Malware Analysis Video: .NETReactor deobfuscation and configuration extraction of AgentTesla

struppigel

struppigel

Moderator
Thread author
Verified
Staff Member
Well-known
Apr 9, 2020
656
This is the sample that we unpacked in the previous episode. It is obfuscated with .NETReactor. We use Shed to obtain decrypted strings and get an idea of what it is doing. Removing the obfuscation with NetReactorSlayer does not work out of the box. Is there a way we make it work to obtain the configuration values?

Tools: DnSpy, Shed, PortexAnalyzer, SystemInformer, NetReactorSlayer

00:00 Intro
00:25 Strings and DnSpy
03:37 Shed - decrypted string extraction
07:46 NetReactorSlayer first attempt
10:39 NetReactorSlayer second attempt
13:00 Config decoding

 
  • +Reputation
  • Applause
  • Like
Reactions: Gandalf_The_Grey, silversurfer, Trident and 4 others

Similar threads

struppigel
    • Applause
    • +Reputation
    • Like
Malware Analysis [Video] 3CX SmoothOperator C2 extraction
Replies
1
Views
716
Malware Analysis
Trident
Trident
struppigel
    • Like
    • Applause
    • +Reputation
Malware Analysis [Video] Analysis of 3CX SmoothOperator ffmpeg.dll with Binary Ninja
Replies
0
Views
614
Malware Analysis
struppigel
struppigel
Lymphocyte
    • Like
    • +Reputation
Security News ESET repports that OilRig’s persistent attacks using cloud service-powered downloaders
Replies
0
Views
2,122
Security News
Lymphocyte
Lymphocyte

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top