bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

Install.shellcode #79

Closed sa6ta6ni6c closed 2 months ago

sa6ta6ni6c commented 3 months ago

Hello!

I do not understand what the point of shellcode installation is if it still drops Stager.exe on disk. The point of shellcode is fileless execution, right?

bytecode77 commented 3 months ago

The entire rootkit is fileless, and Stager.exe is written to the registry, not the disk. It can't be scanned by AV there in the same way a file is scanned.

And when using Install.exe, you should really execute it using RunPE. To save you the effort, I have written a shellcode variant of the installer, which already does RunPE for you, as you can see in the code - and that's why it's only 1 KB bigger.
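The storage detail in the reply above (the stager is kept in a registry value rather than as a file) is what a defender would want to check for. The following is an added example, not code from the r77 project or from this thread: it recognises a PE image stored inside a binary registry value by validating the DOS header and the PE signature it points to, and optionally enumerates a key on a Windows host. The registry key to scan is left to the caller (the thread does not name one), and the sample values are constructed.

```python
# Added example (not part of the r77 project or this issue thread): a small
# defensive check for PE images stored inside registry values, the storage
# technique described above (Stager.exe kept in the registry, not on disk).
# The registry location is the caller's choice; the sample data is constructed.
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"


def is_pe_image(blob: bytes) -> bool:
    """Return True if blob starts with a DOS header whose e_lfanew field points
    at a valid PE signature. Exact structural check, no heuristics, so ordinary
    binary registry data does not trigger it."""
    if len(blob) < 0x40 or blob[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob):  # pointer past the end: not a usable image
        return False
    return blob[e_lfanew:e_lfanew + 4] == PE_MAGIC


def scan_values(values):
    """values: iterable of (value_name, data). Returns the names whose data
    holds a PE image; non-bytes data (strings, DWORDs) is skipped."""
    return [
        name
        for name, data in values
        if isinstance(data, (bytes, bytearray)) and is_pe_image(bytes(data))
    ]


def scan_key_windows(hive, subkey):
    """On Windows, enumerate the REG_BINARY values under hive\\subkey and scan
    them. Returns [] on other platforms so the module imports anywhere."""
    try:
        import winreg
    except ImportError:
        return []
    found = []
    with winreg.OpenKey(hive, subkey) as key:
        index = 0
        while True:
            try:
                name, data, vtype = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            index += 1
            if vtype == winreg.REG_BINARY and is_pe_image(data):
                found.append(name)
    return found


def _fake_pe(e_lfanew=0x80):
    """Constructed sample: a minimal DOS stub + PE signature, no real code."""
    hdr = bytearray(e_lfanew + 0x100)
    hdr[:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = PE_MAGIC
    return bytes(hdr)


# Constructed registry-like values: one benign blob, one embedded image, and
# one "MZ" blob whose e_lfanew points outside the data (must not match).
SAMPLE_VALUES = [
    ("config", b"\x01\x00\x00\x00" * 16),
    ("stager-blob", _fake_pe()),
    ("truncated", b"MZ" + b"\x00" * 0x3A + b"\xff\xff\xff\x7f"),
]

if __name__ == "__main__":
    print(scan_values(SAMPLE_VALUES))  # → ['stager-blob']
```

On a Windows host, `scan_key_windows(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\<key under review>")` applies the same check to live values; the structural test catches a plainly stored image, while an encoded or compressed payload would need a size or entropy heuristic on top.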

sa6ta6ni6c commented 3 months ago

If I want to map Install.exe to memory (load it in memory), should I compile it with x64_x86 or x86 and set it to autostart so it works? Or is it run once?

bytecode77 commented 3 months ago

The installation is required only once and persists r77 on the system until you perform an Uninstall. The documentation explains in some more depth what the installer does.

So, yes, you can map the shellcode to memory and execute it, or you could run the Install.exe from disk (which I don't recommend). Either way, r77 will be persisted from that point forward with no files on the disk whatsoever.

If you choose the shellcode installation, you need to compile with x86, because the shellcode is 32-bit assembly.