type: entity
confidence: low
created: 2026-06-05
updated: 2026-06-05
tags: dotnet, obfuscation, loader, bitmap-steganography, unclassified

Unclassified .NET Bitmap-Stego Loader

Umbrella label for a .NET Framework PE32 loader family characterized by embedding roughly twenty small bitmap resources (typically 76×76, 24 bpp) that serve as carriers for an encrypted payload or configuration. Static analysis shows heavy name mangling, control-flow flattening, and System.Resources.ResourceReader stream extraction; the final decrypted payload has not been recovered without dynamic execution, since the decryption routine and key are buried in the obfuscated IL.

Build / RE

  • Format: PE32 (GUI) .NET assembly, minimal IAT (mscoree.dll!_CorExeMain only). ^[sample 4bf14434/pefile.txt]
  • Obfuscation: Random alphanumeric name mangling (not ConfuserEx base64), flattened IL dispatchers, encrypted strings. floss yields no plaintext API names. ^[sample 4bf14434/floss.txt]
  • Resources: Repeated System.Drawing.Bitmap type references in the string set; binwalk reports 20+ "PC bitmap" structures in the file. ^[sample 4bf14434/binwalk.txt] Note that binwalk reports file offsets, not sections: .NET manifest resources read through ResourceReader normally live in the managed metadata inside .text rather than in the native .rsrc directory, so confirm section placement with the PE headers before carving.
  • Masquerade: Fabricated VS_VERSIONINFO with nonsense company/product names and version 21.19.1.278. ^[sample 4bf14434/exiftool.json]

Deploy / ATT&CK

  • T1620 Reflective Code Loading — Assembly.Load / GetMethod / Invoke strings present; capa confirms. ^[sample 4bf14434/capa.txt]
  • T1497.001 Virtualization/Sandbox Evasion — Anti-VM Xen strings detected by capa. ^[sample 4bf14434/capa.txt]
  • T1083 File and Directory Discovery — File existence/extension checks flagged by capa. ^[sample 4bf14434/capa.txt]
  • T1036 Masquerading — Fake VS_VERSIONINFO block (not T1036.002, which is Right-to-Left Override; no sub-technique covers fabricated version metadata exactly). ^[sample 4bf14434/exiftool.json]

Capabilities

  • dotnet-manifest-resource-decryption
  • bitmap-embedded-payload-steganography
  • name-mangling-obfuscation
  • control-flow-flattening
  • version-info-masquerade
  • reflective-assembly-loading
  • anti-vm-xen-detection

Related

Note

No runtime C2 IOCs recovered; payload logic is ciphertext inside the bitmaps. Recovery requires detonation, or manual extraction of the resource streams plus recovery of the decryption key and algorithm from the deobfuscated IL. Carving alone yields only the ciphertext; entropy and header checks on the carved bytes tell you whether you are looking at raw ciphertext or a decoy image, not what the payload is.
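The carving side of the manual path described above (extract the bitmap resources, strip the BMP container, reassemble and triage the carried bytes) can be done generically. The following is an added example written for this page, not code from the sample or from any tool the page cites. It assumes the bitmaps are uncompressed 24-bpp BMPs and that the raw resource bytes have already been pulled out of the assembly (by ResourceReader, dnSpy, or binwalk carving). The family's real cipher and key are unknown; the SHA-256 XOR keystream and DEMO_KEY below are a constructed stand-in so the pipeline can be exercised end to end, and the two bitmaps are constructed fixtures (one ciphertext carrier, one decoy gradient), not data from the sample.

```python
"""Carve, reassemble and triage bitmap-resource payload carriers.

Added worked example, not code from the sample or the original page.
The XOR keystream is a constructed placeholder for the family's unknown
cipher; replace xor_decrypt with whatever the deobfuscated IL reveals.
"""
import hashlib
import math
import struct

BMP_FILE_HDR = "<2sIHHI"       # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
BMP_INFO_HDR = "<IiiHHIIiiII"  # 40-byte BITMAPINFOHEADER
MAGICS = {b"MZ": "pe", b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"\x78\x9c": "zlib"}


def carve_pixels(bmp: bytes, image_order: bool = False) -> bytes:
    """Return the pixel bytes of an uncompressed 24-bpp BMP with row padding stripped.

    Default is file order (rows as stored, BGR), what a loader reading the raw
    resource bytes sees. image_order=True returns rows top-down, which matches a
    loader that walks Bitmap.GetPixel or LockBits scanlines instead.
    """
    magic, _size, _r1, _r2, off = struct.unpack_from(BMP_FILE_HDR, bmp, 0)
    if magic != b"BM":
        raise ValueError("not a BMP")
    hdr, width, height, _planes, bpp, comp = struct.unpack_from("<IiiHHI", bmp, 14)
    if hdr < 40 or bpp != 24 or comp != 0:
        raise ValueError("only uncompressed 24-bpp BMPs are handled")
    row = abs(width) * 3
    stride = (row + 3) & ~3          # each row is padded to a 4-byte boundary
    top_down = height < 0            # negative biHeight means rows stored top-down
    rows = [bmp[off + y * stride: off + y * stride + row] for y in range(abs(height))]
    if len(rows[-1]) != row:
        raise ValueError("truncated pixel data")
    if image_order and not top_down:
        rows.reverse()
    return b"".join(rows)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext/compressed data, low for real images."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify(blob: bytes) -> str:
    """Name a recognisable container header at the start of blob, else 'unknown'."""
    for magic, name in MAGICS.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def triage(resources, image_order: bool = False) -> dict:
    """Carve every bitmap, concatenate in resource order and summarise the result."""
    carved = [carve_pixels(b, image_order) for b in resources]
    blob = b"".join(carved)
    return {
        "length": len(blob),
        "entropy": [round(shannon_entropy(c), 2) for c in carved],
        "magic": identify(blob),
        "blob": blob,
    }


def keystream(key: bytes, n: int) -> bytes:
    """Constructed demo keystream: SHA-256(key || counter). Not the family's cipher."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "little")).digest()
        ctr += 1
    return bytes(out[:n])


def xor_decrypt(blob: bytes, key: bytes) -> bytes:
    """Placeholder decryption step; swap in the algorithm recovered from the IL."""
    return bytes(a ^ b for a, b in zip(blob, keystream(key, len(blob))))


def build_bmp(pixels: bytes, width: int = 76, height: int = 76) -> bytes:
    """Constructed fixture: wrap raw pixel bytes in a bottom-up 24-bpp BMP."""
    row = width * 3
    stride = (row + 3) & ~3
    assert len(pixels) == row * height
    body = b"".join(pixels[y * row:(y + 1) * row] + b"\x00" * (stride - row)
                    for y in range(height))
    fh = struct.pack(BMP_FILE_HDR, b"BM", 54 + len(body), 0, 0, 54)
    ih = struct.pack(BMP_INFO_HDR, 40, width, height, 1, 24, 0, len(body), 2835, 2835, 0, 0)
    return fh + ih + body


# Constructed sample set: one bitmap carrying "ciphertext", one decoy gradient.
DEMO_KEY = b"constructed-demo-key"
PIXEL_BYTES = 76 * 76 * 3
PLAINTEXT = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n").ljust(PIXEL_BYTES, b"\x00")
CIPHERTEXT = xor_decrypt(PLAINTEXT, DEMO_KEY)          # XOR is symmetric
DECOY = bytes((i % 4) * 60 for i in range(PIXEL_BYTES))
RESOURCES = [build_bmp(CIPHERTEXT), build_bmp(DECOY)]

if __name__ == "__main__":
    report = triage(RESOURCES)
    print("carved bytes:", report["length"], "entropy per bitmap:", report["entropy"],
          "leading magic:", report["magic"])
    recovered = xor_decrypt(carve_pixels(RESOURCES[0]), DEMO_KEY)
    print("after placeholder decrypt:", identify(recovered), recovered[:2])
```

Two practical caveats the code encodes: row order and channel order depend on how the loader reads the bitmap (raw stream versus GetPixel/LockBits), so try both orderings before concluding the key is wrong; and a per-bitmap entropy near 8 with no recognisable header is exactly what the page describes, ciphertext that only the recovered key will turn into something `identify` can name.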