SmartAssembly Obfuscation

SmartAssembly is a commercial .NET obfuscator/packer by Redgate. Malware authors abuse its string encryption, control-flow obfuscation, and anti-tamper features.

Detection

• String artefacts: SmartAssembly.Attributes, SmartAssembly.Licensing, PoweredBySmartAssembly
• Metadata: ObfuscationAttribute with feature string "SmartAssembly"
• Blocked dnfile/ILSpy decomposition due to invalid stream sizes (small stream parse failures)

Impact on analysis

• Plaintext .NET metadata strings are encrypted; only resolved at runtime via delegate stubs.
• Stack traces and exception messages are often stripped or rewritten.
• Anti-tamper can fault the process under debuggers.

Observed in

• unclassified-pe32-dotnet — d5b11a1cb3ad (co-occurs with Xenocode)