The following samples are being used as a POC for a solution:
7b9779a86781667aef8bfd44225deb0aaa61e0e7dbaa1ec1f3d3e3ec99bf5282
9a55f8490f17e095899df8bd57cbc2e8a451f01573d3763fb87d9186addc7d4e
These samples both have 460 DLLs included in the Single File .NET binary. The sample Tony analyzed had 94 PEs. In my observation, this number is growing over time with the result of binaries getting larger.
The files identified by those hashes are 184 MB.
I have a temporary workaround here: https://github.com/Squiblydoo/DotNetDebloat
I can write all the files from a bundle to disk using a .NET EXE that leverages AsmResolver.
Another method of bloat that cannot be solved at this time includes use of the .NET Single File feature. Tony wrote about analyzing such a DuckTail sample here: https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/
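An added triage example, not part of the original thread and not code from DotNetDebloat or AsmResolver: it reads a single-file bundle's manifest and totals the embedded entries by type, the kind of count quoted above, without writing anything to disk. The manifest layout, marker and type names are assumptions taken from the bundle writer in dotnet/runtime (Microsoft.NET.HostModel), and the function names are hypothetical.

```python
import hashlib, struct

# Assumption (layout from dotnet/runtime's bundle writer, not stated on this page): the host
# stores an 8-byte manifest offset immediately followed by SHA-256(".net core bundle").
SIGNATURE = hashlib.sha256(b".net core bundle").digest()
FILE_TYPES = {1: "Assembly", 2: "NativeBinary", 3: "DepsJson",
              4: "RuntimeConfigJson", 5: "Symbols"}

def _string(data, pos):
    """Read a BinaryWriter string (7-bit encoded length, UTF-8); return (text, next_pos)."""
    length = shift = 0
    while True:
        byte, pos = data[pos], pos + 1
        length |= (byte & 0x7F) << shift
        shift += 7
        if byte < 0x80:
            return data[pos:pos + length].decode("utf-8"), pos + length

def parse_bundle(data):
    """Return (bundle_major_version, entries) from the manifest inside `data` (bytes)."""
    marker = data.find(SIGNATURE)
    if marker < 8:
        raise ValueError("no single-file bundle marker found")
    (pos,) = struct.unpack_from("<q", data, marker - 8)
    if not 0 < pos < len(data):
        raise ValueError("marker present but manifest offset is unset or out of range")
    major, _minor, count = struct.unpack_from("<IIi", data, pos)
    _bundle_id, pos = _string(data, pos + 12)
    if major >= 2:
        pos += 40  # deps.json and runtimeconfig.json offset/size pairs, then flags
    fmt = "<qqq" if major >= 6 else "<qq"  # version 6+ adds a compressed-size field
    step = struct.calcsize(fmt)
    entries = []
    for _ in range(count):
        offset, size, *rest = struct.unpack_from(fmt, data, pos)
        stored = (rest and rest[0]) or size  # compressed size; 0 or absent means stored raw
        kind = data[pos + step]
        path, pos = _string(data, pos + step + 1)
        entries.append({"path": path, "type": FILE_TYPES.get(kind, "Unknown"),
                        "offset": offset, "size": size, "stored": stored})
    return major, entries

def summarize(entries):
    """Map file type -> [entry count, bytes those entries occupy in the bundle]."""
    totals = {}
    for e in entries:
        t = totals.setdefault(e["type"], [0, 0])
        t[0], t[1] = t[0] + 1, t[1] + e["stored"]
    return totals
```

Pass the raw bytes of a bundle to `parse_bundle` and feed the returned entries to `summarize` to get per-type counts and sizes.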