EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationtoolkitvmflarevm

Assembling the Analysis Toolkit

How to build a safe, isolated malware analysis environment — VM configuration, pre-built distributions, and the complete tool stack organised by category.

Ashish Revar12 May 202614 min read3 views
Quick Bite

⚡ Quick Bite · 30s

Building a Professional Malware Analysis Lab

VM isolation with snapshots and host-only networking, FlareVM and REMnux distributions, and FakeNet-NG for safe C2 communication study.

Watch this 30-second summary before diving into the full article. Sign in to earn 5 leaderboard points.

Overview

A malware analyst needs two things before touching a suspicious binary: a safe environment and the right tools. Every tool mentioned in this topic is either open-source or has a free tier sufficient for all labs in this course.

The Analysis Virtual Machine

All analysis happens inside a virtual machine (VM). The host operating system never directly interacts with malware. The VM runs on a hypervisor such as VMware Workstation, VirtualBox, or Proxmox.

ConfigurationRecommended Setting
Guest OSWindows 10 (64-bit). Most malware targets Windows. Use an unactivated evaluation ISO from Microsoft.
RAM4 GB minimum. 8 GB if running IDA Pro alongside a debugger.
Disk60 GB dynamically allocated.
Network adapterHost-Only for isolated analysis. Use NAT only when you need to simulate internet access via INetSim or FakeNet-NG. Never use Bridged mode.
Shared foldersDisabled. Clipboard sharing disabled. Drag-and-drop disabled. These are escape vectors.
SnapshotsTake a clean snapshot after installing all tools but before analysing any sample. Revert between samples.

Refer to REMA eBook 2026, Figure 2.4 for the lab isolation architecture diagram.

VM Detection

Sophisticated malware checks for virtualisation artefacts: VMware Tools processes, VirtualBox guest additions DLLs, specific MAC address prefixes (00:0C:29 for VMware), and the CPUID instruction's hypervisor bit. Defeating these checks is covered in Unit 6. For now, a standard VM is sufficient for the samples in this course.

Pre-Built Analysis Distributions

Rather than installing dozens of tools individually, analysts start from a pre-configured distribution.

DistributionBase OSFocus
FlareVMWindowsMandiant-maintained. 140+ tools installed via Chocolatey/PowerShell: debuggers, disassemblers, PE tools, network utilities. Recommended for this course.
REMnuxLinuxMalicious document analysis (pdfid, olevba), network forensics, memory analysis. Complements a Windows VM.

Tool Categories at a Glance

CategoryToolsPurpose
PE inspectionPEStudio, PE-Bear, CFF Explorer, DIEHeaders, sections, imports, exports, entropy, timestamps, signatures
String extractionstrings, FLOSSASCII/Unicode strings. FLOSS decodes stack strings and tight XOR loops.
Capability detectionCapaIdentifies what a binary can do based on code patterns
Hashingmd5sum, sha256sum, ssdeepCryptographic and fuzzy hashes for identification
DisassemblersIDA Pro/Free, GhidraStatic code analysis, CFGs, decompilation
Debuggersx64dbg, WinDbgDynamic analysis, breakpoints, memory inspection
Process monitoringProcess Hacker, ProcmonDLL loads, file/registry activity
Network monitoringWireshark, FakeNet-NGPacket capture, service simulation
Memory forensicsVolatility 3RAM dump analysis for injected code, hidden processes
SandboxesCuckoo/CAPE, Any.RunAutomated detonation and behavioural reports

Network Simulation

Many samples attempt DNS resolution and HTTP connections during execution. If these fail, the malware may refuse to proceed, hiding secondary behaviours.

INetSim (Linux, included in REMnux): emulates DNS, HTTP, HTTPS, SMTP, FTP, and IRC. When malware queries a domain, INetSim responds with a configurable IP.

FakeNet-NG (Windows, included in FlareVM): intercepts all outbound connections, responds with simulated services, and logs every DNS query, HTTP request, and raw TCP/UDP connection.

ToolPlatformProtocols
INetSimLinuxDNS, HTTP, HTTPS, SMTP, FTP, IRC
FakeNet-NGWindowsDNS, HTTP, TCP, UDP, SMTP
ApateDNSWindowsDNS only

The Recommended Free Stack

Static:    Ghidra + PEStudio + Detect-It-Easy + FLOSS + Capa
Dynamic:   x32dbg + ScyllaHide plugin
Process:   Process Hacker + Procmon (Sysinternals)
Network:   Wireshark + FakeNet-NG
Memory:    Volatility 3
Sandbox:   Any.Run (free tier) + Hybrid Analysis

Install everything via FlareVM on a Windows 10 VM. Takes approximately 2 hours for a clean setup.

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Malware Blueprints in Portable Executable Headers

A deep dive into the Portable Executable (PE) structure used by Windows binaries — how analysts decode executable metadata to uncover malicious intent, compiler behaviour, packing indicators, and execution flow.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

FlareVM — Mandiant Windows Analysis Distribution

Install script for 140+ malware analysis tools on Windows 10. Run in your analysis VM after a clean OS install.

tool
REMnux — Linux Malware Analysis Distribution

Free Linux VM pre-loaded with document analysis, network forensics, and memory analysis tools. Complements a Windows FlareVM.

tool
Windows 10 Evaluation ISO — Microsoft

Free 90-day evaluation ISO for Windows 10 Enterprise. Use as the guest OS in your analysis VM.

reference
More articlesTest your knowledge