Zero2Automated + The Beginner Malware Analysis Course by 0verfl0w_ and Vitali Kremez

Perfect for all skill levels, from a complete beginner to an expert analyst, this bundle has it all. Covering the very basics such as introductions to the tools and variants of malware, as well as important advanced concepts such as Website Injection Techniques utilized by sophisticated Banking Malware, plus Custom Developed Samples for enhanced practical learning, all in one convenient bundle. What are you waiting for?

Zero2Automated: What is it?

Zero2Automated (The Advanced Malware Analysis Course) is a course developed by Malware Reverse Engineers, for Malware Reverse Engineers, with practicality in mind. The main focus of this course is to teach you the advanced concepts utilized by modern malware, through a practical approach, allowing you to instantly apply the information to your own analyses. However, we do understand theory is vital in order to better understand certain fundamentals, such as how the PROPagate injection method works, and how Equation Editor is exploited. As a result, crystal clear PDFs are provided alongside certain chapters requiring a deeper dive, allowing you to constantly refer back to them whenever required.

Furthermore, upon purchase of the Advanced Malware Analysis Course, you will gain access to a private Slack channel focused around the course and course content, allowing you to interact with others currently taking the course, as well as ask for help on any issues that may come up. 

Think that's all? Nope! The Advanced Malware Analysis Course will be updated over time, with additional modules, custom "CTF" challenges, and more being added, allowing you to further improve your knowledge of Malware Analysis and Reverse Engineering. 

We're not done yet though! Not only do you get access to a frequently updated stream of videos and PDFs, you also get exclusive access to an e-book written by Jason Reaves (@sysopfb) that takes you through several sophisticated malware samples, from GuLoader to Qakbot, examining different anti-analysis methods, string encryption functionality, C2 protocols, and more!

ANY.RUN Integration

On top of the already existing features in the course, we are happy to announce we have partnered with ANY.RUN to provide a 3 month customized access plan for all students! This plan contains additional features not available in the free plan, such as locale selection, an extended timeout period, Windows 7 64bit, and more! All of this is featured in the course pricing, so there are no additional fees to worry about - in order to activate the 3 month plan, you need to register an account on ANY.RUN, and you will be upgraded, allowing you to access all the features in the plan immediately!
Additionally, ANY.RUN will be the new home for the malware samples covered in the course, allowing you to get an interactive overview on the sample before even opening it up in a disassembler or debugger!
If you have any questions about the customized plan, feel free to drop us a message here or via email (contact emails can be found at the end of this page), and we will respond ASAP!

ANY.RUN Features

  • Win 7 32/64bit
  • Unlimited manual submissions (1 parallel)
  • Interactive access 
  • Analysis time: 660 sec
  • Max input file size: 100Mb
  • HTML reports
  • URL analysis
  • MITRE ATT&CK mapping
  • Process behavior graph 
  • Extended IDS rule sets 
  • Video record 
  • MITM proxy for HTTPS 
  • Locale selection 
  • Network geolocation 
  • Priority in queue 
  • Various software presets 
  • Custom OpenVPN configuration 
  • Monitoring of system processes 

The Beginner Malware Analysis Course

"Whether you are at the start of your journey into Malware Analysis, or perhaps you are looking to refine your skills in different areas, this course will be beneficial for you. With beginners in mind, the course is comprised of several modules, each focusing on a different aspect of Malware Analysis - this ranges from learning x86 Assembly and analyzing Visual Basic macros, to extracting configurations and learning about encryption algorithms"

This course covers the very basics of Malware Analysis and Reverse Engineering, from introducing the tools of the trade, to reverse engineering multiple modern malware families. The information is provided through theoretical slides, followed by a practical example, whether that is setting up an InetSim instance to intercept malware traffic, or extracting the configuration from a notorious Banking Trojan; it has everything you need to get into the ever-changing field that is Malware Analysis and Reverse Engineering!

Upon purchasing this bundle, you will be provided access to The Beginner Malware Analysis Course soon after.

Zero2Automated: Bundle Prerequisites

As surprising as it may seem, there are no prerequisites required for you to successfully take this course! The Beginner Malware Analysis Course and the added Zero2Hero course contain everything you will need to understand concepts covered in the more advanced Zero2Automated course!

Z2A: What Will I Learn?

