Emergence of German Remote Access Trojan: Pekraut

plat
Sep 13, 2018
From a Fabian Wosar retweet
Excerpt from GDATA article:

"Feature-rich remote access malware Pekraut emerges. The rodent seems to be of German origin and is ready to be released. We analyzed the malware in-depth.
While searching for new malware via suspicious paths, a fake svchost.exe in %APPDATA%/Microsoft tipped us off. The sample[1] is a .NET application which is packed with ConfuserEx. The file was uploaded as netRat.exe to Virustotal. The same name is also stated in the file's version information as InternalName and OriginalFilename. Version information also has a copyright statement for 2019.

[Figure: PortexAnalyzer output for ConfuserEx packed Pekraut sample]

[Figure: PortexAnalyzer output for unpacked Pekraut sample]
Via similarity search we found a second sample[2] that was uploaded to Virustotal a day later. It is not packed but obfuscated with Dotfuscator. Unpacking the ConfuserEx sample[1] results in a file that is almost the same as the second sample[2].
The obfuscation removed the original names of .NET symbols like classes, variables and methods. We didn't find any non-obfuscated Pekraut sample, so we manually named the symbols based on their usage resulting in sample[3]. The deobfuscated sample[3] is also used for screenshots in this article. Please note that those symbol names aren't part of the original source code and thus do not suffice for signatures."

....
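The drop location in the quoted analysis (a file named svchost.exe under %APPDATA%\Microsoft) is a simple, high-signal hunting lead: the genuine svchost.exe lives only in the Windows system directories and is spawned by services.exe. The script below turns that into a check over process-creation records. It is an added example, not code from the GDATA article or from this post; it assumes Sysmon-style lines of the form `Image: ... ParentImage: ...` (the sample lines are constructed) and a Windows installation rooted at C:\Windows.

```python
"""
Flag svchost.exe images that run from outside the Windows system directories
or that were not spawned by services.exe.

Added example; not code from the GDATA article or the forum post.
Assumptions: Windows is installed at C:\\Windows, and the input is a set of
Sysmon-style "Image: <path> ParentImage: <path>" records (constructed below).
"""
import ntpath
import re

# Only these directories legitimately host svchost.exe (assumes %SystemRoot% = C:\Windows).
LEGIT_SVCHOST_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Legitimate svchost.exe instances are started by the Service Control Manager.
LEGIT_SVCHOST_PARENT = "services.exe"

RECORD_RE = re.compile(r"Image: (\S+) ParentImage: (\S+)")

# Constructed sample records: one benign 64-bit svchost, one benign 32-bit svchost,
# one svchost.exe dropped under the user's roaming AppData (the pattern the
# article describes) and one unrelated process for contrast.
SAMPLE_LOG = r"""
Image: C:\Windows\System32\svchost.exe ParentImage: C:\Windows\System32\services.exe
Image: C:\Users\alice\AppData\Roaming\Microsoft\svchost.exe ParentImage: C:\Windows\explorer.exe
Image: C:\Windows\SysWOW64\svchost.exe ParentImage: C:\Windows\System32\services.exe
Image: C:\Users\bob\Downloads\netRat.exe ParentImage: C:\Windows\explorer.exe
"""


def normalize(path: str) -> str:
    """Lower-case and force backslashes so '%APPDATA%/Microsoft/...' compares like a Windows path."""
    return path.replace("/", "\\").lower()


def is_suspicious_svchost(image_path: str) -> bool:
    """True if the image is named svchost.exe but lives outside System32/SysWOW64."""
    directory, name = ntpath.split(normalize(image_path))
    if name != "svchost.exe":
        return False
    return directory not in LEGIT_SVCHOST_DIRS


def classify(image: str, parent: str) -> list:
    """Return the list of reasons a process record looks like a svchost masquerade (empty if benign)."""
    reasons = []
    if ntpath.basename(normalize(image)) != "svchost.exe":
        return reasons
    if is_suspicious_svchost(image):
        reasons.append("svchost.exe outside System32/SysWOW64")
    if ntpath.basename(normalize(parent)) != LEGIT_SVCHOST_PARENT:
        reasons.append("svchost.exe not spawned by services.exe")
    return reasons


def find_suspicious(log_text: str) -> list:
    """Scan records and return (image_path, reasons) for every hit, preserving the original path text."""
    hits = []
    for line in log_text.strip().splitlines():
        match = RECORD_RE.match(line.strip())
        if not match:
            continue  # ignore malformed or unrelated lines
        image, parent = match.groups()
        reasons = classify(image, parent)
        if reasons:
            hits.append((image, reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{image}: {'; '.join(reasons)}")
```

The parent-process check is a second, independent signal: a svchost.exe copied into the system directory by an attacker with the right privileges would pass the path test but still be launched by something other than services.exe. Paths are lower-cased and slash-normalised before comparison so that the `%APPDATA%/Microsoft` spelling used in the article and the `C:\Users\...\AppData\Roaming\Microsoft` spelling that appears in telemetry are treated alike.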