terminated by signal SIGKILL (Forced quit) when attempting to deobfuscate strings in packed .NET binaries

[seanthegeek]

Hash: ed0074c644b448eda3a6fa4b3fd83bdcbebe958cae85b759b1c621cd9162fcc0

Packed sample of Lumma stealer.

Reference: kevoreilly/CAPEv2#2440

[doomedraven]

team feel free to ping me in internal chat if needed

the provided hash is the initial hash, that hash works just fine and is not the issue. the issue is with captured file
8961fee08f2fd802c671b00dd845f7dfad9748c317e57aa675774a034319d89e uploaded to vt

for context it happens only if you press yes/has yes for deobfuscate strings. i have added that by just ignoring dotnet samples

floss /opt/CAPEv2/storage/analyses/151/CAPE/8961fee08f2fd802c671b00dd845f7dfad9748c317e57aa675774a034319d89e
WARNING: floss: .NET language-specific string extraction is not supported yet
WARNING: floss: FLOSS does NOT attempt to deobfuscate any strings from .NET binaries
Do you want to enable string deobfuscation? (this could take a long time) [y/N]

[doomedraven]

attaching copy here as VT analysis is queued and takes a lot of time
8961fee08f2fd802c671b00dd845f7dfad9748c317e57aa675774a034319d89e.zip