Zero2Automated Content:
  • Week 0x01: Algorithms - Looking at Encryption, Hashing, Compression, etc.
  • Week 0x02: Initial Stagers - Unpacking Malware, Analysing Malicious Word Documents, Analysing Loaders, Automating Config Extraction
  • Week 0x03: Evasion - Persistence, Anti-Analysis, Process Injection
  • Week 0x04: Malware Internals - Core Functionality, looking at Banking Malware, Spyware, Ransomware, Worms, etc.
  • Week 0x05: Full Analysis 1 - Analysing a malware sample in depth 
  • Week 0x06: Full Analysis 2 - Analysing a malware sample in depth 
  • Week 0x07: Uncompiled Malware - Taking a look at uncompiled malware; Python, JavaScript, NodeJS, etc.
  • Week 0x08: Exploitation - Looking at how malware uses exploits to achieve its goals - Privilege Escalation, Gaining Access, Evasion
  • Week 0x09: "Rooting and Booting" - Taking a look at Rootkits and Bootkits
  • Week 0x0A: Shellcode - Looking at analysing Shellcode statically and dynamically
  • Week 0x0B: Command And Control Servers - All things C2, including replicating a DGA.
  • Week 0x0C: Threat Intelligence - Understanding Threat Intelligence 
  • Week 0x0D: Module Study - Trickbot Lock-n-Grab 
  • Week 0x0E: YARA Signature Development - How to develop YARA rules more effectively
  • Week 0x0F and Onwards: Additional Undecided Modules Added

Certification of Completion

After successful completion of Zero2Automated: The Advanced Malware Analysis Course, as well as passing the final exam, you will receive a Certificate of Completion, along with a unique certificate ID for verification.

Why is the Contents Section so short?

If you are looking at the course in the first few weeks of its existence, you might be looking at the section above, and the section below, and wondering why there's hardly any content in the Contents section.
For those of you who took our first course (Zero2Hero), you may remember that new episodes were rolled out weekly, along with new blog posts. 

We decided to take the same approach for the Zero2Automated course, and so the reason the Contents section is possibly quite small is entirely due to that. We will be putting out a new chapter every Monday, starting June 1st, until we have uploaded the core course material (roughly 12-13 chapters). At that point, you will have access to the entirety of the course, both blog posts, and videos.
This decision was made due to the fact that it would be a lot easier to help people out with specific chapters, rather than have 50,000 questions on different chapters all at once!
Here is where the Slack Channel comes into play - any questions about the course can be asked there, and can easily be answered by someone else taking the course, or by us!

So, the TL;DR, don't worry about the length of the contents section below, as it will be updated every week, as a new chapter is released!

What's included?


Course Introduction: Week 0x00
  • Course Introduction and Structure (6 mins)

Algorithms: Week 0x01
  • Looking at Algorithms inside of Malware (48 mins)

Initial Stagers: Week 0x02
  • Unpacking Malware Samples (60 mins)
  • Diving into 1st Stage Loaders (1h 09m 12s)
  • Reversing Second Stage Loaders - IcedID (45 mins)
  • Reversing Second Stage Loaders - Zloader (34 mins)
  • Writing Automated Config Extractors and Emulators (1h 00m 06s)
  • Equation Editor Theory PDF: Exploit Analysis (1.86 MB)
  • "Unpacking Malware Samples" Samples (2.35 MB)
  • "Diving into 1st Stage Loaders" Macro Infected Documents (166 KB)
  • "Diving into 1st Stage Loaders" Equation Editor Exploiting Documents (1.21 MB)
  • "Reversing Second Stage Loaders" Samples (168 KB)

Evasion: Chapter 0x03
  • Reverse Engineering Process Injection - Part 1 (59 mins)
  • Reverse Engineering Process Injection - Part 2 (1h 18m 21s)
  • Reverse Engineering Process Injection - API Hooking (38 mins)
  • Reverse Engineering Process Injection - PROPagate Injection (43 mins)
  • Analyzing Anti-Analysis Mechanisms in Malware (40 mins)
  • Analyzing Persistence Mechanisms in Malware (54 mins)
  • Process Injection Theory PDF: PROPagate Injection (131 KB)
  • Process Injection Theory PDF: Process Doppelganging (82.7 KB)
  • "Reverse Engineering Process Injection" Samples - Part 1 (740 KB)
  • "Reverse Engineering Process Injection" Samples - Part 2 (522 KB)
  • "Reverse Engineering Process Injection" Samples - Part 3 (222 KB)
  • "Analyzing Anti-Analysis Mechanisms in Malware" Samples (3.94 MB)
  • "Analyzing Persistence Mechanisms in Malware" Samples (4.39 MB)

Practical Analysis and Test
  • Custom Sample 1 (129 KB)
  • Custom Sample README

