Packed loaders try to make static analysis annoying, but they still leave clues: section entropy, import stubs, string construction, and control-flow patterns around the unpacking routine.
Identify the packer shape
Start with headers, sections, imports, and entropy. A tiny import table (often little more than LoadLibraryA and GetProcAddress) plus a high-entropy executable section usually means the interesting code is decompressed or decrypted at runtime, and the visible code is only the stub that does it.
Get-FileHash .\sample.exe -Algorithm SHA256
python -c "import pefile; pe = pefile.PE('sample.exe'); [print(s.Name, hex(s.Characteristics), round(s.get_entropy(), 2)) for s in pe.sections]"
strings .\sample.exe | Select-String "http|Mutex|User-Agent"
Reconstruct intent
You do not always need full unpacking to extract configuration. Watch for decoding loops (a tight loop XORing or rotating each byte of a fixed-size buffer), stack strings (characters stored one immediate at a time into a local buffer just before use), and API-resolution routines (a hash compared against each name in a DLL's export table). Decoding just those pieces often yields the C2, mutex, and user agent without reproducing the whole unpacker.
Do not run unknown malware on your workstation. Keep analysis in an isolated lab with no shared clipboard, credentials, or mounted personal directories.
Extract indicators
Document hashes, mutexes, C2 domains, user agents, and persistence paths. Make every indicator traceable to the sample hash and the file offset (or the decoding routine and its output buffer) where you found it, so another analyst can reproduce the extraction.
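An added example, not code from the original page, of the two partial-unpacking techniques described under "Reconstruct intent" applied with the offset tracking this section asks for: it recovers x86 stack strings built with `mov byte ptr [ebp+disp8], imm8` and brute-forces single-byte XOR keys for runs containing keywords, reporting the file offset of each hit. The loader fragment, the key 0x5A, the URL under the reserved .invalid domain and the User-Agent value are all constructed for the example; the extractor only understands that one stack-string encoding and one-byte keys.

```python
import re
import string

PRINTABLE = frozenset(string.printable.encode()) - frozenset(b"\t\n\r\x0b\x0c")


def stack_string_hits(code: bytes, min_len: int = 6) -> list:
    """Recover x86 stack strings built with `mov byte ptr [ebp+disp8], imm8` (opcode C6 45 disp imm).
    Only ascending, adjacent stores are joined, which is what unoptimized loaders usually emit.
    Returns (file_offset, string) so every hit is traceable to the code that built it."""
    hits, i = [], 0
    while i + 3 < len(code):
        if code[i] != 0xC6 or code[i + 1] != 0x45:
            i += 1
            continue
        start, chars, last_disp = i, bytearray(), None
        while i + 3 < len(code) and code[i] == 0xC6 and code[i + 1] == 0x45:
            disp, imm = code[i + 2], code[i + 3]
            if last_disp is not None and disp != (last_disp + 1) & 0xFF:
                break                                   # store to a different slot: new string
            chars.append(imm)
            last_disp, i = disp, i + 4
        text = bytes(chars).rstrip(b"\0")
        if len(text) >= min_len and all(c in PRINTABLE for c in text):
            hits.append((start, text.decode("ascii")))
    return hits


def xor_string_hits(data: bytes, keywords=(b"http", b"Mutex", b"User-Agent"), min_len: int = 8) -> list:
    """Brute-force every single-byte XOR key and keep printable runs that contain a keyword.
    Returns (file_offset, key, decoded_string); offsets index the original file, not the decoded copy."""
    hits = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, decoded):
            if any(k in m.group() for k in keywords):
                hits.append((m.start(), key, m.group().decode("ascii")))
    return hits


def extract_indicators(data: bytes) -> list:
    """Merge both extractors into offset-tagged records for the analysis notebook."""
    recs = [{"type": "stack_string", "offset": off, "value": s, "method": "mov byte [ebp+disp8], imm8 chain"}
            for off, s in stack_string_hits(data)]
    recs += [{"type": "xor_string", "offset": off, "value": s, "method": f"single-byte xor key {key:#04x}"}
             for off, key, s in xor_string_hits(data)]
    return sorted(recs, key=lambda r: r["offset"])


def build_loader_fragment() -> bytes:
    """Constructed code fragment (not a real sample): a stack-built User-Agent, int3 filler,
    then a URL XOR-encoded with the single byte 0x5A. The URL uses the reserved .invalid TLD."""
    ua = b"User-Agent: Mozilla/5.0\0"
    stack = b"".join(bytes([0xC6, 0x45, (0x100 - len(ua) + i) & 0xFF, c]) for i, c in enumerate(ua))
    blob = bytes(c ^ 0x5A for c in b"http://example.invalid/gate.php")
    return b"\xCC" * 64 + stack + b"\xCC" * 32 + blob + b"\xCC" * 16


if __name__ == "__main__":
    for rec in extract_indicators(build_loader_fragment()):
        print(f"{rec['offset']:#06x} {rec['type']:13} {rec['value']!r}  via {rec['method']}")
```

Runs of the key byte in the decoded output usually mark zero padding, which is a cheap way to confirm a candidate key; multi-byte or rolling keys need the decoding routine itself, which is exactly where the offsets recorded in the notebook pay off.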
Build an analysis notebook
Keep a notebook with hashes, timestamps, tools, offsets, strings, functions, and hypotheses. Malware analysis can become messy quickly; a structured notebook prevents you from confusing assumptions with confirmed behavior.
Useful notes:
- Original hash and file size.
- PE timestamp and section names.
- Suspicious imports or resolved APIs.
- Decoding routines and output buffers.
- Extracted configuration and the offset it was decoded from.
Static clues before unpacking
Even packed samples leak intent. Look for API hashing loops, high-entropy overlays, suspicious section permissions, TLS callbacks, and tiny import tables. These clues guide where to spend reverse-engineering time.
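An added example, not code from the original page, of a stdlib-only triage script for the clues listed under "Identify the packer shape" and in this section: per-section entropy and permissions, an approximate import-descriptor count, whether a TLS directory exists, and which section holds the entry point. The PE32 image it builds is constructed for the example and is not a real or runnable binary; the section name PACK0, the 7.0 bits/byte threshold, the two-DLL cutoff and the "mostly virtual" ratio are assumptions to tune against your own corpus.

```python
import math
import random
import struct
from collections import namedtuple

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
Section = namedtuple("Section", "name virtual_address virtual_size raw_size characteristics entropy")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def perms(s: Section) -> str:
    """Render section permissions like a memory map, e.g. 'RWX'."""
    flags = ((IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"), (IMAGE_SCN_MEM_EXECUTE, "X"))
    return "".join(c if s.characteristics & m else "-" for m, c in flags)


def triage_pe(image: bytes) -> dict:
    """Parse only the headers needed to surface packer clues; raises ValueError on non-PE input."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, size_of_opt, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]          # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    dirs = opt + (96 if magic == 0x10B else 112)             # data directories, 8 bytes each
    import_rva, import_size = struct.unpack_from("<II", image, dirs + 1 * 8)
    tls_rva = struct.unpack_from("<I", image, dirs + 9 * 8)[0]

    sections = []
    for i in range(num_sections):
        hdr = opt + size_of_opt + i * 40
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, roff = struct.unpack_from("<IIII", image, hdr + 8)
        chars = struct.unpack_from("<I", image, hdr + 36)[0]
        sections.append(Section(name, vaddr, vsize, rsize, chars, shannon_entropy(image[roff:roff + rsize])))

    clues = []
    for s in sections:
        if s.entropy > 7.0 and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            clues.append(f"high-entropy executable section {s.name} ({s.entropy:.2f} bits/byte)")
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            clues.append(f"writable and executable section {s.name}")
        if s.virtual_size > 4 * max(s.raw_size, 1):
            clues.append(f"section {s.name} is mostly virtual space, a likely unpacking target")
    # Import descriptors are 20 bytes each and the array ends with an empty one, so the directory
    # size approximates the DLL count; one or two DLLs is typical of a packer stub.
    approx_dlls = max(import_size // 20 - 1, 0) if import_rva else 0
    if approx_dlls <= 2:
        clues.append(f"tiny import table (about {approx_dlls} DLLs)")
    if tls_rva:
        clues.append("TLS directory present: callbacks run before the entry point")
    entry = next((s for s in sections if s.virtual_address <= entry_rva
                  < s.virtual_address + max(s.virtual_size, s.raw_size)), None)
    if entry is not None and entry.entropy > 7.0:
        clues.append(f"entry point lies inside high-entropy section {entry.name}")
    return {"sections": sections, "approx_import_dlls": approx_dlls, "tls": bool(tls_rva),
            "entry_section": entry.name if entry else None, "clues": clues}


def build_packed_like_sample() -> bytes:
    """Constructed PE32 image shaped like a packed loader; not a real sample and not runnable."""
    def sec(name, vsize, vaddr, rsize, roff, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, roff, 0, 0, 0, 0, chars)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x2000)                  # entry point inside the packed section
    struct.pack_into("<II", opt, 96 + 8, 0x1100, 40)         # import directory: one DLL plus terminator
    struct.pack_into("<II", opt, 96 + 72, 0x1200, 24)        # TLS directory present
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + sec(b".text", 0x1000, 0x1000, 0x400, 0x400, 0x60000020)     # R-X unpacking stub
               + sec(b"PACK0", 0x20000, 0x2000, 0x1000, 0x800, 0xE0000020))  # RWX, mostly virtual
    stub = b"\x55\x8b\xec" + b"\x90" * 200 + b"\xc3"         # tiny low-entropy stub
    payload = random.Random(2024).randbytes(0x1000)          # stands in for compressed payload bytes
    return headers.ljust(0x400, b"\0") + stub.ljust(0x400, b"\0") + payload


if __name__ == "__main__":
    report = triage_pe(build_packed_like_sample())
    for s in report["sections"]:
        print(f"{s.name:8} {perms(s)} raw={s.raw_size:#x} virt={s.virtual_size:#x} entropy={s.entropy:.2f}")
    print("\n".join("clue: " + c for c in report["clues"]))
```

The parser deliberately reads only the fields it needs, so a malformed or truncated header raises rather than silently misreporting; on a real sample compare its output against a full parser such as pefile before recording anything in the notebook.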
imports: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect
sections: high entropy, RWX, unusual names
strings: mutex, user-agent, URL fragments, registry paths
Defensive output
The final deliverable should help defenders, not only reversers. Convert findings into YARA logic, Sigma detections, EDR hunting ideas, and network indicators with confidence levels.
Good malware notes explain both what the sample does and how a defender can find it again.
YARA and hunting output
After extracting behavior, turn stable traits into hunting logic. Avoid rules based only on one string or one hash; packed malware changes quickly. Better rules combine section properties, import behavior, decoded strings, and structural patterns.
rule idea:
- PE file
- suspicious section entropy
- runtime API resolution strings
- decoded mutex prefix
- user-agent fragment
Common mistakes
New analysts often over-focus on unpacking perfectly. Sometimes the fastest defensive value comes from partial understanding: C2 domains, persistence paths, mutexes, and process injection clues. Another mistake is detonating the sample too early without a clean snapshot, which destroys the ability to compare static and dynamic observations.
Reporting format
A useful malware report should include executive summary, technical behavior, indicators, detection opportunities, affected platforms, confidence, and recommended containment steps. Include uncertainty clearly. If a behavior is inferred from static code but not executed, say so.
Lab hygiene
Static analysis still needs lab discipline. Keep samples in an isolated directory, mark them clearly, disable automatic cloud backup, and never open them with tools that may execute preview handlers. Use snapshots for any environment that might later run the sample, and keep analysis notes separate from personal accounts or production credentials.
Recommended setup:
- Dedicated VM for malware analysis.
- No shared clipboard with the host during risky work.
- No mounted personal directories.
- Fake credentials only.
- Controlled network simulation when dynamic analysis is required.
- Hash-based sample naming for traceability.
Turning analysis into detections
After the technical work, write detections at multiple layers. Network indicators catch immediate activity. Host telemetry catches persistence, injection, and suspicious process behavior. YARA helps with file discovery. Sigma-style logic helps search SIEM data. No single detection is enough, especially when packed samples mutate quickly.
Prioritize stable behaviors over fragile strings. If the loader always resolves APIs dynamically, creates a mutex prefix, writes a payload to a specific directory pattern, and contacts a structured URI path, combine those traits. A defender should be able to run your output without needing to understand every reverse-engineering detail.
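An added example, not part of the original page, of the trait-combination idea above run over constructed endpoint telemetry. The mutex prefix, payload directory pattern and URI shape are hypothetical traits standing in for whatever your own analysis recovered, and the events are invented JSON lines, not real logs; the point is that no single trait alerts on its own.

```python
import json
import re

# Stable loader traits from a hypothetical analysis. Each (event field, regex) pair is an
# assumption made for this example; substitute the patterns your sample actually exhibits.
TRAITS = {
    "mutex_prefix": ("mutex", re.compile(r"^Global\\ldr-[0-9a-f]{8}$")),
    "payload_path": ("target_path", re.compile(r"\\AppData\\Roaming\\[0-9a-f]{8}\\[^\\]+\.dll$", re.I)),
    "c2_uri": ("uri", re.compile(r"^/api/v1/[0-9a-f]{32}/check$")),
}
CONFIDENCE = {2: "medium", 3: "high"}


def score_events(events: list) -> dict:
    """Correlate events per process and report only processes showing at least two independent traits.
    Returns {pid: {"traits": [...], "confidence": ...}}; a lone weak match never produces an alert."""
    seen = {}
    for ev in events:
        for name, (field, rx) in TRAITS.items():
            if rx.search(ev.get(field, "")):
                seen.setdefault(ev["pid"], set()).add(name)
    return {pid: {"traits": sorted(t), "confidence": CONFIDENCE[len(t)]}
            for pid, t in seen.items() if len(t) >= 2}


# Constructed telemetry, one JSON event per line (not real logs). pid 4120 shows all three traits;
# pid 2200 only has a look-alike mutex and pid 3300 only a matching path, so neither should alert.
SAMPLE_LOG = r"""
{"pid": 4120, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\inv.exe", "event": "mutex", "mutex": "Global\\ldr-3fa9c21b"}
{"pid": 4120, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\inv.exe", "event": "file_write", "target_path": "C:\\Users\\u\\AppData\\Roaming\\9b1c22ef\\core.dll"}
{"pid": 4120, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\inv.exe", "event": "http", "uri": "/api/v1/0123456789abcdef0123456789abcdef/check"}
{"pid": 2200, "image": "C:\\Program Files\\Vendor\\agent.exe", "event": "mutex", "mutex": "Global\\ldr-00000001"}
{"pid": 3300, "image": "C:\\Windows\\explorer.exe", "event": "file_write", "target_path": "C:\\Users\\u\\AppData\\Roaming\\cafebabe\\plugin.dll"}
{"pid": 3300, "image": "C:\\Windows\\explorer.exe", "event": "http", "uri": "/api/v2/status"}
"""


def run_sample() -> dict:
    events = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]
    return score_events(events)


if __name__ == "__main__":
    for pid, hit in run_sample().items():
        print(pid, hit["confidence"], ", ".join(hit["traits"]))
```

The same grouping translates directly into a Sigma correlation or an EDR query: match each trait separately, then require two or more from the same process within a short window.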
Defensive actions
Turn analysis into action: block confirmed C2, search endpoint telemetry for persistence keys, hunt command-line patterns, and create detections for loader behavior. The value of reversing is not the disassembly screenshot; it is the defender's ability to reduce dwell time.