Zero2Automated/Ultimate Malware Reverse Engineering Bundle

Please Note: While the original Beginner Malware Analysis Course is being remastered, we have temporarily discontinued new purchases of the Ultimate Malware Reverse Engineering Bundle.

  • £185.99 or 3 monthly payments of £65

Ultimate Malware Reverse Engineering Bundle

  • Closed
  • Discord access

Perfect for all skill levels, from a complete beginner to an expert analyst - this bundle has it all. 
So, you want to learn and/or improve upon your existing malware analysis and reverse engineering skills?
 
You’ve found the right place.
 
Initially created in response to the extreme lack of affordable advanced malware reverse engineering training, the Zero2Automated: Advanced Malware Analysis Course was developed by malware reverse engineers, for malware reverse engineers – with a large focus placed on practical analysis and practical approaches.
 
This training walks you through a typical malware infection chain, covering different techniques in use by modern-day threat actors at each stage in the chain – and for each stage we cover a different malware family, so you will be able to experience analysing a vast array of malware throughout this course. From analysing exploit-embedded malicious documents, to reverse engineering a modular implant designed to harvest user credentials, Zero2Automated provides you with everything needed to enhance and advance your malware analysis skillset.
 
While we focused on packing as much material with a practical focus into this course, we do realise that theory is vital in order to understand certain fundamentals, such as grasping the internals of the PROPagate injection technique, or how Equation Editor could be exploited through a malformed FONT type within a Word document to gain code execution. Therefore, we provide theoretical whitepapers alongside the chapters that require a deeper dive, allowing you to refer back to them whenever needed.

Purchase as a Gift

Looking at gifting the course to an aspiring malware analyst or reverse engineer? Whether as a seasonal gift, birthday present, or simply just a gesture of thanks, we'll provide you with a 100% off discount code that you can send to the individual of your choosing.

This course has all it takes to be the best malware analysis course out there: the content is wonderful, the content creators and instructors are well-known researchers, the price is considerably cheap, and most importantly the practical aspect of the course (which is the most important thing in a malware analysis course) is very intense!

Amged Wageh

I really want to give a shout out to @0verfl0w_ and @VK_Intel for their #Zero2Auto Malware course. Having access to a well-organized syllabus which structurally teaches malware analysis, and not to mention automation. I am one happy researcher.


Danus Minimus

What is even better than a solid malware reverse engineering training? A solid malware reverse engineering training packed with additional features to add further value-for-money.
 
Starting out, we knew the plan was always to build up the amount of value within this course. 
Currently, upon purchasing this bundle you will gain exclusive access to an e-book written by Jason Reaves (@sysopfb) that walks you through several sophisticated malware samples such as Qakbot and GuLoader, 10% off an IDA Pro Named License or IDA Home License – the industry standard for disassemblers and decompilers – and access to the Zero2Automated Discord community for collaboration with fellow students, participation in the bi-weekly malware challenges, a job postings channel, and more!
 
Oh, and of course you will also gain access to the Beginner Malware Analysis Course - an additional 8+ hours of video content.
*Sandbox & MISP Bundle is currently unavailable

Certification of Completion

After successful completion of Zero2Automated: The Advanced Malware Analysis Course, as well as passing the final exam, you will receive a Certificate of Completion, along with a unique certificate ID for verification.

Most courses I found on malware analysis were either too basic/general or they did not have much hands-on practice at all. Z2A is completely different because it’s really practical and decently challenging. The theory of most covered topics can be found online, but the full walkthrough of malware samples that use those techniques in this course is invaluable. I would say this course is probably one of the best investments I have made to learn RE!

Chuong Dong

Such excellent content. This is a must if you want to understand the real power of analyzing malware. It offers up-to-date content and very detailed explanations including notorious malware samples such as Qakbot and IcedID.
The whole course is organized in such a way that it makes you grasp the key concepts of reverse engineering cyber threats, without going crazy. Absolutely love it.

Felipe Duarte

Bundle Prerequisites

As surprising as it may seem, there are no prerequisites required for you to successfully take this course! The Beginner Malware Analysis Course and the added Zero2Hero course contain everything you will need to understand the concepts covered in the more advanced Zero2Automated course!

The Beginner Malware Analysis Course

"Whether you are at the start of your journey into Malware Analysis, or perhaps you are looking to refine your skills in different areas, this course will be beneficial for you. With beginners in mind, the course is comprised of several modules, each focusing on a different aspect of Malware Analysis - this ranges from learning x86 Assembly and analyzing Visual Basic macros, to extracting configurations and learning about encryption algorithms"

This course covers the very basics of Malware Analysis and Reverse Engineering, from introducing the tools of the trade, to reverse engineering multiple modern malware families. The information is provided through theoretical slides, followed by a practical example, whether that is setting up an InetSim instance to intercept malware traffic, or extracting the configuration from a notorious Banking Trojan; it has everything you need to get into the ever-changing field that is Malware Analysis and Reverse Engineering!

Zero to Automated is a natural progression to SANS FOR610, expanding on the analysis of malware obfuscation techniques by dissecting the most prolific and pervasive malware families in use by cybercrime campaigns today.

