Posted July 29, 2016 Hello, I have a malicious dotnet sample packer, anyone know the packer type and how to unpack it? I have tried de4dot but it failed. Thank you Dumped.zip
July 29, 2016 You seem to have taken the time to upload it and write all that, but didn't take the time to specify the password. Great start.
July 30, 2016 10 hours ago, kao said: it's the industry standard - "infected" Oh... *brain fart* :> thanks xD @Hacktreides this is the only thing I could recover from it (sample corrupted): https://mega.nz/#!agw12KzJ!upg0JNycjHRRcPqvb2r3zVjTQN1B7iohEZMHOLcSp6o (note: it's an auto-decompressing exe) Also with DotNetResolver + Strings plugin you will be able to see most of the strings and stuff, sorry I couldn't give you a cleaner sample, couldn't get past the cflow obfuscation. Protector is ConfuserEx just as ExeInfo and PEiD specified; it's in between the 0.3.0 and 0.4.0 version. Edited July 30, 2016 by 0xNOP
July 31, 2016 (Author) @0xNOP nice work! Thank you. Can you explain the workaround to me? I have downloaded DotNetResolver from here but I'm unable to find the compiled dll plugin for strings. And after that how did you get the unpacked binary? And how did you identify ConfuserEx? On my dumped file RDG protector says dotnet crypter and my PEiD says just "Microsoft Visual C# / Basic .NET [Overlay]".
July 31, 2016 Well, once you study ConfuserEx for a while you get used to seeing so many landmarks within the protected assemblies that it's not strange to spot them with the naked eye afterwards, you just need to really know them. For example, the CCTOR body at the entry point is very different when you use Normal Anti-Tamper vs. JIT Anti-Tamper, so once you identify that, you keep on going, then move onto strings decryption and lastly cflow. Everything is hosted on GitHub so it's easier to see where you're stepping through if you feel kinda lost; also tools like the ones CodeCracker made (and other people as well) will come in handy, and don't forget about using a good decompiler / debugger like dnSpy, and that's it! For better signature recognition I recommend either a PEiD with updated signatures, and the top-most suggestion is to get PiD from GameCopyWorld or w.e. the website is :> Good luck! Note: Attached below is my DotNetResolver with working Strings Plugin. DotNetResolver.7z Edited July 31, 2016 by 0xNOP
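A static triage step that fits before the manual landmark hunting described above: confirm the dump is actually a managed PE (the CLR header is data directory 14 of the PE optional header) and look for the marker strings the stock ConfuserEx build leaves in the assembly's metadata heaps. This is an added example, not code from any poster in the thread or from DotNetResolver; it assumes the marker names "ConfusedByAttribute" and "ConfuserEx v" (emitted by unmodified ConfuserEx builds, and easily stripped by a customised one, so their absence proves nothing), and the sample it builds is a synthetic PE stub constructed for the demonstration, not a real binary.

```python
"""Static triage for a dumped .NET sample suspected of ConfuserEx protection.

Added example for this thread (not any poster's code). Assumptions:
- stock ConfuserEx leaves "ConfusedByAttribute" and a "ConfuserEx vX.Y.Z"
  string in the metadata; a modified build may strip both markers.
"""
import re
import struct

MARKERS = [b"ConfusedByAttribute", b"ConfuserEx v"]
VERSION_RE = re.compile(rb"ConfuserEx v(\d+\.\d+\.\d+)")


def parse_pe(data):
    """Return (is_pe, is_dotnet); is_dotnet means the CLR data directory (index 14) is set."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, False
    coff = e_lfanew + 4                      # 20-byte COFF file header
    opt = coff + 20                          # optional header follows it
    if len(data) < opt + 2:
        return True, False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: data directories at +96
        dd_off = opt + 96
    elif magic == 0x20B:                     # PE32+: data directories at +112
        dd_off = opt + 112
    else:
        return True, False
    num_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    if num_dirs < 15 or len(data) < dd_off + 15 * 8:
        return True, False
    clr_rva, clr_size = struct.unpack_from("<II", data, dd_off + 14 * 8)
    return True, clr_rva != 0 and clr_size != 0


def find_markers(data):
    """Search the raw image for the markers as UTF-8 (metadata heaps) and UTF-16LE."""
    found = []
    for marker in MARKERS:
        if marker in data or marker.decode().encode("utf-16-le") in data:
            found.append(marker.decode())
    return found


def triage(data):
    """Summarise what the bytes are and whether ConfuserEx markers survive in them."""
    is_pe, is_dotnet = parse_pe(data)
    markers = find_markers(data) if is_pe else []
    version_match = VERSION_RE.search(data) if is_pe else None
    version = version_match.group(1).decode() if version_match else None
    if not is_pe:
        verdict = "not a PE file"
    elif not is_dotnet:
        verdict = "native PE (no CLR header); not a .NET packer target"
    elif markers:
        verdict = "managed PE with ConfuserEx markers"
    else:
        verdict = "managed PE, no ConfuserEx markers (stripped build or another protector)"
    return {"pe": is_pe, "dotnet": is_dotnet, "markers": markers,
            "version": version, "verdict": verdict}


def build_sample(dotnet=True, with_marker=True):
    """Construct a minimal synthetic PE32 stub for the demo (not a real executable)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine=i386, 1 section, SizeOfOptionalHeader=224, Characteristics=EXE|32-bit
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    # PE32 magic, zero-filled fields, NumberOfRvaAndSizes=16 at offset 92
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if dotnet:
        struct.pack_into("<II", dirs, 14 * 8, 0x2008, 0x48)   # constructed CLR header RVA/size
    blob = dos + b"PE\0\0" + coff + opt + bytes(dirs)
    if with_marker:
        # constructed metadata tail; the version string is a placeholder, not a real sample's
        blob += b"\0" * 16 + b"ConfusedByAttribute\0ConfuserEx v1.0.0\0"
    return blob


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(with_marker=False)))
```

The check only tells you whether the dump is worth pushing through a .NET toolchain and whether the protector left its name behind; the anti-tamper and cflow stages still have to be identified from the IL, as the post above describes.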