number of the packages require it. During deployment you will see the installation logs of the individual packages. When it finishes, take a fresh snapshot of the clean, fully provisioned VM before you bring any samples onto it.
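The same deployment driven from an elevated PowerShell prompt instead of Internet Explorer, with the pre-flight checks a practitioner would want first (OS version, "am I really in a VM", and a chance to read the script before executing it). This is an added example, not part of the original page or of the FLARE VM project's own instructions. It assumes the Boxstarter bootstrapper URL and the Install-BoxstarterPackage cmdlet as documented by the Boxstarter project, that Install-BoxstarterPackage accepts a local script path as -PackageName, and PowerShell 4 or later (for Get-CimInstance and Get-FileHash); the hypervisor model strings used for VM detection are a heuristic of my own.

```powershell
# Added example, not FLARE VM project code. Deploys the flarevm_malware.ps1
# Boxstarter package from an elevated PowerShell prompt after a few checks.
# Assumptions: PowerShell 4+, the Boxstarter bootstrapper URL below, and that
# Install-BoxstarterPackage accepts a local file path for -PackageName.

$PackageUrl  = 'https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1'
$LocalScript = Join-Path $env:TEMP 'flarevm_malware.ps1'

# 1. Refuse anything older than Windows 7 (NT 6.1), the documented minimum.
$os = [Environment]::OSVersion.Version
if ($os -lt [Version]'6.1') {
    throw "Windows 7 or later is required, found $os"
}

# 2. Warn if this does not look like a virtual machine. The model strings are a
#    heuristic (assumption), not a guarantee; a real hypervisor may report otherwise.
$model = (Get-CimInstance Win32_ComputerSystem).Model
if ($model -notmatch 'Virtual|VMware|VirtualBox|KVM|QEMU|Standard PC|Parallels') {
    Write-Warning "Model '$model' does not look like a VM; malware tooling belongs in a disposable guest."
    if ((Read-Host 'Continue anyway? (y/N)') -ne 'y') { return }
}

# 3. Fetch the package script to disk first so it can be reviewed before it runs,
#    and record its hash so the reviewed file is the one that gets executed.
#    TLS 1.2 is forced because older Windows defaults cannot negotiate with GitHub.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $PackageUrl -OutFile $LocalScript
$hash = (Get-FileHash -Path $LocalScript -Algorithm SHA256).Hash
Write-Host "Saved $LocalScript (SHA-256 $hash). Review it, then press Enter to continue."
[void](Read-Host)

# 4. Bootstrap Boxstarter (which also installs Chocolatey) and run the reviewed
#    script. The credential is what lets Boxstarter auto-logon across the reboots;
#    it is the same thing the WebLauncher asks for at its password prompt.
Set-ExecutionPolicy Unrestricted -Scope Process -Force
. { Invoke-WebRequest -UseBasicParsing 'https://boxstarter.org/bootstrapper.ps1' } | Invoke-Expression
Get-Boxstarter -Force
$cred = Get-Credential -UserName $env:USERNAME -Message 'Windows password for Boxstarter auto-logon'
Install-BoxstarterPackage -PackageName $LocalScript -Credential $cred
```

Run this from a snapshotted VM as an administrator. Downloading the script to disk before executing it is the one step the browser-based flow skips: it gives you a local copy to read and a hash to record, so that what you audited is what Boxstarter actually ran.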

Installed Tools

Debuggers

  • OllyDbg + OllyDump + OllyDumpEx
  • OllyDbg2 + OllyDumpEx
  • x64dbg
  • WinDbg

Disassemblers

  • IDA Free
  • Binary Ninja Demo

Java

  • JD-GUI

Visual Basic

  • VBDecompiler

Flash

  • FFDec

.NET

  • ILSpy
  • dnSpy
  • dotPeek
  • De4dot

Office

  • Offvis

Hex Editors

  • FileInsight
  • HxD
  • 010 Editor

PE

  • PEiD
  • ExplorerSuite (CFF Explorer)
  • PEview
  • DIE

Text Editors

  • SublimeText3
  • Notepad++
  • Vim

Utilities

  • MD5
  • 7zip
  • Putty
  • Wireshark
  • RawCap
  • Wget
  • UPX
  • Sysinternals Suite
  • API Monitor
  • SpyStudio
  • Checksum
  • Unxutils

Python, Modules, Tools

  • Python 2.7
  • Hexdump
  • pefile
  • WinAppDbg
  • FakeNet-NG
  • Vivisect
  • FLOSS
  • FLARE_QDB
  • PyCrypto
  • Cryptography

Other

  • VC Redistributable Modules (2008, 2010, 2012, 2013)
