{"id":55694,"date":"2024-03-27T14:31:42","date_gmt":"2024-03-27T14:31:42","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35707\/Analyse-Hunt-And-Classify-Malware-Using-.NET-Metadata.html"},"modified":"2024-03-27T14:31:42","modified_gmt":"2024-03-27T14:31:42","slug":"analyse-hunt-and-classify-malware-using-net-metadata","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/analyse-hunt-and-classify-malware-using-net-metadata\/","title":{"rendered":"Analyse, Hunt, And Classify Malware Using .NET Metadata"},"content":{"rendered":"<h2><span face=\"Calibri, sans-serif\"><span>Introduction<\/span><\/span><\/h2>\n<p><span id=\"docs-internal-guid-ddbf1ea6-7fff-517f-ebd7-24b3b8893fa1\"><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Earlier last week, I ran into a sample that turned out to be <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.purecrypter\" target=\"_blank\" rel=\"noopener\">PureCrypter<\/a>, a loader and obfuscator for all different kinds of malware such as Agent Tesla and RedLine.&nbsp;<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Upon further investigation, I developed Yara rules for the various stages, which can be found here (excluding the final payload):<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">With that out of the way, all of this reminded me of the fact that we can also write Yara rules for unique identifiers specific to malware written in .NET, or any other .NET assemblies for that matter.<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\"><span>A bit of history<\/span><\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">This isn\u2019t my first encounter with analysing .NET malware at scale: several years ago, I co-authored a <a href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference_slides\/2016\/Parys_Pontirolli-vb-2016-All-your-creds-are-belong-to-us.pdf\" target=\"_blank\" 
rel=\"noopener\">presentation<\/a> with <a href=\"https:\/\/twitter.com\/spontiroli\" target=\"_blank\" rel=\"noopener\">Santiago<\/a> on hunting SteamStealer malware, which was surging exponentially at the time (the malware intended to steal your Steam inventory items and\/or your account). A huge thanks goes to Brian Wallace, who had developed a tool at the time called <a href=\"https:\/\/github.com\/cylance\/GetNETGUIDs\" target=\"_blank\" rel=\"noopener\">GetNetGUIDs<\/a> with which it<\/span><span face=\"Calibri, sans-serif\"> was trivial to extract all the GUID types and start clustering to identify patterns: basically, which of the malware samples are likely authored by the same person or belong to the same attack campaign.<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">.NET assemblies or binaries often contain all sorts of metadata, such as the internal assembly name and GUIDs, specifically the MVID and the TypeLib GUID.<\/span><\/p>\n<ul>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span><b>GUID<\/b>: also known as the TYPELIB ID, the value of the assembly-level GuidAttribute, generated when creating a new project.<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span><b>MVID<\/b>: Module Version ID, a unique identifier for a .NET module, generated at build time.<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span><b>TYPELIB<\/b>: the TYPELIB version \u2013 or number of the type library (think major &amp; minor version).<\/span><\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Identifiers that are stored as text can be pulled out with the <b>strings <\/b>command and a simple regular expression (regex): <\/span><span face=\"Calibri, sans-serif\">[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Taking a sample of <a 
href=\"https:\/\/twitter.com\/James_inthe_box\/status\/1767548157003743382\" target=\"_blank\" rel=\"noopener\">PureLogStealer<\/a> posted by <a href=\"https:\/\/twitter.com\/James_inthe_box\" target=\"_blank\" rel=\"noopener\">James_in_the_box<\/a><\/span><span face=\"Calibri, sans-serif\">, you could then write a Yara rule based on the MVID or Typelib detected.<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">As shown on <a href=\"https:\/\/www.virustotal.com\/gui\/file\/c201449a0845d659c32cc48f998b8cc95c20153bb1974e3a1ba80c53a90f1b27\/details\" target=\"_blank\" rel=\"noopener\">VirusTotal<\/a> for this sample:<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A screen shot of a computer Description automatically generated\" height=\"119\" src=\"https:\/\/lh7-us.googleusercontent.com\/Ii2V66C2ouCm-yf_MWXj-3_0Nik4yoIVNabcpJxPbK2s6I_poVqLt4Ftjbx4pa5e03bM50bNNB-qo8huPJZCcyvVV-LxNSZ47uBoz9GAYNHe_9HKHyRg_Euj8FDuLJ3V2FTelzeCzYhbDbXDw5dn9A\" width=\"531\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 1 &#8211; Sample with MVID&nbsp;<span face=\"Calibri, sans-serif\">9066ee39-87f9-4468-9d70-b57c25f29a67<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">And the resulting (simple) Yara rule could then be as follows:<\/span><\/p>\n<pre>rule PureLogStealer_GUID\n{\n    strings:\n        $mvid = \"9066ee39-87f9-4468-9d70-b57c25f29a67\" ascii wide fullword\n    condition:\n        $mvid\n}<\/pre>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">There are however some issues with 
this:&nbsp;<\/span><\/p>\n<ul>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>The MVID is stored as a <b>binary <\/b>value (a 16-byte entry in the #GUID metadata heap) rather than a <b>string<\/b>, whereas the Typelib GUID is effectively stored as a string (the argument of the GuidAttribute custom attribute). Since we only have the MVID here, the sample above will <i>not <\/i>be detected with this rule.<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>It is important to note that VirusTotal does not seem to report the Typelib.<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>It is cumbersome to \u201cdo it the manual way\u201d with strings and regex, especially on larger data sets \u2013 and it\u2019s prone to issues such as:<\/span><\/p>\n<\/li>\n<ul>\n<li aria-level=\"2\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>false positives<\/span><span>: if you run &#8220;<i>strings<\/i>&#8221; on the sample and then use <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Regular_expression('User%20defined','%5Ba-fA-F0-9%5D%7B8%7D-%5Ba-fA-F0-9%5D%7B4%7D-%5Ba-fA-F0-9%5D%7B4%7D-%5Ba-fA-F0-9%5D%7B4%7D-%5Ba-fA-F0-9%5D%7B12%7D',true,true,false,false,false,false,'List%20matches')Unique('Line%20feed',false)\" target=\"_blank\" rel=\"noopener\">the following CyberChef recipe<\/a><\/span><span> \u2013 we get plenty of GUIDs, but only one is the actual Typelib;<\/span><\/p>\n<\/li>\n<li aria-level=\"2\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>false negatives<\/span><span>: we miss out on unique identifiers, which means we might miss detection of samples, campaigns or actors.<\/span><\/p>\n<\/li>\n<\/ul>\n<\/ul>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Note that with tools such as <a href=\"https:\/\/github.com\/icsharpcode\/ILSpy\" target=\"_blank\" rel=\"noopener\">ILSpy<\/a> or <a href=\"https:\/\/github.com\/dnSpyEx\/dnSpy\" target=\"_blank\" 
rel=\"noopener\">dnSpy(Ex)<\/a><\/span><span face=\"Calibri, sans-serif\">, you can also view the Typelib GUID and MVID, however, not all tools display all data, for example:<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A screenshot of a computer program Description automatically generated\" height=\"300\" src=\"https:\/\/lh7-us.googleusercontent.com\/bXV1aPLF8YDQ1Rbd_I2YacKQogKsJs9jq92gXjYroMyv81TnFX3BWRhpp__16Jyy2-9XWg3fGIrF95JFPaQG4Z91KgSwaQ0sBSg0ls48KT-H0GfPYhG9kPwRlNCxWW875LNqwN4I0d8ZnOkj3TzBmQ\" width=\"601\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 2 &#8211; dnSpy detects the Typelib GUID of the sample<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">And if we go the &#8220;oldschool&#8221; route using <\/span><b>ildasm<\/b><span face=\"Calibri, sans-serif\">:<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" height=\"560\" src=\"https:\/\/lh7-us.googleusercontent.com\/KydU0fC9_nLyUOuCtxwhmOwVl3sUcIJVKRlBHFxpqVZIo-QF9xOqg24Orkrd23BWbJanzXBpVNkKs1dSagL8pxqVTb5iuP0JCFMMVzXLADXwxe8sdMnqeF8tAyKNtN4QUmaTwEE9KE61SMm_VqK7MA\" width=\"557\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 3 &#8211; ildasm displays the MVID or Module Version ID<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">For all the above reasons, let\u2019s go beyond and do more: both with Yara, and with a new Python tool I\u2019ve created.<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\"><span>The now and the tooling<\/span><\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Before we dive into the tooling, some final history to say that Yara has evolved and thanks to that, we can now hunt and detect more effectively due to the 
following modules added:<\/span><\/p>\n<ul>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>2017: introduction of the .NET (<i>dotnet<\/i>) module in Yara 3.6.0 (<a href=\"https:\/\/github.com\/VirusTotal\/yara\/releases\/tag\/v3.6.0\" target=\"_blank\" rel=\"noopener\">link<\/a>)<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>2022: introduction of the <i>console<\/i> module in Yara 4.2.0 (<a href=\"https:\/\/github.com\/VirusTotal\/yara\/releases\/tag\/v4.2.0\" target=\"_blank\" rel=\"noopener\">link<\/a>)<\/span><\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">This means that using the .NET module, which parses the metadata heaps for us, we can match on the first entry of the #GUID heap (the MVID in this sample) and write the rule like so instead:<\/span><\/p>\n<pre>import \"dotnet\"\n\nrule PureLogStealer_GUID\n{\n    condition:\n        dotnet.guids[0] == \"9066ee39-87f9-4468-9d70-b57c25f29a67\"\n}<\/pre>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">And indeed:<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" height=\"43\" src=\"https:\/\/lh7-us.googleusercontent.com\/LTVp4-A1cN-0OojHutGcSQqRch20_WJaoF9ObbXjQ9-Z8lzh7ukq-LoOaHlRmQfYaHzh8Ms1qTIvnj5AblaBLtEVf0vKi0gTn-n-yL6w2tawwUKl_uY3qVOUnu3wtHCKy1q3gfRQwekB2IJInDF8Lg\" width=\"557\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 4 &#8211; Yara now detects the sample<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\"><span>Yara rule<\/span><\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Let\u2019s now leverage the power of Yara and 
its <i>dotnet <\/i>and <i>console <\/i>modules to write a Yara rule that prints, for any given .NET sample, the data we can build meaningful rules from: assembly name, typelib and MVID.&nbsp;<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A screenshot of a computer code Description automatically generated\" height=\"603\" src=\"https:\/\/lh7-us.googleusercontent.com\/hC-QgX1sRAbxwZsE1IGc2tQQ4sbADYHMdeMtbzIzKWdBUciviQUvK67QqBEXZdrWkW8lINUXZwpj8SCsxpJNnxUpMR2nxZBeDz-Rw-O19bDwY1FoFrPxoMeCUxGccwGyusPMlsRDNWFbDRKsNhdaBQ\" width=\"597\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 5 &#8211; Yara rule to display .NET information to the console<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">We first verify that the binary is a .NET compiled file; if so, we log some Portable Executable (PE) information to the console as well, and then display all relevant .NET information.<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">And the output will be, again for the same sample:<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A computer screen shot of a computer program Description automatically generated\" height=\"306\" src=\"https:\/\/lh7-us.googleusercontent.com\/Gx500AS1tjTHZGIcajtGdBd_MNnB1oGJsI8Zw6yoEMfVevDOXmiFKz8iPkF9Sg0F_FuAik5ymVZfyj4hq26RfSKcRmIo33d6AxfDMOHohJfz1MJ6bN3XYY-JgmE2Jvd0mCVCSTslc2IG5GWS3Z_aSQ\" width=\"491\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 6 &#8211; Yara rule output: sample metadata!<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">With both identifiers in hand, we can now write a rule that matches on either of them:<\/span><\/p>\n<pre>import \"dotnet\"\n\nrule PureLogStealer_GUID\n{\n    condition:\n        dotnet.guids[0] == \"9066ee39-87f9-4468-9d70-b57c25f29a67\" or\n        dotnet.typelib == \"856e9a70-148f-4705-9549-d69a57e669b0\"\n}<\/pre>\n<p><\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\"><span>Python tool<\/span><\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">But what if we want to run this on a large set of samples and produce statistics, which we can then use to hunt or classify malware families, or cluster campaigns?<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">A newly developed Python tool does exactly that. It supports both a single file and a whole folder of samples or your malware repository. 
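<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">The metadata the script reads through dnlib can also be parsed by hand, which makes the first caveat above concrete. The following is an added example of mine, not the DotNetMetadata script, dnlib, or any code from this post: it locates the CLI metadata root, reads the Module row so that the MVID comes out of the binary #GUID heap, scans the #Blob heap for the TypeLib GUID (the text argument of GuidAttribute), and runs the strings-style regex over the whole file for comparison. It assumes the standard 16-byte little-endian GUID layout of the #GUID heap, takes the BSJB-signature shortcut instead of walking the CLI header, reports the module name rather than the assembly name (the Assembly table is not decoded), and the sample it parses is constructed inline, not a real file.<\/span><\/p>

```python
import re
import struct
import sys
import uuid

# The strings-plus-regex approach from the post, applied to raw bytes for comparison.
GUID_TEXT = re.compile(rb"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}")


def find_metadata_root(data: bytes) -> int:
    """Offset of the CLI metadata root, located by its 'BSJB' signature.
    Walking IMAGE_COR20_HEADER via PE data directory 14 is the rigorous route;
    the signature scan is a shortcut that is good enough for this purpose."""
    off = data.find(b"BSJB")
    if off < 0:
        raise ValueError("no CLI metadata root found: not a .NET assembly")
    return off


def parse_streams(data: bytes, root: int) -> dict:
    """Map each metadata stream name (#~, #Strings, #GUID, #Blob, ...) to its bytes (ECMA-335 II.24.2)."""
    ver_len = struct.unpack_from("<I", data, root + 12)[0]       # version string length, already 4-aligned
    pos = root + 16 + ver_len
    n_streams = struct.unpack_from("<H", data, pos + 2)[0]        # Flags(2) then Streams(2)
    pos += 4
    streams = {}
    for _ in range(n_streams):
        s_off, s_size = struct.unpack_from("<II", data, pos)      # offsets are relative to the root
        pos += 8
        end = data.index(b"\x00", pos)
        name = data[pos:end].decode("ascii")
        pos = root + ((end + 1 - root + 3) & ~3)                   # name is NUL-terminated, padded to 4 bytes
        streams[name] = data[root + s_off:root + s_off + s_size]
    return streams


def module_row(tables: bytes, strings: bytes, guids: bytes) -> dict:
    """Decode the Module table's only row: module name and MVID.
    The MVID column is an index into the #GUID heap, which stores raw 16-byte GUID
    structures; that is why 'strings' never sees the MVID."""
    heap_sizes = tables[6]
    valid = struct.unpack_from("<Q", tables, 8)[0]                # bitmask of present tables
    if not valid & 1:
        raise ValueError("Module table (0x00) is missing")
    str_sz = 4 if heap_sizes & 0x01 else 2
    guid_sz = 4 if heap_sizes & 0x02 else 2
    row = 24 + 4 * bin(valid).count("1")                          # header + one row count per present table
    name_idx = int.from_bytes(tables[row + 2:row + 2 + str_sz], "little")
    mvid_idx = int.from_bytes(tables[row + 2 + str_sz:row + 2 + str_sz + guid_sz], "little")
    name = strings[name_idx:strings.index(b"\x00", name_idx)].decode("utf-8", "replace")
    mvid = None
    if mvid_idx:                                                  # #GUID indices are 1-based; 0 means none
        mvid = str(uuid.UUID(bytes_le=guids[(mvid_idx - 1) * 16:mvid_idx * 16]))
    return {"module_name": name, "mvid": mvid}


def extract_identifiers(data: bytes) -> dict:
    """Metadata-driven extraction, plus the naive regex over the whole file for comparison."""
    streams = parse_streams(data, find_metadata_root(data))
    tables = streams.get("#~") or streams["#-"]                   # "#-" is the uncompressed (ENC) table stream
    info = module_row(tables, streams["#Strings"], streams.get("#GUID", b""))
    # The TypeLib GUID is the string argument of GuidAttribute, serialised as UTF-8 inside a
    # #Blob entry, so a text search over the blob heap does find it.
    info["typelib_candidates"] = [m.decode() for m in GUID_TEXT.findall(streams.get("#Blob", b""))]
    info["strings_regex_hits"] = [m.decode() for m in GUID_TEXT.findall(data)]
    return info


def build_sample(mvid: str, typelib: str, module_name: str = "Sample.exe") -> bytes:
    """Constructed test input, not a real sample: a minimal metadata root holding one Module row,
    laid out as a compiler would, behind 0x200 bytes of filler so the root is not at offset 0."""
    def pad4(b: bytes) -> bytes:
        return b + b"\x00" * (-len(b) % 4)
    strings_heap = b"\x00" + module_name.encode() + b"\x00"
    guid_heap = uuid.UUID(mvid).bytes_le
    ser = typelib.encode()
    attr = b"\x01\x00" + bytes([len(ser)]) + ser + b"\x00\x00"    # prolog, SerString, zero named args
    blob_heap = b"\x00" + bytes([len(attr)]) + attr
    tables = struct.pack("<IBBBBQQ", 0, 2, 0, 0, 1, 1, 0) + struct.pack("<I", 1)  # HeapSizes=0, Module only, 1 row
    tables += struct.pack("<HHHHH", 0, 1, 1, 0, 0)                # Generation, Name=1, Mvid=1, EncId, EncBaseId
    streams = [(b"#~", pad4(tables)), (b"#Strings", pad4(strings_heap)),
               (b"#GUID", guid_heap), (b"#Blob", pad4(blob_heap))]
    version = pad4(b"v4.0.30319\x00")
    head = b"BSJB" + struct.pack("<HHII", 1, 1, 0, len(version)) + version + struct.pack("<HH", 0, len(streams))
    off = len(head) + sum(8 + ((len(n) + 4) & ~3) for n, _ in streams)
    body = b""
    for name, content in streams:
        head += struct.pack("<II", off, len(content)) + name.ljust((len(name) + 4) & ~3, b"\x00")
        body += content
        off += len(content)
    return b"MZ" + b"\x00" * 0x1fe + head + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(
        "9066ee39-87f9-4468-9d70-b57c25f29a67", "856e9a70-148f-4705-9549-d69a57e669b0")
    for key, value in extract_identifiers(blob).items():
        print(f"{key}: {value}")
```

<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Run it with a file path to dump a real sample, or without arguments to parse the constructed one. On the constructed sample the regex pass returns only the TypeLib GUID while the metadata pass returns the MVID as well, which is the whole difference between the first rule above and the dotnet-module rule. The #GUID heap this code reads is the same list that Yara exposes as dotnet.guids.<\/span><\/p>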
It will skip over any non-.NET binary and simply report the typelib, MVID and typelib ID (if present, which is seldom the case and rarely useful).<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">If we run it on our single sample like before:<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A computer code with white text Description automatically generated\" height=\"84\" src=\"https:\/\/lh7-us.googleusercontent.com\/xXRgtxNP8PKwspdpOmZ0oykPeiUdXvZgoTxR2_JjwSoVJAMJ7j6sKUEh8k5L9VHtWQWqz6bssUUYR90_wKASH5m5aj-ubtTrdgu_85OOoHeerEPGTKZxEdaj74emmyNVnF7I7Zq0IDY35NDO_AOnRA\" width=\"435\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 7 &#8211; New tool output on single sample<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">The tool (or script) has the following capabilities:<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A screen shot of a computer program Description automatically generated\" height=\"191\" src=\"https:\/\/lh7-us.googleusercontent.com\/UZBznPZwkdXOSaU2eHnDMjEhWHcZRf8UFhHpZTOuL1E6vYAO_M5rqwlQc7lgZ1guG6HrC-S-cZ0ha31MG6SCLdWChSo-3xWAK2_zzV6oJJiGn9v9RjoAiisv5Zg1z9Q2Wfuw_azRM6Qby8M6YpUeEw\" width=\"602\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td class=\"tr-caption\">Figure 8 &#8211; Run the tool with <b>-h<\/b> to display usage or help<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<div><span>You need Python 3, <i>pythonnet <\/i>and a compiled <i>dnlib.dll<\/i> in order for it to work.<\/span><\/div>\n<div><span face=\"Calibri, sans-serif\">You are of course not limited to just using the MVID or Typelib 
for .NET malware hunting: you can also use the assembly name and other features that could be unique, using either the Yara rule or the Python tool to extract the data you\u2019d like.<\/span><\/div>\n<div><span><\/p>\n<p><span face=\"Calibri, sans-serif\">I highly recommend using the tool rather than the Yara rule, as it parses .NET metadata more reliably. Both the Yara rule and the Python tool can be adapted to display less or more information according to your needs.&nbsp;<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\"><span>Clustering<\/span><\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Tracking attackers\u2019 campaigns is always an exercise, and can be both fun and exhausting, depending on how many rabbit holes you (want to) go down. An example of clustering campaigns as well as malware developers is the work I did with Santiago mentioned earlier, which resulted in the following graphics:<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A screenshot of a graph Description automatically generated\" height=\"549\" src=\"https:\/\/lh7-us.googleusercontent.com\/ebl9McoA0Hm5QOKCGPIKW_JKruUOUjYZbde5Ygq0H2szIY0TzBa7mg433ID75EneAd-ox0j4TYrQtF9n9Yiz7AXF5Jq3wfB7Csgyow_ERXAF5UxNsVn2fiQ6ZfBz0Gg3kBoab4h4lJK8FqS5tRdh4Q\" width=\"511\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 9 &#8211; Statistics from 2016 research (bonus obfuscation stats)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">This was a pretty large dataset (1,300 samples!) 
and specific to SteamStealers at the time<\/span><span face=\"Calibri, sans-serif\">.<\/span><\/p>\n<p><\/span><span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">For our analysis purposes, I took four of the currently most popular malware families (that are .NET based or at least have a .NET variant) according to Any.run\u2019s Malware Trends: <\/span><a href=\"https:\/\/any.run\/malware-trends\/\" target=\"_blank\" rel=\"noopener\"><span face=\"Calibri, sans-serif\">https:\/\/any.run\/malware-trends\/<\/span><\/a><span face=\"Calibri, sans-serif\">. These are:<\/span><\/p>\n<ul>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>RedLine<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>Agent Tesla<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>Quasar<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>Pure*: basically anything related to PureCrypter, PureLogs, \u2026<\/span><\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Downloading the latest available samples per family from <a href=\"https:\/\/bazaar.abuse.ch\/\" target=\"_blank\" rel=\"noopener\">MalwareBazaar<\/a><\/span><span face=\"Calibri, sans-serif\">, then running my <b>DotNetMetadata <\/b>Python script, and playing around with <a href=\"https:\/\/github.com\/pandas-dev\/pandas\" target=\"_blank\" rel=\"noopener\">pandas<\/a> <\/span><span face=\"Calibri, sans-serif\">and <a href=\"https:\/\/github.com\/matplotlib\/matplotlib\" target=\"_blank\" rel=\"noopener\">matplotlib<\/a><\/span><span face=\"Calibri, sans-serif\">,&nbsp;we can create the following graphs per family:<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">RedLine \u2013 56 samples<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" 
decoding=\"async\" alt=\"A pie chart with colorful circles Description automatically generated\" height=\"315\" src=\"https:\/\/lh7-us.googleusercontent.com\/gC35fsDulj6e1P4sWQ2hp5W1W4vhqLR2DW_JOBgk2Wt2bIDTR7GOGSmBQc6_jrLVh0Tm5bv-uB-wBaYe1jUWgPxYcp9BaUVMfze_mLkiYIRkSVKS9-HcuQXsUZcITZ3LCUszfGla8Luc4H1FlCzkqA\" width=\"526\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 10 &#8211; RedLine Typelib GUID frequency<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A colorful circular chart with numbers and numbers Description automatically generated\" height=\"361\" src=\"https:\/\/lh7-us.googleusercontent.com\/4iodvSSHX_djuvo15Ce2Pk2l_aAKWl5-Pze_pkbloiN3TxmNVYfwE5YdQDtqz-4OTEFdijaLBAeyF1iiElV9a2oMbyKlA62bslKraaXGlKTo-FxBsMMRxxnJ2MchrCRU6oCYqXH20i6xSPliq459pQ\" width=\"602\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td class=\"tr-caption\">Figure 11 -RedLine&nbsp;MVID frequency<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Agent Tesla \u2013 140 samples<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A pie chart with numbers and a number Description automatically generated\" height=\"361\" src=\"https:\/\/lh7-us.googleusercontent.com\/iEjlYFsZtyXaLwvJRit4Z-J35cfEVkZsDVH6DEFmpof67AddyPp-s3nI2BpsHJPE9GxC3nURKa61Dc6CoHzrkBYvHIuaS4f6NARXeHNDnCIJb8wypgpxyeARnbmUprD4SdHl03_8_NBQ54EYlLvtww\" width=\"602\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td class=\"tr-caption\">Figure 12 &#8211; Agent 
Tesla Typelib GUID frequency<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A circular pattern with different colors Description automatically generated with medium confidence\" height=\"361\" src=\"https:\/\/lh7-us.googleusercontent.com\/Lr4Ls11Qa3s6tpphpoywowFj4er3_G2ds5T6zsSIXk9eWxmX1kIgI1RL21lwdRjOKBncKZ-_Yl58AuOcpj_3YPKWHuByjeb4pmXAy_0nSB_MvDZhUpO2B4ekxWIBkD4N5qosztZXvsUdWFi5Z9okKg\" width=\"602\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td class=\"tr-caption\">Figure 13 -Agent Tesla&nbsp;MVID frequency<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Quasar \u2013 141 samples<\/span><\/p>\n<p><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A pie chart with colorful circles Description automatically generated\" height=\"361\" src=\"https:\/\/lh7-us.googleusercontent.com\/gC35fsDulj6e1P4sWQ2hp5W1W4vhqLR2DW_JOBgk2Wt2bIDTR7GOGSmBQc6_jrLVh0Tm5bv-uB-wBaYe1jUWgPxYcp9BaUVMfze_mLkiYIRkSVKS9-HcuQXsUZcITZ3LCUszfGla8Luc4H1FlCzkqA\" width=\"602\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td class=\"tr-caption\">Figure 14 &#8211; Quasar Typelib GUID frequency<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A pie chart with different colored circles Description automatically 
generated\" height=\"361\" src=\"https:\/\/lh7-us.googleusercontent.com\/JNu9qRWEOOBrmU-yL30Y-knNS1C5CwUoI-jFzmwSojNXH43ZhJTFb8X1FvyliSLGOZ5HgjB23wj5MCipiRzDolWOGvCcxjhvay0Xl2RUGfa4v4VJ3Uy0EljyhXVrwgGh8VPvb94UjkYBta5KBr9a8Q\" width=\"602\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 15 &#8211; Quasar MVID frequency<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Pure* family &#8211; 194 samples&nbsp;<\/span><\/p>\n<p><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A diagram of a pie chart Description automatically generated\" height=\"361\" src=\"https:\/\/lh7-us.googleusercontent.com\/faQvmkzofZz5gum1rZwq0u-1r_LKzmxspcSlQ2jOCsn-mMx9aiUI2wGc3wtUJrBvxTE1LGyeSrrA9jJxJyuN6PTfF0EQ6bsReZrLzvvY_VntBJV63Rzj_Xeg5ugyqgjUUFqdNwnAsqa4x1otfRFT0w\" width=\"602\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 16 &#8211; Pure* Typelib GUID frequency<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A circular pattern with different colors Description automatically generated with medium confidence\" height=\"361\" src=\"https:\/\/lh7-us.googleusercontent.com\/sWiC3m-bZW6F1E-xmCxwNIp_BP2JN6laEjM8QcN_QsBBEEfQ1_mc5GclEbr2FzPt3Wpnh9-OF0GvP5dL1ZB0HnbzveDmCzstleeNx1elibiNN4qKB4hSElofcQ3DiYgHqrhbzanZa06-7-jSs-XD0Q\" width=\"602\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 17 &#8211; Pure* MVID frequency<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">While these pie charts are certainly hypnotic and show how often the same typelib or MVID recurs, we can also use them to create meaningful Yara rules for clustering samples per family. In the case of <b>Quasar<\/b> especially, the <b>MVID<\/b> \u201c60f5dce2-4de4-4c86-aa69-383ebe2f504c\u201d looks like a good candidate.<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">You might think that while these charts look visually appealing (depending on your art preferences), they are not particularly useful because they don&#8217;t scale well to larger datasets. You\u2019re exactly right! By limiting the number of results displayed, we can produce more useful output. On our dataset for the four malware families above, <b>531 <\/b>samples in total, let\u2019s run the visualisation again, and this time:<\/span><\/p>\n<ul>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>Run it on the whole sample set<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>Extract the assembly name<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>List only the top 10 assembly names<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>Use a bar chart instead of a pie<\/span><\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">And the result:<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A bar chart with blue squares Description automatically generated\" height=\"340\" src=\"https:\/\/lh7-us.googleusercontent.com\/qssSTTHjxqLCvq-Xfcx2tcY17uzMLwYEQ_daLz2ra7g5RpxW9WhFZP0NDcQq2dvJBjTIpUVfQrdzCsFrTFcQ_Z0XNqploArcR3aMz2M6A_1R9s0o-g3wpXoMxA_3u3w9yOXBgOBW3vibPsApDlERWw\" width=\"602\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 18 &#8211; Assembly name frequency &#8211; looking better right?<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">The 
top 3 is then:<\/span><\/p>\n<ul>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>\u201cClient\u201d: Quasar family<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>\u201cProduct Design 1\u201d: Pure family<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>\u201cSample Design 1\u201d: Pure family<\/span><\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\"><i>Client <\/i>is likely the default assembly name when compiling the Quasar malware (project), and <i>Product Design<\/i> and <i>Sample Design<\/i> are likely default assembly names from the PureCrypter builder.&nbsp;<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">If we then want to write a Yara rule for Quasar based on the default assembly name (a name this generic will also match unrelated software on its own, so in practice combine it with an MVID or Typelib condition as shown above):<\/span><\/p>\n<pre>import \"dotnet\"\n\nrule Quasar_AssemblyName\n{\n    condition:\n        dotnet.assembly.name == \"Client\"\n}<\/pre>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">But why stop there? 
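<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Reading candidates off a pie chart does not tell you whether an identifier is unique to one family, which is what a classification rule needs. The following is an added example of mine, not the post\u2019s script or pandas code: over a constructed dataset it lists the most frequent values, flags values shared between families, keeps only values unique to one family that cover a chosen share of its samples, and renders the survivors into a Yara rule in the same shape as the rules in this post. The Quasar MVID and the three assembly names are the values discussed above; every other identifier is a placeholder, the family named Other is invented, and one of its rows reuses the name Client purely to exercise the collision check. The MVID condition assumes, as the rules here do, that the MVID is dotnet.guids[0].<\/span><\/p>

```python
import re
from collections import Counter, defaultdict

# Constructed dataset standing in for the script's per-sample output (not real sample data).
# The Quasar MVID and the three assembly names are the values discussed in the post; every
# other identifier is a placeholder. The "Other" rows stand for an invented family, and one
# of them reuses the name "Client" purely to exercise the cross-family collision check.
SAMPLES = [
    {"family": "Quasar", "assembly_name": "Client", "mvid": "60f5dce2-4de4-4c86-aa69-383ebe2f504c", "typelib": "10000000-0000-4000-8000-000000000001"},
    {"family": "Quasar", "assembly_name": "Client", "mvid": "60f5dce2-4de4-4c86-aa69-383ebe2f504c", "typelib": "10000000-0000-4000-8000-000000000002"},
    {"family": "Quasar", "assembly_name": "Client", "mvid": "60f5dce2-4de4-4c86-aa69-383ebe2f504c", "typelib": "10000000-0000-4000-8000-000000000003"},
    {"family": "Quasar", "assembly_name": "Client", "mvid": "10000000-0000-4000-8000-0000000000a4", "typelib": "10000000-0000-4000-8000-000000000004"},
    {"family": "Pure", "assembly_name": "Product Design 1", "mvid": "20000000-0000-4000-8000-0000000000b1", "typelib": "20000000-0000-4000-8000-000000000000"},
    {"family": "Pure", "assembly_name": "Product Design 1", "mvid": "20000000-0000-4000-8000-0000000000b2", "typelib": "20000000-0000-4000-8000-000000000000"},
    {"family": "Pure", "assembly_name": "Sample Design 1", "mvid": "20000000-0000-4000-8000-0000000000b3", "typelib": "20000000-0000-4000-8000-000000000000"},
    {"family": "Pure", "assembly_name": "Sample Design 1", "mvid": "20000000-0000-4000-8000-0000000000b4", "typelib": "20000000-0000-4000-8000-000000000099"},
    {"family": "Other", "assembly_name": "Client", "mvid": "30000000-0000-4000-8000-0000000000c1", "typelib": None},
    {"family": "Other", "assembly_name": "Stub", "mvid": "30000000-0000-4000-8000-0000000000c2", "typelib": None},
]

# How each feature is expressed with Yara's dotnet module. The MVID condition assumes, as the
# post's rules do, that the MVID is the first entry of the #GUID heap.
CONDITION = {
    "assembly_name": 'dotnet.assembly.name == "{v}"',
    "mvid": 'dotnet.guids[0] == "{v}"',
    "typelib": 'dotnet.typelib == "{v}"',
}


def value_index(records, feature):
    """feature value -> Counter(family -> number of samples carrying that value)."""
    index = defaultdict(Counter)
    for rec in records:
        if rec.get(feature):                     # skip samples where the feature is absent
            index[rec[feature]][rec["family"]] += 1
    return index


def top_values(records, feature, n=10):
    """The bar-chart view: the n most frequent values across the whole dataset."""
    return Counter(rec[feature] for rec in records if rec.get(feature)).most_common(n)


def collisions(records, feature):
    """Values seen in more than one family, which per-family pie charts cannot reveal."""
    return {v: dict(fams) for v, fams in value_index(records, feature).items() if len(fams) > 1}


def rule_candidates(records, feature, min_coverage=0.5):
    """Values unique to one family that cover at least min_coverage of that family's samples.
    A value shared across families may still be fine for a generic .NET-malware rule,
    but not for a rule meant to classify."""
    sizes = Counter(rec["family"] for rec in records)
    out = []
    for value, fams in value_index(records, feature).items():
        if len(fams) != 1:
            continue
        (family, n), = fams.items()
        coverage = n / sizes[family]
        if coverage >= min_coverage:
            out.append({"family": family, "feature": feature, "value": value, "coverage": round(coverage, 2)})
    return sorted(out, key=lambda c: (c["family"], -c["coverage"]))


def render_rule(family, candidates):
    """Emit a Yara rule for one family, OR-ing its selected identifiers and logging the match.
    Returns None when no identifier survived selection, rather than an empty (invalid) rule."""
    conds = [CONDITION[c["feature"]].format(v=c["value"]) for c in candidates if c["family"] == family]
    if not conds:
        return None
    name = re.sub(r"\W", "_", family)
    body = " or\n         ".join(conds)
    return (
        'import "dotnet"\nimport "console"\n\n'
        f"rule {name}_metadata\n{{\n    condition:\n"
        f"        ({body})\n"
        f'        and console.log("Likely {family}, assembly name: ", dotnet.assembly.name)\n'
        "}\n"
    )


if __name__ == "__main__":
    print("top assembly names:", top_values(SAMPLES, "assembly_name"))
    print("shared across families:", collisions(SAMPLES, "assembly_name"))
    picked = [c for f in ("assembly_name", "mvid", "typelib") for c in rule_candidates(SAMPLES, f)]
    for fam in sorted({c["family"] for c in picked}):
        print(render_rule(fam, picked))
```

<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">On the constructed data the name Client is the most frequent value overall yet is rejected as a classifier because two families carry it, while the Quasar MVID survives with three of four samples covered. Swap SAMPLES for the rows the DotNetMetadata script emits and the family labels MalwareBazaar supplied, raise min_coverage for stricter rules, and run the rendered text with yara against a held-out set before trusting it.<\/span><\/p>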
We can build a Yara rule to classify our malware dataset or repository:<\/span><\/p>\n<pre>import \"dotnet\"\nimport \"console\"\n\nrule DotNet_Malware_Classifier\n{\n    condition:\n        (dotnet.assembly.name == \"Client\" and\n            console.log(\"Likely Quasar, assembly name: \", dotnet.assembly.name)) or\n        (dotnet.assembly.name == \"Product Design 1\" and\n            console.log(\"Likely Pure family, assembly name: \", dotnet.assembly.name)) or\n        (dotnet.assembly.name == \"Sample Design 1\" and\n            console.log(\"Likely Pure family, assembly name: \", dotnet.assembly.name))\n}<\/pre>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">And we run this new Yara rule on the combined samples of the Pure family and Quasar:<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A screenshot of a computer Description automatically generated\" height=\"427\" 
src=\"https:\/\/lh7-us.googleusercontent.com\/Cw6aCnyNBy3oWelYfXTq8-t4CLTthBcSKVobBOWWPzeW8R-TRszdXsPbM81RGn1utbRyL2KDZPLhH1KUNrI2COK1RjlknGjQoIVvV9WOc63EWvRzetd4XWhXNQfC4DAj470bgHHXVerA_PfKnn39BQ\" width=\"454\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 19 &#8211; Simple &#8220;malware classifier&#8221;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">We can combine sets of Yara rules bases on assembly name, Typelib, MVID and so on to create rules with a higher confidence, and we can use this in further hunting, classification and&#8230; much more.&nbsp;<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Bonus<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">If you\u2019ve made it this far, it only makes sense to add in an additional extra use-case for all of this: finding new crypters or obfuscators!&nbsp;<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">When I ran the script on the +500 samples, there was 1 assembly \/ binary that stood out:<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A cartoon of a bathtub Description automatically generated\" height=\"45\" src=\"https:\/\/lh7-us.googleusercontent.com\/ZbDh1R-g6qouAYQaHujAsnWZBrO5ML2Zpy3GOwnzeIugZQsScJLPnR98AI49qvHjD7j8oY036C4v3OIa8OUJmzW4_NAyrVfhULHhKCpWPr2A5LXBrQyvAaiEKi-CLmN28s4yczBN20-51vSTEcY8ew\" width=\"352\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 20 &#8211; Potential new crypter &#8220;Cronos&#8221;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Making a simple Yara rule again:<\/span><\/p>\n<p dir=\"ltr\"><span><span>import &#8220;dotnet<\/span><\/span><span>&#8220;<\/span><\/p>\n<p><\/span><span><\/p>\n<p dir=\"ltr\"><span><span>rule cronos_crypter<\/span><\/span><\/p>\n<p dir=\"ltr\"><span><span>{<\/span><\/span><\/p>\n<p 
dir=\"ltr\"><span><span>strings:<\/span><\/span><\/p>\n<p dir=\"ltr\"><span><span>$cronos = <\/span><span>&#8220;<\/span><span>Cronos-Crypter<\/span><span>&#8220;<\/span><span> ascii wide nocase<\/span><\/span><\/p>\n<p dir=\"ltr\"><span><span>condition:<\/span><\/span><\/p>\n<p dir=\"ltr\"><span><span>dotnet.is_dotnet and $cronos<\/span><\/span><\/p>\n<p dir=\"ltr\"><span><span>}<\/span><\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Running this on the <a href=\"http:\/\/Unpac.me\" target=\"_blank\" rel=\"noopener\">Unpac.me<\/a> dataset yields:<\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A screenshot of a computer Description automatically generated\" height=\"171\" src=\"https:\/\/lh7-us.googleusercontent.com\/_H6VGCsQItV1JcMozc34fU0_ri1quxwtG1fXdHbN0VNfqfw0LDNWaLXmNiOtPmzmt_8fzhR9xu548mPU5pZyRGqjBfCVsqL6y5yhJg93aKvrgIfVH22KCQM7aaceBSsZdJONce3RaVFMkRraJI9cuA\" width=\"602\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 21 &#8211; Unpac.me Yara hunt results<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">4 matches in 12 weeks: it appears <a href=\"https:\/\/github.com\/TalosSec\/Cronos-Crypter\" target=\"_blank\" rel=\"noopener\">this crypter<\/a> <\/span><span face=\"Calibri, sans-serif\">is not popular (yet): 2 Async RAT samples and 2 PovertyStealer samples have used it so far.&nbsp;<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Bonus on Bonus<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Let\u2019s go with a final bonus round: improving the previous \u201cclassification\u201d rule by also reviewing results for Async RAT. Seeing the previous crypter was used on at least 2 Async RAT samples, I wanted to see some statistics for this malware as well, for just the assembly name. 
This results in the following, based on 86 samples: <\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A pie chart with different colored circles Description automatically generated\" height=\"361\" src=\"https:\/\/lh7-us.googleusercontent.com\/76e1uWaCFCQHEDfQSrUYvR4MLmxf9iCKB52grDM7fLgRvQh1oQkUfbuojqLhH5ZpU4VMSCSxksuHIUhZsGv6GK7t8NxcVGFnAH1K4gOokDJq4UFen-l1J5S2xi-OEYm8BnrPZcJ6vJnuzlt0IkJYOw\" width=\"602\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 22 &#8211; Another pie chart: AsyncRat top used assembly names<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\"><span><span><br \/>\n<\/span><span face=\"Calibri, sans-serif\"><span>Jumping out are the following assembly names:<\/span><\/span><\/span><\/p>\n<ul>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>AsyncClient<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>Client <\/span><span>????<\/span><span> Also seen in Quasar!<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>XClient<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>Output<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>Loader<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>Stub<\/span><\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">AsyncClient is likely the default name when building the Async RAT project. 
But we are interested in widening the net: from the previous rule <\/span><span face=\"Calibri, sans-serif\">DotNet_Malware_Classifier, <\/span><span face=\"Calibri, sans-serif\">let\u2019s update it with these new \u201cgeneric\u201d or default assembly names:<\/span><\/p>\n<p dir=\"ltr\"><span><span>import &#8220;dotnet<\/span><\/span><span>&#8220;<\/span><\/p>\n<p><\/span><span><\/p>\n<p dir=\"ltr\"><span><span>import <\/span><span>&#8220;<\/span><span>console<\/span><\/span><span>&#8220;<\/span><\/p>\n<p><\/span><span><\/p>\n<p dir=\"ltr\"><span><span>rule DotNet_Malware_Classifier<\/span><\/span><\/p>\n<p dir=\"ltr\"><span><span>{<\/span><\/span><\/p>\n<p dir=\"ltr\"><span><span>condition:<\/span><\/span><\/p>\n<p dir=\"ltr\"><span><span>(dotnet.assembly.name == <\/span><span>&#8220;<\/span><span>Client<\/span><span>&#8220;<\/span><span> and console.log(<\/span><span>&#8220;<\/span><span>Suspicious assembly name: <\/span><span>&#8220;<\/span><span>, dotnet.assembly.name)) or<\/span><\/span><\/p>\n<p dir=\"ltr\"><span><span>(dotnet.assembly.name == <\/span><\/span><span>&#8220;<\/span><span>Output<\/span><span>&#8220;<\/span><span> and console.log(<\/span><span>&#8220;<\/span><span>Suspicious assembly name: <\/span><span>&#8220;<\/span><span>, dotnet.assembly.name)) or<\/span><\/p>\n<p><\/span><span><\/p>\n<p dir=\"ltr\"><span><span>(dotnet.assembly.name == <\/span><\/span><span>&#8220;<\/span><span>Loader<\/span><span>&#8220;<\/span><span> and console.log(<\/span><span>&#8220;<\/span><span>Suspicious assembly name: <\/span><span>&#8220;<\/span><span>, dotnet.assembly.name)) or<\/span><\/p>\n<p><\/span><span><\/p>\n<p dir=\"ltr\"><span><span>(dotnet.assembly.name == <\/span><\/span><span>&#8220;<\/span><span>Stub<\/span><span>&#8220;<\/span><span> and console.log(<\/span><span>&#8220;<\/span><span>Suspicious assembly name: <\/span><span>&#8220;<\/span><span>, dotnet.assembly.name))<\/span><\/p>\n<p><\/span><span><\/p>\n<p 
dir=\"ltr\"><span><span>}<\/span><\/span><\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\">\n<tbody>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" alt=\"A screenshot of a computer Description automatically generated\" height=\"223\" src=\"https:\/\/lh7-us.googleusercontent.com\/Iegxbg0L6Wuu3Wx-HApY-9BI7FIdrEcZo3CdIW410uIO4sZyMg-_0_HHlNYJmA89sTCc3nngmaSmN9U5Re3hAXpQ3I7F5ANn6mmN1EIQ0fGQtfYgyhe-xvxUzV5FRgThBGaBBAHLaruq2mns0leHWg\" width=\"580\"><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\">Figure 23 &#8211; Classifier Yara rule results<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 dir=\"ltr\"><span><br \/><\/span><\/h2>\n<h2 dir=\"ltr\"><span>Conclusion<\/span><\/h2>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">In this blog post, two new tools were presented to extract metadata from .NET malware samples. Specifically, we can now reliably extract 2 unique GUIDs: the Typelib and the MVID.<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\"><b>The Python script<\/b> is capable of extracting the desired data from a large set of .NET assemblies, whereas <b>the Yara rule<\/b> is tailored for use with one particular sample. Of course, either of them can be used interchangeably: you can still fine-tune the Yara rule for a large set and work this way if you don\u2019t want to rely on an external script. Similarly, the script can be extended to extract more data to be used.<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Based on the output of these tools, you can then create Yara hunting rules, combine it with your existing rule sets, or use them in an attempt to classify malware families or specific attack campaigns.<\/span><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Some closing remarks:<\/span><\/p>\n<ul>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>GUIDs could be spoofed or even removed. 
<b>No method is 100% reliable.<br \/>\n<\/b><br \/>\n<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>However, this method can enhance already existing rulesets, especially those where .NET obfuscators (e.g. SmartAssembly) obfuscate (user) strings, modules and more, making it harder to write Yara rules for a malware family. Detecting based on GUID however, can work regardless of obfuscation method. <\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>That said, obfuscating or deobfuscating <\/span><span>may<\/span><span> also alter the GUIDs. Keep this in mind when creating your detection rules based on an original or unpacked\/deobfuscated sample. <\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>If you encounter a GUID comprised entirely of zeros, such <\/span><span>as<\/span><span> 00000000-0000-0000-0000-000000000000<\/span><span>, avoid using it for hunting since it&#8217;s an empty GUID.<br \/>\nThis indicates the value may not be set or has been altered. This would make for a poor hunting rule as it can be a default value for any .NET project.<\/span><\/p>\n<\/li>\n<li aria-level=\"1\" dir=\"ltr\">\n<p dir=\"ltr\" role=\"presentation\"><span>You can also this for .NET assemblies that are <i>not <\/i>malicious: extract developer information and other metadata per your use case or purpose.<\/span><\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">Happy .NET hunting! 
You can find the tools and some of the example Yara rules in the repository: <\/span><a href=\"https:\/\/github.com\/bartblaze\/DotNet-MetaData\" target=\"_blank\" rel=\"noopener\"><span face=\"Calibri, sans-serif\">https:\/\/github.com\/bartblaze\/DotNet-MetaData<\/span><\/a><\/p>\n<p dir=\"ltr\"><span face=\"Calibri, sans-serif\">As always, feedback is welcomed.<\/span><\/p>\n<p><\/span><\/div>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/35707\/Analyse-Hunt-And-Classify-Malware-Using-.NET-Metadata.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":55695,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[10514],"class_list":["post-55694","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-blogs","tag-headlinehackermalwaremicrosoft"]}