mttaggart / wtfbins

WTF are these binaries doing?! A list of benign applications that mimic malicious behavior.
MIT License

[New WTFBin]: WTFBIN Here #20

Closed dakinedakine99 closed 1 year ago

dakinedakine99 commented 2 years ago
mttaggart commented 2 years ago

@dakinedakine99, thank you for the submission!

Before approval, I need a little more info about this! Many other components of Windows management actually use base64 PowerShell encoding (one of them is already a WTFbin!). Please decode one of these commands and provide that screenshot as well to indicate what this executable is really doing.
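The decode step requested above, for the standard PowerShell `-EncodedCommand` form (base64 over UTF-16LE), as an added example that is not part of the original thread or the wtfbins project. The thread does not confirm that the sensendr.exe argument uses this encoding, so the function reports `not-text` instead of guessing; the function names, the ASCII-ratio heuristic and the sample command line are constructed for illustration.

```python
import base64
import binascii
import re

# "-name value" pairs whose value is a single base64-looking token.
_PARAM = re.compile(r"(?<!\S)-(\w+)\s+([A-Za-z0-9+/]{8,}={0,2})(?!\S)")

def _is_encoded_command(name):
    # PowerShell accepts unambiguous prefixes (-e, -enc, ...) and the -ec alias.
    n = name.lower()
    return n == "ec" or "encodedcommand".startswith(n)

def decode_encoded_command(cmdline):
    """Return (status, text) for the first -EncodedCommand argument.

    status is "decoded", "not-text" (valid base64 that is not readable
    UTF-16LE script text), "bad-base64", or "absent".
    """
    for name, blob in _PARAM.findall(cmdline):
        if not _is_encoded_command(name):
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            return "bad-base64", None
        try:
            text = raw.decode("utf-16-le")
        except UnicodeDecodeError:
            return "not-text", None
        # Heuristic (assumption): script text is mostly printable ASCII.
        # Random or compressed bytes usually decode to CJK-range noise.
        ascii_ok = sum(c.isascii() and (c.isprintable() or c in "\r\n\t")
                       for c in text)
        if not text or ascii_ok / len(text) < 0.8:
            return "not-text", None
        return "decoded", text
    return "absent", None

# Constructed sample command line (not taken from the issue).
_SCRIPT = "Get-NetIPAddress | Select-Object IPAddress"
SAMPLE = ("powershell.exe -NoProfile -ExecutionPolicy Bypass -enc "
          + base64.b64encode(_SCRIPT.encode("utf-16-le")).decode())

if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE))
```

A `not-text` result means the argument is valid base64 but needs a different recipe (another text encoding, compression, or a binary format) before it can be reviewed.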

dakinedakine99 commented 2 years ago

Don't want to include the entire command since it includes network info, but mainly regexes related to network vulnerabilities. I assume this is for transparency. Masquerading potential imo. wtfbin

dakinedakine99 commented 2 years ago

sensendr.exe "encoded text", there's no decode, so not that big of a deal, but still, wtf.

mttaggart commented 1 year ago

Added in c2fb3fc4da2041d2b2d867170da3a51363903490

chiwawa969 commented 12 months ago

@dakinedakine99 What base64 is used for the sensendr.exe? Tried a whole bunch of formats, UTF-8, UTF-16, with CyberChef but cannot decrypt. I see from your screenshot you are using CyberChef, can you give me the recipe please? Thanks

Ragex0 commented 10 months ago

This is what I used

cyberchef_recipe