Beginner Malware Analysis: DCRat with dnSpy (Stream 03/06/2025)

In this stream we analyzed a DCRat .NET assembly with dnSpy, wrote Python automation to decrypt its configuration items, found additional samples with unpac.me and Yara, then tested our decryption script against additional samples.

Learn how to reverse engineer malware: https://training.invokere.com/
Notes: https://github.com/Invoke-RE/stream-n...
Twitch:   / invokereversing  
Twitter:   / invokereversing  
BlueSky: https://bsky.app/profile/invokerevers...
Mastodon: https://infosec.exchange/@invokerever...

Introduction 00:00
Global Setting Decryption 05:50
Anti-Analysis 14:38
Mutex Creation 17:47
Process Killing Thread 18:24
Privilege and BSOD Protection 20:59
Persistence 23:17
Clear Settings 27:46
AMSI Bypass 28:14
Command and Control 33:14
Camera Functionality 37:10
Hardware ID Generation 37:52
Information Collection 38:50
Decrypting Configuration Items with Cyberchef 40:19
Decrypting Configuration with Python dncil 53:15
Python Decryption Working with dncil 01:25:22
Testing Against Other Samples 01:26:48
Writing Yara to Find More Samples 01:29:26
Testing with AssemblyLine 01:33:37