Overview:
A friend of mine downloaded third-party software from an unofficial site, unaware that the installer was bundled with a malicious executable (.exe). Soon after installation the machine started to behave abnormally: files were deleted and personal directories were read. Personal and financial data was stolen, and the attacker later blackmailed him.
Worried about all this, he asked me for help. I identified the suspicious executable on his device, and reverse engineering showed that the malware was a Remote Access Trojan (RAT). By evaluating the network traffic and the network configuration embedded in the sample, I was able to determine the attacker's IP address and port, which confirmed the remote control of the victim PC and the theft of his sensitive data.
This is how I did it.
Tools used for Reverse Engineering: dnSpy
dnSpy is a free, open-source .NET debugger and assembly editor used to debug, decompile and modify .NET applications. It is aimed at developers, reverse engineers, learners and hobbyists. dnSpy itself is a Windows application (Windows 7 through 11); it can open assemblies built for the .NET Framework as well as .NET Core and later, but it does not run natively on Linux or macOS.
Main Features
- Decompiling assemblies – converts compiled .NET assemblies (IL) back into readable C# or Visual Basic.
- Inline code editing – decompiled C# can be edited in place; dnSpy recompiles the edited method into the module, which you then save as a patched assembly.
- Debugging – supports breakpoints, variable inspection, attaching to running processes and single-step execution. Debugging a malware sample executes it, so this is only done inside an isolated virtual machine.
- Assembly Explorer – a tree view of assemblies, namespaces, classes, methods and resources.
- Plugin support – dnSpy can be extended with user-written extensions.
Requirements
- .NET Framework 4.5+.
- Visual C++ Redistributables.
- A contemporary computer with 4 GB RAM or above.
Installation
- Get the latest release from the official dnSpy GitHub releases page (the original repository is archived; the dnSpyEx fork is the actively maintained continuation).
- Unzip the archive.
- Run dnSpy.exe, preferably on an isolated analysis VM, since the sample will be opened there.
- Adjust settings if needed; the defaults are usually sufficient.
Reverse Engineering
Once I loaded the .exe into dnSpy, I could see the complete decompiled code of the executable.
I started exploring the different classes, fields and methods to get an idea of what this file actually does.
I found that the malware connects out to a HOST and PORT.
The only problem was that these values were stored in some kind of encoded form.
My next goal was to decode this text into a readable format. I knew the malware itself had to contain a decoding routine, because that is how it recovers the host IP it connects to.
I dug into the code and finally found it.
The malware was calling a Decrypt method to turn the stored data back into readable form.
The next step was to understand the encryption mechanism so that the decryption could be reproduced.
The encoded text looks like Base64, and this can be verified from the decoding code in the sample.
After Base64-decoding it, the result still made no sense: it is binary data, not text.
Here is the result in hex format.
The code in the Decrypt method is what actually turns these bytes into readable format.
I used ChatGPT to understand this mechanism and asked it to create a decryptor in Python.
The malware's configuration properties (e.g., Hosts and Ports) are encrypted with AES-256-CBC and authenticated with an HMAC. The key material comes from a key-derivation step whose inputs are hard-coded in the sample's Decrypt method, so those values have to be lifted from the decompiled code as well. The process is as follows:
Encryption Process
- Randomization: generate a random 16-byte IV (Initialization Vector).
- Encryption: the data is encrypted with AES-256-CBC (PKCS7 padding).
- Final ciphertext layout: [32-byte HMAC][16-byte IV][ciphertext]
- Base64 encode: the result is Base64-encoded and stored in the malware's settings strings.
Decryption Process
- Base64 decode: recover the raw bytes.
- Splitting: split into HMAC, IV and ciphertext.
- Verification: verify the HMAC before decrypting anything; a mismatch means the wrong key or a modified blob.
- Decryption: decrypt the ciphertext with AES-256-CBC.
- Final touch: remove the PKCS7 padding to recover the plaintext.
Finally, ChatGPT produced the decryption code in Python,
and with it we had everything visible in clear text.
Booooommmmm…. I finally managed to get the attacker's IP and port.
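As an added example (this is not the blog's Python script and not AsyncRAT's own source), here is a decryptor for the format described above, written to be self-checking: it also contains the matching encryptor so that a constructed setting can be round-tripped. It assumes the AES key and HMAC key are derived with PBKDF2-HMAC-SHA1 (the default of .NET's Rfc2898DeriveBytes) from a master key string, a fixed salt and an iteration count, and that the HMAC-SHA256 is computed over IV||ciphertext; the salt, iteration count, master key and host value below are placeholders, and for a real sample all of them must be read from its Decrypt method and settings class. The HMAC is checked with a constant-time compare before any decryption, so a wrong key or a modified blob fails closed.

```python
import base64
import hashlib
import hmac
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

HMAC_LEN = 32  # HMAC-SHA256 tag
IV_LEN = 16    # AES block size, also the IV size
BLOCK = 16

# Placeholders (assumption): a real sample hard-codes its own salt and iteration count
# next to its Rfc2898DeriveBytes call; copy them from the decompiled Decrypt method.
DEMO_SALT = bytes(range(32))
DEMO_ITERATIONS = 50000


def derive_keys(master_key: str, salt: bytes = DEMO_SALT, iterations: int = DEMO_ITERATIONS):
    """Return (aes_key, hmac_key) from one PBKDF2-HMAC-SHA1 stream (assumed KDF).

    Consecutive GetBytes(32) and GetBytes(64) calls on Rfc2898DeriveBytes read
    consecutive bytes of the same stream, so one 96-byte derivation reproduces both keys.
    """
    stream = hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"), salt, iterations, 32 + 64)
    return stream[:32], stream[32:]


def split_blob(b64_blob: str):
    """Base64-decode and split into (hmac_tag, iv, ciphertext), checking lengths first."""
    raw = base64.b64decode(b64_blob)
    if len(raw) < HMAC_LEN + IV_LEN + BLOCK:
        raise ValueError("blob too short for HMAC + IV + one AES block")
    tag = raw[:HMAC_LEN]
    iv = raw[HMAC_LEN:HMAC_LEN + IV_LEN]
    ct = raw[HMAC_LEN + IV_LEN:]
    if len(ct) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    return tag, iv, ct


def decrypt_setting(b64_blob: str, master_key: str, salt: bytes = DEMO_SALT,
                    iterations: int = DEMO_ITERATIONS) -> str:
    """Verify the HMAC (constant-time) over IV||ciphertext, then AES-256-CBC decrypt and unpad."""
    tag, iv, ct = split_blob(b64_blob)
    aes_key, mac_key = derive_keys(master_key, salt, iterations)
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Nothing is decrypted on a mismatch: wrong key, wrong KDF parameters or a tampered blob.
        raise ValueError("HMAC mismatch: wrong key, wrong KDF parameters, or modified blob")
    dec = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpad = padding.PKCS7(BLOCK * 8).unpadder()
    return (unpad.update(padded) + unpad.finalize()).decode("utf-8")


def encrypt_setting(plaintext: str, master_key: str, salt: bytes = DEMO_SALT,
                    iterations: int = DEMO_ITERATIONS, iv: bytes = b"") -> str:
    """Inverse of decrypt_setting (what a RAT builder does); used here to make test data."""
    aes_key, mac_key = derive_keys(master_key, salt, iterations)
    iv = iv or os.urandom(IV_LEN)  # random 16-byte IV unless a fixed one is given
    pad = padding.PKCS7(BLOCK * 8).padder()
    padded = pad.update(plaintext.encode("utf-8")) + pad.finalize()
    enc = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).encryptor()
    ct = enc.update(padded) + enc.finalize()
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return base64.b64encode(tag + iv + ct).decode("ascii")


# Constructed demo values, not taken from any real sample.
DEMO_KEY = "demo-master-key"
DEMO_HOST = "192.0.2.10"  # documentation address (TEST-NET-1)

if __name__ == "__main__":
    blob = encrypt_setting(DEMO_HOST, DEMO_KEY)
    print("stored :", blob)
    print("decoded:", decrypt_setting(blob, DEMO_KEY))
```

The two failure paths are the ones that matter in practice: a wrong master key or wrong KDF parameters shows up as an HMAC mismatch rather than as garbage plaintext, and a truncated blob fails the length check before the HMAC is even computed. Both raise ValueError instead of silently returning bytes, which is what you want when scripting this over many extracted strings.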
After analysing further code I noticed that it was the RAT "AsyncRAT", which gives the attacker full control of the device and provides features like:
- Remote desktop viewing
- Keylogging
- Process management
- File management
- Remote shell access
- Audio and camera access
- Screen recording and screenshot capture
- Data exfiltration
- Persistence mechanisms
- Encrypted communication
- Plugin/module support
- Anti-analysis capabilities
- Customizable functionalities
- Self-deletion
- Denial-of-service and crypto-mining capabilities
Conclusion:
Reverse engineering with tools like dnSpy lets a practitioner take an executable apart and study it, building proficiency in a critical area of computing.
The wide distribution of malware and other harmful software, especially online, shows the practical value of this expertise.
dnSpy is widely used by professional malware analysts, security researchers and ethical hackers, and is a well-established tool for this kind of analysis.
Reverse engineering therefore not only broadens career paths but also makes one less vulnerable to fraud by bad actors.
Overall, dnSpy is a free, user-friendly and powerful tool for interrogating compiled .NET executables and reconstructing near-original source code, which makes it an invaluable asset for malware analysis, software validation and investigation of a program's internal structure.
Disclaimer: This blog is for educational purposes only, promoting awareness of ethical hacking and cybersecurity to help readers protect against cyber threats. All content is based on lawful experiments on our own systems. No illegal activities are endorsed. Users agree to apply the information responsibly and legally. The blog and author are not liable for any misuse. By using this blog, you agree to use all knowledge ethically and legally.