While we were searching for new malware via suspicious paths, a fake svchost.exe in %APPDATA%/Microsoft tipped us off. The sample [1] is a .NET application packed with ConfuserEx. The file was uploaded to VirusTotal as netRat.exe. The same name is also stated in the file's version information as InternalName and OriginalFilename. The version information also has a copyright statement for 2019.
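A detection sketch for the hunting lead above, added here as an example and not taken from the article or the sample: it flags process-creation records whose image is named svchost.exe but sits outside the Windows system directories or carries a different OriginalFileName. The Sysmon-style field names, the C: install path and the sample events are assumptions constructed for illustration, as is the assumption that the dropped copy keeps the netRat.exe version information.

```python
import ntpath

# Directories where a genuine svchost.exe lives (lower-cased; C: install assumed).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHED = "svchost.exe"

def normalize(path):
    """Lower-case, unify separators and collapse '..' so comparisons are stable."""
    return ntpath.normpath(path.replace("/", "\\")).lower()

def check_event(event):
    """Return the reasons a process-creation event looks like a fake svchost.exe."""
    directory, name = ntpath.split(normalize(event["Image"]))
    original = event.get("OriginalFileName", "").lower()
    reasons = []
    if name == WATCHED:
        if directory not in LEGIT_DIRS:
            reasons.append("svchost.exe outside System32/SysWOW64: " + directory)
        # Version info is attacker-controlled, so this is a second signal only.
        if original and original != WATCHED:
            reasons.append("OriginalFileName mismatch: " + original)
    return reasons

# Constructed sample events. Field names follow Sysmon Event ID 1; the values are
# made up, except the netRat.exe name, which the article reports.
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": "C:/Users/alice/AppData/Roaming/Microsoft/svchost.exe",
     "OriginalFileName": "netRat.exe"},
    {"Image": r"C:\Windows\System32\..\Temp\svchost.exe",
     "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Microsoft\notes.exe",
     "OriginalFileName": "notes.exe"},
]

def hunt(events):
    """Return (image, reasons) for every event that raised at least one reason."""
    return [(e["Image"], r) for e in events if (r := check_event(e))]

if __name__ == "__main__":
    for image, reasons in hunt(EVENTS):
        print(image, "->", "; ".join(reasons))
```

The path check is the stronger of the two signals, because a sample can set its version information to any value it likes.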

Via similarity search we found a second sample [2] that was uploaded to VirusTotal a day later. It is not packed but obfuscated with Dotfuscator. Unpacking the ConfuserEx sample [1] results in a file that is almost the same as the second sample [2].

The obfuscation removed the original names of .NET symbols like classes, variables and methods. We didn't find any non-obfuscated Pekraut sample, so we manually named the symbols based on their usage, resulting in sample [3]. The deobfuscated sample [3] is also used for screenshots in this article. Please note that those symbol names aren't part of the original source code and thus do not suffice for signatures.