Jason

This course is really worth it! The last time I checked, the SANS FOR610 course, with info from 2016, cost around 7k, and I'm not quite sure it is even worth the amount of money zero2auto costs.

Johnny Belinda

No other course covers topics in the depth that this course does, with real malware samples from the wild. The step-by-step walkthrough of malware is what makes this course different from all the others. And the final exam is unbelievably awesome.

Sanjay Panchal

Hex-Rays Discount

We have also partnered with a company you may be familiar with... Hex-Rays!
Upon purchasing the course*, you will be able to grab a 10% discount on an IDA Pro Named License or an IDA Home License, with the discount remaining valid for one year from your course purchase date! In order to activate the discount, it's as simple as adding the license to your cart and then entering your course email address in the "end user email" box, before clicking "update"!

*(All existing students will be able to take advantage of this discount for 1 year starting 29/09/2021)

In my opinion, the course was amazing. The range of topics is really wide, and yet everything is discussed in detail and explained thoroughly. One can tell a lot of work went into making this course, which still sells at a very affordable price. The self-paced approach is invaluable when trying to digest so much densely packed information. I don't think there is anything else available out there with such a great quality to price ratio.

Giacomo Casoni

Course Contents

Chapter 0x00: Course Introduction

Course Introduction and Structure
Presentation Access
Discord Invite
IDA Pro & Hex-Rays Training Discount

Chapter 0x01: Recognising Algorithms

This chapter is all about recognising algorithms within malware samples using different techniques, in order to assist with string decryption, configuration extraction, and network traffic analysis!
Looking at Algorithms inside of Malware
Recognizing Common Cryptographic Algorithms - Encryption
"Recognizing Common Cryptographic Algorithms - Encryption" Samples

Chapter 0x02: Initial Stagers

This chapter starts off by analysing first-stage malware loaders that take the form of malicious macro-embedded documents & documents that exploit a vulnerability within Equation Editor, before reverse engineering the IcedID and ZLoader second-stage loaders - enough to be able to develop a configuration extractor and a basic protocol emulator.
Unpacking Malware Samples
Diving into 1st Stage Loaders
Reversing Second Stage Loaders - IcedID
Reversing Second Stage Loaders - Zloader
Writing Automated Config Extractors and Emulators
Equation Editor Theory PDF: Exploit Analysis
"Unpacking Malware Samples" Samples
"Diving into 1st Stage Loaders" Macro Infected Documents
"Diving into 1st Stage Loaders" Equation Editor Exploiting Documents
"Reversing Second Stage Loaders" Samples

Chapter 0x03: Evasion

In this section we will be diving into several different techniques in use by malware to evade detection. This includes in-depth analysis on multiple popular injection methods (such as PROPagate injection and EarlyBird injection), anti-analysis mechanisms, and common persistence techniques.
Reverse Engineering Process Injection - Reflective, DLL, PE, Hollowing
Reverse Engineering Process Injection - Doppelganging, APC, EarlyBird
Reverse Engineering Process Injection - API Hooking
Reverse Engineering Process Injection - PROPagate Injection
Analyzing Anti-Analysis Mechanisms in Malware
Analyzing Persistence Mechanisms in Malware
Process Injection Theory PDF: PROPagate Injection
Process Injection Theory PDF: Process Doppelganging
Process Injection Theory PDF: Reflective DLL Injection
"Reverse Engineering Process Injection" Samples - Part 1
"Reverse Engineering Process Injection" Samples - Part 2
"Reverse Engineering Process Injection" Samples - Part 3
"Analyzing Anti-Analysis Mechanisms in Malware" Samples
"Analyzing Persistence Mechanisms in Malware" Samples

Practical Analysis

Custom Sample 1
Custom Sample README

Chapter 0x04: Malware Internals

Within this chapter we'll be getting into the core of common malware variants, from analysing the browser hooking & inject functionality of banking trojans, to the Luhn10 algorithm in use by Point-Of-Sale based implants, and the propagation techniques employed by worms.
Malware Internals: Qakbot Web Inject Loader (Part 1)
Malware Internals: Qakbot Web Inject Loader (Part 2)
Malware Internals: Worms & Spyware
Malware Internals: Ransomware, POS, Wipers, SpamBots, and RATs
"Malware Internals: Qakbot Web Inject Loader" Sample
"Malware Internals: Worms & Spyware" Samples
"Malware Internals: Ransomware, POS, Wipers, SpamBots, and RATs" Samples

Chapter 0x05: In-Depth Analysis

This section consists of two sample deep-dives: the first being Trickbot and its Active Directory components, and the second being an analysis of the Qbot banking trojan, from the very first stage, up until a network protocol & C2 communications analysis walkthrough.
Theory - Trickbot & Active Directory: In-Depth Analysis
Practical - Trickbot & Active Directory: In-Depth Analysis
Trickbot & Active Directory: Prototype Source Code (CPP)
Qakbot Deep Dive - First Stage Analysis
Qakbot Deep Dive - Second Stage Analysis
Qakbot Deep Dive - Communications Analysis
"Qakbot Deep Dive - First Stage Analysis" Sample
Compiled BriefLZ DLL
Qakbot Scripts

