Family: unclassified-pe32-dotnet | Confidence: low
SHA-256: d5b11a1cb3ada393252b8961fb59295d5a7327bae27eb9fd0b8d1a7a186646b7

Deep Analysis — d5b11a1cb3ad

Build / RE

Toolchain — PE32 executable for .NET Framework 4.8 (IL Only, cil subsystem) compiled with the Microsoft.VisualBasic runtime. ^[file.txt] Timestamp Fri May 22 16:25:04 2026 UTC. ^[pefile.txt:34] Single import _CorExeMain from mscoree.dll — standard CLR bootstrap stub. ^[pefile.txt:255]

Obfuscation — Xenocode.Client.Attributes.AssemblyAttributes and SmartAssembly.Attributes both present in recovered .NET metadata strings. ^[strings.txt:1883,1885] SmartAssembly is a commercial .NET obfuscator/packer (Redgate) that adds string encryption, control-flow obfuscation, and anti-tamper delegates; Xenocode is a legacy .NET code-virtualization protector. Their co-occurrence indicates layered protection applied to the original assembly.

Anti-analysis — No dedicated anti-debug or anti-VM strings are visible in the extracted metadata; however, SmartAssembly injects runtime tamper-checks that typically call home or fault the process if a debugger is attached. We cannot confirm the exact checks without a decompiled IL view (dnfile aborted with >3,000 small-stream parse errors during capa enumeration). ^[capa.txt]

Code quality — Standard 3-section .NET PE (.text, .rsrc, .reloc). Version-info resource claims Utility Application, product name Server Development Lty, internal name server1.exe. ^[exiftool.json:36-43] This is deliberate masquerade (see version-info-masquerade).

Embedded artefacts — AES CreateDecryptor with set_Key/set_Mode and Convert.FromBase64String are referenced. ^[strings.txt:2025-2029] GetManifestResourceStream is also present, ^[strings.txt:2050] suggesting an encrypted payload is stored as an embedded manifest resource and decrypted at runtime (see dotnet-manifest-resource-decryption). A plaintext marker Discord Link : v1.0.0-custom sits in the resource area. ^[strings.txt:2051]

Notable functions — No native exports; CLR entry point is via COM descriptor. No CAPE detonation means no runtime call-graph recovery.

Deploy / ATT&CK

Observed capabilities (static inference)

  • Spawn child processes via ProcessStartInfo with UseShellExecute. ^[strings.txt:1298,1973]
  • AES-encrypted payload decryption with Base64 decode. ^[strings.txt:2025-2029]
  • Manifest resource stream extraction. ^[strings.txt:2050]
  • SoapHttpClientProtocol reference ^[strings.txt:2076] — may indicate SOAP/HTTP C2 channel or may be a SmartAssembly runtime remnant; single reference, low confidence.

TTP mapping (static inference)

Technique | Evidence | Confidence
T1027 — Obfuscated Files or Information | SmartAssembly + Xenocode attributes, AES+Base64 decode | high
T1059.005 — Visual Basic | Microsoft.VisualBasic runtime, VB.NET project structure | high
T1055 — Process Injection | ProcessStartInfo suggests process spawning; no hollow/inject APIs observed | low
T1071 — Application Layer Protocol | SoapHttpClientProtocol (single reference, may be RTI) | low
T1036.005 — Match Legitimate Name or Location | Version info masquerades as system utility (see version-info-masquerade) | high

Persistence — None observable statically.

C2 — No hardcoded IP, domain, or URI recovered. The Discord Link string could mark a Discord Webhook configuration channel, but without runtime confirmation this is speculative.

Attribution — None. The submitted filename rTransferencia_22_05_2026.exe (per triage.json) uses Portuguese "Transferência" (bank transfer), suggesting Brazilian lures. Masquerade metadata reinforces Latin-American targeting. No code-reuse or linguistic markers link this to a known family.

Confidence

Low. Static evidence points to a commodity .NET stealer/RAT/Dropper protected with SmartAssembly + Xenocode. Without CAPE runtime data we cannot confirm payload behaviour, C2, or family linkage.