If you can understand how a specific malware sample was made, you are closer to unwrapping it and seeing the bits that express its true functionality

Bugfix release of dnfile, parsing .NET binaries from Python. Thanks for the PRs! pypi.org/project/dnfile/

We need a common instruction-level trace file format that different tools can produce and others can consume

Code similarity is a common and powerful way to cluster malware samples and make connections between seemingly unrelated malware families. Although it sounds simple, it is actually a complex problem and is hard to automate at scale without generating false positives. 1/

This is true for malware analysis as well. Just replace SIEM with IDA/Ghidra/dnSpyEx/etc and read

Check out capa v4 with: 1. support for analyzing .NET executables 2. finer grained capability detection via instruction and operand features 3. many new and updated detection rules Blog: mandiant.com/resources/blog… Binaries: github.com/mandiant/capa/… Source: github.com/mandiant/capa