Wednesday, December 17, 2025

Malware Analysis Lab — Secure Sample Acquisition (Sacrificial VM Method)

Introduction

This walkthrough demonstrates how to safely acquire malware samples using a temporary sacrificial virtual machine and transfer the encrypted sample into an isolated Windows 10 FLARE VM for analysis, minimizing exposure to the host system.

The goal of this exercise is to practice:

  • Safe malware handling procedures

  • Using a sacrificial VM to isolate risk

  • Secure file transfer between VMs using shared folders

  • Preparing samples for static and dynamic malware analysis

Lab Environment

  • Host OS: Windows 11

  • Virtualization: VirtualBox

  • Sacrificial VM: Windows 10 (temporary, internet-enabled)

  • Analysis VM: Windows 10 FLARE VM (no internet)

  • Malware Source: MalwareBazaar

  • Transfer Method: VirtualBox Shared Folder

  • Malware State: Password-protected ZIP (never executed)

  • Malware Sample SHA256 Hash: 025323036275f6ca30f6c79c80d2c999fe0451fe943b668055dc7bd3f8770727


Step 1 — Create the Sacrificial Downloader VM

  1. In VirtualBox, click Machine → New

  2. Name the VM: Malware_Downloader_Temp

  3. Choose:

    • ISO Image: Your downloaded Windows10.iso file

    • Type: Microsoft Windows

    • Version: Windows 10 (64-bit)

  4. Allocate:

    • Memory: 4 GB (minimum)

    • CPU: 2 processors

  5. Create a new virtual hard disk

  6. Click Finish

This VM is temporary and can be deleted after use.


Step 2 — Configure Network Isolation (Important)

  1. Select the Malware-Downloader-Temp VM

  2. Go to Settings → Network

  3. Adapter 1:

    • Attached to: NAT

    • Purpose: Temporary internet access only

Do not enable host-only or bridged networking on this VM.


Step 3 — Take a Clean Snapshot (Strongly Recommended)

Before downloading anything:

  1. Select the Malware-Downloader-Temp VM

  2. In the toolbar, click Snapshot → Take

  3. Click Take Snapshot and name it something like: Clean State - Before Malware Download

This allows instant rollback if needed.


Step 4 — Download Malware Sample (Safely)

Inside the Malware-Downloader-Temp VM:

  1. Open a browser

  2. Go to MalwareBazaar

  3. Select a commodity infostealer/loader malware sample (AgentTesla, RedLine, FormBook, AsyncRAT, LummaStealer)

    • Common in real SOC alerts

    • Touches the registry, files and processes

    • Good for beginners

  4. Download only the password-protected ZIP

MalwareBazaar | SHA256 025323036275f6ca30f6c79c80d2c999fe0451fe943b668055dc7bd3f8770727 (AsyncRAT)

Important safety rules

  • Do NOT extract the ZIP

  • Do NOT rename it to .exe

  • Do NOT open it

  • Leave it encrypted


Step 5 — Prepare the File for Transfer


  1. Create a folder in Local Disk and name it VM Shared Files

  2. Move the downloaded malware ZIP into this folder

  3. Rename it clearly: Malware Sample [Hash]

This prevents accidental execution.


Step 6 — Create a Shared Folder in VirtualBox

Now we’ll create a one-way transfer path.

On the Host Machine:

  1. Create a folder in the C: Drive and name it VM_Shared_Malware

In VirtualBox:

  1. Power off Malware-Downloader-Temp

  2. Go to Settings → Shared Folders

  3. Click Add New

  4. Configure:

    • Folder Path: C:\VM_Shared_Malware

    • Folder Name: SharedMalware (this is the name the guest sees as \\VBOXSVR\SharedMalware)

  5. Start the sacrificial VM


Step 7 — Install Guest Additions to Access Shared Folder

Inside Malware-Downloader-Temp VM:

  1. Go to Devices and click Insert Guest Additions CD image

  2. Run VBoxWindowsAdditions.exe from the mounted CD

  3. Reboot the VM

Now, you will be able to access the shared folder.


Step 8 — Copy Malware ZIP to Shared Folder

Inside Malware-Downloader-Temp VM:

  1. Open File Explorer and navigate to: \\VBOXSVR\SharedMalware

  2. Copy malware_sample_[Hash].zip into the shared folder


The file is now accessible to other VMs using the same shared folder.


Step 9 — Disconnect Internet on the Downloader VM

Once the transfer is complete:

  1. Power off Malware-Downloader-Temp

  2. Go to Settings → Network

  3. Disable the adapter that allows Internet access, or set it to Not Attached

At this point, the malware ZIP is:

  • Encrypted

  • Offline

  • Not executable

  • Minimally exposed to the host OS


Step 10 — Mount the Shared Folder on FLARE VM

  1. Attach the host VM_Shared_Malware folder to your Windows 10 FLARE VM

  2. Start your Windows 10 FLARE VM

  3. Ensure Guest Additions are installed

  4. In File Explorer, navigate to: \\VBOXSVR\SharedMalware

  5. Copy the malware ZIP from the shared folder to your FLARE VM malware folder
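
Before moving on to Step 11, a check worth running on the FLARE VM against the staged ZIP: this added Python script (not part of the original write-up) confirms every entry is still password-protected without extracting or reading anything, records the archive's own SHA256 for the lab notes, and checks that the sample hash listed in the Lab Environment section appears in the file name chosen in Step 5. The make_fixture_zip helper builds a constructed test input so the script can be exercised offline; it is not a real sample.

```python
"""Pre-analysis check for the staged MalwareBazaar ZIP on the FLARE VM: reads only
the central directory (never extracts or reads entries), records the archive SHA256
for the lab notes, and checks the sample hash from the write-up is in the file name."""
import hashlib
import io
import struct
import zipfile

# Sample SHA256 from the lab write-up (hash of the inner sample, not of the ZIP).
EXPECTED_SAMPLE_SHA256 = "025323036275f6ca30f6c79c80d2c999fe0451fe943b668055dc7bd3f8770727"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_archive(zip_bytes: bytes, file_name: str, expected_hash: str) -> dict:
    """General purpose bit 0 set on an entry means that entry is encrypted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = zf.infolist()  # central directory only, no payload access
    unencrypted = [e.filename for e in entries if not e.flag_bits & 0x1]
    return {
        "archive_sha256": sha256_of(zip_bytes),
        "entry_count": len(entries),
        "all_encrypted": bool(entries) and not unencrypted,
        "unencrypted_entries": unencrypted,
        "name_has_expected_hash": expected_hash.lower() in file_name.lower(),
    }


def safe_to_stage(report: dict) -> bool:
    """Only a fully encrypted, correctly labelled archive goes into the analysis folder."""
    return report["all_encrypted"] and report["name_has_expected_hash"]


def make_fixture_zip(entry_name: str, encrypted: bool) -> bytes:
    """Constructed fixture, not a real sample: a one-entry STORED zip. With
    encrypted=True the encrypted flag bit is patched into both headers (the only
    thing check_archive inspects); the placeholder bytes are not really encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, b"placeholder bytes, not a real sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        # flag field sits at +6 in the local header and +8 in the central directory header
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig) + off
            struct.pack_into("<H", data, pos, struct.unpack_from("<H", data, pos)[0] | 0x1)
    return bytes(data)
```

On the FLARE VM, read the staged file's bytes and pass them with its file name to check_archive; a False from safe_to_stage means stop and re-acquire rather than continue.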



Step 11 — Lock Down the Environment

After successful transfer:

On the Host:

  • Delete the ZIP from C:\VM_Shared_Malware

In VirtualBox:

  • Remove the shared folder (once analysis begins, the share is an unnecessary path between the analysis VM and the host; removing it shrinks the attack surface and reduces the risk of malware leaking out)

Optional (Recommended):

  • Delete the Malware-Downloader-Temp VM entirely

  • Or revert it to the clean snapshot

Final Outcome

  • Malware sample was safely acquired using a sacrificial VM

  • Malware sample remained encrypted throughout transfer

  • No malware was ever extracted or executed on the host

  • FLARE VM is now ready for static and dynamic analysis
