How to deobfuscate this malware ?

Posted February 17, 20205 yr

I can not unzip this sample. Obfuscated BE CAREFULLY(DON'T RUN ON MAIN PC).exe code all the time.

Most likely packed with this https://github.com/BedTheGod/ConfuserEx-Mod-By-Bed.
But his application for unpacking from his own tread does not work for this sample.

Edited February 17, 20205 yr by Ternick

February 18, 20205 yr

Hi, His Unpacker is for Vanilla Only not for Modded Version.

February 18, 20205 yr

Author

24 minutes ago, BlackHat said:

Hi, His Unpacker is for Vanilla Only not for Modded Version.

Thank,but I can't find Unpacker for Modded Version. May poorly searched. Do you have thoughts how unpack this sample?

February 18, 20205 yr

Edited February 18, 20205 yr by mamo434376

February 18, 20205 yr

Author

Just now, mamo434376 said:

How? Please make guid for me.

My dnSpy:

How deobfuscate ?

Edited February 18, 20205 yr by Ternick

2 months later...

May 4, 20205 yr

On 2/18/2020 at 10:59 AM, Ternick said:

How? Please make guid for me.

My dnSpy:

How deobfuscate ?

To deobfuscate this virus just use UD_PRO you can download it here: https://github.com/imnobodyxd/UD-PRO

9 months later...

February 10, 20214 yr

Futhermore, We can see that this is beds constants and anti-tamper from the fake attributes, you can see that this is beds 1.4.1. If you have been looking into beds obf, you will recognise the fake attributes and the constants.