FlareVM
What is FlareVM?
It's a specialized, free (!!), and open-source collection of software and scripts designed to create a comprehensive malware analysis and reverse engineering environment on a Windows VM (please do not install FlareVM on bare metal). It was developed and is maintained by the Mandiant FLARE team. Its main purpose is to save our time and sanity by installing, setting up, and configuring the tools we need.
Cool. Go on...
Contrary to its name, it's not a VM that you download. FlareVM is a bunch of PowerShell scripts that you run on a Windows VM (nota bene!). We'll see this unfold as we install it. These scripts use the Chocolatey package manager to automatically download, install, and configure most of the tools (all of them if you check some extra boxes during installation) used in malware analysis/reverse engineering.
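Because the scripts are meant to run only inside a VM, a pre-flight check is worth having before you launch them. The PowerShell below is an added example for this post, not part of FlareVM's own installer; it reads the machine and BIOS vendor strings through CIM and refuses to continue unless one of the (illustrative, not exhaustive) hypervisor markers is present.

```powershell
# Added pre-flight check, not part of the FlareVM scripts themselves.
# Reads the vendor strings the hypervisor exposes to the guest and bails out
# if none of them is present, so the installer is never run on bare metal.
function Test-RunningInVM {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # Assumption: this marker list covers the common desktop hypervisors
    # (VMware, VirtualBox, Hyper-V, QEMU/KVM, Xen, Parallels); extend as needed.
    $vmMarkers = @('VMware', 'VirtualBox', 'Virtual Machine', 'QEMU',
                   'KVM', 'Xen', 'Parallels', 'Hyper-V', 'innotek')

    $fingerprint = "$($cs.Manufacturer) $($cs.Model) $($bios.Manufacturer) $($bios.Version)"
    foreach ($marker in $vmMarkers) {
        if ($fingerprint -like "*$marker*") { return $true }
    }
    return $false
}

if (-not (Test-RunningInVM)) {
    Write-Error "This does not look like a VM. Do not install FlareVM on bare metal."
    exit 1
}

Write-Host "Hypervisor detected. Take a clean snapshot of this VM before running the FlareVM installer."
```

Run it from the same elevated PowerShell session you intend to use for the installer, and take the snapshot it reminds you about before anything else touches the VM.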
Why do we need FlareVM?
For the safe detonation of malware samples, and their subsequent static and dynamic analysis. And, most importantly, for the ability to wipe the slate clean by reverting to a clean previous image (snapshot) of the VM.
Alternatives to FlareVM
If you're (a) exceptionally rich, (b) fiscally irresponsible, and/or (c) masochistic and enjoy rebuilding your machine from the ground up, you can detonate malware samples on bare metal and watch it burn.
However, if you're like us normies, then FlareVM is your best bet. Alternatively you can try ANY.RUN (read the T&Cs), Joe Sandbox, and Intezer.
Lastly, if you use Linux, then REMnux is your huckleberry.
What's in this box of chocolates?
There are plenty of tools in here, but broad categories include:
Static Analysis Tools: PEStudio, CFF Explorer
Dynamic Analysis Tools: Procmon, Procdot, Process Explorer, Regshot, FakeNet-NG
Memory Forensics: Volatility, Rekall
Network Analysis Tools: Wireshark
Disassemblers and Decompilers: Ghidra, x64dbg
We'll be touching on and using most of these in later posts.