Closed: codings9 closed this 3 years ago
Something is wrong then, because Client.exe (Agent) is the same implant that both of us have been working on..
Gist: https://gist.github.com/r00t-3xp10it/13e1bd5c657a1bd38bdf0a82d0e63309#gistcomment-3153563
1º - does dropper.exe have its icon changed from exe to pdf icon?
2º - does dropper.exe download/execute the pdf document?
3º - does dropper.exe download/execute the Client.exe?
4º - does the venom listener receive the connection from Client.exe?
1º - So review the Wine32 settings (multi-arch support)...
More info about the module can be found Here
2º - Or review the lib used by venom.sh to compile the dropper.exe:
i586-mingw32msvc-gcc (32bits)
OR i686-w64-mingw32-gcc (64bits)
Review the venom.sh -> 3 settings under your arch:
3º - OR maybe the x64-bit arch compiled payload (agent) is giving an error under the target x64 bits... Try to change the venom.sh configs from x64 to x32 bits -> and build/test the agent then
> Something is wrong then, because Client.exe (Agent) is the same implant that both of us have been working on.. Gist: https://gist.github.com/r00t-3xp10it/13e1bd5c657a1bd38bdf0a82d0e63309#gistcomment-3153563

Step by step:
1º - does dropper.exe have its icon changed from exe to pdf icon? YES.
2º - does dropper.exe download/execute the pdf document? YES.
3º - does dropper.exe download/execute the Client.exe? YES.
4º - does the venom listener receive the connection from Client.exe? NO. No connection from the Linux side, tested on x86 (xterm opens and shuts down) and x64, same picture I posted earlier; even put this on Parrot OS, nothing.
**>> I did notice that you are using: Sign Executable for AV Evasion (Carbon Copy)
Dropper Certificate: www.microsoft.com Client Certificate: www.microsoft.com** That is the only difference I can see.
Review:
> 1º - So review the Wine32 settings (multi-arch support)...

Wine32 is multi-arch support: YES.

> More info about the module can be found Here
> 2º - Or review the lib used by venom.sh to compile the dropper.exe

This is good as well, no issues here.

> i586-mingw32msvc-gcc (32bits)
> OR i686-w64-mingw32-gcc (64bits)

This is good as well, no issues here.

> Review the venom.sh -> 3 settings under your arch:

This is good as well, no issues here.

> 3º - OR maybe the x64-bit arch compiled payload (agent) is giving an error under the target x64 bits...

Yes, the error only occurs when using x64, not x86.

> Try to change the venom.sh configs from x64 to x32 bits -> and build/test the agent then

Tried, same issue, will stick with x86 for the architecture, it works, but it just closes Xterm after I have executed the client.exe on target.
Target machine (windows 10 - x64bit)
Attacker machine (Linux Kali - x32bit)
Yes, attacker is now x86, target is x64.
It's not because of this:
> I did notice that you are using: Sign Executable for AV Evasion (Carbon Copy)

that it fails...
But after I have figured out what's happening on your side.. I will say how to use that hidden function ;) ..
Lol, it's because I updated my Kali, so winetricks dotnet45 is generating errors per the Microsoft side of things. I upgraded my Kali, and now I am over here fighting with winetricks dotnet45 🤣😂
Working now ..
Thank you, here is the video: https://lbry.tv/@MunYa:d/Fake-PDF-Trojan-Horse:0?r=2Doo3VYrEzk9UmEw9kKFmbfEZtFZBjrx
Not messing with YouTube, and 3 strikes, lol, again thanks.
On Tue, Oct 6, 2020 at 3:28 AM pedro ubuntu notifications@github.com wrote:
Closed #78 https://github.com/r00t-3xp10it/venom/issues/78.
Tell me.. why does the dropper not present the PDF icon??
Is it because it's inside the archive when you execute it??
Take a look at the Test.exe file on my desktop..
Windows systems (vista|7|8|8.1|10)
8 (Amsi Evasion) | Agent nº5
Version v1.0.17 Changelog
Hey, I was about to do a video for LBRY on Fake PDF Trojan Horse, and I ran upon this hiccup. Let me know what steps I can take to fix this or help you fix it, thank you!