Reverse Engineering
Malware
pe-viewer
C:\Samples\
mzheader
reverse engineering / malware
.text
Characteristics: 0x60000020
.text:0000
;
Liam Chugg
— Security Researcher @
CrowdStrike
.text:0004
; I enjoy picking apart malware, everything here is reproducible if you want to follow along
.text:0008
; Samples:
VirusTotal
·
MalwareBazaar
·
github.com/MZHeader/samples
.text:000C
; → more about me
.text:0010
; ────────────────────────────────────────────────────────
.text:0014
; Hey! I'm Liam, a Security Researcher at CrowdStrike.
.text:0018
; I originally started this blog while working as a security
.text:001C
; analyst, mainly as a way to get into reverse engineering
.text:0020
; and sharpen my skills. Over time it's grown into a place
.text:0024
; where I share things I find interesting, from challenges
.text:0028
; to random deep dives. Hoping to keep it growing with
.text:002C
; even more cool stuff!
.text:0030
; ────────────────────────────────────────────────────────
Section[1] .rsrc
VirtualAddress: 0x00004000 VirtualSize: 0x00001200
Characteristics: 0x40000040
.rsrc
Characteristics: 0x40000040
.rsrc:0000
Picking Apart PirateFi: A Trojanised Steam Game
; TimeDateStamp: 0x69B5F680 (15 Mar 2026) ·
InfoStealer
.rsrc:0020
From ClickFix to MacSync: Execution Chain Analysis on macOS
; TimeDateStamp: 0x69473880 (21 Dec 2025) ·
InfoStealer
.rsrc:0040
UPATRE Downloader: Replication, Decryption, and Execution
; TimeDateStamp: 0x6938B800 (10 Dec 2025) ·
Loader
.rsrc:0060
Huntress CTF: 2025 - Reverse Engineering Challenge Writeups
; TimeDateStamp: 0x69054D80 (1 Nov 2025) ·
CTF
.rsrc:0080
The Invisible Loader: Winos 4.0’s Journey from Disk to C2
; TimeDateStamp: 0x6855F600 (21 Jun 2025) ·
Loader
.rsrc:00A0
Analyzing KoiLoader: WinDbg‑Driven Reverse Engineering of a Multi‑Stage Malware Loader
; TimeDateStamp: 0x6854A480 (20 Jun 2025) ·
InfoStealer
.rsrc:00C0
Huntress CTF: 2024 Writeups
; TimeDateStamp: 0x672C0300 (7 Nov 2024) ·
CTF
.rsrc:00E0
Inside Quasar RAT: Unpacking a Multi-Stage PowerShell Loader
; TimeDateStamp: 0x66021000 (26 Mar 2024) ·
RAT
.rsrc:0100
Following the Execution Trail: An XWorm Loader Autopsy
; TimeDateStamp: 0x65BD8200 (3 Feb 2024) ·
RAT
.rsrc:0120
Dissecting ClipBanker: From JavaScript Loader to Process Injection
; TimeDateStamp: 0x659B3B00 (8 Jan 2024) ·
InfoStealer
.rsrc:0140
Breaking Down NJRat: A Full Kill Chain Analysis
; TimeDateStamp: 0x65667F00 (29 Nov 2023) ·
RAT
Section[2] .lnkin
VirtualAddress: 0x00006000 VirtualSize: 0x00000200
Characteristics: 0x00000200
.lnkin
Characteristics: 0x00000200
.lnkin:0000
linkedin.com/in/liam-chugg
Section[3] .gthb
VirtualAddress: 0x00007000 VirtualSize: 0x00000200
Characteristics: 0x00000200
.gthb
Characteristics: 0x00000200
.gthb:0000
github.com/MZHeader
Section[4] .xcom
VirtualAddress: 0x00008000 VirtualSize: 0x00000200
Characteristics: 0x00000200
.xcom
Characteristics: 0x00000200
.xcom:0000
x.com/Chuggx00