Please note that this user has been banned
Hello again, I was selling a loader a couple of weeks ago, and I stopped; that's because I limit the copies sold [only 7 people].
The loader name is: 0x41.
How does 0x41 work:
1- checks the environment [detect sandboxes / debuggers / virtual machines]
2- downloads the [encrypted] shellcode file [.bin] if the check succeeded
3- gets the syscalls needed dynamically through hashes, and not predefined code, so you won't find the definition of the syscalls used,
but instead you will find hashes of them
4- reads / loads the binary into memory [still not executed]
Note that the decryption && injection happen together, not like other loaders which decrypt and then inject
5- sleeps for 10 sec [you can modify this to fit your need]
6- launches the shellcode;
a. the shellcode will be launched for a couple of milliseconds only so that we can have a confirmation that we accessed the target.
b. after the confirmation [heartbeat] is sent, we then generate a random byte [which will be used to encrypt the shellcode], move the shellcode to "page no access",
and encrypt it with the random byte generated earlier.
[ Now: the shellcode is in no-access memory and encrypted, and thus isolated from us (the Cobalt Strike teamserver) ]
c. when the sleep on our teamserver is done, we then move the shellcode to "rwx", decode it with our key, and execute the commands [if sent]
d. then it will do the steps again, but with a different encryption key every time.
Note that an older loader [achlys] does the [no access <--> rwx] tech, but it didn't encrypt it then, plus it has totally different signatures
[changed the whole code [literally] && the programming language]
Finally, 0x41 will be sold with:
-python2 script to encrypt the shellcode file
-profile to change the signatures of the network traffic of Cobalt Strike
-Cobalt Strike v4.3
-the loader's source code [plus its libraries included]
The final price is $150.
Demo: https://vimeo.com/manage/videos/588279732
Selling to 5 other people, feel free to ask any questions.
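From the defender's side, here is an added example (not the seller's code, and not taken from any real product) showing how a memory scanner would treat the behaviour advertised above: it walks constructed region records of the kind a full memory dump or a kernel-level EDR read yields, flags committed private PAGE_NOACCESS and private RWX regions, and shows two consequences of a single random byte as the XOR key: there are only 256 candidates to try, and byte entropy is left unchanged. The region layout, marker bytes and key are constructed assumptions.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a single-byte XOR is a bijection on bytes, so it does not change this."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def recover_single_byte_key(data: bytes, signature: bytes):
    """A one-byte key leaves only 256 candidates: try each and look for the known marker."""
    for key in range(256):
        if signature in xor_single_byte(data, key):
            return key
    return None

def classify_region(region: dict, signature: bytes) -> list:
    """Return the indicators a memory scanner would raise for one region record."""
    findings = []
    if region["type"] != "MEM_PRIVATE" or region["state"] != "MEM_COMMIT":
        return findings  # image-backed or reserved memory is out of scope here
    if region["protect"] == "PAGE_EXECUTE_READWRITE":
        findings.append("private RWX region")
        if signature in region["data"]:
            findings.append("known marker in cleartext")
    elif region["protect"] == "PAGE_NOACCESS":
        findings.append("committed private PAGE_NOACCESS region")
        key = recover_single_byte_key(region["data"], signature)
        if key is not None:
            findings.append(f"marker recovered with single-byte XOR key 0x{key:02x}")
    return findings

# Constructed sample data (not real shellcode and not a real signature).
MARKER = b"HYPOTHETICAL_BEACON_MARKER"
PAYLOAD = MARKER + bytes(range(64))
KEY = 0x5A  # stands in for the loader's "random byte"
SAMPLE_REGIONS = [
    {"base": 0x7FF600000000, "type": "MEM_IMAGE", "state": "MEM_COMMIT",
     "protect": "PAGE_EXECUTE_READ", "data": b"MZ" + bytes(30)},
    {"base": 0x1F000000, "type": "MEM_PRIVATE", "state": "MEM_COMMIT",
     "protect": "PAGE_NOACCESS", "data": xor_single_byte(PAYLOAD, KEY)},  # "parked" phase
    {"base": 0x20000000, "type": "MEM_PRIVATE", "state": "MEM_COMMIT",
     "protect": "PAGE_EXECUTE_READWRITE", "data": PAYLOAD},               # "active" phase
]

def scan(regions, signature=MARKER) -> dict:
    """Map region base address -> list of findings, omitting clean regions."""
    return {r["base"]: f for r in regions if (f := classify_region(r, signature))}

if __name__ == "__main__":
    for base, findings in scan(SAMPLE_REGIONS).items():
        print(f"{base:#014x}: {'; '.join(findings)}")
```

Note that a live scanner cannot read PAGE_NOACCESS pages through ReadProcessMemory; the record contents above assume a memory dump or a kernel-side read, which is why the no-access phase is only "isolated" from user-mode readers.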