


Several weeks ago, during one of the investigations, I needed to triage a few potentially malicious Windows executables. .NET binary located in a seemingly legitimate subdirectory under Program Files. At the same time the file was obfuscated (based on a quick look at FLOSS output) and according to VirusTotal it was detected as “potentially malicious” by several antivirus products. Well, I thought, even if the file turns out to be non-malicious, there must be a reason for it to be obfuscated. Oh boy, how little did I know…

(Re)discovery

I opened the file in dnSpy and immediately encountered the first obstacle: the code was obfuscated with SmartAssembly. Fortunately, de4dot did all the dirty work for me and within seconds I was left with compact code consisting of several classes.
