.NET binaries

Go to your Windows VM and do this.

CascAudit.exe

RunAudit.bat shows that CascAudit.exe is run with the db file as an argument:

root@kali# cat RunAudit.bat 
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"

It’s a .NET binary:

root@kali# file CascAudit.exe 
CascAudit.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

I’ll jump over to a Windows VM and use dnSpy to take a look. In the MainModule, there’s this code:

namespace CascAudiot
{
  // Token: 0x02000008 RID: 8
  [StandardModule]
  internal sealed class MainModule
  {
    // Token: 0x0600000F RID: 15 RVA: 0x00002128 File Offset: 0x00000328
    [STAThread]
    public static void Main()
    {
      if (MyProject.Application.CommandLineArgs.Count != 1)
      {
        Console.WriteLine("Invalid number of command line args specified. Must specify database path only");
        return;
      }
      checked
      {
        using (SQLiteConnection sqliteConnection = new SQLiteConnection("Data Source=" + MyProject.Application.CommandLineArgs[0] + ";Version=3;"))
        {
          string str = string.Empty;
          string password = string.Empty;
          string str2 = string.Empty;
          try
          {
            sqliteConnection.Open();
            using (SQLiteCommand sqliteCommand = new SQLiteCommand("SELECT * FROM LDAP", sqliteConnection))
            {
              using (SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader())
              {
                sqliteDataReader.Read();
                str = Conversions.ToString(sqliteDataReader["Uname"]);
                str2 = Conversions.ToString(sqliteDataReader["Domain"]);
                string encryptedString = Conversions.ToString(sqliteDataReader["Pwd"]);
                try
                {
                  password = Crypto.DecryptString(encryptedString, "c4scadek3y654321");
                }
                catch (Exception ex)
                {
                  Console.WriteLine("Error decrypting password: " + ex.Message);
                  return;
                }
              }
            }
            sqliteConnection.Close();
          }
          catch (Exception ex2)
          {
            Console.WriteLine("Error getting LDAP connection data From database: " + ex2.Message);
            return;
          }
...[snip]...

The program opens a SQLite connection to the database passed as an argument, reads the first row of the LDAP table, and decrypts the Pwd column using a key that is hardcoded in the binary (c4scadek3y654321).
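As an added example (not code from the original write-up or from CascAudit), here is a small Python check a reviewer could run over decompiled C# to flag string literals passed to crypto-looking calls, the pattern seen in Main() above. The method-name heuristic and the function names are assumptions of this example; the sample lines are copied from the decompilation shown on this page.

```python
import re

# Constructed sample: a few lines copied from the decompiled Main() shown above.
SAMPLE = '''\
using (SQLiteConnection sqliteConnection = new SQLiteConnection("Data Source=" + MyProject.Application.CommandLineArgs[0] + ";Version=3;"))
string encryptedString = Conversions.ToString(sqliteDataReader["Pwd"]);
password = Crypto.DecryptString(encryptedString, "c4scadek3y654321");
Console.WriteLine("Error decrypting password: " + ex.Message);
'''

# Method names that suggest a crypto routine (a heuristic assumed by this example).
CRYPTO_CALL = re.compile(r'\b([\w.]*(?:Encrypt|Decrypt|Hmac|DeriveKey)\w*)\s*\(', re.I)
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')
KEY_SIZES = {16, 24, 32}  # byte lengths of common symmetric keys

def call_args(line, open_idx):
    """Return the text between the '(' at open_idx and its matching ')'."""
    depth, in_str, i = 0, False, open_idx
    while i < len(line):
        ch = line[i]
        if in_str:
            if ch == '\\':
                i += 1              # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                return line[open_idx + 1:i]
        i += 1
    return line[open_idx + 1:]      # unbalanced: the call continues on the next line

def find_hardcoded_secrets(source):
    """Return one finding per string literal passed to a crypto-looking call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CRYPTO_CALL.finditer(line):
            for lit in STRING_LIT.findall(call_args(line, m.end() - 1)):
                findings.append({"line": lineno, "call": m.group(1), "literal": lit,
                                 "key_sized": len(lit.encode()) in KEY_SIZES})
    return findings

if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE):
        print(finding)
```

A finding with key_sized set means the literal has the byte length of a common symmetric key, which is a strong hint that the secret protecting the stored credential ships inside the executable.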
