{
	"id": "b8927665-7a27-44fc-aa90-6fb1e45b36cd",
	"created_at": "2026-04-06T00:06:08.196111Z",
	"updated_at": "2026-04-10T03:20:33.084565Z",
	"deleted_at": null,
	"sha1_hash": "d0b2fc6fa87fb44db02762cc37c2af9f550b1fe3",
	"title": "Building a Custom Malware Analysis Lab Environment - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9673988,
	"plain_text": "Building a Custom Malware Analysis Lab Environment - SentinelLabs\r\nBy Marco Figueroa\r\nPublished: 2021-01-04 · Archived: 2026-04-05 21:41:56 UTC\r\nIntroduction\r\nBuilding the right malware analysis environment is the first step for every malware researcher. Once the system\r\nconfiguration and software installation are complete, you are able to analyze and investigate malware properly. In this post,\r\nI wanted to share my own experiences and scripts to ease the workload of setting up a malware environment to explore\r\nmalicious software.\r\nIn this post, you will learn how to:\r\n1. download, install and configure a free Windows 10 and a free REMnux Linux virtual machine\r\n2. set up a private virtual network for communication between the virtual machines\r\n3. build a custom Windows malware environment with SentinelLabs RevCore Tools\r\n4. capture network traffic from the Windows 10 virtual machine\r\nInstalling Virtual Machines\r\nRunning multiple virtual machines slows the host operating system down, so it is worth sizing each virtual machine\r\nsensibly. For the virtual machines in this post, I recommend giving the Windows 10 virtual machine a minimum of two\r\nprocessor cores and 4GB of RAM, and the Linux virtual machine two processor cores and 2GB of RAM.\r\nDownloading a Free Windows 10 Installation\r\nMicrosoft provides a free virtual machine which is intended for testing the IE and Edge web browsers. It is an evaluation\r\nimage that expires 90 days after first boot, which is one reason the snapshots taken below matter. To download the\r\nMicrosoft virtual machine go to https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/, download the\r\nMSEdge on Windows 10 zip file and select your preferred VM platform; currently I’m using VMware Fusion.\r\nhttps://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/\r\nPage 1 of 20\n\nDownloading REMnux Linux\r\nThe next virtual machine we want to download is REMnux Linux. 
The REMnux distro is a Linux distribution based on\r\nUbuntu. It has excellent tools for exploring network interactions for behavioral analysis and investigating system-level\r\ninteractions of malware. To download REMnux go to https://docs.remnux.org/install-distro/get-virtual-appliance and\r\ndownload the virtual machine image for the platform of your choice.\r\nInstalling and Configuring a Private Isolated Custom Network\r\nCreating an isolated, controlled network environment when analyzing malware is extremely important: it lets you\r\ninteract with the malware while keeping it off your real network. VMware Fusion gives you the capability to change key\r\nnetworking settings and add a private virtual network to use for analysis between hosts. We will only add two virtual\r\nmachines to this lab environment, but you can add many virtual machines to this network. The procedure to create this\r\nnetwork is as follows:\r\nSelect the tab VMware Fusion-\u003ePreferences-\u003eNetwork; click the lock icon to make changes.\r\nSelect the “+” button, which creates a vmnet# under the Custom section (vmnet2 in this post).\r\nDo not select the “Allow virtual machines on this network to connect to external networks (using NAT)” option, and\r\nleave “Connect the host Mac to this network” unchecked as well, so the only way off the analysis network is through\r\nthe REMnux machine.\r\nAdd a Subnet IP: I’ve entered 10.1.2.0\r\nClick Apply\r\nWindows 10 Setup\r\nOnce you’ve created a custom network and both virtual machines have been downloaded, begin by unzipping the MSEdge\r\nWindows 10 archive. Since I’m using VMware Fusion, I will go through how to import the virtual image; the process for importing\r\nthe virtual machine with other platforms is similar.\r\nOpen up VMware Fusion and follow these steps:\r\n1. After the zip has been unpacked enter the MSEdge-Win10-VMware folder.\r\n2. 
Select in VMware Fusion File-\u003eImport, choose MSEdge_Win10_VMware, hit Continue and save the virtual machine; it\r\nwill take a few minutes to import the image.\r\n3. Click on Customize Settings after the image has been imported.\r\n4. Click into the Processors \u0026 Memory tab and confirm that the settings have two processor cores and the memory is\r\n4096MB.\r\n5. Before powering on the MSEdge Win10 virtual machine, take a snapshot and name it something like “VM Clean\r\nImport”.\r\n6. When starting the virtual machine, if prompted to upgrade the virtual machine to greater feature compatibility\r\nsupport, choose Upgrade.\r\n7. The password to the virtual machine is Passw0rd!\r\n8. Open the command prompt to activate the virtual machine and type slmgr.vbs /ato .\r\n9. When prompted, install VMware Tools and reboot.\r\n10. Once the virtual machine has rebooted, complete login and immediately take a snapshot. Give it a descriptive name,\r\nsuch as “Activation and VM Tools Install”.\r\nREMnux Setup\r\nThe REMnux virtual machine downloads as an .ova file. Before importing it, browse to docs.remnux.org and confirm\r\nthat the hash of the downloaded OVA file matches the published one; the appliance ships with a well-known password, so\r\nyou want to be sure you are booting the genuine image.\r\nIf you are using VirtualBox, you can just import REMnux, but if you are using VMware Fusion or VMware Workstation,\r\nfollow these instructions to import REMnux:\r\n1. Select File-\u003eImport-\u003eChoose File… and select remnux-v7, hit Continue and then Save.\r\n2. When the import is complete, click on Customize Settings.\r\n3. Click into the Processors \u0026 Memory pane under System Settings and leave the settings with two processor cores;\r\nreduce the memory from 4096MB to 2048MB.\r\n4. For the REMnux network configuration, the setup is slightly different: we want to add a second network\r\nadapter. Note: There are two reasons why I configure this virtual machine this way. 
If I need to update or\r\ndownload other software, having the NAT adapter configured saves me time; the second is that I can allow\r\nmalware callouts to the internet when I choose to. Once the import is complete and you’re in the “Settings” menu, select Network Adapter. The next\r\nstep is to click Add Device…, select Network Adapter and click Add…. Make sure the Share with my Mac radio\r\nbutton is set. Return to the main “Settings” panel and select Network Adapter 2. Click the vmnet2 radio button, then\r\nchoose Show All to go back to Settings.\r\n5. When starting the REMnux virtual machine, if prompted to upgrade the virtual machine to greater feature\r\ncompatibility support, choose Upgrade.\r\n6. Once REMnux boots, the credentials are: Username: remnux Password: malware .\r\n7. I always change the password on my virtual machines:\r\n1. $ passwd\r\nUNIX password: malware\r\nEnter new UNIX password: (your choice)\r\n8. The next step is to configure the network settings. If you type ifconfig -a you should see two network adapters:\r\n1. Select NAT (Share with my Mac) for the first network adapter. The virtual machine will get an address on that network from the\r\nVMware virtual DHCP server. You can ping google to see if you have connectivity or open the Firefox\r\nbrowser and connect to any website to confirm that you have internet access. If you do not, then type these\r\ncommands in a terminal: $ sudo dhclient -r followed by $ sudo dhclient . The first releases any stale lease and the\r\nsecond requests a fresh one.\r\n2. For the second adapter, ens37, type in this command: $ sudo ifconfig ens37 10.1.2.1 netmask\r\n255.255.255.0 . Note that an address set this way does not survive a reboot, so re-run the command (or make it\r\npersistent in netplan) if you restart the machine rather than reverting to a snapshot.\r\n9. Hit the “Snapshot” button and name it something like “Clean Snapshot”.\r\n10. 
Update and upgrade REMnux: $ sudo apt-get update \u0026\u0026 sudo apt-get upgrade\r\nInstalling SentinelLabs RevCore Tools\r\nOne of the reasons I wanted to create a bare-bones SentinelLabs VM malware analysis toolkit was that when installing\r\nFlareVM, I find it contains many tools that I do not use, and it takes a minimum of 40 minutes to install. I wanted to create a\r\nscript of the core tools and system configurations that I need to be able to analyze malware.\r\nFollow this procedure to install SentinelLabs RevCore Tools on MSEdge Windows 10:\r\n1. Browse to the SentinelLabs RevCore Tools GitHub page and download the zip.\r\n2. Unzip it and drag the SentinelLabs_RevCore_Tools_codeSnippet.ps1 script onto your desktop.\r\n3. If you are using the free downloaded Windows 10 virtual machine that I’ve mentioned above, go to Step 4; if you are\r\nusing your own Windows virtual machine, continue with these substeps:\r\n1. Instead of dragging just SentinelLabs_RevCore_Tools_codeSnippet.ps1 , drag the entire folder onto your\r\nvirtual machine desktop.\r\n2. Open the SentinelLabs_RevCore_Tools_codeSnippet.ps1 file and modify line 4 after -PackageName. You\r\nwill replace the URL with the location of the script on your desktop, e.g. change\r\n'https://raw.githubusercontent.com/SentineLabs/SentinelLabs_RevCore_Tools/master/SentinelLabs_RevCore_Tools\r\nto 'C:\\Users\\yourUsername\\Desktop\\SentinelLabs_RevCore_Tools-main\\SentinelLabsRevCoreTools.ps1' ;\r\n3. The final thing to do is to modify SentinelLabsRevCoreTools.ps1. On lines 105-117, replace IEUser\r\nwith the name of the user profile you are using. Save all files and run the script. E.g.,\r\nInstall-ChocolateyShortcut -ShortcutFilePath \"C:\\Users\\IEUser\\Desktop\\HxD.lnk\" -TargetPath \"C:\\Pr\r\nInstall-ChocolateyShortcut -ShortcutFilePath \"C:\\Users\\YourUser Profile\\Desktop\\HxD.lnk\" -TargetP\r\n4. Go to Step 5.\r\n4. 
In the Windows 10 search bar, type powershell , right click and run as administrator. Browse to the location of the\r\nSentinelLabs_RevCore_Tools_codeSnippet.ps1 PowerShell script, then run it:\r\n.\\SentinelLabs_RevCore_Tools_codeSnippet.ps1 . If PowerShell refuses to run the unsigned script (the default\r\nexecution policy on Windows 10 is Restricted), allow it for this session first with Set-ExecutionPolicy Bypass -Scope Process .\r\n5. The script will cause two automatic reboots, and you’ll need to log in again with your user password after each. After the\r\nfirst reboot the script continues disabling various system services that could otherwise hinder your malware analysis and\r\ncarries on installing the core tools. After the second reboot, the script finalizes and confirms all of the configurations\r\nand installations. The installed tools and modified system configurations are listed below. Don’t forget to take a\r\nsnapshot when it’s finished and you’ve reached the “Type ENTER to exit” point.\r\n1. Tools:\r\nChecksum, 7zip, Process Explorer, Autoruns, TCPview, Sysmon, HxD, PEbear, PEStudio, PEsieve, Cmder,\r\nNXlog, X64dbg, X32dbg, Ollydbg, IDA-Free, Cutter, Ghidra, Openjdk11, Python3, PIP, PIP pefile, PIP Yara.\r\nA tool that I frequently use is Hiew; Chocolatey does not have Hiew in its collection. My recommendation is to\r\ndownload and try out the free version; once you see the power of Hiew you should definitely purchase\r\nlifetime access because it is worth every penny.\r\n2. System Configuration:\r\nDisabling – Bing Search, Game Bar Tips, Computer Restore, UAC, Update, Firewall, Windows Defender,\r\nAction Center\r\nSet Window Theme, Set Wallpaper, Create Shortcuts For Tools\r\nThese changes leave the machine wide open by design; that is only acceptable because it will live on the isolated\r\nvmnet2 network and never on a network you care about.\r\nNetwork Traffic Collection\r\nWhen analyzing malware, often the malware operation and the C2s are still active, so an excellent way to stay under\r\nthe radar is to run the malware in a controlled environment. 
Watching the network traffic is a quick, effective way to detect\r\nmalicious software callouts in real time. This section will help you configure your virtual machines to\r\ncapture the detonated malicious software’s network traffic, or to step through the code in a debugger, so that\r\nyour investigation can understand the potential threat at hand.\r\nThe first thing that must be configured is the private virtual network between the MSEdge Windows\r\n10 and REMnux virtual machines:\r\n1. On the Windows 10 virtual machine, select the custom vmnet2 network (Virtual Machine-\u003eNetwork\r\nAdapter-\u003eCustom (vmnet2)).\r\n2. On the Windows 10 VM, right click on the network adapter in the taskbar and choose Open Network \u0026\r\nInternet settings.\r\n3. Select Ethernet and click on Change adapter options.\r\n4. Right click on Ethernet0 and select Properties.\r\n5. Double click on Internet Protocol Version 4 (TCP/IPv4).\r\n6. Click the radio button to select “Use the following IP address:”, then add the IP address, Subnet mask, Default\r\ngateway, and Preferred DNS server as follows:\r\n1. IP Address: 10.1.2.100\r\n2. Subnet mask: 255.255.255.0\r\n3. Default Gateway: 10.1.2.1\r\n4. Click the radio button to select “Use the following DNS server address:” and add:\r\nPreferred DNS Server: 10.1.2.1\r\n5. Click OK to complete configuration of the network settings.\r\nWith the gateway and the DNS server both pointed at REMnux, every name lookup and every packet bound for an\r\noutside address is handed to 10.1.2.1, where INetSim and Burp Suite will answer it.\r\nThe REMnux adapter for the private virtual network has already been configured in the previous section.\r\nNow that the virtual machines are networked and can communicate with each other, it is time to configure a few tools\r\non the REMnux virtual machine to capture traffic.\r\nInstalled on REMnux are various tools you can use to capture network traffic. We will configure Burp Suite and\r\nINetSim. 
Burp Suite is an intercepting proxy normally used for web application testing, but in our case we want to configure it so\r\nthat when Windows 10 detonates malware that tries to establish a connection to a domain or C2, the traffic, which\r\nwill potentially use HTTPS, passes through Burp Suite and on to INetSim. INetSim is a software suite\r\nthat simulates common services for lab environments to analyze malware’s network behavior.\r\nBurp Suite Configuration\r\nThe Burp Suite setup is straightforward, but there are a couple of steps that we must configure before we can begin\r\nusing it.\r\nOpen a terminal and type: $ sudo burpsuite (the launcher name on REMnux; root is needed because Burp will bind\r\nport 443 later).\r\nSelect Temporary project, then hit Next and then Start Burp.\r\nSelect the Proxy tab and then “Options”. Under Proxy Listeners, select the default interface and click the Edit\r\nbutton.\r\nUnder the Binding tab, set Bind to address to Specific address: 10.1.2.1 and click OK. The listener is still on\r\nport 8080 at this point; the Windows machine uses it once, below, to fetch Burp’s CA certificate.\r\nIMPORTANT STEP:\r\nGo back to your MSEdge Windows 10 virtual machine and open up the Edge browser.\r\nType in the address bar: http://10.1.2.1:8080 . You should see “Burp Suite Community Edition”.\r\nDownload the CA Certificate on the top right side of the page.\r\nOpen the location of the file and double click on the certificate file.\r\nSelect Install Certificate... .\r\nSelect Current User as the Store Location and click Next .\r\nSelect Automatically select the certificate store based on the type of certificate . Click\r\nNext and then click Finish .\r\nGo into the settings of the Edge browser and disable all security functionalities; this will help with\r\ntesting the connection to INetSim in the next section.\r\nMake sure you take a snapshot.\r\nGo back to the REMnux virtual machine. 
You should still be in the Burp Suite Proxy tab, editing the proxy listener.\r\nUnder the Binding tab, keep Bind to address set to Specific address: 10.1.2.1, but change Bind to port to 443.\r\nClick on the Request handling tab, set Redirect to host to localhost and Redirect to port to 4443, then select\r\nSupport invisible proxying (enable only if needed) and click OK. With invisible proxying on, Burp accepts the\r\nconnections the malware makes directly to 10.1.2.1:443 (it is not configured to use a proxy), presents a certificate\r\nsigned by the CA you just installed, and forwards the decrypted requests to INetSim’s HTTPS service on port 4443.\r\nNow go to the Intercept tab and make sure intercept is off, otherwise every request will stall waiting for you to\r\nforward it.\r\nINetSim Configuration Setup\r\nREMnux has INetSim preinstalled. Use your favorite text editor and open up the inetsim.conf file located in\r\n/etc/inetsim/ . Follow the steps to configure INetSim:\r\n1. $ sudo vi /etc/inetsim/inetsim.conf and enable all the services by uncommenting them, i.e. deleting the #\r\ncharacter in front of each start_service line. Pro Tip: a lab where every service answers, every name resolves and every\r\nfile downloads is itself a tell that malware can use to detect an analysis environment. I have yet to come across this, but it\r\nis good to be aware of the possibility. You could take a more conservative approach and only uncomment\r\nservices you intend to use.\r\n2. The next step is to bind the REMnux network adapter IP in the inetsim.conf file. The next section after the\r\nservices list is service_bind_address . Uncomment the line and change the default IP address from\r\n10.10.10.1 to 0.0.0.0 . (Binding to 10.1.2.1 instead also works and is tighter: 0.0.0.0 makes the fake services\r\nlisten on the NAT adapter too.)\r\n3. Scroll down to the dns_default_ip section, uncomment the line and change the IP address from 10.10.10.1\r\nto 10.1.2.1 , so every name the malware resolves points back at REMnux.\r\n4. 
The last thing to do is to move INetSim’s HTTPS service to port 4443 so that Burp Suite can own port 443 and route the\r\ntraffic there. Scroll down to the https_bind_port section, uncomment the line and replace 443 with 4443 .\r\n5. Save the changes and exit the editor.\r\n6. The next step is to run the following commands, which are VERY IMPORTANT to execute or INetSim will\r\nnot work correctly. Ubuntu has a systemd-resolved system service which provides network name resolution to\r\nlocal applications and holds port 53 on 127.0.0.53. This conflicts with INetSim’s DNS service, so we have to disable\r\nsystemd-resolved, mask it so that it doesn’t auto start on reboot, and finally stop it:\r\n$ sudo systemctl disable systemd-resolved\r\n$ sudo systemctl mask systemd-resolved\r\n$ sudo systemctl stop systemd-resolved\r\nBe aware that REMnux’s own name resolution on the NAT adapter goes through that stub resolver, so after this\r\nchange point /etc/resolv.conf at a real nameserver whenever you need to update REMnux.\r\n7. The final step is to run INetSim:\r\n$ sudo inetsim\r\nTo test network connectivity from your Windows 10 virtual machine, open a command prompt and ping 10.1.2.1,\r\nthen open the Edge browser and type 10.1.2.1. You should see the following message: “This is the default HTML page for\r\nINetSim HTTP server fake mode.”\r\nThe final test is to make sure DNS is working correctly and serving up requests. For this example, I type in the\r\naddress bar https://www.mymaliciousdomain.com/malwaretrojan.exe . 
If everything is working, you should see a\r\nweb page warning that the requested site is not secure.\r\nI also like using Wireshark to capture packets so I can analyze the pcaps when investigating malware.\r\nOpen a new tab in your terminal in REMnux and type $ wireshark .\r\nOnce the application has opened, pick the ens37 interface (the vmnet2 side, so the NAT adapter’s traffic stays out of\r\nthe capture) and click on the shark fin icon on the far left of the toolbar to begin capturing packets.\r\nDetonating Malware\r\nWhen malware is executed, it usually makes some request to a domain or IP address. INetSim helps with this by\r\nspoofing the responses to the malware that is waiting for a reply. For example, malware may reach out to a domain and\r\nrefuse to proceed until it receives a particular response; if it never receives that response, it terminates and does not\r\ncontinue its malicious actions. This is where the live environment assists us, by responding to callouts and capturing\r\nthe network traffic.\r\nFor the final step of the lab environment setup, we will detonate a notorious trojan binary (or any malware you\r\nchoose) to test that the configuration is working correctly.\r\nI’m testing with a Trickbot binary (SHA256:\r\n49d95cae096f7f73b3539568b450076227b4ca42c0240044a7588ddc1f1b6985 ). I’ve opened Process Explorer and\r\nTCPView to monitor the execution of this variant of Trickbot.\r\nDetonating malware can save a lot of time before diving deep into reverse engineering, as it allows you to gather\r\ninsight and form an unbiased hypothesis. 
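The INetSim configuration steps and the post-detonation triage above both reduce to text processing, so here is a small script for the REMnux side. It is an added example, not code from the post or from the SentinelLabs RevCore Tools repository. It assumes the stock inetsim.conf directive names (start_service, service_bind_address, dns_default_ip, https_bind_port) and that INetSim’s service.log lines are laid out like the sample embedded in the script; that sample log, the sample config excerpt, the 10.1.2.100 client and the lab_helpers.py file name are all constructed for illustration. One deliberate difference from the post: it binds the services to 10.1.2.1 rather than 0.0.0.0, which keeps the fake services off the NAT adapter.

```python
#!/usr/bin/env python3
# Added example, not code from the SentinelLabs post. Applies the inetsim.conf
# edits from the steps above and summarises what a detonated sample asked
# INetSim for. Assumes the stock directive names and service.log lines laid
# out like the constructed SAMPLE_LOG below.
import sys

LAB_IP = '10.1.2.1'      # REMnux address on the isolated vmnet, as in the post
HTTPS_PORT = '4443'      # INetSim HTTPS port behind Burp's 443 listener
# The post binds to 0.0.0.0; LAB_IP keeps the fake services off the NAT adapter.
SETTINGS = {'service_bind_address': LAB_IP, 'dns_default_ip': LAB_IP,
            'https_bind_port': HTTPS_PORT}


def patch_inetsim_conf(text):
    '''Enable every start_service line and set each SETTINGS directive.'''
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip()
        end = line[len(body):]                 # keep the original line ending
        parts = body.lstrip('#').split(None, 1)
        key = parts[0] if parts else ''
        if key == 'start_service':
            body = body.lstrip('#')
        elif key in SETTINGS:
            body = key + ' ' + SETTINGS[key]
        out.append(body + end)
    return ''.join(out)


def check_inetsim_conf(text):
    '''List what a config still gets wrong: a SETTINGS directive missing or
    set to another value, or a start_service line still commented out.'''
    problems, seen = [], {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == '#start_service':
            problems.append('still disabled: ' + ' '.join(parts[1:]))
        elif len(parts) > 1 and parts[0] in SETTINGS:
            seen[parts[0]] = parts[1]
    for key, want in SETTINGS.items():
        if seen.get(key) != want:
            problems.append('{} is {}, want {}'.format(key, seen.get(key), want))
    return problems


def callouts(log_text):
    '''(client_ip, protocol, target) tuples, first seen first, for every DNS
    name requested and every HTTP(S) request line INetSim logged.'''
    found = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        client = f[5].strip('[]').rsplit(':', 1)[0]
        service = f[3].lstrip('[')             # e.g. dns_53_tcp_udp
        if service.startswith('dns_') and f[6:8] == ['requested', 'name:']:
            item = (client, 'dns', f[8].rstrip(','))
        elif (service.startswith('http') and f[6] == 'recv:'
              and len(f) >= 10 and f[-1].startswith('HTTP/')):
            item = (client, service.split('_')[0], f[7] + ' ' + f[8])
        else:
            continue
        if item not in found:
            found.append(item)
    return found


# Constructed excerpt of a stock inetsim.conf before the edits.
SAMPLE_CONF = '''
#start_service dns
start_service http
#start_service https
#service_bind_address   10.10.10.1
#dns_default_ip         10.10.10.1
#https_bind_port        443
'''

# Constructed service.log in the assumed layout: the Windows VM (10.1.2.100)
# resolves the test name from the post and fetches the file through Burp into
# INetSim's HTTPS service, then Windows runs its certificate trust list update.
SAMPLE_LOG = '''
[2021-01-04 10:00:01] [5151] [dns_53_tcp_udp 5160] [10.1.2.100:54321] requested name: www.mymaliciousdomain.com
[2021-01-04 10:00:02] [5151] [https_4443_tcp 5162] [10.1.2.100:54322] recv: GET /malwaretrojan.exe HTTP/1.1
[2021-01-04 10:00:02] [5151] [https_4443_tcp 5162] [10.1.2.100:54322] recv: Host: www.mymaliciousdomain.com
[2021-01-04 10:00:05] [5151] [dns_53_tcp_udp 5160] [10.1.2.100:54330] requested name: ctldl.windowsupdate.com
[2021-01-04 10:00:05] [5151] [http_80_tcp 5161] [10.1.2.100:54331] recv: GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab HTTP/1.1
'''


def main(argv):
    '''Usage: patch <inetsim.conf> | callouts <service.log> | no args: samples'''
    if argv[1:2] == ['patch']:
        sys.stdout.write(patch_inetsim_conf(open(argv[2]).read()))
    elif argv[1:2] == ['callouts']:
        for row in callouts(open(argv[2]).read()):
            print(*row)
    else:
        patched = patch_inetsim_conf(SAMPLE_CONF)
        print('problems after patch:', check_inetsim_conf(patched) or 'none')
        for row in callouts(SAMPLE_LOG):
            print(*row)


if __name__ == '__main__':
    main(sys.argv)
```

Run it with no arguments to exercise the constructed samples. python3 lab_helpers.py patch /etc/inetsim/inetsim.conf > inetsim.conf.new produces a patched copy to review before copying it into place (check_inetsim_conf is what you run on the result), and python3 lab_helpers.py callouts /var/log/inetsim/service.log prints each client, protocol and target once, in the order first seen, which is a quick way to get the list of callouts the post reads off Process Explorer and TCPView.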
In this example, when we detonated this Trickbot sample there were three\r\ncallouts that stuck out:\r\nThe callouts were to fetch files from the Microsoft Update site; the cab files requested belong to the automatic updater of\r\nuntrusted certificates. A certificate trust list is a predefined list of items signed by a trusted entity. These\r\nrequested cab files are used to update the existing functionality by adding known untrusted\r\ncertificates to the untrusted certificate store by using a certificate trust list. Requests like these are made by the\r\nWindows certificate subsystem (typically triggered when a sample validates a certificate chain), so baseline the VM’s own\r\ntraffic from a clean snapshot before attributing everything you see to the malware.\r\nAlthough Trickbot is one of the more prolific malware strains today and is more complex than a few callouts, it is a\r\ngood starting point if you are in the beginning stages of research and have never encountered this binary.\r\nI’ve been successfully using this lab setup for many years. A real-world example of using this lab setup occurred\r\nwhen I was brought in to help with an incident at short notice back in 2016. I didn’t have time for an initial triage of\r\nthe binary as I was joining a war room call for the briefing by the investigation team lead. I started both VMs from\r\nsnapshots and detonated the binary while being brought up to speed about the incident. Within 5 minutes, I informed\r\nthe investigation lead about an IP that the specific binary was calling out to, which was enough to give the threat\r\nhunters a place to begin. After the war room call, I started reversing the malware and extracting additional IOCs and\r\nTTPs.\r\nConclusion\r\nLab environment setup and configuration vary with the malware being analyzed. When analyzing malware you need\r\ndifferent tools to dissect it and do deep analysis. 
I hope the SentinelLabs RevCore Tools and the configurations in this\r\nsetup assist, but there might be a time that you need to analyze something different, like a .NET file, and may need\r\nan additional tool to fully disassemble the binary. The journey of reversing malware is a marathon and not a sprint;\r\ngrowing your skill and learning from every malware analyzed should be the goal.\r\nResources\r\nhttps://support.microsoft.com/en-us/help/2677070/an-automatic-updater-of-untrusted-certificates-is-available-for-window\r\nhttps://askubuntu.com/questions/191226/dnsmasq-failed-to-create-listening-socket-for-port-53-address-already-in-use\r\nhttps://gallery.technet.microsoft.com/scriptcenter/Change-the-Desktop-b5b2141c\r\nhttps://gist.github.com/trietptm/b84ccad9db01f459ac7e\r\nMarco Figueroa\r\nMarco Figueroa is a Principal Threat Researcher at SentinelOne whose technical expertise includes reverse engineering,\r\nincident handling, threat intelligence, and APT hunting. Previously, Marco spent 7 years at Intel as a Sr. Security\r\nResearcher.\r\nSource: https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/"
	],
	"report_names": [
		"building-a-custom-malware-analysis-lab-environment"
	],
	"threat_actors": [],
	"ts_created_at": 1775433968,
	"ts_updated_at": 1775791233,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0b2fc6fa87fb44db02762cc37c2af9f550b1fe3.pdf",
		"text": "https://archive.orkl.eu/d0b2fc6fa87fb44db02762cc37c2af9f550b1fe3.txt",
		"img": "https://archive.orkl.eu/d0b2fc6fa87fb44db02762cc37c2af9f550b1fe3.jpg"
	}
}