reverse-engineering-dotnet-malware-with-dnspy

Installation
SKILL.md

Reverse Engineering .NET Malware with dnSpy

When to Use

  • A malware sample is identified as a .NET assembly (C#, VB.NET, F#) requiring decompilation
  • Analyzing .NET-based malware families (AgentTesla, AsyncRAT, RedLine Stealer, Quasar RAT)
  • Deobfuscating .NET code protected by ConfuserEx, SmartAssembly, or custom obfuscators
  • Extracting hardcoded C2 configurations, encryption keys, and credentials from managed assemblies
  • Debugging .NET malware at runtime to observe decryption routines and dynamic behavior

Do not use for native (unmanaged) PE binaries; use Ghidra or IDA for native code analysis.

Prerequisites

Installs
66
GitHub Stars
24.2K
First Seen
Mar 18, 2026
reverse-engineering-dotnet-malware-with-dnspy — mukul975/anthropic-cybersecurity-skills