{"id":2056,"date":"2024-01-03T08:34:25","date_gmt":"2024-01-03T08:34:25","guid":{"rendered":"\/cybersecurity-blog\/?p=2056"},"modified":"2024-01-09T07:23:57","modified_gmt":"2024-01-09T07:23:57","slug":"malware-configuration","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/","title":{"rendered":"Easily Extract Malware Configuration in ANY.RUN"},"content":{"rendered":"\n<p><strong>Editor\u2019s note:<\/strong><em><strong>\u00a0<\/strong><\/em>The current article was originally published on March 29, 2022, and updated on January 3, 2024.<\/p>\n\n\n\n<p>Memory dump extraction and YARA matching are powerful detection methods for known malware families. What\u2019s more, they can reveal detailed information about malware injected into the memory of system processes.&nbsp;&nbsp;<\/p>\n\n\n\n<p>But extracting malware configuration is not easy. Unless you do it with ANY.RUN.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How memory dumps improve detection rate&nbsp;<\/h2>\n\n\n\n<p>One of <a href=\"https:\/\/any.run\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=malware_config_upd&amp;utm_content=linktolanding&amp;utm_term=291223\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>\u2019s main advantages lie in its simplicity, interactivity, and speed. Any user can analyze even complex malware nearly instantly. Simply loading a sample and hitting the \u201crun\u201d button already gives you structured data with little manual work.&nbsp;<\/p>\n\n\n\n<p>But there are cases when you need to dive into a deeper analysis of samples.&nbsp;&nbsp;<\/p>\n\n\n\n<p>One of such tasks is malware\u2019s memory analysis. Extracting malware configuration from memory in itself requires a wide set of skills. 
Our goal is to streamline this process and help you retrieve and decrypt that data on the fly, improving your productivity.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"621\" height=\"349\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/1-8.png\" alt=\"\" class=\"wp-image-6586\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/1-8.png 621w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/1-8-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/1-8-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/1-8-270x152.png 270w\" sizes=\"(max-width: 621px) 100vw, 621px\" \/><\/figure><\/div>\n\n\n<p>Part of a memory dump showing the beginning of Amadey version 2.50\u2019s encoded config<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Memory analysis starts with dumps taken from specific memory regions of the executed process.<\/li>\n\n\n\n<li>We then run a set of YARA rules over those dumps to identify the malware family.<\/li>\n\n\n\n<li>If a known family is identified, we run the extractor written for that family to parse and decrypt its configuration.<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Memory dumps extracted by ANY.RUN and our YARA scanner also detect artifacts such as encrypted strings, packers, and anti-debug and anti-sandbox techniques.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Why extract malware configs?<\/h2>\n\n\n\n<p>Malware configurations are crucial for identifying all types of Indicators of Compromise (IOCs), which are then used for detection. 
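To make the three steps above concrete, here is an added, runnable Python sketch of that pipeline. It is not ANY.RUN's code: the "DemoStealer" family, its config layout (a CFG1 marker, a 16-bit length, a one-byte XOR key and key=value text) and the dump bytes are all invented for the example, and a regex over the dump stands in for a YARA rule. It also shows the payoff of having the configuration rather than just the traffic: the C2 servers that never appear in a capture because the first one answered.

```python
"""Toy dump -> signature -> extractor pipeline.

Added example: the 'DemoStealer' family, its config layout (a CFG1 marker,
a 16-bit length, a one-byte XOR key and key=value text) and the dump bytes
are all invented here and match no real malware format.
"""
import re
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# 1. Signatures. A real pipeline runs YARA rules over the dump; a regex on
#    a (hypothetical) version string left in memory stands in for one here.
SIGNATURES = {
    "DemoStealer": re.compile(rb"DemoStealer v(\d+)\.(\d+)"),
}

@dataclass
class MalwareConfig:
    family: str
    version: str
    c2: List[str] = field(default_factory=list)
    port: Optional[int] = None
    mutex: Optional[str] = None
    campaign_id: Optional[str] = None

def identify_family(dump: bytes) -> Optional[Tuple[str, str]]:
    """(family, version) for the first signature that matches, else None."""
    for family, pattern in SIGNATURES.items():
        m = pattern.search(dump)
        if m:
            return family, f"{m.group(1).decode()}.{m.group(2).decode()}"
    return None

# 2. Extractor for the invented layout: marker | u16 LE length | u8 XOR key | data
CFG_MARKER = b"CFG1"

def extract_demostealer(dump: bytes, version: str) -> MalwareConfig:
    off = dump.find(CFG_MARKER)
    if off < 0:
        raise ValueError("config marker not found in dump")
    off += len(CFG_MARKER)
    (length,) = struct.unpack_from("<H", dump, off)
    key = dump[off + 2]
    enc = dump[off + 3:off + 3 + length]
    if len(enc) != length:
        raise ValueError("truncated config blob")
    text = bytes(b ^ key for b in enc).decode("ascii")
    cfg = MalwareConfig(family="DemoStealer", version=version)
    for pair in filter(None, text.split(";")):
        k, _, v = pair.partition("=")
        if k == "c2":
            cfg.c2 = v.split(",")
        elif k == "port":
            cfg.port = int(v)
        elif k == "mutex":
            cfg.mutex = v
        elif k == "campaign":
            cfg.campaign_id = v
    return cfg

EXTRACTORS = {"DemoStealer": extract_demostealer}

def run_pipeline(dump: bytes) -> Optional[MalwareConfig]:
    """Only run an extractor once a signature has named the family."""
    hit = identify_family(dump)
    if hit is None:
        return None
    family, version = hit
    return EXTRACTORS[family](dump, version)

# 3. The payoff: C2 entries the sandbox's traffic capture never saw because
#    the first server answered.
def unseen_c2(cfg: MalwareConfig, observed_hosts: Set[str]) -> List[str]:
    return [h for h in cfg.c2 if h not in observed_hosts]

def build_sample_dump() -> bytes:
    """Constructed dump: padding, the version string, then the encoded config."""
    plaintext = (b"c2=198.51.100.7,203.0.113.9,192.0.2.44;port=8080;"
                 b"mutex=Global\\dm-7a1;campaign=jan24")
    key = 0x5A
    blob = bytes(b ^ key for b in plaintext)
    return (b"\x00" * 32 + b"DemoStealer v2.50\x00" + b"\x90" * 16
            + CFG_MARKER + struct.pack("<H", len(blob)) + bytes([key]) + blob
            + b"\x00" * 16)

if __name__ == "__main__":
    cfg = run_pipeline(build_sample_dump())
    print(cfg)
    print("C2s absent from traffic:", unseen_c2(cfg, {"198.51.100.7"}))
```

The order matters: the extractor only runs after a signature has named the family, so a wrong or missing match costs nothing more than a skipped extraction, and each family keeps its own parser for its own layout.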
They also show how a sample was configured to run and what it is capable of.<\/p>\n\n\n\n<p>Configuration: the key to a malware family\u2019s internal features<\/p>\n\n\n\n<p><strong>In cybersecurity, understanding the typical behavior of malware families is essential<\/strong>. Each family follows a pattern established by its author, and individual builds follow that blueprint. What differs between builds is the set of settings defined at build time. 
For instance, a sample might exfiltrate data to an email address, to a server, through a messenger, or through a combination of these, depending entirely on its configuration.<\/p>\n\n\n\n<p>That said, modern malware, such as <a href=\"https:\/\/app.any.run\/tasks\/4a784a02-aa80-4294-a234-8a01c35fa5ad\/\" target=\"_blank\" rel=\"noreferrer noopener\">Arkei<\/a>, has become modular.<\/p>\n\n\n\n<p>New components, like keyloggers, banking modules, or miners, can be added to the initial build, changing the malware&#8217;s behavior. The configurations of these modules, which store all customization options, play a crucial role. When extracted, they let analysts predict and understand the behavior of a sample, even before it starts its harmful activity or after its command servers have gone offline.<\/p>\n\n\n\n<p>Consider <a href=\"https:\/\/app.any.run\/tasks\/bc4d4c26-b53f-4275-a089-d0b57714b218\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=malware_config_upd&amp;utm_content=linktoservice&amp;utm_term=291223\" target=\"_blank\" rel=\"noreferrer noopener\">this Remcos sample<\/a> that no longer connects to its C2 server. Despite this, its configuration can still be analyzed.<\/p>\n\n\n\n<p>Configurations also help you catch details that would otherwise be missed. For example, if a sample is configured with ten C&amp;C servers and the first one responds, the remaining nine might never be discovered, as is often the case with <a href=\"https:\/\/app.any.run\/tasks\/3052704d-5b94-4851-b788-c8ca592b9260\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=malware_config_upd&amp;utm_content=linktoservice&amp;utm_term=291223\" target=\"_blank\" rel=\"noreferrer noopener\">Emotet<\/a>. 
The malware typically talks only to the first IP address that answers, so the others never show up in network traffic. Configuration extractors are invaluable in such scenarios, revealing the full list without waiting for the malware to contact each server.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"979\" height=\"659\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-8.png\" alt=\"\" class=\"wp-image-6588\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-8.png 979w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-8-300x202.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-8-768x517.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-8-370x249.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-8-270x182.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-8-740x498.png 740w\" sizes=\"(max-width: 979px) 100vw, 979px\" \/><figcaption class=\"wp-element-caption\">Emotet malware configuration showing all of its C2 IPs<\/figcaption><\/figure><\/div>\n\n\n<p>Take <a href=\"https:\/\/app.any.run\/tasks\/4dd94494-54b6-4cf7-adc7-228f8a12601d\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=malware_config_upd&amp;utm_content=linktoservice&amp;utm_term=291223\" target=\"_blank\" rel=\"noreferrer noopener\">Trickbot<\/a> as another example. It stalls, for instance with lengthy mathematical calculations, to postpone its activity. While Trickbot may only start network activity, such as connecting to a C2 server, after a 300-second delay, ANY.RUN can detect it and extract its configuration in as little as 100 seconds.<\/p>\n\n\n\n<p>Given the multitude of malware families, we focus on the most prevalent ones according to distribution statistics. 
According to our <a href=\"https:\/\/any.run\/malware-trends\/\" target=\"_blank\" rel=\"noreferrer noopener\">Malware Trends Tracker<\/a>, there are roughly 50 widespread families. Covering those lets us track both targeted APT tooling and the popular MaaS operations you are most likely to encounter as a security specialist.<\/p>\n\n\n\n<p>Malware analysis often means digging into a sample&#8217;s memory dump, then reversing and debugging it. For complex code like Emotet\u2019s, that is time-consuming. Extracting the configuration instead gives quicker insight into the malware&#8217;s likely behavior and impact.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Automating malware config extraction with ANY.RUN<\/h2>\n\n\n\n<p>Extracting malware configurations is a repetitive but crucial task for researchers. It involves delving into the memory dump of a malware sample, then reversing and debugging it to understand its behavior and structure. 
This can be particularly time-consuming with complex malware like Emotet, known for its bloated code.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"545\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-5-1024x545.png\" alt=\"\" class=\"wp-image-6589\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-5-1024x545.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-5-300x160.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-5-768x409.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-5-1536x818.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-5-370x197.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-5-270x144.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-5-740x394.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-5.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Manual configuration extraction is complicated&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Good news is that in many cases you don\u2019t need to do it manually. 
<strong>ANY.RUN can extract configs for 90% of the most well-known malware.&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<p>For instance, today alone, there have been numerous AgentTesla uploads, and configurations for all active samples are already available.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-4-1024x566.png\" alt=\"\" class=\"wp-image-6590\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-4-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-4-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-4-768x424.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-4-1536x848.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-4-2048x1131.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-4-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-4-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-4-740x409.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">A list of public tasks where AgentTesla was detected in ANY.RUN&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>These can be accessed in our public submissions under &#8220;Emotet samples with configurations.&#8221; As of this writing ANY.RUN offers over 50 extractors. 
Here are some of the highlights:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><a href=\"https:\/\/app.any.run\/tasks\/87b21b60-cae0-4a9a-a8f0-c9a959a2b7c4\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Emotet<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/b863823b-c158-454e-b817-7d40d7c06a0e\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">IcedId<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/68f6456b-97ad-4a83-9ad0-d5a4fd276008\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Lokibot<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/2c413542-653c-4877-9526-5794675d1dc8\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">FormBook<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/6c57c36d-cceb-4b1a-afd3-711344a59db9\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">TrickBot<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/6f1aea34-c567-41cd-8389-66fd75b7946e\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Arkei<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/a8898b9d-3f82-4ebf-8e49-21b78cb5fa14\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Oski<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/d33147f3-909e-4f52-9af2-4d14cf9bfbdd\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Cobalt Strike<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/d855acac-a97d-41cd-a4fe-07f71824a3c0\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Remcos<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/794e8864-50bc-4720-98f3-ff4509dce32b\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">RedLine<\/a><\/td><td><a href=\"https:\/\/app.any.run\/tasks\/f9d94287-0767-4940-a4fc-5dbfe6e55b59\" target=\"_blank\" 
rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">HawkEye<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/da62472a-a9c0-4663-933e-2e4f3e4f6486\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">AZORult<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/8acfcd2a-4d4f-4d9f-9aac-1f9c2602495b\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">ZLoader<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/3c210aab-8ea9-4255-afd8-b6ad6616622d\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">GuLoader<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/c526afda-c9b1-4eb1-9ce6-eaa8d8a64ad2\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Nanocore<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/981bc503-dbb8-4348-9453-f82b999843f2\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Hancitor<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/884a64db-681a-4de8-9726-5eb39f9efe06\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Qbot<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/a2d1d4cd-284b-4b58-bbcc-f3f2b9c46557\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Netwire<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/39dc5df1-5f09-4cfd-8318-5e39a6e9426d\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Quasar<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/dc209ae0-5ede-42f2-bc76-23427f57a608\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">CryptBot<\/a><\/td><td class=\"has-text-align-left\" data-align=\"left\"><a href=\"https:\/\/app.any.run\/tasks\/011c34be-fc8d-4e08-9156-6b70b4595935\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">WSHRat<\/a><br><a 
href=\"https:\/\/app.any.run\/tasks\/5c801b3c-be8e-4358-8588-86718939b1ff\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Matiex<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/f6e563b2-9b2f-4502-ac71-6d6efb512c5a\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">SquirrelWaffle<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/ba3dea07-d355-4ec6-9471-4ff50548001f\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">SystemBC<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/3d943de7-1c39-4f72-b825-6bec2b9d33af\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Tofsee<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/4bf965dc-f3d0-402b-8a3d-c293b96e8856\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Snake Keylogger<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/463b3f8e-93e4-423f-a88b-4e33107cd65c\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">AsyncRat<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/4ce7310c-0933-4d0d-a7cf-67fb0223e18d\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">BlackNet<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/689e6e92-957a-4324-ba85-60d2951d6eb0\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">DarkComet<\/a><br><a href=\"https:\/\/app.any.run\/tasks\/e4a08d3a-018e-4997-b296-0d8be079e95d\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Amadey<\/a><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The system displays the following malware configurations:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An IP address and a port to connect to a C2 server&nbsp;<\/li>\n\n\n\n<li>The current sample name&nbsp;&nbsp;<\/li>\n\n\n\n<li>A malware family name, type, and version&nbsp;<\/li>\n\n\n\n<li>A campaign 
ID<\/li>\n\n\n\n<li>Encryption keys<\/li>\n\n\n\n<li>Number and types of sub-modules<\/li>\n\n\n\n<li>Anti-debugging, anti-sandbox, and other evasion methods<\/li>\n\n\n\n<li>Mutex names<\/li>\n\n\n\n<li>DGA seeds<\/li>\n\n\n\n<li>The targeted OS version<\/li>\n\n\n\n<li>Domain names and URL lists<\/li>\n\n\n\n<li>Other options<\/li>\n<\/ul>\n\n\n\n<p>Keep in mind that the set of fields varies by family. Sometimes it is only the C2 server\u2019s IP address and port, plus the login and password used for the connection.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Guide to using ANY.RUN&#8217;s Malware Configuration interface<\/strong><\/h2>\n\n\n\n<p>Let&#8217;s delve into the specifics of ANY.RUN\u2019s malware configuration reports.<\/p>\n\n\n\n<p>The interface is divided into three functional areas:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"656\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/5-3.png\" alt=\"\" class=\"wp-image-6591\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/5-3.png 975w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/5-3-300x202.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/5-3-768x517.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/5-3-370x249.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/5-3-270x182.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/5-3-740x498.png 740w\" sizes=\"(max-width: 975px) 100vw, 975px\" \/><figcaption class=\"wp-element-caption\">Example of a malware configuration extracted using ANY.RUN<\/figcaption><\/figure><\/div>\n\n\n<ol class=\"wp-block-list\" start=\"1\">\n<li><strong>Process 
Navigation<\/strong>: Located at the top, this section lists the malware families detected in the sample. It includes all variants, even if there are several builds of the same family. A concise description of the malware is displayed here, with links to the Malware Trends Tracker for more details and the latest IOCs.<\/li>\n\n\n\n<li><strong>Information Panel<\/strong>: This is split into two parts. On the left is a list from which you can select and copy the data you need. The right side offers the same data in JSON for specialists who need to export it. A tooltip with further guidance opens when you click the question mark.<\/li>\n\n\n\n<li><strong>Malware Configuration Access<\/strong>: The malware configuration appears in the info panel either after the task is completed or in real time. The CFG tag next to the process lets you work with the IOCs immediately, without stopping the analysis or waiting until the end of the task.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Using ANY.RUN&#8217;s API to quickly get IOCs<\/h2>\n\n\n\n<p>ANY.RUN\u2019s API provides a quick way to gather IOCs. This is particularly useful when you have to deal with a large number of files, such as the hundreds received in a spam campaign. 
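For the spam-campaign case just described, the following is an added Python example (not ANY.RUN's own client code) of what that bulk workflow looks like: submit each file, poll every task, and merge the C2 entries from each extracted configuration into one deduplicated IOC set. The endpoint, the `file` upload part, `obj_type` and the `Authorization: API-Key` header follow the public API reference (verify them against the current version); the report fields the code reads (`data.status` and `data.processes[].malconf`) are assumptions about the JSON layout, not documented facts. `FakeTransport` supplies constructed responses so the script runs offline.

```python
"""Bulk IOC collection through the ANY.RUN REST API.

Added example, not ANY.RUN's client code. The endpoint, the 'file' upload
part, 'obj_type' and the 'Authorization: API-Key' header follow the public
API reference; the report fields read below (data.status and
data.processes[].malconf) are ASSUMED and must be checked against the
current reference. FakeTransport returns constructed responses so the
script runs offline.
"""
import json
import time
import urllib.request
import uuid
from typing import Callable, Dict, Iterable, Set, Tuple

API_ROOT = "https://api.any.run/v1/analysis"
# transport(method, url, headers, body) -> parsed JSON; injected so it can be faked
Transport = Callable[[str, str, Dict[str, str], bytes], dict]

def http_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> dict:
    """urllib transport for real use."""
    req = urllib.request.Request(url, data=body or None, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def multipart(fields: Dict[str, str], filename: str, content: bytes) -> Tuple[str, bytes]:
    """Minimal multipart/form-data encoder; the sample goes in the 'file' part."""
    boundary = "----anyrun-" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                     f'\r\n\r\n{value}\r\n'.encode())
    parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                 f'filename="{filename}"\r\nContent-Type: application/octet-stream'
                 f'\r\n\r\n'.encode() + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)

class AnyRunClient:
    def __init__(self, api_key: str, transport: Transport = http_transport):
        self.headers = {"Authorization": f"API-Key {api_key}"}
        self.transport = transport

    def submit(self, filename: str, content: bytes) -> str:
        ctype, body = multipart({"obj_type": "file"}, filename, content)
        resp = self.transport("POST", API_ROOT, {**self.headers, "Content-Type": ctype}, body)
        if resp.get("error"):
            raise RuntimeError(f"submit failed: {resp.get('message')}")
        return resp["data"]["taskid"]

    def report(self, taskid: str) -> dict:
        return self.transport("GET", f"{API_ROOT}/{taskid}", self.headers, b"")

def config_iocs(report: dict) -> Set[str]:
    """Union of C2/URL entries from every extracted config in a report (assumed layout)."""
    iocs: Set[str] = set()
    for proc in report.get("data", {}).get("processes", []):
        malconf = proc.get("malconf") or {}
        iocs.update(malconf.get("c2", []))
        iocs.update(malconf.get("urls", []))
    return iocs

def collect_iocs(client: AnyRunClient, samples: Iterable[Tuple[str, bytes]],
                 poll: float = 5.0, max_wait: float = 600.0) -> Dict[str, Set[str]]:
    """Submit every sample first, then poll all tasks until done; taskid -> IOC set."""
    pending = {client.submit(name, data) for name, data in samples}
    results: Dict[str, Set[str]] = {}
    deadline = time.monotonic() + max_wait
    while pending and time.monotonic() < deadline:
        for taskid in list(pending):
            rep = client.report(taskid)
            if rep.get("data", {}).get("status") == "done":  # assumed field
                results[taskid] = config_iocs(rep)
                pending.discard(taskid)
        if pending:
            time.sleep(poll)
    return results

def merge_iocs(results: Dict[str, Set[str]]) -> Set[str]:
    """One deduplicated IOC set for the whole campaign."""
    return set().union(*results.values()) if results else set()

class FakeTransport:
    """Offline stand-in with constructed responses: first poll 'running', then 'done'."""
    def __init__(self) -> None:
        self.polls: Dict[str, int] = {}

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: bytes) -> dict:
        assert headers["Authorization"].startswith("API-Key ")
        if method == "POST":
            taskid = str(uuid.uuid4())
            self.polls[taskid] = 0
            return {"error": False, "data": {"taskid": taskid}}
        taskid = url.rsplit("/", 1)[1]
        self.polls[taskid] += 1
        if self.polls[taskid] < 2:
            return {"error": False, "data": {"status": "running", "processes": []}}
        return {"error": False, "data": {"status": "done", "processes": [
            {"pid": 1234, "malconf": {"family": "DemoStealer",
                                      "c2": ["198.51.100.7:8080", "203.0.113.9:8080"],
                                      "urls": ["http://203.0.113.9/gate.php"]}},
            {"pid": 1300}]}}

if __name__ == "__main__":
    client = AnyRunClient("REPLACE-WITH-YOUR-KEY", FakeTransport())
    found = collect_iocs(client, [("a.exe", b"MZ..."), ("b.exe", b"MZ...")], poll=0)
    print(sorted(merge_iocs(found)))
```

Submitting everything before polling anything keeps the sandboxes busy in parallel, and the deadline bounds how long a stuck task can hold up the batch; pass `http_transport` (the default) with a real key to run it against the service.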
Submit the files through the API and each task\u2019s report comes back with the extracted configuration included:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"774\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/6-2.png\" alt=\"\" class=\"wp-image-6592\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/6-2.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/6-2-300x227.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/6-2-768x581.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/6-2-370x280.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/6-2-270x204.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/6-2-740x559.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/6-2-80x60.png 80w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Malware configuration in an API response<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-media-text is-vertically-aligned-center\" style=\"grid-template-columns:19% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/03\/15.jpg\" alt=\"fast malware analysis\" class=\"wp-image-2065\"\/><\/figure><div class=\"wp-block-media-text__content\">\n\n<p class=\"has-text-align-left has-large-font-size\"><strong>It takes 15 seconds from the moment you send the executable file to the final results with IOCs. 15 seconds for everything!<\/strong><\/p>\n\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Help us expand our threat coverage even more. 
Here&#8217;s how you can contribute:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Let us know which malware families you encounter often, and we&#8217;ll consider adding them.<\/li>\n\n\n\n<li>If you spot any issues with our extractors, please tell us.<\/li>\n\n\n\n<li>Need specific data for your work? Feel free to share your requirements in the comments below.<\/li>\n<\/ul>\n\n\n\n<p>Also, if you discover a new malware version that isn&#8217;t in our database yet, email us at <a href=\"mailto:newvirus@any.run\" target=\"_blank\" rel=\"noreferrer noopener\">newvirus@any.run<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>A few words about ANY.RUN<\/strong><\/h3>\n\n\n\n<p>ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.<\/p>\n\n\n\n<p>Request a demo today and enjoy 14 days of free access to our Enterprise plan.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=malware_config_upd&amp;utm_content=linktodemo&amp;utm_term=291223\" target=\"_blank\" rel=\"noreferrer noopener\">Request demo \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note:\u00a0The current article was originally published on March 29, 2022, and updated on January 3, 2024. Memory dump extraction and YARA matching are powerful detection methods for known malware families. What\u2019s more, they can reveal detailed information about malware injected into the memory of system processes.&nbsp;&nbsp; But extracting malware configuration is not easy. 
Unless [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":6594,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[34],"class_list":["post-2056","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-service-updates","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Easily Extract Malware Configuration in ANY.RUN - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Malware extractors are ready to use. Enjoy high-quality detection of known families and receive IOCs in 15 seconds via API.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Easily Extract Malware Configuration in ANY.RUN\",\"datePublished\":\"2024-01-03T08:34:25+00:00\",\"dateModified\":\"2024-01-09T07:23:57+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/\"},\"wordCount\":1507,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"malware analysis\"],\"articleSection\":[\"Service Updates\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/\",\"name\":\"Easily Extract Malware Configuration in ANY.RUN - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-01-03T08:34:25+00:00\",\"dateModified\":\"2024-01-09T07:23:57+00:00\",\"description\":\"Malware extractors are ready to use. 
Enjoy high-quality detection of known families and receive IOCs in 15 seconds via API.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Service Updates\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Easily Extract Malware Configuration in ANY.RUN\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Easily Extract Malware Configuration in ANY.RUN - ANY.RUN&#039;s Cybersecurity Blog","description":"Malware extractors are ready to use. Enjoy high-quality detection of known families and receive IOCs in 15 seconds via API.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Easily Extract Malware Configuration in ANY.RUN","datePublished":"2024-01-03T08:34:25+00:00","dateModified":"2024-01-09T07:23:57+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/"},"wordCount":1507,"commentCount":1,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["malware analysis"],"articleSection":["Service Updates"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/","url":"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/","name":"Easily Extract Malware Configuration in ANY.RUN - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-01-03T08:34:25+00:00","dateModified":"2024-01-09T07:23:57+00:00","description":"Malware extractors are ready to use. 
Enjoy high-quality detection of known families and receive IOCs in 15 seconds via API.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Service Updates","item":"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/"},{"@type":"ListItem","position":3,"name":"Easily Extract Malware Configuration in ANY.RUN"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/2056"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=2056"}],"version-history":[{"count":6,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/2056\/revisions"}],"predecessor-version":[{"id":6628,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/2056\/revisions\/6628"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/6594"}],"
wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=2056"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=2056"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=2056"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}