This first screenshot is parsing a dotnet resource from a malicious file using YARA to find the offset and size and then dump that location.
The last cell shows the start of the ICO icon and then the PNG image data.
And here is a screenshot of dotnetfile parsing the same file.
There appears to still be some dotnet-looking header data between the start of the "data" and the ICO icon.
Is this header structure able to be parsed? The sample in question in both screenshots is:
40cd96e25835eeba956645398ed73a0f0e14563375530fa5f2db3bcf44dd88d7
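If the bytes between the start of the dumped resource and the ICO header are a System.Resources `.resources` blob (magic 0xBEEFCACE followed by the ResourceReader and RuntimeResourceSet type names, which is what that dotnet-looking header usually is), the structure can be walked to the raw `byte[]`/`Stream` payloads. The parser below is an added example written for this thread, not code from dotnetfile; it assumes a version-2 blob, expects the input to start at the magic (i.e. after the 4-byte size prefix of the CLR manifest resource), and uses a constructed sample in place of the real file.

```python
import struct

MAGIC = 0xBEEFCACE                      # System.Resources.ResourceReader magic number
TC_BYTEARRAY, TC_STREAM = 0x20, 0x21    # v2 data-section type codes for byte[] and Stream
def read_7bit(buf, pos):
    """Decode BinaryReader's 7-bit length prefix; returns (value, new_pos)."""
    value = shift = 0
    while True:
        b = buf[pos]; pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
def read_str(buf, pos, enc="utf-8"):
    n, pos = read_7bit(buf, pos)
    return buf[pos:pos + n].decode(enc), pos + n
def parse_resources(buf):
    """Map resource name -> raw payload for byte[]/Stream entries of a v2 .resources blob."""
    magic, _hdr_ver, hdr_len = struct.unpack_from("<III", buf, 0)
    if magic != MAGIC: raise ValueError("not a .resources blob, magic %#x" % magic)
    pos = 12 + hdr_len                                  # skip reader / resource-set type names
    rr_ver, count, ntypes = struct.unpack_from("<III", buf, pos); pos += 12
    if rr_ver != 2: raise ValueError("unsupported RuntimeResourceReader version %d" % rr_ver)
    for _ in range(ntypes):                             # user type names, not needed here
        _t, pos = read_str(buf, pos)
    pos += (-pos) % 8 + 4 * count                       # "PAD" alignment, then name hashes
    name_pos = struct.unpack_from("<%dI" % count, buf, pos); pos += 4 * count
    data_off = struct.unpack_from("<I", buf, pos)[0]; names_start = pos + 4; out = {}
    for npos in name_pos:
        name, p = read_str(buf, names_start + npos, "utf-16-le")
        p = data_off + struct.unpack_from("<I", buf, p)[0]   # offset into the data section
        code, p = read_7bit(buf, p)
        if code in (TC_BYTEARRAY, TC_STREAM):           # int32 length, then raw bytes
            n = struct.unpack_from("<I", buf, p)[0]
            out[name] = buf[p + 4:p + 4 + n]
    return out
def wstr(s, enc="utf-8"):                               # BinaryWriter.Write(string) for len < 0x80
    b = s.encode(enc); return bytes([len(b)]) + b
def build_sample():
    """Constructed v2 .resources blob with one byte[] entry holding ICO-like bytes (not a real icon)."""
    ico = b"\x00\x00\x01\x00\x01\x00\x89PNG"
    hdr = wstr("System.Resources.ResourceReader, mscorlib") + wstr("System.Resources.RuntimeResourceSet")
    out = struct.pack("<III", MAGIC, 1, len(hdr)) + hdr + struct.pack("<III", 2, 1, 0)
    out += bytes(b"PAD"[i % 3] for i in range((-len(out)) % 8))
    out += struct.pack("<II", 0, 0)                     # name hash (ignored here), name position
    names = wstr("app.ico", "utf-16-le") + struct.pack("<I", 0)
    out += struct.pack("<I", len(out) + 4 + len(names)) + names
    return out + bytes([TC_BYTEARRAY]) + struct.pack("<I", len(ico)) + ico
```

Running `parse_resources` on the dumped bytes returns the embedded payloads keyed by resource name, so the ICO signature should then sit at offset 0 of the entry rather than behind the header.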