Intel Name: Uncovering .NET malware obfuscated by encryption and virtualization
Date of Scan: March 4, 2025
Impact: High
Summary: This article explores obfuscation techniques in popular malware families and highlights opportunities for automating the unpacking process. We analyze observed samples, demonstrating how to extract configuration parameters by unpacking each stage. Automating this process would enable sandboxes performing static analysis to retrieve critical malware configuration data. Adversaries use techniques such as code virtualization, staged and multi-stage payload delivery, dynamic code loading, and AES encryption to distribute malware such as Agent Tesla, XWorm, and FormBook/XLoader.