This is the sample that we unpacked in the previous episode. It is obfuscated with .NETReactor. We use Shed to obtain decrypted strings and get an idea of what it is doing. Removing the obfuscation with NetReactorSlayer does not work out of the box. Is there a way we make it work to obtain the configuration values?

Tools: DnSpy, Shed, PortexAnalyzer, SystemInformer, NetReactorSlayer

Malware course: https://www.udemy.com/course/windows-...
Sample: https://malshare.com/sample.php?actio...

Twitter:   / struppigel  

00:00 Intro
00:25 Strings and DnSpy
03:37 Shed - decrypted string extraction
07:46 NetReactorSlayer first attempt
10:39 NetReactorSlayer second attempt
13:00 Config decoding

#dotnet #netreactor #malware #reverseengineering #agenttesla #malwareanalysis