______ _ _____ ______ __ ____ __
| ____| | /\ | __ \| ____| \ \ / / \/ |
| |__ | | / \ | |__) | |__ _____\ \ / /| \ / |
| __| | | / /\ \ | _ /| __|______\ \/ / | |\/| |
| | | |____ / ____ \| | \ \| |____ \ / | | | |
|_| |______/_/ \_\_| \_\______| \/ |_| |_|
________________________________________________________
Developed by
flarevm@fireeye.com
FLARE (FireEye Labs Advanced Reverse Engineering)
________________________________________________________
Welcome to FLARE VM - a fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.
Please see https://www.fireeye.com/blog/threat-research/2018/11/flare-vm-update.html for a blog on installing FLARE VM.
Version 2.0 of FLARE VM has introduced breaking changes with previous versions. A fresh installation in a clean Virtual Machine is recommended.
Version 2.0 of FLARE VM now depends on the environment variable FLARE_START
. If troubleshooting, please make sure this environment variable is set. Its default value is set to %PROGRAMDATA%
\Microsoft\Windows\Start Menu\Programs\FLARE
.
This download configuration script is provided to assist cyber security analysts in creating handy and versatile toolboxes for malware analysis environments. It provides a convenient interface for them to obtain a useful set of analysis tools directly from their original sources. Installation and use of this script is subject to the Apache 2.0 License. You as a user of this script must review, accept and comply with the license terms of each downloaded/installed package listed below. By proceeding with the installation, you are accepting the license terms of each package, and acknowledging that your use of each package will be subject to its respective license terms. List of package licenses: http://exeinfo.atwebpages.com http://go.microsoft.com/fwlink/?LinkID=251960 http://jd.benow.ca/ http://msdn.microsoft.com/en-US/cc300389.aspx http://ntinfo.biz https://www.sublimetext.com http://opensource.org/licenses/MIT http://progress-tools.x10.mx/dnsd.html http://sandsprite.com/CodeStuff/scdbg_manual/MANUAL_EN.html http://sandsprite.com/iDef/MAP/ http://sandsprite.com/iDef/SysAnalyzer/ http://sandsprite.com/tools.php?id=17 http://svn.code.sf.net/p/processhacker/code/2.x/trunk/LICENSE.txt http://technet.microsoft.com/en-us/sysinternals/bb469936 http://upx.sourceforge.net/upx-license.html http://vimdoc.sourceforge.net/htmldoc/uganda.html http://whiteboard.nektra.com/spystudio/spystudio_license http://wjradburn.com/software/ http://www.7-zip.org/license.txt http://www.angusj.com/resourcehacker/ http://www.chiark.greenend.org.uk/~sgtatham/putty/licence.html http://www.gnu.org/copyleft/gpl.html http://www.gnu.org/licenses/gpl-2.0.html http://www.novirusthanks.org/products/kernel-mode-driver-loader/ http://www.ntcore.com/exsuite.php http://wjradburn.com/software/ http://www.ollydbg.de/download.htm http://www.ollydbg.de/version2.html http://www.oracle.com/technetwork/java/javase/terms/license/index.html http://www.radare.org/r/license.html http://www.rohitab.com/apimonitor http://www.slavasoft.com/hashcalc/license-agreement.htm http://www.techworld.com/download/portable-applications/microsoft-offvis-11-3214034/ https://blog.didierstevens.com/programs/pdf-tools/ https://blog.didierstevens.com/programs/xorsearch/ https://bytecodeviewer.com/ https://cdn.rawgit.com/iggi131/packages/master/RawCap/license.txt https://docs.binary.ninja/about/license/#demo-license https://docs.binary.ninja/about/license/index.html#demo-license https://github.com/0xd4d/de4dot/blob/master/LICENSE.de4dot.txt https://github.com/0xd4d/dnSpy https://github.com/0xd4d/dnSpy/blob/master/dnSpy/dnSpy/LicenseInfo/GPLv3.txt https://github.com/FarGroup/FarManager/blob/master/LICENSE https://github.com/clinicallyinane/shellcode_launcher/ https://github.com/enkomio/RunDotNetDll/blob/master/LICENSE.TXT https://github.com/fireeye/flare-fakenet-ng https://github.com/fireeye/flare-floss https://github.com/fireeye/flare-qdb https://github.com/fireeye/flare-vm https://github.com/icsharpcode/ILSpy/blob/master/README.txt https://github.com/icsharpcode/ILSpy/blob/master/doc/license.txt https://github.com/java-decompiler/jd-gui/blob/master/LICENSE https://github.com/mikesiko/PracticalMalwareAnalysis-Labs https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/LICENSE https://github.com/radareorg/cutter https://github.com/x64dbg/x64dbg/blob/development/LICENSE https://github.com/x64dbg/x64dbgpy/blob/v25/LICENSE https://hshrzd.wordpress.com/pe-bear/ https://github.com/hasherezade/hollows_hunter/blob/master/LICENSE https://github.com/hasherezade/pe-sieve/blob/master/LICENSE https://metasploit.com/ https://mh-nexus.de/en/hxd/license.php https://nmap.org/ncat/ https://portswigger.net/burp https://raw.githubusercontent.com/IntelliTect/Licenses/master/WindowsManagementFramework.txt https://raw.githubusercontent.com/chocolatey/choco/master/LICENSE https://raw.githubusercontent.com/ferventcoder/checksum/master/LICENSE