 Hello and welcome to malware analysis for Hedgehogs. One of the videos with the most views is the .NET unpacking video where I unpacked a nano-coret. And I don't think it's quite that good, because I was quite confused while using the Anspy. The reason is that I used an old version of it, and I was expecting features that this old version didn't have. So I would like to make an update on how to use the Anspy, the new version of it, probably. Actually, you don't even need .NET unpacker or mega-dump anymore, because now you can use the Anspy to dump the memory yourself. But we will just see how we use the Anspy with this sample. So that's our sample right here. Just the way I usually get it without an extension and without, well, any information on it. And most of the time, I like to check it first with, well, where is it? P studio or POTX analyzer or anything similar. Just to take a look into if it's a P file, of course. So no. P studio has a GUI that POTX analyzer doesn't have, so it's most of the time easier to see the important stuff. And let's check this. Okay, this is, well, firstly, this is not a .NET file. It has several imports. .NET file usually just has one import. And also, if you look at those strings in here, it doesn't look like a typical .NET file, which would use functions related to .NET. But this looks like a raw SFX file. You see the debug path here, or also here, that this is a serve extracting executable. And also, the archive is in the overlay, and usually all that all this executable does is unpacking the archive in the overlay, and maybe doing some installation on running something. Yeah. So you can simply unpack this with 7zip. So we will just do that right here. Okay, three files. These, I don't want to click it. So I should use my disarm script here, but I didn't install it on this machine, because I prepared them just right before I make the videos. So, okay. But this had an interesting icon already, and those are just some unknown binary files, which we should look at. Okay. And this too. Now, this doesn't make much sense here, but it has patterns. It has, if it's something that's encrypted, it's likely not a cryptographically save encryption because of the patterns. And if this would be XOR, you might conclude that these parts here are the key. Usually, the key will show in the zero areas of the file. Okay. What's this? It's also just stuff, and we can't do anything with it. It looks pretty dense too, and if you put this in Portex Analyzer, you would probably see a high entropy image here. Yeah. Okay. Mostly, but it's not everywhere. So, okay. Yeah. And the other one? No. Okay. No. I just confused them. This is the one where I said we have these patterns, which might be an XOR encryption. So, you see that there is, although there are high entropy areas, there are also some low entropy areas. So, there's still kind of a structure in this file. And for that one, I think it should be, yeah. Yeah. This is how a more safe encryption would look like, or even compression. But I don't know what it is. So, let's check our .exe file. We don't need those anymore. Yes, please. This one. That's the .net file. We already see here that the signature is there, and also the one and single import that's usually done for .net file with mscory.dll. And here you can see some, yeah, .net typical functions, and system refection is quite typical for injectors, for .net packed files that use reflection to run the packed file inside. So, yeah. Let's take a look at it with a decompiler. Okay. This is the metadata information, and it's already not that... Well, if I would see this, I would immediately assume it's malware, because legend files do not use random strings normally. I mean, there are always exceptions of people who like to protect the files and with protection that's kind of malware-like. But most of the time it's really malware, if you see this. Yeah. Okay. Let's just take more of an overview. Here's a late call. That's probably where the packed file is called. No, the question is, where's the packed file? Okay. That looks good. There's something that's worth remembering is that 77 and 90 are m and z. So, this looks like a p-file that's saved right here in the byte area, because it starts with mz, then there are zeros mostly, and then there's the ms.submessage. I assume it is. I'm not able to see the matrix, but the pattern really looks like it. The cool thing with .net is if you like to unpack it statically, you can just use for instance visual studio to copy and paste the decompile code in there and unpack it this way. We will just do it here. Visual C-sharp, Alex C-sharp, more than visual basic. I can just pause it better. Read it faster. Okay. Let's create the project. Copy this. Now just remove this. We don't need that. And we don't need that. And we will create an array here. This is our byte array. Then we will just write this stuff to, I think it's, oh, I hate the auto correction. File, write all bytes, I guess. Then it should be the path, and then it should be the byte array. And for the path, I'll come on double slashes. There's the dump one here. And I think it needs an import. Yes. And it tells me system IO. We will use that import. Okay. And if I run it, it should create our dumped file on the desktop. If I did everything correct. Let's check. And it didn't. Oh, it took a while. Failure. Okay. I made some mistake in the path. Problem now. That's the same, right? Please do that again. Okay. The debug go wasn't set. What's that? Oh, wait. I really hate that. I think the error message was not related at all to the course. And that's something I really hate. Okay. But now, yeah, now it worked. Okay. That's our dumped file. And if you check this in the hex editor, you can see that it's indeed starting with MZ. And here's this program cannot be run in the smart step message. Okay. It's quite small. The file is small. How much is that? Okay. Only four kilobytes. That's not much. I guess we will have to unpack further. And let's check this file. Here's the dump. Okay. Yeah, interesting. Now, we could now proceed doing the same thing we already did. We could now just copy and paste the code and