Chapter 0x06: Exploitation

Here we will be reverse engineering and analysing exploitation code within malware samples; specifically a kernel-level privilege escalation exploit used by Ramnit, exploitation of a vulnerable driver to disable Driver Signature Enforcement used by the RobbinHood ransomware gang, and the infamous EternalBlue & EternalRomance exploits in use by Trickbot for network propagation.
Trickbot Case Study: EternalBlue & EternalRomance - Theory
Trickbot Case Study: EternalBlue & EternalRomance - Practical
Analysing a Kernel Level Priv. Esc. Exploit: CVE-2014-4113
Kernel Level Priv. Esc. Exploit Samples
Analysing a Vulnerable Driver Exploitation Technique for Disabling DSE
Vulnerable Driver Exploitation Samples
Analyzing a UAC Bypass

Chapter 0x07: Decompilable2Src Malware

This chapter steps away from natively compiled binaries and .NET based samples, and focuses on reversing other programming languages commonly used to develop malware, such as Python, JavaScript, and PowerShell.
Analyzing Uncompiled & Decompilable Malware
"Analyzing Uncompiled & Decompilable Malware" Samples

Chapter 0x08: Threat Intelligence

This chapter walks through the typical threat intelligence process when it comes to malware analysis & reverse engineering, as well as describing how to develop effective YARA rules for detection and threat hunting.
Hunting for Automated Signature Development - YARA
Threat Intelligence - Part 1
Threat Intelligence - Part 2

Chapter 0x09: Shellcode Analysis

This chapter walks you through the somewhat tricky process of reverse engineering malicious shellcode, using tools to execute it within a debugger, as well as analysing some of the techniques commonly seen within shellcode in the wild.
Analysing Shellcode Statically and Dynamically
"Analysing Shellcode Statically and Dynamically" Samples

Chapter 0x0A: Rootkits & Bootkits

The final chapter of the core Zero2Automated material, this chapter focuses on Trickbot's bootkit vulnerability reconnaissance tool, and how it operates at the kernel level.
TrickBoot Theory PDF: Technical Details
Analyzing Trickbot's Bootkit Vulnerability Reconnaissance Tool: Trickboot
permaDll32.zip

Final Examination

Examination Brief
Zero2Automated Exam: Theory

Biweekly Malware Challenges

Challenge #1: Gozi String Decryption
Challenge #2: IcedID Configuration Extraction
Challenge #3: Oski Stealer String Decryption
Challenge #4: Operation DreamJob

Zero2Hero

You asked for it, and we're providing it! Here you can find all the videos from our previous course, Zero2Hero, that was released for a short period of time in 2019. Now it's back for good!
Zero2Hero: Algorithms - RC4
Zero2Hero: How Attackers Gain Footholds
Zero2Hero: Persistence
Zero2Hero: Privilege Escalation
Zero2Hero: Analysis Of ASUS SHADOWHAMMER Attack
Zero2Hero: Basic Injection Techniques
Zero2Hero: RigEK - Theory
Zero2Hero: RigEK - Practice Part 1
Zero2Hero: RigEK - Practice Part 2
Zero2Hero: POS - Theory
Zero2Hero: POS - Practice
Zero2Hero: FIN7 Insights - Theory
Zero2Hero: FIN7 Insights - Practice Part 1
Zero2Hero: FIN7 Insights - Practice Part 2
Zero2Hero: Trickbot Hooking Engine - Theory
Zero2Hero: Trickbot Hooking Engine - Practice
Zero2Hero: Golang Usage in Malware - Theory
Zero2Hero: Golang Usage in Malware - Practice
Zero2Hero: YARA Hunting for Code Reuse - Theory
Zero2Hero: YARA Hunting for Code Reuse - Practice
Zero2Hero: Malware Samples

Zero2Automated: Malware Walkthroughs E-Book

Zero2Automated Malware Walkthroughs
Zero2Automated Malware Walkthroughs - EPUB (Test)

Blog Posts

Full Blog Posts/Writeups written by the Zero2Auto Team
Netwalker - From static RE to automatic extraction

Resources

Link to Windows 7 VM

FAQs

Do I get lifetime access to the course?

Yes! Upon purchasing the course, you gain immediate lifetime access, allowing you to come back every few months to look at specifics! No additional payments, no additional worries! Furthermore, further content will be added to the course over time, which you will also gain access to, free of charge!

Can I access the course offline?

Unfortunately the videos cannot be accessed offline, however, you are able to download the theoretical material provided alongside the course, to study more in-depth topics offline!

Is payment possible without PayPal?

Both Stripe (Credit Card/Debit Card payments) and PayPal are the main supported payment processors of the platform, however if these are an issue for you, we may be able to work out possible payment methods - in that case, please see the "How can I contact you" answer.

Is a Certificate of Completion given?

It is! Upon completing the videos, there will be an examination that you can take. Upon passing this examination, you will receive a certificate of completion, with your name on it!

How can I contact you for further questions?

You can contact us over Twitter (@0verfl0w_) or via Email (contact@0ffset.net)
