Talk to Sales

    Please leave your details and our representative would contact you immediately

    First Name

    Last Name

    Job Title

    Company

    Business email

    Country

    Phone (optional)

    We’re using

    Radare Plugin is Here for Intezer Community

    Written by Joakim Kennedy - 8 February 2022

      Share article
      FacebookTwitterLinkedInRedditCopy Link

      Get Free Account

      Join Now

      Top Blogs

      When you reverse engineer code as part of an incident response team, you want to quickly get information about what kind of threat you’re dealing with.

      A while back we released Intezer Analyze plugins both for IDA Pro and Ghidra to help you zero in on a file’s malicious and unique code. Now it is Radare’s turn. Radare2 (r2) is an open-source tool chain for reverse engineering and forensics. With the release of the community plugin r2analyze, r2 users can now supercharge their reversing session with code genomics from Intezer to attribute the malware family or threat actor.

      The Radare Plugin for Reverse Engineering

      How to get started:

      1. Make sure you have an Intezer Analyze community account, or a paid team account. (If not, register here.)
      2. Submit the file to Intezer Analyze.
      3. Install the plugin via pip: pip install r2analyze.
      4. Add your API key as an environment variable named INTEZER_API_KEY.
      5. Open the file in r2 and perform an initial analysis (aaa).
      6. Run the plugin as a r2pipe command (#!pipe r2analyze).

      Here is an example using a ScarCruft sample (7c82689142a415b0a34553478e445988980f48705735939d6d33c17e4e8dac94). The result from Intezer Analyze is shown below.

      radare-plugin-reverse-engineering
      Intezer Analyze result for a ScarCruft sample.

      If you open the sample and run the plugin, you can see below that four items in the flag space called gene have been created. 

      Executing r2analyze as a r2pipe plugin.

      If selecting only that flag space and listing all the flags, you can see that four functions have been identified as unique to ScarCruft.

      Listing detected functions.

      If Radare2 is your preferred framework for reverse-engineering and analyzing binaries, now you can use this Intezer Analyze plugin to save time and get additional insights for your incident response team.

      Intezer automates the malware analysis process to quickly identify and classify malware families. Analyze malware and unknown files for free at analyze.intezer.com

      Additional Resources

      Joakim Kennedy

      Dr. Joakim Kennedy is a Security Researcher analyzing malware and tracking threat actors on a daily basis. For the last few years, Joakim has been researching malware written in Go. To make the analysis easier he has written the Go Reverse Engineering Toolkit (github.com/goretk), an open-source toolkit for analysis of Go binaries.

      Recommended Articles

      Generic filters
      Exact matches only
      Search in title
      Search in content
      Search in excerpt