Malware Internals: Week 0x04
  • Malware Internals: Qakbot Web Inject Loader (Part 1) (57 mins)
  • Malware Internals: Qakbot Web Inject Loader (Part 2) (1h 46m 47s)
  • "Malware Internals: Qakbot Web Inject Loader" Sample (239 KB)
  • Malware Internals: Worms & Spyware (47 mins)
  • "Malware Internals: Worms & Spyware" Samples (3.73 MB)
  • Malware Internals: Ransomware, POS, Wipers, SpamBots, and RATs (1h 19m 38s)
  • "Malware Internals: Ransomware, POS, Wipers, SpamBots, and RATs" Samples (18.4 MB)

In-Depth Analysis: Week 0x05
  • Theory - Trickbot & Active Directory: In-Depth Analysis (37 mins)
  • Practical - Trickbot & Active Directory: In-Depth Analysis (24 mins)
  • Trickbot & Active Directory: Prototype Source Code (CPP) (6.45 KB)
  • Qakbot Deep Dive - First Stage Analysis (1h 08m 16s)
  • Qakbot Deep Dive - Second Stage Analysis (49 mins)
  • Qakbot Deep Dive - Communications Analysis (1h 21m 40s)
  • "Qakbot Deep Dive - First Stage Analysis" Sample (210 KB)
  • Compiled BriefLZ DLL (11 KB)
  • Qakbot Scripts (18.4 KB)

Exploitation: Week 0x06
  • Trickbot Case Study: EternalBlue & EternalRomance - Theory (45 mins)
  • Trickbot Case Study: EternalBlue & EternalRomance - Practical (21 mins)

"Decompilable2Src" Malware: Week 0x07
  • Analyzing Uncompiled & Decompilable Malware (1h 01m 00s)

Threat Intelligence: Week 0x08
  • Hunting for Automated Signature Development - YARA (23 mins)
  • Zero2Hero: How Attackers Gain Footholds (28 mins)
  • Zero2Hero: Persistence (18 mins)
  • Zero2Hero: Privilege Escalation (30 mins)
  • Zero2Hero: Analysis Of ASUS SHADOWHAMMER Attack (36 mins)
  • Zero2Hero: Basic Injection Techniques (1h 03m 07s)
  • Zero2Hero: RigEK - Theory (18 mins)
  • Zero2Hero: RigEK - Practice Part 1 (12 mins)
  • Zero2Hero: RigEK - Practice Part 2 (9 mins)
  • Zero2Hero: POS - Theory (14 mins)
  • Zero2Hero: POS - Practice (11 mins)
  • Zero2Hero: FIN7 Insights - Theory (11 mins)
  • Zero2Hero: FIN7 Insights - Practice Part 1 (7 mins)
  • Zero2Hero: FIN7 Insights - Practice Part 2 (3 mins)
  • Zero2Hero: Trickbot Hooking Engine - Theory (14 mins)
  • Zero2Hero: Trickbot Hooking Engine - Practice (14 mins)
  • Zero2Hero: Golang Usage in Malware - Theory (19 mins)
  • Zero2Hero: Golang Usage in Malware - Practice (13 mins)
  • Zero2Hero: YARA Hunting for Code Reuse - Theory (34 mins)
  • Zero2Hero: YARA Hunting for Code Reuse - Practice (15 mins)
  • Zero2Hero: Algorithms - RC4 (17 mins)

Zero2Automated: Malware Walkthroughs E-Book
  • Zero2Automated Malware Walkthroughs - EPUB (Test) (923 KB)
  • Zero2Automated Malware Walkthroughs (1.01 MB)

Blog Posts
  • Netwalker - From static RE to automatic extraction (256 KB)
  • Link to Windows 7 VM


Do I get lifetime access to the course?

Yes! Upon purchasing the course, you gain immediate lifetime access, allowing you to come back every few months to look at specifics! No additional payments, no additional worries! Furthermore, further content will be added to the course over time, which you will also gain access to, free of charge!

Can I access the course offline?

Unfortunately the videos cannot be accessed offline, however, you are able to download the theoretical material provided alongside the course, to study more in-depth topics offline!

Is payment possible without PayPal?

Both Stripe (Credit Card/Debit Card payments) and PayPal are the main supported payment processors of the platform, however if these are an issue for you, we may be able to work out possible payment methods - in that case, please see the "How can I contact you" answer.

Is a Certificate of Completion given?

It is! Upon completing the videos, there will be a short test that you can take. Upon passing this test, you will receive a certificate of completion, with your name on it!

How can I contact you for further questions?

You can contact us over Twitter (@0verfl0w_ and @VK_Intel) or via Email ( and