https://retdec.com/ https://svn.nmap.org/nmap/COPYING https://www.7-zip.org/ https://www.free-decompiler.com/flash/license/ https://www.gnu.org/copyleft/gpl.html https://www.hex-rays.com/products/ida/support/download_freeware.shtml https://www.jetbrains.com/decompiler/download/license.html https://www.kali.org/about-us/ https://www.mcafee.com/hk/downloads/free-tools/fileinsight.aspx https://www.microsoft.com/en-us/download/details.aspx?id=44266 https://www.nirsoft.net/utils/hash_my_files.html https://www.openssl.org/source/license.html https://www.python.org/download/releases/2.7/license https://docs.python.org/3/license.html https://www.sweetscape.com/010editor/manual/License.htm https://www.vb-decompiler.org/license.htm http://kpnc.org/idr32/en/ https://www.vim.org/about.php https://www.winitor.com https://raw.githubusercontent.com/NationalSecurityAgency/ghidra/master/LICENSE https://www.mzrst.com/ https://raw.githubusercontent.com/dscharrer/innoextract/master/LICENSE http://innounp.sourceforge.net/ https://www.visualstudio.com/en-us/support/legal/mt644918 http://repo.or.cz/w/nasm.git/blob_plain/HEAD:/LICENSE https://blog.didierstevens.com/programs/oledump-py/ https://lessmsi.activescott.com/ https://cert.at/downloads/software/bytehist_en.html https://github.com/ReFirmLabs/binwalk https://github.com/fireeye/SilkETW
Create and configure a new Windows 7 SP1 or newer Virtual Machine. To install FLARE VM on an existing Windows VM, download and copy install.ps1
on your analysis machine. On the analysis machine open PowerShell as an Administrator and enable script execution by running the following command:
Set-ExecutionPolicy Unrestricted
Finally, execute the installer script as follows:
.\install.ps1
The script will set up the Boxstarter environment and proceed to download and install the FLARE VM environment. You will be prompted for the Administrator password in order to automate host restarts during installation.
First, install BoxStarter. All commands are expected to be executed with Administrator privileges.
If you are using PowerShell v2:
Set-ExecutionPolicy Unrestricted
iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1')); get-boxstarter -Force
And PowerShell v3 or newest:
Set-ExecutionPolicy Unrestricted
. { iwr -useb http://boxstarter.org/bootstrapper.ps1 } | iex; get-boxstarter -Force
Next, you can deploy FLARE VM environment as follows
Install-BoxstarterPackage -PackageName https://raw.githubusercontent.com/fireeye/flare-vm/master/install.ps1
NOTE: The old installation method using the webinstaller link is now deprecated.
FLARE VM uses the chocolatey public and custom FLARE package repositories. It is easy to install a new package. For example, enter the following command as Administrator to deploy x64dbg on your system:
cinst x64dbg
Type the following command to update all of the packages to the most recent version:
cup all
For an example malware analysis session using FLARE VM, please see the blog at https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html.
The installation instructions referenced in the above blog post are outdated. For installation instructions, follow the steps outlined in the blog https://www.fireeye.com/blog/threat-research/2018/11/flare-vm-update.html.
- dex2jar
- apktool
- flare-qdb
- scdbg
- OllyDbg + OllyDump + OllyDumpEx
- OllyDbg2 + OllyDumpEx
- x64dbg
- WinDbg + OllyDumpex + pykd
- RetDec
- Interactive Delphi Reconstructor (IDR)
- VC Build Tools
- NASM
- Ghidra
- IDA Free (5.0 & 7.0)
- Binary Ninja Demo
- radare2
- Cutter
- de4dot
- Dot Net String Decoder (DNSD)
- dnSpy
- DotPeek
- ILSpy
- RunDotNetDll
- FFDec
- Volatility
- FileInsight
- HxD
- 010 Editor
- JD-GUI
- Bytecode-Viewer
- FakeNet-NG
- ncat
- nmap
- Wireshark
- Offvis
- OfficeMalScanner
- oledump.py
- PDFiD
- PDFParser
- PDFStreamDumper
- PEiD
- ExplorerSuite (CFF Explorer)
- PEview
- DIE
- PeStudio
- PEBear
- ResourceHacker
- LordPE
- PPEE(puppy)
- MetaSploit
- Windows binaries from Kali Linux
- SublimeText3
- Notepad++
- Vim
- VBDecompiler
- BurpSuite Free Edition
- FLOSS
- HashCalc
- HashMyFiles
- Checksum
- 7-Zip
- Far Manager
- Putty
- Wget
- RawCap
- UPX
- RegShot
- Process Hacker
- Sysinternals Suite
- API Monitor
- SpyStudio
- Shellcode Launcher
- Cygwin
- Unxutils
- Malcode Analyst Pack (MAP)
- XORSearch
- XORStrings
- Yara
- CyberChef
- KernelModeDriverLoader
- Process Dump
- Exe2Aut
- Innounp
- InnoExtract
- UniExtract2
- Hollows-Hunter
- PE-sieve
- Py2ExeDecompiler
- Python 2.7
- hexdump
- pefile
- winappdbg
- pycryptodome
- vivisect
- binwalk
- capstone-windows
- unicorn
- oletools
- olefile
- unpy2exe
- uncompyle6
- pycrypto
- pyftpdlib
- pyasn1
- pyOpenSSL
- ldapdomaindump
- pyreadline
- flask
- networkx
- requests
- Python 3
- binwalk
- unpy2exe
- uncompyle6
- VC Redistributable Modules (2005, 2008, 2010, 2012, 2013, 2015, 2017)
- .NET Framework versions 4.6.2 and 4.7.2
- Practical Malware Analysis Labs
- Google Chrome
- Cmder Mini