Malware Analysis Video: .NETReactor deobfuscation and configuration extraction of AgentTesla


Thread author
Staff Member
Apr 9, 2020
This is the sample that we unpacked in the previous episode. It is obfuscated with .NETReactor. We use Shed to obtain decrypted strings and get an idea of what it is doing. Removing the obfuscation with NetReactorSlayer does not work out of the box. Is there a way we make it work to obtain the configuration values?

Tools: DnSpy, Shed, PortexAnalyzer, SystemInformer, NetReactorSlayer

00:00 Intro
00:25 Strings and DnSpy
03:37 Shed - decrypted string extraction
07:46 NetReactorSlayer first attempt
10:39 NetReactorSlayer second attempt
13:00 Config decoding


About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.