Posts: 31
Threads: 6
Joined: Mar 2025
Looking for something that works well with C++ payloads and lasts more than a few scans.
Or a custom loader is the only way to go?
Posts: 228
Threads: 136
Joined: Oct 2023
Most open-source crypters tend to be basic XOR or lightweight AES setups. They are okay for a quick POC, but AVs catch on fast unless you are tweaking them constantly. Pretty much any crypter that is open-source is already on the radar of malware analysts or other threat intelligence analysts, so they aren't really good for anything besides learning purposes (unless you add some heavy customization ofc).
Posts: 31
Threads: 6
Joined: Mar 2025
(Mar 22, 2025, 01:01 AM)Chapo Wrote: Most open-source crypters tend to be basic XOR or lightweight AES setups. They are okay for a quick POC, but AVs catch on fast unless you are tweaking them constantly. Pretty much any crypter that is open-source is already on the radar of malware analysts or other threat intelligence analysts, so they aren't really good for anything besides learning purposes (unless you add some heavy customization ofc).
I don't prefer writing one from scratch!
...so if something works I can try to customize it.
Posts: 29
Threads: 5
Joined: Sep 2024
Mar 22, 2025, 04:30 AM
(This post was last modified: Mar 22, 2025, 04:56 AM by vobka.)
A lot are based on publicly known sources on how to execute a payload (PE/shellcode) in memory; you just have to edit them yourself, such as adding encryption, downloading to memory at runtime, trash bytes to throw off static scans, and anti-VM.
Most important is to throw off heuristics, such as NOT calling high-risk APIs in order. Also, if you prefer to use syscalls, this is not a holy grail if you are working against EDRs.
Also, rather not have your malicious instructions in the entrypoint / a couple of calls away from the entrypoint (this is only from personal experience, especially against WD).
Posts: 228
Threads: 136
Joined: Oct 2023
(Mar 22, 2025, 03:10 AM)Mandala Wrote: (Mar 22, 2025, 01:01 AM)Chapo Wrote: Most open-source crypters tend to be basic XOR or lightweight AES setups. They are okay for a quick POC, but AVs catch on fast unless you are tweaking them constantly. Pretty much any crypter that is open-source is already on the radar of malware analysts or other threat intelligence analysts, so they aren't really good for anything besides learning purposes (unless you add some heavy customization ofc).
I don't prefer writing one from scratch!
...so if something works I can try to customize it.
In that case just look on GitHub then, you can find multiple with one search.
Posts: 31
Threads: 6
Joined: Mar 2025
(Mar 22, 2025, 04:30 AM)vobka Wrote: A lot are based on publicly known sources on how to execute a payload (PE/shellcode) in memory; you just have to edit them yourself, such as adding encryption, downloading to memory at runtime, trash bytes to throw off static scans, and anti-VM.
Most important is to throw off heuristics, such as NOT calling high-risk APIs in order. Also, if you prefer to use syscalls, this is not a holy grail if you are working against EDRs.
Also, rather not have your malicious instructions in the entrypoint / a couple of calls away from the entrypoint (this is only from personal experience, especially against WD).
I tried PPID spoofing with NtCreateProcessEx and got nuked every time. Do you have a preferred open-source crypter?
(Mar 22, 2025, 05:31 AM)Chapo Wrote: (Mar 22, 2025, 03:10 AM)Mandala Wrote: (Mar 22, 2025, 01:01 AM)Chapo Wrote: Most open-source crypters tend to be basic XOR or lightweight AES setups. They are okay for a quick POC, but AVs catch on fast unless you are tweaking them constantly. Pretty much any crypter that is open-source is already on the radar of malware analysts or other threat intelligence analysts, so they aren't really good for anything besides learning purposes (unless you add some heavy customization ofc).
I don't prefer writing one from scratch!
...so if something works I can try to customize it.
In that case just look on GitHub then, you can find multiple with one search.
Thanks, I tried hCrypt and PureCrypter but the stubs don't stay FUD for longer than a week. If you find a good one, holler at me.
Posts: 29
Threads: 5
Joined: Sep 2024
Have you checked what creates the detection? Comment out code until you are not getting detected and slowly start narrowing down the point. After this you can try to throw off the heuristics, unless it's completely ruined by AV. For example, WD will flag for persistence when trying to set a run key pointing at the binary the call is coming from.
Posts: 31
Threads: 6
Joined: Mar 2025
Mar 23, 2025, 04:26 PM
(This post was last modified: Mar 23, 2025, 04:27 PM by Mandala.)
(Mar 23, 2025, 04:02 AM)vobka Wrote: Have you checked what creates the detection?
The stub’s memory allocation method (VirtualAlloc + RWX) is getting nuked.
(Mar 23, 2025, 04:02 AM)vobka Wrote: Comment out code until you are not getting detected and slowly start narrowing down the point. After this you can try to throw off the heuristics, unless it's completely ruined by AV. For example, WD will flag for persistence when trying to set a run key pointing at the binary the call is coming from.
Thinking of switching to indirect syscalls + RW -> RX remapping and hoping it works. To be honest, I did not want to write my own crypter, but maybe it will be easier than trying to modify existing crypters.
Posts: 74
Threads: 2
Joined: Jul 2024
Go custom and save yourself the time wasted searching for and modifying code. For one-offs, modified code will work, but if you are trying to stay FUD from scans, a lot more anti-analysis checks need to be in place within your code. As mentioned before, heuristics will get you, so pay attention. You might need to take several steps/methods to achieve this. It really depends on the AV/EDR you are going up against as well.
Posts: 140
Threads: 11
Joined: Apr 2024
"this is only from personal experience especially against WD" xD