FLARE VM and REMnux: The Tools Behind Modern Malware Analysis

Feb 17, 2026

When analyzing malware or investigating an incident, the goal isn’t just to “find the bad file.” It’s to understand what happened, how it happened, and what the malware did while it was running.

Two environments are commonly used for this kind of work:

  • FLARE VM for Windows-based reverse engineering and live system analysis
  • REMnux for static analysis and memory forensics

Together, they cover a large portion of the malware investigation workflow.

This article focuses on the tools inside these environments, especially Volatility 3, which is widely used for Windows memory analysis.

FLARE VM: Windows Analysis Environment

FLARE VM is a Windows-based malware analysis distribution. It installs a curated set of tools used for reverse engineering, debugging, and live system inspection.

It is typically used when analyzing:

  • Suspicious executables
  • Packed malware
  • Malicious scripts
  • Runtime process behavior

Some of the most relevant tools include:

Process Explorer

An advanced alternative to Task Manager.

It provides:

  • Detailed process trees
  • Loaded DLL visibility
  • Process handles
  • Digital signature verification

Usage:
Open Process Explorer before executing a suspicious sample in a controlled environment. Observe parent-child relationships and unusual process behavior.

Process Monitor (Procmon)

A real-time system activity logger.

It captures:

  • File system operations
  • Registry changes
  • Process creation
  • Thread activity

Usage:
Start Procmon, apply filters to reduce noise, then execute the sample. Review file writes, registry persistence attempts, and unusual access patterns.

x64dbg

A debugger for 32-bit and 64-bit Windows binaries.

It allows:

  • Breakpoint setting
  • Step-by-step execution
  • Memory inspection
  • API tracing

Usage:
Load the executable into x64dbg to step through its execution and analyze control flow, unpacking routines, or suspicious API calls.

Ghidra

A reverse engineering suite capable of disassembling and decompiling binaries.

Usage:
Import the executable, allow automatic analysis, and review decompiled functions to understand logic, encryption routines, and network communication behavior.

FLARE VM is primarily used for analyzing how malware behaves and how it is written.

But when dealing with a memory dump from a compromised Windows system, a different approach is needed.


REMnux and Volatility 3: Memory Forensics on Windows Images

REMnux is a Linux-based environment designed for malware analysis and digital forensics.

One of its most important tools is Volatility 3, a memory forensics framework used to analyze RAM captures from Windows systems.

Memory analysis is powerful because RAM contains:

  • Running processes
  • Command-line arguments
  • Loaded DLLs
  • Network artifacts
  • Injected code
  • Recently accessed files

Volatility uses plugins to extract different types of forensic information from a memory image.

All Windows plugins are invoked the same way:

vol3 -f <memory_image> <plugin>

Where:

  • -f specifies the memory file
  • <plugin> determines what artifact to extract

Below are the key Windows plugins and how they are used.

Core Volatility 3 Windows Plugins

windows.pstree.PsTree

vol3 -f memory.mem windows.pstree.PsTree

Lists processes in a parent-child tree structure.

Purpose:

  • Identify unusual parent-child relationships
  • Detect malware spawned by legitimate processes
  • Understand process hierarchy at time of capture

This is often the first plugin analysts run.

windows.pslist.PsList

vol3 -f memory.mem windows.pslist.PsList

Lists active processes found in the memory image.

Purpose:

  • Enumerate running processes
  • Identify suspicious names or paths
  • Compare with PsScan results

This gives a structured view of processes at the time of acquisition.

windows.cmdline.CmdLine

vol3 -f memory.mem windows.cmdline.CmdLine

Displays command-line arguments used to start processes.

Purpose:

  • Detect PowerShell abuse
  • Identify encoded commands
  • Reveal execution flags like execution policy bypass

This plugin often provides direct insight into attacker activity.

windows.filescan.FileScan

vol3 -f memory.mem windows.filescan.FileScan

Scans memory for file objects.

Purpose:

  • Identify files referenced in memory
  • Locate suspicious executables
  • Detect temporary or deleted files

This plugin often generates large outputs and may require filtering.

windows.dlllist.DllList

vol3 -f memory.mem windows.dlllist.DllList

Lists loaded DLL modules for each process.

Purpose:

  • Identify unusual or injected modules
  • Detect DLL sideloading
  • Examine module paths for anomalies

Useful when investigating code injection or process hollowing.

windows.psscan.PsScan

vol3 -f memory.mem windows.psscan.PsScan

Scans memory structures directly for process artifacts.

Purpose:

  • Detect hidden processes
  • Identify terminated processes
  • Compare with PsList to find discrepancies

This helps uncover attempts to hide activity.
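The PsScan-versus-PsList comparison and the CmdLine checks described above, as an added example that is not code from the article or the Volatility project. It assumes the plugins were run with the vol3 text renderer (a banner line, then a tab-separated header and rows); the sample output embedded below is constructed and abbreviated, not taken from a real image.

```python
"""Cross-check saved Volatility 3 output: PsScan vs PsList, CmdLine flags.
Added example, not from the article or the Volatility project. Assumes the
vol3 text renderer: a banner line, a tab-separated header, tab-separated rows.
Sample output below is constructed and abbreviated, not from a real image."""
import re

# Constructed PsList sample: only PIDs 4 and 620 are on the active list.
PSLIST = (
    "Volatility 3 Framework 2.7.0\n"
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\n\n"
    "4\t0\tSystem\t0xa0c8c3a6c040\t150\t-\tN/A\tFalse\n"
    "620\t4\texplorer.exe\t0xa0c8c5d12080\t40\t-\t1\tFalse\n"
)
# Constructed PsScan sample: the pool scan also finds PID 4812.
PSSCAN = PSLIST + "4812\t620\tpowershell.exe\t0xa0c8c6a31340\t7\t-\t1\tFalse\n"
# Constructed CmdLine sample (the -enc value is a placeholder, not a payload).
CMDLINE = (
    "Volatility 3 Framework 2.7.0\n"
    "PID\tProcess\tArgs\n\n"
    "620\texplorer.exe\tC:\\Windows\\Explorer.EXE\n"
    "4812\tpowershell.exe\tpowershell.exe -nop -w hidden -ep bypass -enc QQBCAEMA\n"
)

def parse_vol3(text):
    """Return the plugin's rows as dicts keyed by the header column names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = next(i for i, ln in enumerate(lines) if "\t" in ln)  # skip banner
    cols = lines[header].split("\t")
    return [dict(zip(cols, ln.split("\t"))) for ln in lines[header + 1:]]

def psscan_not_in_pslist(pslist_text, psscan_text):
    """PIDs PsScan found but PsList did not: hidden, unlinked, or just exited."""
    listed = {row["PID"] for row in parse_vol3(pslist_text)}
    return sorted((row["PID"], row["ImageFileName"])
                  for row in parse_vol3(psscan_text) if row["PID"] not in listed)

# Flags the CmdLine section calls out: encoded commands, policy bypass, hidden.
SUSPICIOUS_FLAGS = re.compile(
    r"-(?:enc(?:odedcommand)?|e(?:xecutionpolicy|p)\s+bypass|nop(?:rofile)?"
    r"|w(?:indowstyle)?\s+hidden)\b", re.IGNORECASE)

def suspicious_cmdlines(cmdline_text):
    """Rows whose Args column carries one of the flags above."""
    return [(row["PID"], row["Args"]) for row in parse_vol3(cmdline_text)
            if SUSPICIOUS_FLAGS.search(row.get("Args", ""))]
```

A PID that appears only in PsScan is not automatically malicious: processes that exited shortly before acquisition show up the same way, so each discrepancy should be checked against CreateTime/ExitTime and the parent shown by PsTree.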

windows.malfind.Malfind

vol3 -f memory.mem windows.malfind.Malfind

Identifies memory regions that may contain injected code.

Purpose:

  • Detect process injection
  • Identify suspicious memory segments
  • Highlight executable memory regions not backed by files

Malfind is commonly used when investigating advanced malware techniques.

Automating Volatility Output

In real investigations, outputs are often saved for documentation and review.

Instead of running each plugin manually, a loop can be used:

for plugin in windows.malfind.Malfind windows.psscan.PsScan windows.pstree.PsTree windows.pslist.PsList windows.cmdline.CmdLine windows.filescan.FileScan windows.dlllist.DllList; do
    vol3 -q -f memory.mem "$plugin" > "memory.$plugin.txt"
done

What this does:

  • Iterates through each plugin
  • Runs Volatility in quiet mode (-q)
  • Saves each result into a separate text file

This is standard preprocessing practice in digital forensics.

Extracting Strings from Memory

In addition to Volatility, the Linux strings utility is often used for quick artifact extraction.

Commands:

strings memory.mem > memory.strings.ascii.txt
strings -e l memory.mem > memory.strings.unicode_little_endian.txt
strings -e b memory.mem > memory.strings.unicode_big_endian.txt

Purpose:

  • Extract ASCII strings
  • Extract Unicode little-endian strings
  • Extract Unicode big-endian strings

Strings can reveal:

  • URLs
  • IP addresses
  • File paths
  • Registry keys
  • Embedded commands

It’s a simple tool, but extremely useful.


Putting It Together

FLARE VM focuses on:

  • Reverse engineering
  • Debugging
  • Live behavioral analysis

REMnux with Volatility focuses on:

  • Memory artifacts
  • Process reconstruction
  • Injection detection
  • Forensic evidence preservation

One environment examines the executable itself.
The other examines what it did in memory.

https://tryhackme.com/room/remnuxgettingstarted
https://tryhackme.com/room/flarevmarsenaloftools