Jump to content
Tuts 4 You
hex4d0r

Obfuscated Malware Sample

Rate this topic

Recommended Posts

hex4d0r

Hi all,

RDG says It's DotWall Obfuscator but I think its somehow different or I'm too sh*tty to deobfuscate it. I couldn't deobfuscate fully. Could you help about it and tell me how it is different or what i did wrong? Btw It's a malware sample.

Thanks in advance.

infected.zip

Share this post


Link to post
Share on other sites
kao

Yep, looks like Dotwall. But the main executable is totally boring - the interesting stuff is in .NET resources. So, don't waste much time trying to deobfuscate main executable. ;)

There are 2 malicious PE files in .NET resources - XOR-encrypted with key 76 00 6F 00 52 00 4E 00 66 00 48 00 73 00 44 00 
One is Aspire.dll, protected with .NET Reactor - that's some sort of malware launcher. Other one is password stealer written in Delphi.

 

  • Like 2
  • Thanks 1

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...