optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.

AV's detect the code #45

Closed ghost closed 2 years ago

ghost commented 2 years ago

How can I optimize encryption to stay out of detection?

Tylous commented 2 years ago

What do you mean by that, are you saying that a security product is able to decrypt AES 256 encrypted shellcode, with a key and IV value?

ghost commented 2 years ago

I'm saying that Windows Defender is detecting the file on scan; use antiscan.me or kleenscan and check this.

Tylous commented 2 years ago

So recently Windows Defender has created some IoCs for ScareCrow. I have addressed this and will be releasing a completely new version next week (I am currently testing to make sure no unintended bugs or IoCs were introduced with the overhaul). That being said, it has nothing to do with encryption. Also, just some friendly advice: be careful uploading your loaders. Most of those services just do scanning, no behavior/runtime stuff, so it can lead to a false sense of security. Stay tuned next week :D

ghost commented 2 years ago

Thanks, I'll wait for the next update.

Tylous commented 2 years ago

Please see the latest update.

ghost commented 2 years ago

Thanks, I will try it now :P

corsch commented 2 years ago

I can also confirm that Symantec Endpoint Protection 14.3 RU4 is able to detect the latest version. Old binaries from January are still not detected!

Tylous commented 2 years ago

That seems odd... I've tested with the latest SEP I have access to and, as you can see, it is working. I wonder if this might be something outside of ScareCrow's reach? [image] It is quite odd that the older version worked as you said. Without any details, I cannot address this issue. I will be closing this issue based on the original issue being resolved. If you want to open a new issue to track it, I would recommend you provide lots of information to help confirm this (type of shellcode, whether it was tested on all loaders, and the commands used to generate the loader), as these help me recreate the issue.