Today, i’ll Do analysis for a Obfuscated Bladabindi RAT (NjRAT) Sample.
First of all, i will check for any obfuscated code in the Sample
By Opening it in a .NET Decompiler, i will use DnSpy.
Note : This Analysis is On A VM,Don’t Work with Malware Samples
on your host machine.
After Opening The Sample on DnSpy
We Can See that its Obfuscated.
Lets Go To The Main Function
So Basically The Sample Is Obfuscated with something named BronCoder, it seems that its binary splitted with ;
And We Can see that there is For loop, Getting The Binary Code , Then Translate it to strings,and it will output a Base64 Strings, It Will Decode it ,Then Execute it in Memory using Assembly.Load.
I’ve Added A BreakPoint in Assembly.Load To Prevent Execution of the malware, And We Will Get The Base64 String.
Lets Start The Sample With breakpoint Added!
Yes!, The Sample stopped on the breakpoint , and we got the Base64 String!
Time For Decoding it!
I will use this base64 Decoder.
And BOOM!, We got the Main Malware,
After Looking in The Code, I Got The Host & Port Easily!
Thanks For Reading!