Malware Analysis in an Isolated Lab: Safe Setup with FlareVM and REMnux
How to build an air-gapped lab with FlareVM and REMnux for reverse engineering real samples without contaminating your network or burning IOCs.
You pulled a suspicious sample from a real phishing campaign, unzipped it on your desktop, and realized too late that Defender already shipped the hash off to MAPS. Congratulations, you just burned an IOC, polluted telemetry, and possibly tipped off the adversary. Before you touch any binary with a .exe, .iso, or .lnk extension, you need an isolated, reproducible, disposable lab. The FlareVM (Windows, offensive and analysis) plus REMnux (Linux, defensive and network tooling) combo has been the de facto standard since 2020. In this walkthrough we build it from scratch on VirtualBox 7.1, with versioned snapshots and a host-only network that has no gateway to anywhere real.
Start with the hypervisor. VirtualBox 7.1 or VMware Workstation 17 both work; avoid KVM unless you are already comfortable with libvirt and VLANs, because the odds of misconfiguring a bridge and exposing your sample to the home LAN are non-trivial. Spin up two VMs: a Windows 10 22H2 box (not 11, since some implants check the build) with 4 vCPU, 8 GB RAM and an 80 GB dynamic disk, and an Ubuntu 22.04 box that will become REMnux. Disable every host integration: shared folders, clipboard, drag-and-drop, USB passthrough. Use a host-only network without DHCP and assign 10.66.66.10 (FlareVM) and 10.66.66.20 (REMnux) by hand. If you came from the web side, you have done this dance in Web Pentesting From Scratch: Building a Safe Lab with DVWA, Juice Shop and Burp Suite.
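Disabling the integrations is easy to do once and undo by accident later (a helpful "restore clipboard" click, a NIC flipped to NAT for a Chocolatey update). The preflight below is an added example, not code from the article or from the FLARE-VM and REMnux projects: it parses the key="value" output of `VBoxManage showvminfo <vm> --machinereadable` and lists every setting that would give a sample a path out. The key names it looks for (nic1, hostonlyadapter1, clipboard, draganddrop, usb, SharedFolderNameMachineMapping1) are as printed by VirtualBox 6.x/7.x on Linux, and the `vboxnet` adapter prefix is a Linux convention; both are assumptions to confirm against your own version before trusting a green result.

```python
"""Isolation preflight for a VirtualBox analysis guest (added example).

Reads `VBoxManage showvminfo <vm> --machinereadable` output and reports every
host-integration setting that must be off before a sample runs. Key names are
taken from VirtualBox 6.x/7.x output and are an assumption, not a stable API.
"""
import re
import subprocess
import sys

# Accepts plain keys (memory=8192) and quoted ones ("SATA-0-0"="disk.vdi").
KV_RE = re.compile(r'^"?([^"=]+)"?="?(.*?)"?$')

# Settings that must hold exactly for a detonation guest.
REQUIRED = {"clipboard": "disabled", "draganddrop": "disabled", "usb": "off"}


def parse_showvminfo(text: str) -> dict:
    """Turn machine-readable showvminfo output into a flat dict."""
    info = {}
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info


def isolation_findings(info: dict, lab_adapter_prefix: str = "vboxnet") -> list:
    """Return human-readable violations; an empty list means the guest is isolated."""
    findings = []
    for key, val in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if not m or val == "none":
            continue  # disabled NIC slot
        if val != "hostonly":
            # nat, natnetwork, bridged, intnet: each gives the sample a route or a peer
            findings.append(f"{key}={val}: only host-only adapters are allowed")
            continue
        adapter = info.get(f"hostonlyadapter{m.group(1)}", "")
        if not adapter.startswith(lab_adapter_prefix):
            findings.append(f"{key} bound to {adapter!r}, expected a {lab_adapter_prefix}* lab adapter")
    for key, wanted in REQUIRED.items():
        actual = info.get(key, "<missing>")
        if actual != wanted:
            findings.append(f"{key}={actual}: expected {wanted}")
    shares = [v for k, v in info.items() if k.startswith("SharedFolderNameMachineMapping")]
    if shares:
        findings.append("shared folders still mapped: " + ", ".join(shares))
    return findings


def check_vm(vm_name: str) -> list:
    """Query a live VM and run the checks (needs VBoxManage on PATH)."""
    out = subprocess.run(
        ["VBoxManage", "showvminfo", vm_name, "--machinereadable"],
        check=True, capture_output=True, text=True,
    ).stdout
    return isolation_findings(parse_showvminfo(out))


# Constructed sample outputs for offline use: a locked-down guest and a leaky one.
CLEAN_OUTPUT = """\
name="FlareVM"
memory=8192
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"
clipboard="disabled"
draganddrop="disabled"
usb="off"
"""

LEAKY_OUTPUT = """\
name="FlareVM"
nic1="nat"
nic2="hostonly"
hostonlyadapter2="vboxnet0"
clipboard="bidirectional"
draganddrop="disabled"
usb="on"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/analyst/samples"
"""

if __name__ == "__main__":
    # `python preflight.py FlareVM` checks a real VM; no argument runs the constructed sample.
    problems = check_vm(sys.argv[1]) if len(sys.argv) > 1 else isolation_findings(parse_showvminfo(LEAKY_OUTPUT))
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Run it against both VMs right before every detonation, not just after the initial build; a non-zero exit is the cue to revert to the clean snapshot and look at what changed.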
FlareVM installation demands a fresh Windows install, not domain joined, no pending updates, with Defender temporarily disabled via local policy. Mandiant's installer (the `install.ps1` script from the FLARE-VM repo) pulls down dozens of Chocolatey packages: x64dbg, IDA Free, Ghidra, dnSpy, PE-bear, Detect It Easy, FLOSS, CAPA, pestudio. Budget around two hours and 30 GB of download. When it finishes, take the snapshot named 'Clean-FlareVM-Base' before any execution. That snapshot is your sacred rollback: every detonated sample reverts to it. Document each tool version in a versioned markdown file, because CAPA 7.x and 8.x produce incompatible outputs.
REMnux serves as the passive tap and fake services box. Instead of installing from scratch, grab the official OVA appliance from Lenny Zeltser, import it, and on first boot run `remnux update` then `remnux upgrade`. Configure INetSim in `/etc/inetsim/inetsim.conf` to bind on 10.66.66.20, enabling HTTP, HTTPS, DNS, SMTP, IRC, and FTP. On the FlareVM side, point the default gateway and DNS at 10.66.66.20. Net result: any C2 the malware tries to reach lands in INetSim, which returns fake binaries and logs every byte. It gives you the same visibility you would get with Burp in REST and GraphQL API Pentest: Technical Checklist for Legal Bug Bounty but at the raw packet level.
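INetSim writes everything it is asked for to `/var/log/inetsim/service.log`, and that file is where the network IOCs for the case come from. The parser below is an added example, not part of the article or of INetSim. It assumes the per-connection line layout of service.log, `[timestamp] [pid] [service pid] [client_ip:port] message`, with messages such as `connect`, `Query Type A, Class IN, Name host`, `recv: GET /path HTTP/1.1` and `recv: Host: host`; verify that layout against your INetSim version. The sample log is constructed and uses the reserved `.invalid` TLD.

```python
"""Pull network IOCs out of INetSim's service.log (added example).

Assumes the line layout  [ts] [pid] [service pid] [client_ip:port] message
as written by INetSim; the sample log below is constructed.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+)\] \[(?P<service>\S+) (?P<spid>\d+)\] "
    r"\[(?P<client>[\d.]+):(?P<cport>\d+)\] (?P<msg>.*)$"
)
DNS_RE = re.compile(r"Query Type (?P<qtype>\w+), Class \w+, Name (?P<name>\S+)")
REQ_RE = re.compile(r"^recv: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d")
HOST_RE = re.compile(r"^recv: Host: (?P<host>\S+)")


@dataclass
class Iocs:
    dns_queries: Set[str] = field(default_factory=set)
    # (service, method, host, path) in the order the sample issued them
    http_requests: List[Tuple[str, str, str, str]] = field(default_factory=list)
    connections: Counter = field(default_factory=Counter)


def extract_iocs(lines: Iterable[str]) -> Iocs:
    """Walk the log once, stitching each HTTP request line to its Host header per connection."""
    iocs = Iocs()
    pending = {}  # (service, client_ip, client_port) -> (method, path) awaiting a Host header
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # banners, blank lines, anything not in the per-connection format
        service, msg = m["service"], m["msg"]
        conn = (service, m["client"], m["cport"])
        if msg == "connect":
            iocs.connections[service] += 1
        elif msg == "disconnect":
            if conn in pending:  # request seen but the peer closed before sending Host
                method, path = pending.pop(conn)
                iocs.http_requests.append((service, method, "<no Host header>", path))
        elif (d := DNS_RE.search(msg)):
            iocs.dns_queries.add(d["name"].rstrip("."))
        elif (r := REQ_RE.match(msg)):
            pending[conn] = (r["method"], r["path"])
        elif (h := HOST_RE.match(msg)) and conn in pending:
            method, path = pending.pop(conn)
            iocs.http_requests.append((service, method, h["host"], path))
    return iocs


def report(iocs: Iocs) -> List[str]:
    """Plain-text summary for the case notes."""
    out = [f"{svc}: {n} connection(s)" for svc, n in sorted(iocs.connections.items())]
    out += [f"DNS  {name}" for name in sorted(iocs.dns_queries)]
    out += [f"{svc:14} {method:4} {host}{path}" for svc, method, host, path in iocs.http_requests]
    return out


# Constructed sample: one DNS lookup, one cleartext download, one TLS check-in without a Host header.
SAMPLE_LOG = """\
[2024-03-01 10:00:01] [2001] [dns_53_tcp_udp 2012] [10.66.66.10:49153] connect
[2024-03-01 10:00:01] [2001] [dns_53_tcp_udp 2012] [10.66.66.10:49153] Query Type A, Class IN, Name update.c2.example.invalid
[2024-03-01 10:00:01] [2001] [dns_53_tcp_udp 2012] [10.66.66.10:49153] Response: update.c2.example.invalid -> 10.66.66.20
[2024-03-01 10:00:01] [2001] [dns_53_tcp_udp 2012] [10.66.66.10:49153] disconnect
[2024-03-01 10:00:02] [2001] [http_80_tcp 2010] [10.66.66.10:49154] connect
[2024-03-01 10:00:02] [2001] [http_80_tcp 2010] [10.66.66.10:49154] recv: GET /gate/update.exe HTTP/1.1
[2024-03-01 10:00:02] [2001] [http_80_tcp 2010] [10.66.66.10:49154] recv: Host: update.c2.example.invalid
[2024-03-01 10:00:02] [2001] [http_80_tcp 2010] [10.66.66.10:49154] recv: User-Agent: Mozilla/4.0
[2024-03-01 10:00:03] [2001] [http_80_tcp 2010] [10.66.66.10:49154] disconnect
[2024-03-01 10:00:04] [2001] [https_443_tcp 2011] [10.66.66.10:49155] connect
[2024-03-01 10:00:04] [2001] [https_443_tcp 2011] [10.66.66.10:49155] recv: POST /api/checkin HTTP/1.1
[2024-03-01 10:00:04] [2001] [https_443_tcp 2011] [10.66.66.10:49155] disconnect
"""

if __name__ == "__main__":
    # usage: python inetsim_iocs.py [/var/log/inetsim/service.log]; no argument parses the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found = extract_iocs(fh)
    else:
        found = extract_iocs(SAMPLE_LOG.splitlines())
    print("\n".join(report(found)))
```

Keying the pending request on (service, client IP, client port) is what keeps two simultaneous connections from swapping Host headers; a sample that opens several sockets at once is the normal case, not the edge case.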
Traffic capture is the second pillar. Run Wireshark on REMnux in promiscuous mode on the host-only adapter, plus tcpdump in parallel writing 100 MB rotated PCAPs. Layer Suricata as an IDS with ET Open rules, and Emerging Threats Pro if you have a research license. For samples that speak TLS, set up mitmproxy with its root cert pushed into the Windows trust store. Yes, this breaks pinning, but most commodity stealers (Redline, Vidar, Lumma) do not implement it. Heavier gear like Cobalt Strike beacons or Sliver implants also requires unhooking; we covered that theory in EDR Evasion for Research: Direct Syscalls Explained Without the Hype and the C2 counterpart in Building C2 Infra with Sliver in an Isolated Lab for Defensive Research.
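Suricata's `eve.json` is the file you actually read after a run, and a detonation that touches a dozen fake services produces far more events than alerts. The triage below is an added example, not from the article or from Suricata: it ranks alerts by signature (Suricata severity 1 is the most severe), records which lab flow each one fired on, and pulls the DNS query names and TLS SNI values Suricata logged alongside them, which is the context you need to decide whether the mitmproxy interception above is worth the effort for this sample. Field names follow the EVE JSON schema (`event_type`, `dest_ip`, `dest_port`, `alert.signature`, `alert.signature_id`, `alert.severity`, `alert.category`, `dns.rrname`, `tls.sni`). The events are constructed, and the signature ids and names are placeholders, not real ET rules.

```python
"""Triage Suricata eve.json alerts and join them with DNS/TLS context (added example).

Field names follow Suricata's EVE JSON output; the events below are constructed
and use placeholder signature ids, not real ET rules.
"""
import json
import sys
from typing import Dict, Iterable, List


def load_events(lines: Iterable[str]) -> List[dict]:
    """One JSON object per line; lines truncated mid-write are skipped, not fatal."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def triage(events: Iterable[dict]) -> dict:
    """Group alerts by signature, worst severity first; collect DNS names and TLS SNIs."""
    by_sig: Dict[str, dict] = {}
    dns_names, tls_sni = set(), set()
    for ev in events:
        kind = ev.get("event_type")
        if kind == "alert":
            a = ev["alert"]
            entry = by_sig.setdefault(a["signature"], {
                "sid": a.get("signature_id"),
                "severity": a.get("severity", 3),
                "category": a.get("category", ""),
                "count": 0,
                "flows": set(),
            })
            entry["count"] += 1
            entry["flows"].add(f'{ev.get("dest_ip")}:{ev.get("dest_port")}')
        elif kind == "dns" and ev.get("dns", {}).get("type") == "query":
            dns_names.add(ev["dns"].get("rrname", "").rstrip("."))
        elif kind == "tls" and ev.get("tls", {}).get("sni"):
            tls_sni.add(ev["tls"]["sni"])
    # Severity 1 is the most severe, so sort ascending by severity, then by hit count descending.
    ranked = sorted(by_sig.items(), key=lambda kv: (kv[1]["severity"], -kv[1]["count"]))
    alerts = [{"signature": sig, "sid": v["sid"], "severity": v["severity"],
               "category": v["category"], "count": v["count"], "flows": sorted(v["flows"])}
              for sig, v in ranked]
    return {"alerts": alerts, "dns": sorted(dns_names), "tls_sni": sorted(tls_sni)}


def format_report(t: dict) -> List[str]:
    out = [f"[sev {a['severity']}] x{a['count']:<3} sid {a['sid']} {a['signature']} -> {', '.join(a['flows'])}"
           for a in t["alerts"]]
    out += [f"DNS query: {n}" for n in t["dns"]]
    out += [f"TLS SNI:   {s}" for s in t["tls_sni"]]
    return out


# Constructed eve.json lines; the last one is deliberately truncated to exercise load_events.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2024-03-01T10:00:01.000000+0000","event_type":"dns","src_ip":"10.66.66.10","dest_ip":"10.66.66.20","proto":"UDP","dns":{"type":"query","id":1,"rrname":"update.c2.example.invalid","rrtype":"A"}}',
    '{"timestamp":"2024-03-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.66.66.10","src_port":49154,"dest_ip":"10.66.66.20","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LAB MALWARE Executable download over HTTP (constructed)","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2024-03-01T10:00:04.000000+0000","event_type":"tls","src_ip":"10.66.66.10","src_port":49155,"dest_ip":"10.66.66.20","dest_port":443,"proto":"TCP","tls":{"sni":"update.c2.example.invalid","version":"TLS 1.2"}}',
    '{"timestamp":"2024-03-01T10:00:04.100000+0000","event_type":"alert","src_ip":"10.66.66.10","src_port":49155,"dest_ip":"10.66.66.20","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"LAB POLICY Self-signed TLS certificate (constructed)","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2024-03-01T10:00:05.000000+0000","event_type":"alert","src_ip":"10.66.66.10","src_port":49156,"dest_ip":"10.66.66.20","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LAB MALWARE Executable download over HTTP (constructed)","category":"A Network Trojan was detected","severity":1}}',
    '{"event_type":"alert","truncated',
])

if __name__ == "__main__":
    # usage: python eve_triage.py [/var/log/suricata/eve.json]; no argument runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            events = load_events(fh)
    else:
        events = load_events(SAMPLE_EVE.splitlines())
    print("\n".join(format_report(triage(events))))
```

Because every destination in the lab is 10.66.66.20, the flow column is only useful for the port; the DNS and SNI lines are what tell you which name the sample believed it was talking to.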
Detonation workflow: copy the sample with shared folders DISABLED. Use scp from REMnux to FlareVM over a temporary SSH service, then kill the service. Compute SHA256 with `Get-FileHash`, log it in your spreadsheet alongside source, date, and initial hypothesis. Run FLOSS to extract obfuscated strings, CAPA to map capabilities to MITRE ATT&CK, and Detect It Easy to fingerprint the packer. UPX? `upx -d` it. Custom packer? x64dbg with ScyllaHide, dump at OEP, same logic defenders apply in Memory Forensics with Volatility 3: Analyzing Dumps in a Reproducible Lab but inverted. Procmon and Process Hacker in the background capture filesystem and registry IOCs in real time.
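The hash-and-log step is the one people skip when the sample is "obviously" the same as last week's, which is exactly how two different builds end up under one case number. The script below is an added example, not from the article: it does the `Get-FileHash` plus spreadsheet step from the REMnux or analyst side, refuses to log a SHA256 twice, and classifies the file from its header bytes (MZ, PK, the .lnk header, the ISO 9660 volume descriptor at sector 16) so the .iso-wrapping-a-.lnk-wrapping-an-.exe chain is visible at intake. Header-byte typing is a first look, not a replacement for Detect It Easy, and the CSV path and column names are this script's own conventions.

```python
"""Sample intake: hashes, header-byte typing and a dedup-aware case log (added example).

CSV layout and column names are this script's own convention; the magic-byte
table only recognises the container types the article mentions plus a few
common office formats.
"""
import csv
import hashlib
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

# (offset, magic, label). Offsets matter: ISO 9660 keeps its volume descriptor at sector 16.
MAGICS = [
    (0, b"MZ", "pe"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"L\x00\x00\x00\x01\x14\x02\x00", "lnk"),  # HeaderSize 0x4C + start of LinkCLSID
    (0, b"%PDF", "pdf"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy Office, MSI
    (0x8001, b"CD001", "iso"),
]
COLUMNS = ["logged_at", "sha256", "sha1", "md5", "size", "type", "filename", "source", "hypothesis"]


def hashes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA1 are kept only because sharing platforms still index on them."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def file_type(data: bytes) -> str:
    for offset, magic, label in MAGICS:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def intake_record(data: bytes, filename: str, source: str, hypothesis: str,
                  when: Optional[datetime] = None) -> Dict[str, str]:
    when = when or datetime.now(timezone.utc)
    h = hashes(data)
    return {
        "logged_at": when.isoformat(timespec="seconds"),
        "sha256": h["sha256"], "sha1": h["sha1"], "md5": h["md5"],
        "size": str(len(data)), "type": file_type(data),
        "filename": filename, "source": source, "hypothesis": hypothesis,
    }


class IntakeLog:
    """In-memory view of the case CSV; add() returns False for a SHA256 already logged."""

    def __init__(self, records: Optional[List[Dict[str, str]]] = None):
        self.records = list(records or [])
        self._seen = {r["sha256"] for r in self.records}

    @classmethod
    def load(cls, path: Path) -> "IntakeLog":
        if not path.exists():
            return cls()
        with path.open(newline="", encoding="utf-8") as fh:
            return cls(list(csv.DictReader(fh)))

    def add(self, record: Dict[str, str]) -> bool:
        if record["sha256"] in self._seen:
            return False
        self._seen.add(record["sha256"])
        self.records.append(record)
        return True

    def save(self, path: Path) -> None:
        with path.open("w", newline="", encoding="utf-8") as fh:
            writer = csv.DictWriter(fh, fieldnames=COLUMNS)
            writer.writeheader()
            writer.writerows(self.records)


if __name__ == "__main__":
    # usage: python intake.py <sample> <source> "<initial hypothesis>" [case.csv]
    sample, source, hypothesis = sys.argv[1:4]
    log_path = Path(sys.argv[4] if len(sys.argv) > 4 else "intake.csv")
    rec = intake_record(Path(sample).read_bytes(), Path(sample).name, source, hypothesis)
    log = IntakeLog.load(log_path)
    if log.add(rec):
        log.save(log_path)
        print(f"logged {rec['type']} {rec['sha256']}")
    else:
        print(f"already logged: {rec['sha256']}")
```

The SHA256 from this record is the value you later compare against the `Get-FileHash` output inside FlareVM; a mismatch means the copy over the temporary SSH service did not deliver what you think it did.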
Operational hygiene separates the serious researcher from the amateur who becomes patient zero. Never wire the analysis VM into your real LAN. Never sign into a personal account inside it. Treat every hash as potentially tied to an actor with retaliation capability; we unpack those principles in OPSEC for Security Researchers: Building a Personal Threat Model and Digital Compartmentalization: Separate Identities Without Leaking Metadata. VirusTotal submissions are public: assume the adversary monitors their own hashes. Use MalwareBazaar to collect, Triage or Any.Run to detonate publicly when OPSEC allows, and keep samples encrypted in VeraCrypt containers offline.
Practical takeaway: spend your first weekend just building the lab and grinding known samples from MalwareBazaar (the 'Emotet' or 'AgentTesla' tags work great as training wheels). Before you run a real customer sample, do three rounds of detonation, snapshot rollback, and verification that INetSim captured traffic the way you expected. If you cannot reproduce the same result twice in a row, your lab is not ready, and you will contaminate the investigation. Reproducibility beats speed every single time.