hex4d0r
Posted March 7, 2019

Hi all, RDG says it's DotWall Obfuscator, but I think it's somehow different or I'm too sh*tty to deobfuscate it. I couldn't deobfuscate it fully. Could you help with it and tell me how it is different or what I did wrong? Btw, it's a malware sample. Thanks in advance.

infected.zip

kao
Posted March 7, 2019

Yep, looks like Dotwall. But the main executable is totally boring - the interesting stuff is in .NET resources. So, don't waste much time trying to deobfuscate the main executable.

There are 2 malicious PE files in .NET resources - XOR-encrypted with key 76 00 6F 00 52 00 4E 00 66 00 48 00 73 00 44 00.

One is Aspire.dll, protected with .NET Reactor - that's some sort of malware launcher. The other one is a password stealer written in Delphi.
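
Added example, not part of kao's post: a Python sketch for triaging an extracted .NET resource with the key quoted above, checking whether the result is a PE file and whether it is a DLL. It assumes the key repeats from offset 0 of the resource (the post does not say how it is applied); the function names and the sample blobs are constructed for illustration.

```python
import struct

# Key bytes exactly as quoted in the post (16 bytes).
KEY = bytes.fromhex("76 00 6F 00 52 00 4E 00 66 00 48 00 73 00 44 00")
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag


def xor_repeat(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR. Assumption: the key restarts at offset 0."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pe_header_offset(buf: bytes):
    """Return e_lfanew if buf has a sane MZ/PE header pair, else None."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    # Need the PE signature plus the 20-byte COFF header inside the buffer.
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def triage_resource(blob: bytes) -> dict:
    """Decrypt one resource blob and report what the plaintext looks like."""
    plain = xor_repeat(blob)
    off = pe_header_offset(plain)
    info = {"is_pe": off is not None, "is_dll": None, "size": len(plain)}
    if off is not None:
        # Characteristics is the last field of the COFF header (offset 18).
        (flags,) = struct.unpack_from("<H", plain, off + 4 + 18)
        info["is_dll"] = bool(flags & IMAGE_FILE_DLL)
    return info


def constructed_sample(dll: bool) -> bytes:
    """Constructed stand-in for a resource: stub PE headers XORed with KEY."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    flags = 0x0102 | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, flags)
    return xor_repeat(dos + b"PE\0\0" + coff + b"\0" * 0xE0)


if __name__ == "__main__":
    for label, blob in (("dll-like", constructed_sample(True)),
                        ("exe-like", constructed_sample(False)),
                        ("not a PE", b"\0" * 64)):
        print(label, triage_resource(blob))
```

The key bytes are the UTF-16LE encoding of the string `voRNfHsD`, which is worth searching for in the decompiled loader when locating the decryption routine.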