type: concept | confidence: high | created: 2026-06-02 | updated: 2026-06-02 | dotnet, payload, code-injection

.NET Manifest Resource Decryption

.NET assemblies often store encrypted payloads as embedded manifest resources. At runtime the malware calls Assembly.GetManifestResourceStream to retrieve the blob, then decrypts it (commonly AES + Base64) and loads the resulting assembly reflectively or writes it to disk.

Indicators in strings

  • GetManifestResourceStream
  • CreateDecryptor, set_Key, set_Mode
  • FromBase64String, TransformFinalBlock

Observed in