If you’re interested in reverse engineering like me, let me introduce you to Mandiant’s FLARE-VM! It’s a handy tool to quickly set up a malware analysis lab without much hassle.

In concrete terms, FLARE-VM is a nice collection of installation scripts for Windows, based on two badass technologies: Chocolatey (a package manager) and Boxstarter (a tool for scripting installs and configuring reproducible environments). In short, it does the heavy lifting and allows you to install and properly configure a whole bunch of tools in just a few minutes.

Before you get started, you need to check a couple of prerequisites. First, remember that FLARE-VM is designed to run on a VM, so prepare a clean one (preferably Windows 10+) on VMware or VirtualBox, for example. Then, make sure you have at least 60 GB of disk space and 2 GB of RAM. And don’t forget to disable Windows updates and antivirus; otherwise they might cause problems during the installation.

Next, open a PowerShell prompt as an administrator and download the installation script install.ps1 to your desktop using the following command:

(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")

Unblock the installation script:

Unblock-File .\install.ps1

Then enable its execution:

Set-ExecutionPolicy Unrestricted -Force

If you receive an error message indicating that the execution policy is overridden by a policy defined at a more specific scope, you might need to pass a scope via Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force. To display the execution policies for all scopes, run Get-ExecutionPolicy -List.

Finally, execute the installation script like this:

.\install.ps1

To pass your password as an argument:

.\install.ps1 -password <password>

To use CLI mode only with minimal user interaction:

.\install.ps1 -password <password> -noWait -noGui

To use CLI mode only with minimal user interaction and a custom configuration file:

.\install.ps1 -customConfig <config.xml> -password <password> -noWait -noGui
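The whole procedure above, as an added example that is not part of the FLARE-VM project: it first checks the prerequisites the post lists (free disk, RAM, Windows version, Defender and Windows Update state), then downloads, unblocks and launches install.ps1 in CLI mode. The password value and the optional config path are placeholders you must replace; the scope fallback for Set-ExecutionPolicy is an assumption about how the error described above is handled.

```powershell
# Added example (not from the FLARE-VM project). Thresholds (60 GB, 2 GB) and
# the script URL are the ones the post gives; $Password and $Config are placeholders.
#Requires -RunAsAdministrator

$ScriptUrl  = 'https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1'
$Desktop    = [Environment]::GetFolderPath('Desktop')
$ScriptPath = Join-Path $Desktop 'install.ps1'
$Password   = '<password>'   # placeholder: the current Windows user's password
$Config     = $null          # e.g. "$Desktop\config.xml" to pass -customConfig; $null = default

# --- Pre-flight checks: warn rather than abort, so you can decide ------------
$sysDrive = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGB   = [math]::Round($sysDrive.FreeSpace / 1GB, 1)
if ($freeGB -lt 60) { Write-Warning "Only $freeGB GB free on $env:SystemDrive; FLARE-VM wants at least 60 GB." }

$ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
if ($ramGB -lt 2) { Write-Warning "Only $ramGB GB of RAM; FLARE-VM wants at least 2 GB." }

$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
if ($osVersion.Major -lt 10) { Write-Warning "Windows $osVersion detected; Windows 10 or newer is recommended." }

# Defender's real-time protection will quarantine analysis tools while they are installed.
$defender = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($defender -and $defender.RealTimeProtectionEnabled) {
    Write-Warning 'Defender real-time protection is enabled; disable it before installing.'
}
if ((Get-Service wuauserv).Status -eq 'Running') {
    Write-Warning 'Windows Update service is running; disable it before installing.'
}

# --- Download, unblock, allow execution -------------------------------------
(New-Object Net.WebClient).DownloadFile($ScriptUrl, $ScriptPath)
Unblock-File $ScriptPath

# Try the default (LocalMachine) scope first; if a more specific scope overrides
# it (the error the post describes), fall back to CurrentUser.
try   { Set-ExecutionPolicy Unrestricted -Force -ErrorAction Stop }
catch { Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force }
Get-ExecutionPolicy -List   # show the effective policy per scope

# --- Launch in CLI mode with minimal interaction ----------------------------
$installArgs = @{ password = $Password; noWait = $true; noGui = $true }
if ($Config) { $installArgs['customConfig'] = $Config }
& $ScriptPath @installArgs
```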

Once launched, the installation will download and install all the selected tools, configure environment variables, pin shortcuts to the taskbar, etc. In short, with just a few clicks, you’ll get a finely tuned reverse engineering environment, ready to dissect malware!

After installation, it is recommended to switch to host-only network mode and take a snapshot of the virtual machine. You can then customize your FLARE VM environment according to your specific needs:

  • Update the installed tools and software to ensure you have the latest versions.
  • Configure network settings according to your preferences, for example by switching to NAT or bridge mode if necessary.
  • Install additional tools or utilities that might be useful for your analysis workflow.
  • Customize the user interface settings and preferences to your liking.

And off you go!

If you want to go further and contribute to the improvement of FLARE-VM, check out the project’s GitHub repositories:
