Posts

Showing posts from March, 2026

Test Report from Malcat MCP with Claude on YAPA binary

The following is a test run of using Malcat with MCP.

Malware Analysis Report — xchanger.exe
File: xchanger.exe  |  Analyzed: 2026-03-12  |  Tool: Malcat + .NET Disassembly
Verdict: MALICIOUS — Trojanized Installer / C2 Dropper

File Metadata
Filename: xchanger.exe
File Size: 1,779,416 bytes (~1.7 MB)
Type: PE / .NET (DOTNET)
Version: 2.0.20.403
Internal Name: XChanger.exe
Copyright: XChanger Copyright © 2026
SHA-256: 356ca46f39b480d0ab523535f98e64ae0ec58fe1fdbb8ffc02f54b814445e9d0

Hardcoded XOR Key (NetworkManager — Scramble / Unscramble)
Key: Xt7Kp2Lm9Qw4Rv8Y-x1729583156
Length: 29 characters  |  Found at EA: 0xE771, 0xFB1A
// Rolling XOR per character, then Base64-encoded for transmission
byte lambda(char c, int i) { return (byte)(c ^ "Xt7Kp2Lm9Qw4Rv8Y-x1729583156"[i % 29]); }
// Called by: PostPayloadAsync, SendConfigNotificationAsync,
// TransmitProfileReportAsync, BeginSe...

YAPA: Analysis of DailyFile PDF App

In this series of YAPA (Yet Another PDF Application), I continue to document newly observed suspicious PDF converter applications. The latest one is DailyFile , which can be found on dailytapp[.]com.  The above image shows the a similar style to many other observed malicious pdf, document, and zip converter applications. Analysis: The analysis of this started by pivoting off of other known indicators, primarily the certificate signer: "Astras Novei LTD" which had also been observed with a malicious python based converter Ziply .  Additionally, "A1A Marketing Ltd." had been previously observed with other YAPA sites like pdf-star[.]com and powerdocapp[.]com. We also see "Sherlock Tech Ltd" which points to other YAPA samples as well. This is a .NET application, which makes it easy to load and observe in DnSpy. The YAPA here performs similar functions as previously observed instances. We can see simple obfuscation of "Google and Chrome", we can see i...