Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
26 item(s) found so far for this keyword.
EasyCrypter Packers
EasyCrypter is the crypter that is being sold via an automated bot on Telegram. The crypter uses a method known as "mutation", which involves replacing instructions in the file with their analogues or a sequence of instructions that yield the same outcome as the original code. EasyCrypter supports a maximum file size of 5MB and is only applicable for x86 …
TrueCrypt Packers
TrueCrypt, a crypter developed and sold by the developers behind Meduza Stealer, which features LoadPE functionality and is written in Golang, supports both native (x32) and .NET binaries. This crypter has been used by Lumma, Vidar, Raccoon, MetaStealer, Redline stealers, and DCRAT.
PureCrypter Packers
PureCrypter, a multi-functional crypter/loader developed in C#, was first introduced in hacking forums on March 17, 2021. This tool is compatible with both 32-bit and 64-bit native as well as .NET payloads. It features multiple injection modes, including reflection, RunPE, and shellcode. PureCrypter can deliver payloads either via a URL or offline. It has been noted for its use in …
LimeCrypter Packers
Limecrypter is a sophisticated obfuscation tool designed for both native and .NET files. It employs a unique approach to secure payloads by encrypting them within a .NET-based stub. This stub acts as a container for the encrypted payload, ensuring its contents remain concealed until execution.
NtDelayExecution Sandbox Evasion Anti-Debugging
NtDelayExecution can be used to delay the execution of the calling thread. NtDelayExecution accepts a parameter "DelayInterval", which is the number of milliseconds to delay. Once executed, NtDelayExecution "pauses" execution of the calling program whuch can cause a timeout of the sandbox or loss of control in a debugger.
Additionally, some higher level WinAPI functions invoke NtDelayExeuction. For example, …
Cronos-Crypter Packers
Cronos-Crypter is an open-source crypter publicly available on GitHub. The crypter applies AES encryption or XOR obfuscation to a selected payload before storing it as a .NET resource of a final generated .NET executable payload. Cronos-Crypter contains multiple capabilties for persistence and defense evasion. An operator may select persistence via a Windows Registry autorun key or a Scheduled Task. An …
Detecting Virtual Environment Artefacts Sandbox Evasion
Malware often checks for artifacts left by virtualization platforms to determine if it is running inside a virtual environment. Detecting such artifacts allows the malware to adapt its behavior, delay execution, or avoid exposing malicious functionality during analysis.
-
QEMU: QEMU registers artifacts in the Windows registry. For example, the key
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical …
Checking Specific Folder Name Sandbox Evasion
Specific directories, such as "C:\Cuckoo", can serve as indicators of a sandboxed or virtualized environment when present on a guest system. Consequently, a savvy piece of malware could potentially use the detection of this particular directory as a means of evading analysis. This would allow the malicious software to alter its behavior or even halt its execution altogether when it …
Detecting Hooked Function Sandbox Evasion
To avoid some actions on the system by the malware like deleted a file. Cuckoo will hook some function and performs another action instead of the original one. For example the function DeleteFileW could be hooked to avoid file deletion.
Checking Pipe Sandbox Evasion
Cuckoo is an open-source automated malware analysis system that performs dynamic analysis by running suspicious files in isolated virtual environments.
To facilitate communication between the host system (analysis environment) and the guest system (execution environment), Cuckoo uses a named pipe: \.\pipe\cuckoo
Detection Technique
Malware running inside the guest can check for the existence of this named pipe. …