How to deobfuscate this malware ?

[Ternick]

I can not unzip this sample. Obfuscated BE CAREFULLY(DON'T RUN ON MAIN PC).exe code all the time.

Most likely packed with this https://github.com/BedTheGod/ConfuserEx-Mod-By-Bed.
But his application for unpacking from his own tread does not work for this sample.

Edited February 17, 2020 by Ternick

[BlackHat]

Hi, His Unpacker is for Vanilla Only not for Modded Version. 

 

[Ternick]

24 minutes ago, BlackHat said:

Hi, His Unpacker is for Vanilla Only not for Modded Version. 

 

Thank,but I can't find Unpacker for Modded Version. May poorly searched. Do you have thoughts how unpack this sample?

[localhost0]

Edited February 18, 2020 by mamo434376

[Ternick]

Just now, mamo434376 said:

How? Please make guid for me.

My dnSpy:

How deobfuscate ?

Edited February 18, 2020 by Ternick

[Josman]

On 2/18/2020 at 10:59 AM, Ternick said:

How? Please make guid for me.

My dnSpy:

How deobfuscate ?

To deobfuscate this virus just use UD_PRO you can download it here: https://github.com/imnobodyxd/UD-PRO

[Junk]

Futhermore, We can see that this is beds constants and anti-tamper from the fake attributes, you can see that this is beds 1.4.1. If you have been looking into beds obf, you will recognise the fake attributes and the constants. 

Edited February 10, 2021 by Junk