UnamSanctam / UnamBinder

A Free Silent (Hidden) Open-Source Native Binder - Includes Windows Defender Bypass - Unam Binder
MIT License
229 stars, 47 forks

Windows Detections #42

Open varysuzuki opened 1 year ago

varysuzuki commented 1 year ago

Some streamer opened my bound file; the problem was that it seemed it didn't drop the real app and open it, I guess due to detections? Or what could have caused that? He managed to get it to work, but he had to open it like 7 times. Also, what could I do to make it drop and open the process more stably? Since it doesn't seem to work, or isn't stable, this way.

UnamSanctam commented 1 year ago

Could be detections, do you have "Add Windows Defender Exclusions" enabled? I haven't ever really experienced any instability, if I open a bound file with 2 files in it a hundred times then it opens the files correctly every time. Also, if you have a "Start Delay" enabled then there will be a delay. Can you press "Save" in the builder and then zip the .xml file and send it here?

UnamSanctam commented 1 year ago

I think the reason was I modified it a bit; varysuzuki is my other account. I had "Add Windows Defender Exclusions" enabled for temp and the place I dropped the miner. The stealer screenshotted it and I could see live that he had to open it 7 times; the stealer and miner opened, I guess, but the real app didn't.

Is "Run as Administrator" supposed to be disabled? Or are you running it as administrator in some other way?

The thing is, I don't care if the executable is detected; I want it to open the app without the antivirus kicking in. Could I do it like this: I use RunPE to inject the stealer, and make the miner just be dropped to a WD-excluded path and added to startup with a command? And then I don't know how I'm going to inject or Assembly.Load the Python file that's converted to an exe (which is the real app), since it isn't C#, so how should I do this? Could I inject it into the application itself?

Which antiviruses' runtime scans are you trying to avoid, only Windows Defender or all of them? You should be able to inject a converted Python file since it's most likely a native file.

These are the detections of the stealer and miner. Could the problem be that the tool itself is detected and then Windows Defender ignores the exclusion?

Well, antiscan and other no-distribute scanners don't do all scans, such as "Cloud Protection", since using them would distribute the file, so they're not entirely accurate. Windows Defender usually doesn't ignore exclusions, with the exception of Assembly.Load (because it's in memory), though that can be bypassed by using an AMSI bypass, so that shouldn't really be a problem.

UnamSanctam commented 1 year ago

I mean 95% have Windows Defender, so I'm trying to avoid that. Yeah, but how do I inject it without them seeing it's in another location or something? I want them to see that it's the app that they opened.

If you inject it then they will see the file that you injected into, since that's the point of injection. You could of course create a "fake" file in the real location and inject into that, but that would be a bit redundant.

This is currently the code. I added the miner and stealer manually to the resources so I can just inject them, but then I'd have to use AppLaunch from the runtime directory; that will make it really detected, right? Because I'm worried that if I make it shellcode it'll be a lot more detected, since shellcode, yeah.

If you inject something there it shouldn't really get detected by Windows Defender.

UnamSanctam commented 1 year ago

So how could I do this? I got an idea: should I make it do all the PowerShell AMSI shit and inject the stealer and miner (hidden of course), and then finally inject the real app into Application.ExecutablePath and close itself? But wouldn't that make it open in like 6 seconds? I don't wanna make it inject the real app first and then do the shit, because then if the miner and stealer injection part gets detected and deleted, the real app would still work, and then they won't disable their AV for it because it already works, and then I won't get anything.

Well injection is nearly instant so injecting the three programs shouldn't even take a second.

Is it bad to cipherreplace the #RESPARENT with parentid instead of just replacing it?

Doesn't really matter usually, but you can do that if you want.

And also, if I inject the real app inside the binded.exe then it would only show the real app and not do anything that the bound app would've done, right? So when I inject the real app inside Application.ExecutablePath, it wouldn't just do all the commands again and inject again, inevitably just making it spam open/inject the real app and lag their PC out?

I'm not fully sure how your entire flow is set up, but I don't really understand what you're saying here.

I think I know what happened. In your binder, the WD exclusion does this: open "powershell" with the argument "-EncodedCommand 'blablabla'", but it only works with "powershell", "powershell -EncodedCommand 'blabla'". I just tested it.

It should work fine as it is; I just tested it as it currently is myself and it worked well for me on both my main computer and VM.

Is it a better idea to inject the shellcode of the stealer into conhost, or to inject the stealer into AppLaunch?

For Windows Defender it shouldn't really matter, it doesn't generally detect injections.

UnamSanctam commented 1 year ago

Is it a native application? And is it 32-bit or 64-bit?

UnamSanctam commented 1 year ago

The injector (if you took the one from the miner) is only for 64-bit so make sure that it's built as 64-bit.

UnamSanctam commented 1 year ago

Both probably.

UnamSanctam commented 1 year ago

Yes that seems fine, and you can have a .bat file sure, it would probably help.

varysuzuki commented 1 year ago

> Yes that seems fine, and you can have a .bat file sure, it would probably help.

Yo, btw, what's the progress with the clipper and the stealer?

UnamSanctam commented 1 year ago

> Yo, btw, what's the progress with the clipper and the stealer?

Now I'm working on the miner again since I got some inspiration from my other projects, but the clipper is basically done though I've gotten quite a few requests not to release it because it would be bad for crypto, and that it's also more malicious in nature compared to everything else I have released.

UnamSanctam commented 1 year ago

Sure, looks good.

UnamSanctam commented 1 year ago

Since you have a try/catch inside the functions, they're not really needed outside around the call of the function. It's usually better to have it inside the function, since then you only have to do one.

UnamSanctam commented 1 year ago

Sure you can have them there, since you're calling multiple functions but otherwise for the most part you call functions without any arguments.

UnamSanctam commented 1 year ago

Now when I try injecting the converted Python with the RunPE method into conhost, it works only for a second and then closes.

Does the converted python program work if you start it normally?

Hey, I thought of making a C# DLL that the tool includes in itself instead of a binder. Do you know how I can do this?

Not sure what you mean, what would the C# DLL do and what tool would you include it in? If you want to include it in a C# program then just make it a resource and then load it, if it's for another language then there are other ways instead (such as using bin2h to make it into a header file for C/C++).

varysuzuki commented 1 year ago

> Not sure what you mean, what would the C# DLL do and what tool would you include it in? If you want to include it in a C# program then just make it a resource and then load it, if it's for another language then there are other ways instead (such as using bin2h to make it into a header file for C/C++).

I meant putting the stealer injection and miner drop in the C# DLL itself and then calling the DLL function from the "real app" that the victim will download, but I don't know how to do that without the DLL getting flagged or the person thinking it's a suspicious DLL.

UnamSanctam commented 1 year ago

Well, you can embed the DLL into the real app, and then add exclusions in the real app before loading the DLL (might have to use an AMSI bypass first).