“DotNet-MetaData: A Deep Dive into .NET Malware Analysis” unveils the advanced techniques for analyzing and classifying .NET-based malware.
With a focus on practical tools like Yara rules and Python scripts, this guide provides cybersecurity professionals with the means to extract crucial metadata from .NET binaries, enhancing their malware hunting and classification capabilities.
Explore how to leverage these tools for detailed insights into the inner workings of malware samples.
Yara rule to display binary information to the console. Example use:
yara64.exe DotNetMetadata.yar c:\fakepath\all_samplesThe Yara rule requires at least Yara 4.2.0, that said, it’s always recommended to get the latest release.
Python script to extract the GUID, MVID, TYPELIB, and Assembly Name of .NET binaries. Example use:
python DotNetMetadata.py c:\fakepath\all_samples -c samples_output.csvThe Python script requires pythonnet to be installed (pip install pythonnet) and expects dnlib.dll to be in the same directory.
Get and compile dnlib from or download dnSpy-netframework.zip from. The script should work correctly from dnlib version 3.3.2.0 up to and including 4.4.0.0.
This folder contains sample rules described in the blog post. Do tweak and update according to your needs.
Example output for a single file “Mpyiuepnw”, a version of PureLogStealer with SHA256 hash: c201449a0845d659c32cc48f998b8cc95c20153bb1974e3a1ba80c53a90f1b27
$ yara64.exe DotNetMetadata.yar c:\fakepath\Mpyiuepnw.vir
Original Filename: Mpyiuepnw.exe
Internal Name: Mpyiuepnw.exe
Imphash (use with caution): f34d5f2d4577ed6d9ceec516c1f5a744
Compile timestamp (epoch): 1710224522
Module name: Mpyiuepnw.exe
Assembly name: Mpyiuepnw
Typelib: 856e9a70-148f-4705-9549-d69a57e669b0
# of GUIDs: 1
dotnet.guid: 0
-> guid (MVID) = 9066ee39-87f9-4468-9d70-b57c25f29a67
# of streams: 5
# of resources is: 9
dotnet.resource: 0
-> name = Rdfeunq.Properties.Resources.resources
-> offset = 715528
-> length = 2818774
dotnet.resource: 1
-> name = Mpyiuepnw.Attributes.WrapperManager.resources
-> offset = 3534306
-> length = 180
dotnet.resource: 2
-> name = Mpyiuepnw.Collections.ImporterHelperCollection.resources
-> offset = 3534490
-> length = 180
dotnet.resource: 3
-> name = Mpyiuepnw.Roles.ConfigOrderRole.resources
-> offset = 3534674
-> length = 2932
dotnet.resource: 4
-> name = Mpyiuepnw.Roles.CodeManager.resources
-> offset = 3537610
-> length = 2933
dotnet.resource: 5
-> name = NAudio.Pages.TemplateAuthenticationPage.resources
-> offset = 3540547
-> length = 180
dotnet.resource: 6
-> name = Mpyiuepnw.Roles.SchemaManager.resources
-> offset = 3540731
-> length = 2936
dotnet.resource: 7
-> name = Mpyiuepnw.Polices.SingletonSingleton.resources
-> offset = 3543671
-> length = 180
dotnet.resource: 8
-> name = NAudio.Common.PrototypeSingleton.resources
-> offset = 3543855
-> length = 180
# of module references: 7
# of strings: 710$ python DotNetMetadata.py c:\fakepath\Mpyiuepnw.vir
File: c:\fakepath\Mpyiuepnw.vir
Assembly Name: Mpyiuepnw
MVID: 9066ee39-87f9-4468-9d70-b57c25f29a67
GUID: 856e9a70-148f-4705-9549-d69a57e669b0For more information click here.
Prompt injection is a type of security vulnerability that can be exploited to control the…
Firefly is an advanced black-box fuzzer and not just a standard asset discovery tool. Firefly…
Winit is a robust, cross-platform library designed for creating and managing windows in Rust applications.…
In today’s digital age, convenience often comes at the cost of security. One such overlooked…
Terminal GPT (tgpt) offers a seamless way to bring the power of ChatGPT 3.5 directly…
garak checks if an LLM can be made to fail in a way we don't…