Malware Analysis - Agniane Stealer, Native Stub to .NET Unpacking
We trace API calls of a packed native file using hasherezade’s tiny_tracer and discover that it unpacks a .NET payload. Using x64dbg we unpack the .NET assembly and find it unreadable, among others due to dr4k0nia’s XOR string obfuscation.
Buy me a coffee:
Follow me on Twitter:
Sample:
tiny_tracer:
PortexAnalyzerGUI:
x64dbg:
de4dot:
dnSpy:
1 month ago 00:09:02 1
1 month ago 00:41:39 1
2 months ago 00:31:23 1
2 months ago 00:08:27 1
3 months ago 00:08:01 1
3 months ago 02:27:57 1
4 months ago 00:06:50 1
5 months ago 00:28:31 1
5 months ago 00:31:10 1
5 months ago 00:32:12 1
5 months ago 00:20:53 1
5 months ago 00:57:39 1
7 months ago 00:08:03 1
8 months ago 00:15:34 1
8 months ago 00:08:28 3
8 months ago 00:08:32 5
8 months ago 00:01:15 1
9 months ago 00:39:13 1
9 months ago 00:05:30 1
9 months ago 00:34:03 1
10 months ago 00:13:11 1
10 months ago 00:40:05 1
10 months ago 00:27:09 1
10 months ago 02:09:07 8
