Keypoints
- The sample is a 32-bit .NET executable obfuscated with Confuser/ConfuserEx, complicating static analysis.
- Traditional .NET inspection with dnSpy showed heavy obfuscation, making manual extraction of C2 difficult.
- Garbageman intercepts .NET memory management and can capture decrypted strings created during execution.
- Use Garbageman’s “Execute” option (not attach) and configure multiple snapshots (recommended 3 snapshots, 1000ms interval) to capture runtime data.
- Inspect the final snapshot and use Tools → Search → Network → Urls to filter for URL/IP strings among thousands of objects.
- The analysis revealed a C2 IP and port: 5.42.92[.]51:19057 (multiple occurrences), which was validated via VirusTotal and used as a pivot for further infrastructure discovery with Censys.
MITRE Techniques
- [T1027] Obfuscated Files or Information – The sample was protected with an obfuscator: (‘the file is a 32-bit .NET executable that has been obfuscated using Confuser’).
- [T1140] Deobfuscate/Decode Files or Information – The malware produced decrypted configuration/C2 strings in memory at runtime that Garbageman captured: (‘we can easily obtain c2 information that has temporarily been allocated to memory during the execution of .NET-based malware’).
- [T1204] User Execution – The analysis used execution of the malware to trigger runtime behavior rather than attaching to an existing process: (‘we want to use “execute” to launch a new copy, rather than attaching to an existing running copy of the malware’).
- [T1071] Application Layer Protocol (Command and Control) – The captured runtime data included a network C2 endpoint and port used by the sample: (‘an IP address 5.42.92[.]51 and port number 19057 that appears 3 times within the file’).
Indicators of Compromise
- [IP Address] C2 endpoint observed in memory – 5.42.92[.]51:19057 (appeared multiple times; 11 references found after searching).
- [Obfuscator] Packing/obfuscation tool – Confuser / ConfuserEx used to protect the .NET executable.
- [Archive Password] Sample extraction credential – ‘infected’ used as the ZIP password to extract the sample.
- [Sample Reference] Targeted sample name/context – Redline sample (referenced as “Redline Sample Download” in the article).
Garbageman is designed to intercept and record .NET runtime memory artifacts so analysts can recover decrypted configuration values that never appear in the file on disk. In the walkthrough, the analyst first identified the artifact as a 32-bit .NET executable obfuscated with Confuser (ConfuserEx derivative), which made static inspection with dnSpy impractical for finding the C2 address.
The analyst then executed the sample under Garbageman (choosing “Execute” rather than attaching to an existing process) and configured snapshot-based scanning; three snapshots at a 1000 ms interval is the recommended starting point. After starting execution, Garbageman captured runtime strings; inspecting the final snapshot improved the chance of seeing items that were decrypted later in execution.
To isolate network configuration, the analyst used Garbageman’s search (Tools → Search → Network → Urls) to filter thousands of strings and quickly located the C2 IP and port 5.42.92[.]51:19057. Searching that IP across the captured data revealed 11 references, VirusTotal showed 12/88 detections for the IP, and the discovered C2 was then used as a pivot (e.g., via Censys) to enumerate additional infrastructure.
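The filtering step above (Tools → Search → Network → Urls) narrows thousands of snapshot strings down to network indicators. The script below is an added example, not code from the post or from the Garbageman project, that does the same triage offline: it assumes the snapshot's strings have been exported as plain text lines (an assumption about the workflow), pulls out IPv4:port pairs, rejects malformed addresses, ranks routable endpoints above loopback/private ones, and defangs the result for reporting. The input list is constructed; only the C2 value is the one named in the post. It goes slightly beyond the page's URL filter by validating octets and flagging non-routable addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of strings, shaped like the object list a Garbageman
# snapshot produces; these are not real captured data. The C2 endpoint is the
# one named in the post; the rest are filler an analyst would expect to see.
SAMPLE_STRINGS = [
    "System.Private.CoreLib",
    "5.42.92.51:19057",
    "http://5.42.92.51:19057/",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "5.42.92.51:19057",
    "127.0.0.1:8080",          # loopback: kept but flagged as non-routable
    "192.168.1.1",             # no port, not matched
    "version 1.2.3.4",         # version string, no port
    "999.1.1.1:80",            # invalid octet, rejected
    "tcp://5.42.92.51:19057",
]

# IPv4 address followed by a port, not embedded in a longer dotted/numeric run.
IP_PORT_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?!\d)")


def _parse_ipv4(text):
    """Return an IPv4Address, or None if any octet is out of range."""
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None


def find_ip_port_candidates(strings):
    """Count each distinct ip:port pair across the exported snapshot strings."""
    hits = Counter()
    for s in strings:
        for ip_text, port_text in IP_PORT_RE.findall(s):
            ip = _parse_ipv4(ip_text)
            port = int(port_text)
            if ip is None or not 1 <= port <= 65535:
                continue
            hits[f"{ip}:{port}"] += 1
    return hits


def triage(strings):
    """Rank candidates: globally routable addresses first, then by count."""
    rows = []
    for endpoint, count in find_ip_port_candidates(strings).items():
        ip = ipaddress.IPv4Address(endpoint.rsplit(":", 1)[0])
        rows.append({"endpoint": endpoint, "count": count, "routable": ip.is_global})
    rows.sort(key=lambda r: (not r["routable"], -r["count"]))
    return rows


def defang(endpoint):
    """Bracket the last dot so the indicator is not clickable in a report."""
    ip, port = endpoint.rsplit(":", 1)
    head, last = ip.rsplit(".", 1)
    return f"{head}[.]{last}:{port}"


if __name__ == "__main__":
    for row in triage(SAMPLE_STRINGS):
        flag = "" if row["routable"] else " (non-routable)"
        print(f"{defang(row['endpoint'])}  x{row['count']}{flag}")
```

Occurrence counts are worth keeping: a C2 endpoint tends to recur across objects (the post found 11 references to the same IP), which separates it from one-off version strings or user-agent fragments that happen to contain digits.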
Read more: https://embee-research.ghost.io/basic-dotnet-configuration-extraction-with-garbageman/