Reverse EngineeringMalware

pe-viewerC:\Samples\mzheader reverse engineering / malware
.text Characteristics: 0x60000020
.text:0000 ; Liam Chugg — Security Researcher @ CrowdStrike
.text:0004 ; I enjoy picking apart malware, everything here is reproducible if you want to follow along
.text:0008 ; Samples: VirusTotal · MalwareBazaar · github.com/MZHeader/samples
.text:0010 ; ────────────────────────────────────────────────────────
.text:0014 ; Hey! I'm Liam, a Security Researcher at CrowdStrike. I originally started this blog while working as a security analyst, mainly as a way to get into reverse engineering by sharpening my skills and developing my technical writing ability. Over time it's grown into a place where I share things I find interesting, from CTF / CrackMe challenges to deep dives on random malware samples.
.text:0030 ; ────────────────────────────────────────────────────────
Section[1]  .rsrc  VirtualAddress: 0x00004000   VirtualSize: 0x00001200   Characteristics: 0x40000040
.rsrc Characteristics: 0x40000040
; filter:
.rsrc:0000 Series: Crackmes ; 1 posts  ·  CTF  [+]
.rsrc:0020 Picking Apart PirateFi: A Trojanised Steam Game ; TimeDateStamp: 0x69B5F680 (15 Mar 2026)  ·  InfoStealer .rsrc:0040 From ClickFix to MacSync: Execution Chain Analysis on macOS ; TimeDateStamp: 0x69473880 (21 Dec 2025)  ·  InfoStealer .rsrc:0060 UPATRE Downloader: Replication, Decryption, and Execution ; TimeDateStamp: 0x6938B800 (10 Dec 2025)  ·  Loader
.rsrc:0080 Series: Huntress CTF ; 2 posts  ·  CTF  [+]
.rsrc:00A0 The Invisible Loader: Winos 4.0’s Journey from Disk to C2 ; TimeDateStamp: 0x6855F600 (21 Jun 2025)  ·  Loader .rsrc:00C0 Analyzing KoiLoader: WinDbg‑Driven Reverse Engineering of a Multi‑Stage Malware Loader ; TimeDateStamp: 0x6854A480 (20 Jun 2025)  ·  InfoStealer .rsrc:0100 Inside Quasar RAT: Unpacking a Multi-Stage PowerShell Loader ; TimeDateStamp: 0x66021000 (26 Mar 2024)  ·  RAT .rsrc:0120 Following the Execution Trail: An XWorm Loader Autopsy ; TimeDateStamp: 0x65BD8200 (3 Feb 2024)  ·  RAT .rsrc:0140 Dissecting ClipBanker: From JavaScript Loader to Process Injection ; TimeDateStamp: 0x659B3B00 (8 Jan 2024)  ·  InfoStealer .rsrc:0160 Breaking Down NJRat: A Full Kill Chain Analysis ; TimeDateStamp: 0x65667F00 (29 Nov 2023)  ·  RAT
Section[2]  .idata  VirtualAddress: 0x00006000   VirtualSize: 0x00000600   Characteristics: 0x40000040
.idata Characteristics: 0x40000040
.idata:0000 linkedin.com/in/liam-chugg .idata:0020 github.com/MZHeader .idata:0040 x.com/Chuggx00 .idata:0060 atom.xml (RSS feed)
RESOURCE_DATA RT_RCDATA
; hover a .rsrc entry
; to inspect resource data