Jump to content
Tuts 4 You

Obfuscated Malware Sample


Recommended Posts

Hi all,

RDG says It's DotWall Obfuscator but I think its somehow different or I'm too sh*tty to deobfuscate it. I couldn't deobfuscate fully. Could you help about it and tell me how it is different or what i did wrong? Btw It's a malware sample.

Thanks in advance.


Link to comment
Share on other sites

Yep, looks like Dotwall. But the main executable is totally boring - the interesting stuff is in .NET resources. So, don't waste much time trying to deobfuscate main executable. ;)

There are 2 malicious PE files in .NET resources - XOR-encrypted with key 76 00 6F 00 52 00 4E 00 66 00 48 00 73 00 44 00 
One is Aspire.dll, protected with .NET Reactor - that's some sort of malware launcher. Other one is password stealer written in Delphi.


  • Like 4
  • Thanks 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...