Building a tiny triage rig

A lightweight workflow for turning suspicious binaries into repeatable notes before deeper reversing begins.

Tags: malware-analysis, tooling, python

Why this exists

Most samples do not deserve a full notebook on first contact. They deserve a fast, repeatable pass that answers a few questions:

  • What format is it?
  • What imports and strings stand out?
  • Does it carry obvious packing hints?
  • What environment details should be preserved?

Directory shape

case/
  sample.bin
  hashes.txt
  strings.txt
  imports.txt
  notes.md

Keeping every first-pass artifact beside the case notes makes it easier to revisit the sample later without rebuilding context.

First-pass capture

Hashes

Record at least SHA-256. If the sample is from a shared corpus, also record source, download time, and password state.

Strings

Do two passes: one for ASCII and one for UTF-16LE. Keep the raw output, then copy only the interesting lines into the writeup.

Imports

Imports are not truth, but they are useful hints. Networking, process injection, crypto, service control, and registry APIs usually decide the first branch of analysis.
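The whole first pass (hashes, two string passes, a packing hint, and an import bucketing) as one small script. This is an added example, not code from the original post: the byte blob and the import list are constructed stand-ins, the import name lists per category are short illustrative sets you would extend, import names are assumed to come from whatever PE parser you already use (the script does not parse the PE itself), and whole-file Shannon entropy is used here as a crude stand-in for "obvious packing hints".

```python
# Added example (not from the original post). Hashes the sample, pulls ASCII and
# UTF-16LE strings in two passes, scores whole-file entropy as a crude packing
# hint, and buckets import names by the API families that decide the first
# branch of analysis. Import names are passed in as a list (assumption: taken
# from your PE parser, e.g. pefile); SAMPLE below is constructed, not malware.
import hashlib
import math
import re
from collections import Counter
from pathlib import Path

MIN_LEN = 6

# API name -> analysis branch. Illustrative short lists, not exhaustive.
IMPORT_HINTS = {
    "networking": {"WSAStartup", "connect", "send", "recv", "InternetOpenA",
                   "InternetOpenW", "HttpSendRequestA", "URLDownloadToFileA"},
    "process_injection": {"VirtualAllocEx", "WriteProcessMemory",
                          "CreateRemoteThread", "NtMapViewOfSection",
                          "QueueUserAPC"},
    "crypto": {"CryptAcquireContextA", "CryptEncrypt", "CryptDecrypt",
               "BCryptEncrypt", "BCryptDecrypt"},
    "service_control": {"OpenSCManagerA", "OpenSCManagerW", "CreateServiceA",
                        "CreateServiceW", "StartServiceA"},
    "registry": {"RegOpenKeyExA", "RegOpenKeyExW", "RegSetValueExA",
                 "RegSetValueExW", "RegCreateKeyExA"},
}


def hash_sample(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the raw bytes; SHA-256 is the one that must be kept."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> dict:
    """Two passes: printable ASCII runs, then UTF-16LE runs (ASCII byte + NUL pairs)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {
        "ascii": [m.decode("ascii") for m in ascii_re.findall(data)],
        "utf16le": [m.decode("utf-16-le") for m in utf16_re.findall(data)],
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0..8. Whole-file values close to 8 are a packing/encryption hint."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_imports(names) -> dict:
    """Bucket imported API names into the branches the triage pass cares about."""
    found = {}
    for category, apis in IMPORT_HINTS.items():
        hits = sorted(set(names) & apis)
        if hits:
            found[category] = hits
    return found


def write_case(case_dir: Path, data: bytes, imports) -> None:
    """Write hashes.txt / strings.txt / imports.txt beside notes.md, matching the case layout."""
    case_dir.mkdir(parents=True, exist_ok=True)
    (case_dir / "hashes.txt").write_text(
        "".join(f"{k}  {v}\n" for k, v in hash_sample(data).items()))
    s = extract_strings(data)
    (case_dir / "strings.txt").write_text(
        "# ascii\n" + "\n".join(s["ascii"]) + "\n# utf16le\n" + "\n".join(s["utf16le"]) + "\n")
    (case_dir / "imports.txt").write_text(
        f"# entropy {shannon_entropy(data):.2f} bits/byte\n"
        + "".join(f"{cat}: {', '.join(apis)}\n" for cat, apis in classify_imports(imports).items()))


# Constructed stand-in for sample.bin: one ASCII string, one UTF-16LE string, filler.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"http://example.invalid/update" + b"\x00" * 4
          + "SOFTWARE\\Run".encode("utf-16-le") + b"\x00" * 4
          + b"ab" + b"\x00" * 8)
# Constructed import list, as a PE parser would hand it over.
SAMPLE_IMPORTS = ["CreateFileA", "WSAStartup", "connect", "VirtualAllocEx",
                  "WriteProcessMemory", "CreateRemoteThread", "RegSetValueExA"]

if __name__ == "__main__":
    write_case(Path("case"), SAMPLE, SAMPLE_IMPORTS)
    print(hash_sample(SAMPLE)["sha256"])
    print(extract_strings(SAMPLE))
    print(classify_imports(SAMPLE_IMPORTS))
```

Run it from the case directory's parent and the three artifact files appear next to `notes.md`; raw strings go to `strings.txt` in full, so the writeup only has to quote the lines that matter. The entropy value is a single number for the whole file, which is enough to flag an obviously packed blob but not to locate the packed section; a per-section pass is the natural next step once the PE parser is in the loop.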

Writeup skeleton

## Summary

## Static observations

## Dynamic observations

## Open questions

## Indicators

What makes it stick

The rig is deliberately small. The win is not automation for its own sake; it is consistent evidence capture before curiosity pulls the analysis in five directions.