Hard time making a Remote Administration Tool

#1
I spent about 1.5 months trying to make my RAT FUD using many techniques like branching a lot, reordering routines, reordering instructions, adding garbage instructions, encryption, etc., but still I can't get it to bypass Windows Defender.

Before I knew about any of these techniques it was undetectable by most AVs; it was getting 3/50 on VirusTotal, but over time it became easily detected.

Now I have an engine that generates all the C/C++ code of the RAT decryptor and generates random versions of the client with random signatures, but I still can't pass the behavioral analysis.

Sometimes it doesn't even pass the heuristics scan (depends on the generated version).

I've read a lot of PDFs, but all of the techniques described in them are kind of old-school and can easily get detected by an antivirus/antimalware, not even a human analyst.

I don't wanna recreate the client decrypter every time it gets detected.

Do you know any NEW resources where I can learn about NEW AV evasion and sandbox detection techniques?

#2
I am no expert here but maybe Veil?

#3
Moved from the Antivirus & Protection forum to Remote Administration & Stress Testing.

#4
Quote: (02-03-2022, 12:54 AM) applesauce Wrote:

I am no expert here but maybe Veil?

I've read through its source code, but I only found some easy and simple techniques like encryption. It was a bit helpful, although most of its source code is in Python.

#5
First, you really should stop uploading your binaries to VT. Set up a VM, disable sample submission and test there.
Second, there are a few tools that can split your binary, so you will know what part is triggering the AV.

#6
Quote: (02-02-2022, 09:33 PM) socialwaste Wrote: [post #1, quoted in full]

Hello, I can somewhat help make it FUD. I have the latest version of the Themida protection software; if you'd like, I'll give you a copy.

#7
Quote: (02-03-2022, 01:59 PM) Pernat1y Wrote:

First, you really should stop uploading your binaries to VT. Set up a VM, disable sample submission and test there.
Second, there are a few tools that can split your binary, so you will know what part is triggering the AV.

1) I don't upload to VT unless it got old enough to trigger Windows Defender, because that's what I care about.
2) I test on a bare-metal machine that is only used for this, which has sample submission disabled.
3) Splitting binaries only works for static analysis; mine is detected at the behavioral analysis stage.

I guess they depend on knowing which APIs you are loading. I searched a bit and found that there are a few ways to make Windows Defender think that you're not using a specific API while you do.

One way is to load copies of system DLLs like system32.dll as another DLL with a different name. I guess this could be helpful.

Quote: (02-03-2022, 04:40 PM) bitzero0101 Wrote: [post #6, quoting post #1]

Hello, I can somewhat help make it FUD. I have the latest version of the Themida protection software; if you'd like, I'll give you a copy.

I think this will make it a false positive unless it's signed with a known organization. Generally, obfuscation, packing and encryption are considered suspicious behavior unless it's signed by a trusted party.

And I think customizing it will make it last longer.
©0Day 2016 - 2023 | All Rights Reserved.