run it. So, unpack it basically with our code, statically. But there's a faster way and that's using the Nspy. And I will just do that now. Let's check first what happens here. That's the main method. And it reads all bytes from array two. And here's array. Array is created from the data in here. And it applies the split method on that. So, it was split here. And it was split here. And that means array, array. I think due to the split, this should be array two because it splits twice at that point. And array zero is this. Array zero is used here. Okay. Well, I could be wrong, though. Okay. Here's array two. Now, it gets a bit confusing. But let's just unpack it. It looks like it's reading this file here. And then it calls the decrypt with the key array zero, which is this. And then decrypts the data. And afterwards, calls assembly load on the decrypted file. So, that means this file contains our packed file. Yeah. Our study Nspy now. And there it is. The dump. Okay. And we also know where we need to set our breakpoint because at this point, this is the byte array that's passed to the decrypt function. And here it will, in this loop, decrypt the data. And at this point, it should be in memory and in a decrypted state. Okay. So, we add the breakpoint here and run it. And that's something that we couldn't do with this old version of the Nspy. Now, we see here the local variables and their contents. So, yes, please expand it. It says it's too big, but it shows some some values and it starts with 45a. And those are the m and that again. This time in hex instead of decimal values, but it's again a packed part of executable as I would assume. We can now right click here and show in memory. And it has already selected that memory area. And now we can just save the selection to disk. Dump two. Please save. And that's it. We don't want to run it here. Now, we have another dump right there. It's the second dump. And it's, oh, it's, okay, you could see it already here powered by smart assembly. That means it has used an obfuscator. And this version, this obfuscator can be defeated using default dot. So, let's just use that. You just need to drag and drop it in there. Yeah, detected smart assembly. And where is the clean here? It's a clean dump. And now we can just use that one to check. Okay, looks much better already. Now, here's some more, there's some more things going on than just unpacking. It has some entire, well, it tries to detect certain tools like Fiddler and it tries to detect VMware and VirtualBox. So, it would probably not run if it does this, which is interesting. But it, that also depends on certain settings. It's some of those, you see the if, all of the if statements right here. Check some kind of settings that can be set. And so it's probably created by a builder to do this. And here you see get prog address, which is typically and load library typically used by packers. Okay, so I guess we have to unpack again. Let's just do that next layer. And this is really not that uncommon that you have multiple layers. It's not really a problem, but it's annoying having so many layers of packed files. And here, this is the string that's used to set the settings of this. And if you want to, you can kind of will try to analyze it and see what this all means by checking the if statements. But yeah, let's just try to unpack it for now. We'll step into here. There's a split on those. Lots of stuff going on. And I don't know what it does here. But here you can see it reads all bytes from something. Let's see if we get, okay, I think I should go into this one. We will add a breakpoint. Does it go back there? Come on. Okay, we will start it again. Step into breakpoint still set. Yeah, please there then step into then let's check what happens. Here's also some kind of area would just that this is the area of the settings. Yeah. Okay, I guess now that I started it multiple times, it might not unpack properly. So I'm not quite sure if I have to repeat this. Oh, in here, returns here. Well, maybe we can also get it to this point. Okay. What's this? Yes, please expand. We have several arrays. And here's some encoded stuff. And here, yes, please show. It's also some encoded stuff. Step into please. And here it does the decoding. Wow, great. Let's check this. That's not decoded. It's also array. I'm not sure where it is. The array. Yes, please. Oh, no, look at this. I'm not quite sure about the naming here. Why it's called a zero. But here's again, 45 a that's the mz. And I guess it's in this area. But really, I don't know what's named this way. Okay, we will show it here. And then save the selection. And we have our third dump. Three save. Okay, please stop. It's probably not also running in the background, the malware, but I have no internet connection. Nothing should happen. And this is our dump file. And we should take a look at it, I guess. This is not a .NET executable anymore. Oh, yeah, this is how it looks like the enemy. It has an overlay with just zeros in it. So it might be that it, well, that might be caused by a bug when writing or something or just, but not much interesting stuff here. It doesn't look packed though. If you look at those, it looks quite normal. So maybe we are at the end now. And yeah, that's good. If you see this, it's password stealer, credential stealer. He tries to read passwords from Thunderbird and from Mozilla. Here you see this saying on escalate from, I guess, from Mozilla. And maybe also the internet history that's been stolen. I'd look credentials maybe too. And this is quite typical for keyloggers. Because they have to lock the keys that you press and they would do this, this way. Yeah. So I looked up this file, uploaded it to VarusTable, and it showed as netwirerc-backdoor. I'm not sure that it is exactly that vector, but I guess so. I haven't seen it before. So I cannot really recognize it from my experience. Okay. And that's it. We unpacked this file in, well, let's say four layers. The first was this SFX, and then we had two .NET layers. And then we had, the last one was this. Three .NET layers. Okay. Yeah. If you have any questions, please post them below. And thank you for watching.