GetRektBoy724 / BetterXencrypt

A better version of Xencrypt. Xencrypt itself is a PowerShell runtime crypter designed to evade AVs.
GNU General Public License v3.0

Payload still getting flagged #4

Open init5-SF opened 3 years ago

init5-SF commented 3 years ago

Hey there, I've run the script using 1 iteration, but the resultant payload still got flagged. Also, importing the encrypted script took a very long time; is that normal?

PS D:\Tools\AVtest> Invoke-BetterXencrypt -infile D:\Tools\AVtest\Invoke-DCSync.ps1 -outfile D:\Tools\AVtest\Invoke-xen.ps1 -iterations 1
 ____       _   _          __  __                                _
| __ )  ___| |_| |_ ___ _ _\ \/ /___ _ __   ___ _ __ _   _ _ __ | |_
|  _ \ / _ \ __| __/ _ \ '__\  // _ \ '_ \ / __| '__| | | | '_ \| __|
| |_) |  __/ |_| ||  __/ |  /  \  __/ | | | (__| |  | |_| | |_) | |_
|____/ \___|\__|\__\___|_| /_/\_\___|_| |_|\___|_|   \__, | .__/ \__|
                                                     |___/|_|
----------------------------------------------------------------------
[-----------------Your Lovely FUD Powershell Crypter-----------------]
[-----------------Recoded With Love By GetRektBoy724-----------------]
[------------------https://github.com/GetRektBoy724------------------]
[*] Reading 'D:\Tools\AVtest\Invoke-DCSync.ps1' ...
[*] Starting code layer  ...
[*] Compressing ...
[*] Generating encryption key ...
[*] Encrypting with AES...
[*] Encrypting with XOR ...
[*] Finalizing code layer ...
[*] Writing 'D:\Tools\AVtest\Invoke-xen.ps1' ...
[+] Done!
PS D:\Tools\AVtest> . .\Invoke-xen.ps1
IEX : At line:1 char:1
+ function Invoke-DCSync
+ ~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At D:\Tools\AVtest\Invoke-xen.ps1:65 char:1
+ IEX($iqshjgzoxhqtihsn)
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand

GetRektBoy724 commented 3 years ago

oh shit. Firstly, yea, it's normal to take that long. Second, try to set the iterations to the default, which is 2. Lemme know what the result is after you set the iterations to 2. I'm so sorry about this, I've been focusing on other projects. And did you ever get caught by AVs when using PowerShell before? Cause that can be the problem; please try it on a freshly installed Windows 10. Oh, and can you give me the script that you have encrypted?

init5-SF commented 3 years ago

Tried with 2 iterations, same result unfortunately. (Also, the script exceeded 1 MB in size.)

Here's the script - https://gist.githubusercontent.com/monoxgas/9d238accd969550136db/raw/7806cc26744b6025e8f1daf616bc359cb6a11965/Invoke-DCSync.ps1

GetRektBoy724 commented 3 years ago

> Tried with 2 iterations, same result unfortunately. (Also, the script exceeded 1 MB in size.)
>
> Here's the script - https://gist.githubusercontent.com/monoxgas/9d238accd969550136db/raw/7806cc26744b6025e8f1daf616bc359cb6a11965/Invoke-DCSync.ps1

Oh sorry, what I mean is please upload the output of BetterXencrypt. I will test it on my VM when I get time 😉

init5-SF commented 3 years ago

Sure, Here!

GetRektBoy724 commented 3 years ago

> Sure, Here!

Ok, thx! Gotta test it on my VM when I have time.

NadSeries commented 2 years ago

Same thing for me. I have used Invoke-Mimikatz using the default 2 iterations, changed the name to Invoke-DilanDog and used the classic PowerShell directive like so: Capture. Those are the results.

GetRektBoy724 commented 2 years ago

Sorry, I've been busy working on something else. I'm going to update the stub as soon as I have time.

martdev123 commented 2 years ago

I'm trying to make my own crypter for Linux; you can give it a look in the repository on my own profile.