flare-floss

terminated by signal SIGKILL (Forced quit) when attempting to deobfuscate strings in packed .NET binaries

Open seanthegeek opened this issue 11 months ago • 2 comments

Hash: ed0074c644b448eda3a6fa4b3fd83bdcbebe958cae85b759b1c621cd9162fcc0

Packed sample of Lumma stealer.

Reference: https://github.com/kevoreilly/CAPEv2/issues/2440

seanthegeek Dec 23 '24 19:12

Team, feel free to ping me in internal chat if needed.

The provided hash is the initial hash; that hash works just fine and is not the issue. The issue is with the captured file 8961fee08f2fd802c671b00dd845f7dfad9748c317e57aa675774a034319d89e uploaded to VT.

For context, it happens only if you press yes/has yes for deobfuscate strings. I have added that by just ignoring dotnet samples.

floss /opt/CAPEv2/storage/analyses/151/CAPE/8961fee08f2fd802c671b00dd845f7dfad9748c317e57aa675774a034319d89e
WARNING: floss: .NET language-specific string extraction is not supported yet
WARNING: floss: FLOSS does NOT attempt to deobfuscate any strings from .NET binaries
Do you want to enable string deobfuscation? (this could take a long time) [y/N]

doomedraven Dec 23 '24 20:12
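One way to implement the workaround mentioned in the comment above (ignoring .NET samples before the deobfuscation pass) is to check the PE's CLR data directory. This is an added example, not code from FLOSS or CAPEv2; `is_dotnet_pe`, `should_deobfuscate` and `build_pe` are hypothetical names, and the sample headers are constructed.

```python
import struct

CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR runtime header)

def is_dotnet_pe(data: bytes) -> bool:
    """True if the PE optional header carries a non-empty CLR data directory."""
    try:
        if data[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        opt = e_lfanew + 24  # skip 4-byte signature and 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:      # PE32
            count_off, dirs_off = opt + 92, opt + 96
        elif magic == 0x20B:    # PE32+
            count_off, dirs_off = opt + 108, opt + 112
        else:
            return False
        (count,) = struct.unpack_from("<I", data, count_off)
        if count <= CLR_DIR:    # directory table too short to hold a CLR entry
            return False
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * CLR_DIR)
        return rva != 0 and size != 0
    except struct.error:        # truncated or malformed header
        return False

def should_deobfuscate(data: bytes) -> bool:
    """Hypothetical gate: skip the deobfuscation pass for .NET samples."""
    return not is_dotnet_pe(data)

def build_pe(magic: int, clr: bool) -> bytes:
    """Constructed minimal PE header for demonstration; not a runnable binary."""
    dirs_off = 96 if magic == 0x10B else 112
    opt = bytearray(dirs_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs_off - 4, 16)  # NumberOfRvaAndSizes
    if clr:
        struct.pack_into("<II", opt, dirs_off + 8 * CLR_DIR, 0x2008, 0x48)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)

if __name__ == "__main__":
    for magic in (0x10B, 0x20B):
        for clr in (False, True):
            sample = build_pe(magic, clr)
            print(hex(magic), clr, "deobfuscate:", should_deobfuscate(sample))
```

The check reads only the file's own header, so a native packer stub that wraps a .NET payload is reported as non-.NET.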

Attaching a copy here, as the VT analysis is queued and takes a lot of time: 8961fee08f2fd802c671b00dd845f7dfad9748c317e57aa675774a034319d89e.zip

doomedraven Dec 23 '24 20:12