PureRAT variant observed in AI Video Player
PureRAT analysis, PYC disassembly, shellcode, and Reactor .NET binaries extracted. IOCs and Detection.

Executive Summary

I analyzed a malware chain beginning with DriveVideoSetup-x64-0.1.0.exe, distributed through a fake Drive Video/SMVEO-themed lure. The malware uses a staged execution chain that moves from Python bytecode into shellcode, then into multiple protected .NET assemblies. The chain includes heavy obfuscation and encryption, runtime patching, certificate generation, protobuf references, and authenticated WebSocket communications.

Dynamic analysis observed the malware enrolling with its infrastructure, creating certificate material under %LOCALAPPDATA%\SMVEO\, connecting to agent.sm-veo.com, and logging "agent starting 2.3.0", "auto-enrolling", and "ws connection". Multiple indicators suggest this activity is likely PureRAT.

Execution Workflow

DriveVideoSetup-x64-0.1.0.exe
  ↓ Persistence via CurrentVersion\Run
  ↓ python.pyc
  ↓ Base85 decode
  ↓ zlib decompress
  ↓ marshal...
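One way to triage the python.pyc stage statically, as an added example that is not part of the original write-up: peel the Base85, zlib and marshal layers described above, refuse truncated or oversized stages, and pull referenced names and string constants out of the recovered code object without ever executing it. The stage used here is a harmless constructed stand-in built from strings on this page, not the real sample.

```python
import base64
import marshal
import types
import zlib

MAX_STAGE_BYTES = 16 * 1024 * 1024  # refuse to inflate a stage past this (zlib-bomb guard)

# Constructed, harmless stand-in for the real python.pyc stage: it only carries
# strings and names taken from the write-up, and is never executed.
SAMPLE_SOURCE = (
    "import os\n"
    'HOST = "agent.sm-veo.com"\n'
    'CERT_DIR = os.path.join(os.environ.get("LOCALAPPDATA", ""), "SMVEO")\n'
    "def run():\n"
    "    return HOST, CERT_DIR\n"
)

def make_constructed_sample() -> bytes:
    """Wrap SAMPLE_SOURCE in the same marshal -> zlib -> Base85 layering."""
    code = compile(SAMPLE_SOURCE, "<stage>", "exec")
    return base64.b85encode(zlib.compress(marshal.dumps(code)))

def unwrap_stage(blob: bytes) -> types.CodeType:
    """Peel Base85 -> zlib -> marshal; loads only, never exec()s the result."""
    try:
        raw = base64.b85decode(blob)
        inflater = zlib.decompressobj()
        inflated = inflater.decompress(raw, MAX_STAGE_BYTES)
        if inflater.unconsumed_tail or not inflater.eof:
            raise ValueError("stage is truncated or inflates past MAX_STAGE_BYTES")
        obj = marshal.loads(inflated)
    except (zlib.error, EOFError, ValueError, TypeError) as exc:
        raise ValueError(f"malformed stage: {exc}") from exc
    if not isinstance(obj, types.CodeType):
        raise ValueError(f"expected a code object, got {type(obj).__name__}")
    return obj

def triage(code: types.CodeType) -> dict:
    """Recursively collect referenced names and string constants for IOC hunting."""
    names, strings = set(code.co_names), set()
    for const in code.co_consts:
        if isinstance(const, str):
            strings.add(const)
        elif isinstance(const, types.CodeType):  # nested functions / classes
            sub = triage(const)
            names |= sub["names"]
            strings |= sub["strings"]
    return {"names": names, "strings": strings}
```

The same loop applies to a real stage once it has been carved from the PYC; only the marshal format has to match the interpreter version used for the analysis.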