Analyse, hunt and classify malware using .NET metadata
ID: 687b84af-3213-5874-9595-ddf68bb84cdf
STIX ID: report--687b84af-3213-5874-9595-ddf68bb84cdf
Feed Name: Blaze's Security Blog
This report presents a methodology and tooling for hunting and classifying .NET malware using metadata-based identifiers (Typelib GUID and MVID), demonstrating YARA rules (via the dotnet and console modules) and a Python script to extract and analyze assembly metadata at scale. Applying this approach to families including PureCrypter/Pure*, Agent Tesla, RedLine, Quasar, and AsyncRAT, it shows how GUIDs and assembly names can cluster samples, inform high-confidence YARA detections, and surface potential crypters (e.g., “Cronos-Crypter”), while noting caveats like spoofed/empty GUIDs and obfuscation effects.
