Reversing Trojan.Downloader.MSIL sample

  Dawid Farbaniec

The following sample entered the laboratory today. The sample analyzed here IS NOT ACTIVE MALWARE (the payload has probably been taken down). According to VirusTotal the sample is 34.58 KB (35408 bytes) in size. It is a .NET executable file. First seen in the wild on 2021-07-28 19:48:57.

Calculating hashes...

Computing hashes for file: 19116e822e8178fc103e51fe18c825a4.exe . . . Done!

SHA3-512: E82E7B16CF5DC9018D46473A7839C410BA7933EC5E3EEBD1A8F673CCBA0268ECE6F9BC4FB7822CF376060D7717EE8F2964EB43DD22431F8EB8050D20D7FCB7CF
SHA2-512: 3EFF84D1DD5FD3FB162E25D2E8D7F3CCB12D408EC3CF18C9E644CA3A8B87B5A29E9C0A0726F929EFB890FE8C9CFF3A89709DC3F32A047AE1EDA18296BD20C271
SHA2-384: 13C5F3F85C6904EBD9E224868501DFE03C422E09904261DB017569CE4493A13A6A96768E4547283E30A0802A6583250F
SHA2-256: B9CB59244AE380B87C41822802FE472BBAB263E701339CE83A3D3896FBBDA8D2
SHA1: F590A8F1B2F337864B166D8CE53A53E77089135B
RIPEMD-320: 91284F9A232311C4D48A7BB31A2704129EDCCBED581F54CAEE34A73BA0500CB7CBEF8F3D030B8C7B
RIPEMD-256: AD40DF7678F1A61B4765332DD0B1B146204679F814A7B829C9D830C631E68A08
RIPEMD-160: 297A6E3FCAD4F4F6793F8A6561BB5F95E795F92D
RIPEMD-128: D0384A8DDB362CD3F93750F9DF0F9552
Whirlpool: A53523F5C57281545F9FB2C447B50D5000476CF84A4D84678F334EBFA9924DCA72D140F853ECD6321F097E9F38CCFF71FEBE2135546393F5B3D55377904E1C10
Keccak-288: 714DC4E7A63F906CC7A6FC8EDE21B988699036A8B284ED19B2667FA0CA3F9D671D2CFBA5
MD5: 19116E822E8178FC103E51FE18C825A4

File anomalies

The file creation time is set to 2041-06-23 12:49:13 (today is 2021-10-06).
Don't worry, the malware is not from the future.
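The triage steps above (hashing the file, checking that it is a .NET executable, and flagging the build time in 2041) can be scripted. The following is an added example, not the author's code or output: it assumes the future "creation time" is the COFF `TimeDateStamp` in the PE header, covers only the hash algorithms that Python's `hashlib` guarantees (the RIPEMD/Whirlpool/Keccak digests above came from another tool), and builds a minimal constructed PE32 header inline so it runs without the real sample.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Algorithms hashlib guarantees on every platform (a subset of the write-up's list).
HASH_ALGOS = ("md5", "sha1", "sha256", "sha384", "sha512", "sha3_512")


def compute_hashes(data: bytes) -> dict:
    """Return upper-case hex digests of `data` for each algorithm in HASH_ALGOS."""
    return {name: hashlib.new(name, data).hexdigest().upper() for name in HASH_ALGOS}


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF TimeDateStamp and the CLR data directory from a PE image.

    Raises ValueError when the DOS/PE signatures or the optional header are bad.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, num_sections, timestamp, _sym_ptr, _num_syms,
     _opt_size, _characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # COFF header is 20 bytes; optional header follows
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # Data directories start at offset 96 (PE32) or 112 (PE32+) of the optional header.
    dd_base = opt + (96 if magic == 0x10B else 112)
    # Index 14 is IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the CLR runtime header;
    # a non-zero entry is what marks the file as a .NET assembly.
    clr_rva, clr_size = struct.unpack_from("<II", data, dd_base + 14 * 8)
    return {
        "machine": machine,
        "num_sections": num_sections,
        "timestamp_epoch": timestamp,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def timestamp_in_future(header: dict, now_epoch: int) -> bool:
    """True when the build timestamp lies after `now_epoch` (forged or odd build time)."""
    return header["timestamp_epoch"] > now_epoch


def build_sample_pe(timestamp: int, dotnet: bool = True) -> bytes:
    """Construct a minimal, non-runnable PE32 header for demonstration only.

    No sections are present; only the fields the parser reads are populated.
    """
    img = bytearray(0x80)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew -> PE signature at 0x80
    img += b"PE\0\0"
    opt_size = 224  # PE32 optional header including all 16 data directories
    img += struct.pack("<HHIIIHH", 0x014C, 0, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    if dotnet:
        # Constructed CLR header RVA/size; any non-zero pair marks the file as .NET.
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)
    img += opt
    return bytes(img)


if __name__ == "__main__":
    # Constructed sample mimicking the write-up: a .NET PE with a build time in 2041.
    future = int(datetime(2041, 6, 23, 12, 49, 13, tzinfo=timezone.utc).timestamp())
    sample = build_sample_pe(future)
    for name, digest in compute_hashes(sample).items():
        print(f"{name.upper()}: {digest}")
    hdr = parse_pe_header(sample)
    print("is .NET:", hdr["is_dotnet"], "| build time:", hdr["timestamp"])
    if timestamp_in_future(hdr, int(datetime.now(timezone.utc).timestamp())):
        print("anomaly: build timestamp is in the future")
```

Run it against a real file by replacing `sample` with `open(path, "rb").read()`; a future `TimeDateStamp` is a cheap triage signal worth recording alongside the hashes, since legitimate build pipelines rarely produce one.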

Reconnaissance

We will be dealing with an obfuscated .NET executable, as we can see in the picture below.



Anti-disassembler techniques

The Main function disassembly in ILSpy is broken, as we can see in the picture below.



Complete disassembly after tool change

The disassembly is OK when we use another tool (dotPeek here, for example).



It's a trojan downloader, but it's already dead

The network monitor Fiddler shows that the malware cannot download the payload.



Yes. It's really dead malware.



Let's deobfuscate the .NET code


Main function obfuscated



Main function deobfuscated



Downloader function obfuscated



Downloader function deobfuscated



WebClient class obfuscated



WebClient class deobfuscated

Bibliography

https://www.virustotal.com/gui/file/b9cb59244ae380b87c41822802fe472bbab263e701339ce83a3d3896fbbda8d2 [access: 2021-10-06 16:12]
hxxps://vx-underground[.]org/samples/Families/AgentTesla/19116e822e8178fc103e51fe18c825a4 [access: 2021-10-06 16:15]
haker.info // ethical hacking
Spreading knowledge like a virus.