
behavior detection bypass

mose3c
Rank: RAID array (banned)
Registered: 20.11.2021
Messages: 53
Reactions: 14
Hi xss members

I made my stub clean and it works fine on my Windows, but on my friend's Windows, when he tries to launch it, the antivirus catches it with status: behavior detection.
Yep, and then deletes it.

The stub is usually created with C++; it copies itself and runs in a new process, then drops a file to the temp path and runs it in a new process, just like this.

So, does anyone have an idea? The insane thing here is that in memory it can bypass everything except the behavior analysis.
 
Methods to bypass behavior analysis:
- change your malware behavior
- inject your code into a legitimate process
- run your code fileless
 
> Methods to bypass behavior analysis:
> - change your malware behavior
> - inject your code into a legitimate process
> - run your code fileless

No, because the malware is encrypted with AES-256. But fileless, yes, it's better, but when you have a .NET DLL you need to hardcode.
 
> Methods to bypass behavior analysis:
> - change your malware behavior
> - inject your code into a legitimate process
> - run your code fileless

You don't understand me: when it drops itself to run on startup, it's detected by the Behavior Shield, just like this. For now my crypter is FUD; just this function is detected.
If I delete this function, all good.
 
> Methods to bypass behavior analysis:
> - change your malware behavior
> - inject your code into a legitimate process
> - run your code fileless

Only the first suggestion will stop in-memory analysis from detection, except finding a process which doesn't get scanned and injecting the malware into that. However, none of them are foolproof against many EDR systems, or even against Windows Defender.
 
> Only the first suggestion will stop in-memory analysis from detection, except finding a process which doesn't get scanned and injecting the malware into that. However, none of them are foolproof against many EDR systems, or even against Windows Defender.

No need for this, my crypter is finished and tested successfully. Just one more thing I have to do, as I said before: adding itself to startup and copying itself to another directory. Only these 2 steps are not finished yet; otherwise I have bypassed Windows Defender, Kaspersky, Avira, NOD32, Avast, all bypassed at runtime and scantime.
By the way, thanks for the reply.
 
> No need for this, my crypter is finished and tested successfully. Just one more thing I have to do, as I said before: adding itself to startup and copying itself to another directory. Only these 2 steps are not finished yet; otherwise I have bypassed Windows Defender, Kaspersky, Avira, NOD32, Avast, all bypassed at runtime and scantime.
> By the way, thanks for the reply.

A crypter will help load your malware into memory, but it won't stop heuristic analysis.
 
> A crypter will help load your malware into memory, but it won't stop heuristic analysis.

Bro, I am the developer, and I told you: if the crypter can't bypass heuristic analysis, then it's garbage, not a crypter.
And my crypter: the only reason I am not selling it at this moment is because my customers are waiting for me to bypass these features, that's it, and I will bypass it.
There are a lot of methods, like using HTA and dropping it as a JPG, and the HTA will load the main loader in memory. A lot of ideas in my head.
I opened this thread to share skills, no more.
 
> Bro, I am the developer, and I told you: if the crypter can't bypass heuristic analysis, then it's garbage, not a crypter.
> And my crypter: the only reason I am not selling it at this moment is because my customers are waiting for me to bypass these features, that's it, and I will bypass it.
> There are a lot of methods, like using HTA and dropping it as a JPG, and the HTA will load the main loader in memory. A lot of ideas in my head.
> I opened this thread to share skills, no more.

Once your malware is in memory, it can still be analyzed. A crypter can't stop that. The job of a crypter is to get your malware into memory, not to stop in-memory analysis. You need to change behaviors for that.
 
> Once your malware is in memory, it can still be analyzed. A crypter can't stop that. The job of a crypter is to get your malware into memory, not to stop in-memory analysis. You need to change behaviors for that.

First, I am sorry, my English is not too good, sorry, maybe I misunderstood.
Second, yes, the crypter's job is to inject the malware into memory, but still, after it bypasses scantime, the crypter can be detected in a scheduled scan, and I bypass this too.

So my crypter bypasses scantime, runtime and scheduled scan, so my crypter is at the top.
Where I am lost is in finding a method to make the crypter install itself. That's the whole point; I am not asking "what is a crypter" because I can google that.

Thanks.
 
> except finding a process which doesn't get scanned and injecting the malware into that

Actually, there are some processes that are not scanned that much; if your malware's behaviour is similar to the process's behaviour (for example, a stealer that reads Chrome's password database from the context of the Chrome process), you can pretty much successfully live with that for a long time.

> Once your malware is in memory, it can still be analyzed. A crypter can't stop that.

Well, not that this is a practical thing to do, but still it is possible to do some things:
 
> Actually, there are some processes that are not scanned that much; if your malware's behaviour is similar to the process's behaviour (for example, a stealer that reads Chrome's password database from the context of the Chrome process), you can pretty much successfully live with that for a long time.

> Well, not that this is a practical thing to do, but still it is possible to do some things:

Oh dear bro, we have "PowerShell without PowerShell"; for 2022 it is the best method ever, trust me, and it bypasses all AV with a few touches. I tested this, trust me.
 
> Actually, there are some processes that are not scanned that much; if your malware's behaviour is similar to the process's behaviour (for example, a stealer that reads Chrome's password database from the context of the Chrome process), you can pretty much successfully live with that for a long time.

> Well, not that this is a practical thing to do, but still it is possible to do some things:

Anti-forensics, I think, is what I was searching for. Thanks for sharing, dude, I will watch this vid.
 
> Actually, there are some processes that are not scanned that much; if your malware's behaviour is similar to the process's behaviour (for example, a stealer that reads Chrome's password database from the context of the Chrome process), you can pretty much successfully live with that for a long time.

> Well, not that this is a practical thing to do, but still it is possible to do some things:

Some processes are not scanned much, but they are still scanned and will be caught by many good EDRs like Sentinel, FireEye, CrowdStrike. Changing behaviors using a crypter is a very dumb thing to do, as it is very impractical, when instead you can just change the behavior in the malware source; except you can use tools like the sleep mask kit with Cobalt Strike to do those things.
 
> Some processes are not scanned much, but they are still scanned and will be caught by many good EDRs like Sentinel, FireEye, CrowdStrike. Changing behaviors using a crypter is a very dumb thing to do, as it is very impractical, when instead you can just change the behavior in the malware source; except you can use tools like the sleep mask kit with Cobalt Strike to do those things.

Well, that at the end is fact.
 
> Some processes are not scanned much, but they are still scanned and will be caught by many good EDRs like Sentinel, FireEye,

Well, yes, in the general case and if EDRs always worked as intended. But in many cases you can get away with injecting malware code into legitimate processes.

> Changing behaviors using a crypter is a very dumb thing to do, as it is very impractical, when instead you can just change the behavior in the malware source; except you can use tools like the sleep mask kit with Cobalt Strike to do those things.

I've never told you to change behavior in a crypter.
 
Heuristic Engines | so the dropped executable file will increase the malicious behavior rate

Some of the known rules about threat grading:
– Decryption loop detected
– Reads active computer name
– Reads the cryptographic machine GUID
– Contacts random domain names
– Reads the Windows installation date
– Drops executable files
– Found potential IP address in binary memory
– Modifies proxy settings
– Installs hooks/patches the running process
– Injects into explorer
– Injects into remote process
– Queries process information
– Sets the process error mode to suppress error box
– Unusual entropy
– Possibly checks for the presence of antivirus engine
– Monitors specific registry key for changes
– Contains ability to elevate privileges
– Modifies software policy settings
– Reads the system/video BIOS version
– Entrypoint in PE header is within an uncommon section
– Creates guarded memory regions
– Spawns a lot of processes
– Tries to sleep for a long time
– Unusual sections
– Reads Windows product ID
– Contains decryption loop
– Contains ability to start/interact with device drivers
– Contains ability to block user input
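The stub described in the opening post (copy itself, drop to the temp path, run the drop, add it to startup) and several rule names in the list above ("Drops executable files", "Spawns a lot of processes", persistence) are exactly what a behavior engine correlates; it never looks at the encrypted bytes at all. The following is an added example, not code from this thread or from any AV or EDR product: a toy correlator run over a constructed Sysmon-style event stream that flags the chain which drops a PE, executes it and points a Run key at it, while leaving a chain that only writes one executable below the threshold. The event ids follow Sysmon (1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet); the field names (in particular the `head` bytes on file events, which Sysmon itself does not record), the sample events, the rule weights and the threshold are assumptions made for this example.

```python
"""Toy behavior correlator over a constructed Sysmon-style event stream.

Added example, not code from the thread or from any AV/EDR product. Event ids
follow Sysmon (1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet); the field
names, the sample events, the rule weights and the threshold are assumptions
made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

PE_MAGIC = b"MZ"  # DOS header magic: a written file starting with it counts as a dropped executable
RUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
}
# Assumed weights: a lone dropped file stays below the threshold; drop + execute,
# or drop + autostart, crosses it.
WEIGHTS = {
    "drops executable file": 1,
    "executes dropped file": 3,
    "autostart points at dropped file": 3,
}
THRESHOLD = 4

# Constructed sample telemetry (not real logs). pid 100 is the stub from the
# opening post: drop to %TEMP%, run the drop, copy to Roaming, add a Run key.
# pid 300 is a benign editor; pid 400 writes one executable and does nothing else.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": r"C:\Users\bob\Downloads\stub.exe"},
    {"id": 11, "pid": 100, "path": r"C:\Users\bob\AppData\Local\Temp\svc.exe", "head": b"MZ\x90\x00"},
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Users\bob\AppData\Local\Temp\svc.exe"},
    {"id": 11, "pid": 200, "path": r"C:\Users\bob\AppData\Roaming\svc.exe", "head": b"MZ\x90\x00"},
    {"id": 13, "pid": 200, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svc", "data": r"C:\Users\bob\AppData\Roaming\svc.exe"},
    {"id": 1, "pid": 300, "ppid": 1, "image": r"C:\Program Files\Editor\editor.exe"},
    {"id": 11, "pid": 300, "path": r"C:\Users\bob\Documents\notes.txt", "head": b"hell"},
    {"id": 1, "pid": 400, "ppid": 1, "image": r"C:\Users\bob\Downloads\setup.exe"},
    {"id": 11, "pid": 400, "path": r"C:\Program Files\Tool\tool.exe", "head": b"MZ\x90\x00"},
]


@dataclass
class Proc:
    image: str
    root: int  # pid of the first ancestor seen; findings are attributed to the chain root


def _n(path: str) -> str:
    return path.lower()


def correlate(events):
    """Return {root_pid: [(rule, detail), ...]} for every process chain with findings."""
    procs = {}                   # pid -> Proc
    drops = defaultdict(set)     # root pid -> lowercased paths of PE files the chain wrote
    findings = defaultdict(list)
    for ev in events:
        if ev["id"] == 1:
            parent = procs.get(ev["ppid"])
            root = parent.root if parent else ev["pid"]
            procs[ev["pid"]] = Proc(_n(ev["image"]), root)
            if _n(ev["image"]) in drops[root]:
                findings[root].append(("executes dropped file", ev["image"]))
            continue
        proc = procs.get(ev["pid"])
        if proc is None:
            continue             # process whose creation was never observed
        if ev["id"] == 11 and ev["head"].startswith(PE_MAGIC):
            drops[proc.root].add(_n(ev["path"]))
            findings[proc.root].append(("drops executable file", ev["path"]))
        elif ev["id"] == 13 and _n(ev["key"]) in RUN_KEYS and _n(ev["data"]) in drops[proc.root]:
            findings[proc.root].append(("autostart points at dropped file", ev["data"]))
    return dict(findings)


def score(findings):
    return sum(WEIGHTS[rule] for rule, _ in findings)


def verdicts(events):
    """{root_pid: (score, verdict)} where verdict is 'behavior detection' or 'suspicious'."""
    out = {}
    for root, found in correlate(events).items():
        total = score(found)
        out[root] = (total, "behavior detection" if total >= THRESHOLD else "suspicious")
    return out


if __name__ == "__main__":
    report = correlate(SAMPLE_EVENTS)
    for root, (total, verdict) in verdicts(SAMPLE_EVENTS).items():
        print(f"chain {root}: score {total}, {verdict}")
        for rule, detail in report[root]:
            print(f"    {rule}: {detail}")
```

Findings are attributed to the root of the process chain rather than to the individual pid, which is why the child started from %TEMP% still counts against the original stub. Nothing in the rules inspects the payload, so encrypting it does not change the score; removing the drop-and-run or autostart step does, which matches what the thread's author saw when deleting that function.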
 
> best method

Hiding memory. Friends, you have muddled everything with your Latin bullshit. There is only one method.
 
You wanna see my crypters? Be my guest, I will show you how good they are and how they bypass dynamic analysis and scantime + runtime.

And yes, there are a lot of methods: you can just load an assembly like normal, or you can use ps.dll and a PS script will do the jump with AmsiScanBuffer patching. I know what I said.

Code:
#include <windows.h>
// Patches AmsiScanBuffer in the current process so it returns immediately.
// C2 18 00 00 = "ret 0x18": x86 stdcall return popping AmsiScanBuffer's six 4-byte args (x86-only; unbalances the stack on x64).
DWORD WINAPI PatchAmsi(void)
{
    BYTE patchCode[4] = { 0xC2, 0x18, 0x00, 0x00 };
    HMODULE hAmsi = GetModuleHandleA("amsi.dll");
    if (hAmsi == NULL) return 1;                 // amsi.dll not loaded in this process
    LPVOID funcAddr = (LPVOID)GetProcAddress(hAmsi, "AmsiScanBuffer");
    if (funcAddr == NULL) return 1;              // export not found
    SIZE_T written = 0;                          // WriteProcessMemory changes page protection itself
    if (!WriteProcessMemory(GetCurrentProcess(), funcAddr, patchCode, sizeof(patchCode), &written)
        || written != sizeof(patchCode)) return 1;
    return 0;                                    // 0 = patched
}
 
mose3c

> see my Crypters

Look at it in a viewer; I've seen thousands of them. A crypter is by definition dreary crap.

> GetProcAddress(GetModuleHandleA("Amsi.dll")

And then what? Don't use non-native. How do the Yanks put it, "see my crap"?
 