Locksmith analysis

After monitoring MalwareDomainList.com, I noticed an interesting piece of malware showing up on the Recent Updates. It was hosted on OAST.com, which is a pretty high-traffic site. I decided to grab a copy of the binary and load it into my VM. To my surprise, it was the first .NET dropper I have come across in the wild.

I opened the malware with PEiD and noticed it was a .NET Trojan. This made for an easy and quick reverse engineer.

PEiD – Soulmate
Disassemble and Analyze
Since .NET can easily be decompiled, I launched Red Gate Reflector and opened the binary up to see what's going on inside. Looks like the developer either lacks knowledge of obfuscation or simply wanted to do it manually.
It looks fairly straightforward.
1) Locates the TEMP path
2) Read the executing assembly
3) Calls a function that strips the embedded binary into a separate string
4) Writes the embedded binary into Out.exe in the TEMP path
5) Executes the embedded binary
PEiD on the trojan binary
I decided to write a quick application in .NET to extract the embedded binary using the decompiled code from the dropper. Using PEiD on the new Trojan, I noticed it was nothing more than a compressed executable.
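The five dropper steps listed above and the extraction step just described can also be reproduced generically, without reusing the dropper's own decompiled code: scan the dropper image for every MZ/PE header pair, treat any image after the host's own header as an embedded payload, and write it to disk for hashing and static inspection rather than executing it. The following Python script is an added example (not the extractor written for this post); the `FAKE_DROPPER` bytes, the `make_fake_pe` stub builder and the `payload_N.bin` output names are constructed for the demo.

```python
"""Carve an embedded PE payload out of a dropper image without executing it.

Added example (not the original post's .NET extractor): it scans the dropper
bytes for MZ/PE header pairs and writes each embedded candidate to a scratch
directory as .bin so that nothing is accidentally run. The sample bytes below
are constructed for the demo and are not a real executable.
"""
import hashlib
import os
import struct
import tempfile

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def find_pe_headers(data: bytes) -> list[int]:
    """Return offsets of every plausible PE image inside `data`.

    A PE image starts with 'MZ'; the DOS header stores the offset of the
    'PE\\0\\0' signature at 0x3C (e_lfanew). Both are checked so that stray
    'MZ' byte pairs (e.g. inside compressed data) are rejected.
    """
    offsets = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_at = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig_at:sig_at + 4] == PE_SIG:
                offsets.append(pos)
        pos = data.find(MZ, pos + 1)
    return offsets


def carve_embedded(data: bytes) -> list[bytes]:
    """Return every PE image embedded *after* the host's own header.

    Each payload runs from its MZ header to the start of the next candidate
    (or to end of file); trailing bytes do not hurt hashing or static triage.
    """
    offsets = find_pe_headers(data)
    if len(offsets) < 2:
        return []          # only the host image: nothing embedded
    payloads = []
    for i in range(1, len(offsets)):
        start = offsets[i]
        end = offsets[i + 1] if i + 1 < len(offsets) else len(data)
        payloads.append(data[start:end])
    return payloads


def write_payloads(data: bytes, out_dir: str) -> list[tuple[str, str]]:
    """Write each carved payload to out_dir; return (path, sha256) pairs."""
    results = []
    for n, blob in enumerate(carve_embedded(data)):
        # .bin rather than .exe: the analyst hashes and inspects it, never runs it
        path = os.path.join(out_dir, f"payload_{n}.bin")
        with open(path, "wb") as fh:
            fh.write(blob)
        results.append((path, hashlib.sha256(blob).hexdigest()))
    return results


def make_fake_pe(body: bytes) -> bytes:
    """Build a minimal MZ/PE-looking stub (constructed for the demo, not runnable)."""
    header = bytearray(0x40)
    header[0:2] = MZ
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew: PE signature right after DOS header
    return bytes(header) + PE_SIG + body


# Constructed dropper image: host stub + a stray "MZ" + filler + embedded payload stub.
FAKE_DROPPER = (
    make_fake_pe(b"host-code" + b"\0" * 32)
    + b"MZ" + b"\xff" * 10            # decoy: 'MZ' with no valid e_lfanew behind it
    + make_fake_pe(b"payload-code")
)

if __name__ == "__main__":
    out_dir = tempfile.mkdtemp(prefix="carve_")
    for path, digest in write_payloads(FAKE_DROPPER, out_dir):
        print(f"{path}  sha256={digest}")
```

Run it against a real dropper by replacing `FAKE_DROPPER` with the file's bytes; the e_lfanew check is what keeps the decoy `MZ` in the constructed sample from being reported as a second image. Carved output is written as `.bin` so that the extracted Trojan can be hashed and fed to PEiD or a disassembler without ever being launched.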
