- What does VGL4NT mean?
  V.G.L.4.N.T. is a play on "Vigilant" and stands for "Visual Guided Learning 4 Neutralizing Threats".
- What is the primary purpose of your webapp and the main problem it solves?
  The primary purpose of the webapp is to quickly and accurately identify the packer used in a malware sample by leveraging machine learning.
- What are some common use cases or target audience for your webapp?
  The webapp is designed for malware analysts, cybersecurity professionals, and researchers who need to quickly and accurately identify the packer used in a malware sample.
- What types of files can be uploaded to your webapp for analysis?
  Users can upload executable files (EXE, Bin, ELF, DLLs) with a maximum size of 10MB.
- How does your machine learning model classify the packers used in the uploaded files?
  The bytes of the uploaded file are converted into grayscale values, forming an image. This image is then passed to an image machine learning model that has been trained on a large number of packed malware samples.
- Are there any limitations or restrictions users should be aware of?
  Currently, the model can only classify a limited number of packer tools (see the list under Notes). This is due to limitations of the current hardware, but there are plans to invest in better hardware to cater to more categories in the future.
- How accurate is the model?
  The model's accuracy is constantly evaluated by comparing its predictions to the actual packer labels in a test dataset, which consists of samples the model hasn't seen before. However, false positives are possible, so it's still a good idea to cross-check the results with other packer detection tools to ensure the most accurate identification.
- How long does it take for the webapp to classify a packer, and are there any factors that can affect the processing time?
  The model can classify an uploaded file in a matter of seconds, as it has already been trained and knows what to look for in packer patterns. However, factors such as server load and file size may affect the processing time to some extent.
- Is user data and uploaded file information kept confidential and secure?
  User data is not kept, and the webapp prioritizes confidentiality and security. The uploaded malware samples are stored on the server and used for further training of the model. Previously unseen malware samples may be shared with other services like MalwareBazaar to make them freely available to the community.
- How can users provide feedback, report issues, or request new features for the webapp?
  Users can reach out via email at admin@vgl4nt.com or on Twitter at @vgl4nt for feedback, issues, or feature requests.
- How can users stay updated on the latest news and updates about the webapp?
  Users can stay updated on the latest news and updates about the webapp by following @vgl4nt on Twitter or regularly checking the webapp's website for announcements. The model will be updated on a regular basis (weekly, for now), and the accuracy results of the model will be published to help users understand its performance.
Disclaimer - This tool is still in open beta and is currently being improved. Expect false positives.
How does it work? - The app converts the uploaded file into an image and feeds it into a machine learning model. The model then detects compression and obfuscation patterns that are innate to the packer utilized.
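As an added illustration of the preprocessing step described above (example code, not VGL4NT's own), this converts the first 4096 bytes of a file into a 64x64 grayscale image and writes it out as a PGM; the 64x64 layout, the zero-padding of short files and the PGM format are assumptions, and the sample input is constructed, not a real executable.

```python
# Added example, not VGL4NT's own code: first 4096 bytes of a file -> grayscale image.
# The 64x64 layout and the PGM output format are assumptions for illustration.
from typing import List

HEAD_BYTES = 4096   # page states the first 4096 bytes of headers/sections are used
WIDTH = 64          # assumed layout: 4096 bytes -> 64 rows x 64 columns

def bytes_to_grayscale(data: bytes, length: int = HEAD_BYTES, width: int = WIDTH) -> List[List[int]]:
    """Truncate or zero-pad `data` to `length` bytes and reshape it into rows of
    `width` pixels. Each byte value (0-255) is used directly as a grey level."""
    if length % width:
        raise ValueError("length must be a multiple of width")
    window = data[:length].ljust(length, b"\x00")  # pad short files with 0x00 (black)
    return [list(window[i:i + width]) for i in range(0, length, width)]

def to_pgm(rows: List[List[int]]) -> bytes:
    """Serialise the pixel grid as a binary PGM (P5) image, viewable in most image tools."""
    height, width = len(rows), len(rows[0])
    header = f"P5\n{width} {height}\n255\n".encode("ascii")
    return header + b"".join(bytes(r) for r in rows)

def constructed_sample() -> bytes:
    """Constructed input (not a real executable): an 'MZ' marker, a run of zeros that
    mimics header padding, then high-entropy bytes that mimic a packed section."""
    mz = b"MZ"
    padding = b"\x00" * 510
    state, body = 0x12345678, bytearray()
    for _ in range(3000):             # simple LCG; deterministic so results are reproducible
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        body.append(state >> 24)
    return mz + padding + bytes(body)  # 3512 bytes: shorter than 4096, so it gets padded

def demo() -> dict:
    img = bytes_to_grayscale(constructed_sample())
    pgm = to_pgm(img)
    return {
        "rows": len(img),
        "cols": len(img[0]),
        "first_pixels": img[0][:2],                 # [77, 90] == b"MZ"
        "last_row_padded": all(p == 0 for p in img[-1]),
        "pgm_size": len(pgm),                       # 13-byte header + 4096 pixels
    }

if __name__ == "__main__":
    with open("sample.pgm", "wb") as f:
        f.write(to_pgm(bytes_to_grayscale(constructed_sample())))
    print(demo())
```

Opening the resulting sample.pgm shows the zero-padded header as a dark band and the synthetic packed section as noise, which is the kind of visual contrast an image classifier can pick up on.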
Notes
- Currently, the model can only detect the following packers: aspack, alienyze, amber, beroexepack, enigma_virtual_box, eronana_packer, exe32pack, expressor, fsg, jdpack, mew, mpress, molebox, neolite, nspack, pecompact, petite, themida, upx.
- The model assumes that the uploaded file is packed. If it is not, it will still try to classify it according to the list above.
Frequently Asked Questions
Releases
- 2023-05-20 - Improvement to approach that combines predictions. More info here.
- 2023-05-13 - Can now classify between 20 categories. More to come soon.
- 2023-04-27 - First 4096 bytes of the file's headers and sections are now used for classification.
- 2023-04-23 - Updated training dataset using sanitized samples from this repository.
- 2023-04-19 - Initial model release
Todo
- Get more packed samples for training the model to increase accuracy.
- Get more hardware to increase the capability to detect more packer categories.
- Implement smart detection of important packer sections for better accuracy.
Big thanks to
- Awesome Executable Packing - A curated list of awesome resources related to executable packing
- MalwareBazaar - MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers.
- Unpac.me - UNPACME is an automated malware unpacking service.