malware Mortar Loader source code

[xmyriy]

Собственно, сабж.
Описание:
red teaming evasion technique to defeat and divert detection and prevention of security products.Mortar Loader performs encryption and decryption of selected binary inside the memory streams and execute it directly with out writing any malicious indicator into the hard-drive. Mortar is able to bypass modern anti-virus products and advanced XDR solutions and it has been tested and confirmed bypass for the following:

• Kaspersky
• ESET
• Malewarebytes
• Mcafee
• Cortex XDR
• Windows defender
• Cylance

https://github.com/0xsp-SRD/mortar

 

[Azuret-Calyx]

Thank you so much

 

[DildoFagins]

Mortar is able to bypass modern anti-virus products and advanced XDR solutions

Не понимаю, там же самый обычный ссаный RunPe, чего он там из адвенст солюшнс обходит? Или я в глаза долблюсь и элитных техник не увидел поэтому?

 

[Azuret-Calyx]

Не понимаю, там же самый обычный ссаный RunPe, чего он там из адвенст солюшнс обходит? Или я в глаза долблюсь и элитных техник не увидел поэтому?

Hello i am not experienced like you and when i can bypass Windows defender and get shell i happy so i understand for experience people its nothign

 

[mose3c]

I don’t understand, the most common pissing RunPe is there, what does he bypass from Advent Solutions? Or am I pecking in the eyes and didn’t see the elite technicians for this reason?

He patch the amsi then use winapi to load his payload , this will bypass most of AV including Avast and Node32
i have test this techinuqe with c++ and powershell and meterpreter open success on Avast

 

[DildoFagins]

He patch the amsi then use winapi to load his payload , this will bypass most of AV including Avast and Node32

AMSI only catches JScript/VBScript evaluation through IActiveScript, Powershell evaluation and Assembly.Load in dotnet 4.8, AMSI has nothing to do with native binaries executed via RunPE.

Where is the code that does AMSI patch in this repo anyway?

 

[mose3c]

AMSI only catches JScript/VBScript evaluation through IActiveScript, Powershell evaluation and Assembly.Load in dotnet 4.8, AMSI has nothing to do with native binaries executed via RunPE.

Where is the code that does AMSI patch in this repo anyway?

yes but when you use native api from powersell you can bypass the AV .
and these days only few developers use powershell.exe thease days most all guys use powershell without powershell from C# or clr c++ then patch the amsi and load runpe using powershell script

I tested on my VM Eset antivurs and Avast windows 10 the AV completely blind and as i said the Session recive in parrot

 

[DildoFagins]

and these days only few developers use powershell.exe thease days most all guys use powershell without powershell from C# or clr c++ then patch the amsi and load runpe using powershell script

Like wtf? We are talking about native RunPE loader written in FreePascal here. It has nothing to do neither with AMSI nor with PowerShell.

 

[mose3c]

on github forgot the source code and go to the tutorial was created from author of this crypter this source code created from thats tutorial .
know you know wtf

 

[omerta]

Free Pascal был первым языком, который я выучил. Он был очень простым, поэтому мне интересно, зачем вам использовать для него free pascal?