kevoreilly / capemon

capemon: CAPE's monitor
GNU General Public License v3.0

CAPEv2 cannot handle GoLang go-clr-based droppers #55

Closed yevhenprotsenko closed 7 months ago

yevhenprotsenko commented 2 years ago

GoLang_ServHelper.zip

The password is infected. The final payload should be ServHelper RAT. The dropper should load the .NET ServHelper dropper into memory to execute it.

kevoreilly commented 2 years ago

Thanks - it's a well-known issue that golang samples do not work well in CAPE. I'm actively researching the issues, which are related to golang's use of its own stack, which causes issues with API hooking. Watch this space.

kevoreilly commented 7 months ago

I am happy to say that with the sands of time capemon has improved to the point that, when I test on today's version, these samples appear to detonate perfectly, with the .NET ServHelper dropper being captured as well as another stage in payloads.

[image attachment]

So this issue and the issues with golang binaries more generally seem to be solved. Please let me know if there are any further issues that come to light.