
Trojan Filetype??

GGHTC

Please note that this user is banned.
Hi,
Now that macros and stuff don't work anymore, I want to know what I can use as a first trojan to execute a cmd command, for example.
I know about HTAs etc., but they are suspicious and well known.
 
> Hi,
> Now that macros and stuff don't work anymore, I want to know what I can use as a first trojan to execute a cmd command, for example.
> I know about HTAs etc., but they are suspicious and well known.
750mb exe ;)
 
> SmartScreen etc.? I need something that you could attach to Gmail.
Hm, I've never personally used pumping methods, but as far as I know a 750 MB file in a zip will be compressed, the zip will be about 2 MB, set a password on it (any simple one, 123 would be good too), and you are ready to go :)
Write me in PM if you need any more help.
P.S. AVs are not scanning big files, it SHOULD not trigger SmartScreen.
 
> Hm, I've never personally used pumping methods, but as far as I know a 750 MB file in a zip will be compressed, the zip will be about 2 MB, set a password on it (any simple one, 123 would be good too), and you are ready to go :)
> Write me in PM if you need any more help.
> P.S. AVs are not scanning big files, it SHOULD not trigger SmartScreen.
Thanks, but an exe looks really malicious.
 
SmartScreen has nothing to do with file detection. It's all about an unsigned file, or a signed file with a non-trusted certificate, being downloaded from the web.

To bypass that in direct binaries, you will have to use a signed .exe file with a trusted cert, or use a legit .exe and DLL sideloading for example, OR use something as a first stage like a .lnk that will use native trusted binaries already on the machine (LOLBINs) to start the execution chain.

Using VBS or JScript for example, even with the file clean, will show the MOTW warning, and the user has to have already chosen to execute this type of script before.

And file pump is skid stuff.
 
> SmartScreen has nothing to do with file detection. It's all about an unsigned file, or a signed file with a non-trusted certificate, being downloaded from the web.
>
> To bypass that in direct binaries, you will have to use a signed .exe file with a trusted cert, or use a legit .exe and DLL sideloading for example, OR use something as a first stage like a .lnk that will use native trusted binaries already on the machine (LOLBINs) to start the execution chain.
>
> Using VBS or JScript for example, even with the file clean, will show the MOTW warning, and the user has to have already chosen to execute this type of script before.
>
> And file pump is skid stuff.
You're right.
But do you think that for casual spreading getting a cert is a good idea? You will burn it fast.
 
> You're right.
> But do you think that for casual spreading getting a cert is a good idea? You will burn it fast.
I only use certs in very specific cases.

For more casual campaigns I don't think it is needed if you use the other alternatives I mentioned above. Also for the sake of saving money, if you don't have the resources.
 
Usually I use something like this. Containerize the malware in an ISO to get through MOTW. A .LNK file masquerading as a PDF that does 2 things. One, it executes a hidden implant, with the hidden attribute set, inside the ISO. Two, it deploys the decoy PDF so the target doesn't suspect anything. This is still a bit meh. You can use sideloading here as well. There is some new research on ClickOnce applications as well. You can check that out. What marauda18 said is also pretty good.
 
> You're right.
> But do you think that for casual spreading getting a cert is a good idea? You will burn it fast.
If you're lucky you can probably find leaked certificates, but it's a really hectic process. I haven't been able to find one either, but I haven't looked too much. You can try.
 
There are tons of ways to get your payload through! Try putting a decoy in a zip (like a .LNK payload)!
 
> SmartScreen has nothing to do with file detection. It's all about an unsigned file, or a signed file with a non-trusted certificate, being downloaded from the web.
>
> To bypass that in direct binaries, you will have to use a signed .exe file with a trusted cert, or use a legit .exe and DLL sideloading for example, OR use something as a first stage like a .lnk that will use native trusted binaries already on the machine (LOLBINs) to start the execution chain.
>
> Using VBS or JScript for example, even with the file clean, will show the MOTW warning, and the user has to have already chosen to execute this type of script before.
>
> And file pump is skid stuff.
legit.exe still gets MOTW when being downloaded from a non-official domain. And how is it possible to pack the DLL with the exe in a way that the victim doesn't see the DLL?
 
> legit.exe still gets MOTW when being downloaded from a non-official domain. And how is it possible to pack the DLL with the exe in a way that the victim doesn't see the DLL?
Some cases we have seen succeed have the user download an "installer" zip. Sometimes, installers come with MANY files and folders... simply hijack the legit binary with one of your DLLs in the folder. They will not notice if there are many other files (READMEs, 'configs', etc.)
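
From the defender's side, the delivery patterns named across this thread (a padded executable in a password-protected zip, a shortcut dressed up as a document, a DLL placed beside a legitimate EXE in an "installer" folder) all show up in archive metadata before anything is extracted. The following is an added example, not code from any poster: a mail-gateway style triage over ZIP member records, where `triage`, the extension lists and the 100:1 ratio threshold are assumptions chosen for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com"}
RATIO_LIMIT = 100  # assumed threshold: real installers rarely deflate 100:1


def triage(entries):
    """Return sorted (member, reason) findings for a list of zipfile.ZipInfo."""
    findings = set()
    folders = {}  # folder -> set of extensions seen, for the EXE+DLL check
    for e in entries:
        path = PurePosixPath(e.filename)
        suffixes = [s.lower() for s in path.suffixes]
        ext = suffixes[-1] if suffixes else ""
        folders.setdefault(str(path.parent), set()).add(ext)
        if e.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
            findings.add((e.filename, "encrypted member, content not scannable"))
        if ext == ".lnk" and len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
            findings.add((e.filename, "shortcut disguised as a document"))
        if ext in EXEC_EXTS and e.compress_size and \
                e.file_size / e.compress_size > RATIO_LIMIT:
            findings.add((e.filename, "padded executable (extreme deflate ratio)"))
    for folder, exts in folders.items():
        if ".dll" in exts and exts & EXEC_EXTS:
            findings.add((folder, "EXE and DLL side by side: review for sideloading"))
    return sorted(findings)


def constructed_sample():
    """Build constructed ZipInfo records in memory; nothing touches disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("setup/installer.exe", b"MZ" + b"\x00" * 2_000_000)
        z.writestr("setup/helper.dll", b"MZ" + bytes(range(256)) * 4)
        z.writestr("setup/README.txt", b"constructed sample\n")
        z.writestr("invoice.pdf.lnk", b"L\x00\x00\x00 constructed, not a real shortcut")
    entries = zipfile.ZipFile(io.BytesIO(buf.getvalue())).infolist()
    locked = zipfile.ZipInfo("report.docx")  # constructed record with encryption bit set
    locked.flag_bits, locked.file_size, locked.compress_size = 0x1, 900, 912
    return entries + [locked]


if __name__ == "__main__":
    for member, reason in triage(constructed_sample()):
        print(f"{member}: {reason}")
```

Standard ZIP encryption normally leaves the central directory readable, so member names and sizes can be checked this way even when the password is unknown.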
 

