Complex Rat/Payload system
Complex Rat/Payload system #1
Almost done with my RAT (very VERY COMPLEX) using my own payload system written in C#. Somewhat an understandable graph below -

[Image: Te8j1r3.jpg]


Basically the injected process carries out the commands after the encrypted payload process is run, so as not to bring suspicion to the actual RAT (meaning the CPU usage will show up in the injected process instead of the actual RAT). Then comes the payload part: if you know C# or VB.NET you can write your own payloads (scripts) to add and have the RAT execute. Meaning you don't have to wait for a feature to be added + it won't be detected in runtime or scantime. The default features of the RAT ATM are startup persistence, process persistence, stability, UDP, SYN, icon changer, assembly changer, and much more.

The only thing that is getting detected is the injection into processes; after that it will be 100% FUD -

Beginning of the day scan -
RESULTS: 4/35
AVG Free - OK
Avast - MSIL:GenMalicious-ALB [Trj]
AntiVir (Avira) - TR/Dropper.Gen
BitDefender - OK
Clam - OK
COMODO - OK
Dr.Web - OK
eTrust-Vet - OK
F-PROT - OK
F-Secure - OK
G Data - OK
IKARUS - OK
Kaspersky - OK
McAfee - OK
MS Essentials - OK
ESET NOD32 - Trojan.MSIL/Injector.FHV
Norman - OK
Norton - OK
Panda - OK
A-Squared - OK
Quick Heal - OK
Solo - OK
Sophos - OK
Trend Micro - OK
VBA32 - OK
Zoner AntiVirus - OK
Ad-Aware - OK
BullGuard - OK
FortiClient - OK
K7 Ultimate - OK
NANO - Trojan.Win32.Inject.dkjscy
Panda CommandLine - OK
SUPERAntiSpyware - OK
Twister - OK
VIPRE - OK

File Name masterblock.exe
File Size: 487424
File MD5: 65172e04036f5a9616250b547902960b
File SHA1: ff7c892281c557fd24ddb8c1129d06365576f342
Check Time: 2015-03-13 02:36:56

Scan report generated by
Scan4You.Net




Just Now -
RESULTS: 2/35
AVG Free - OK
Avast - OK
AntiVir (Avira) - TR/Dropper.Gen
BitDefender - OK
Clam - OK
COMODO - OK
Dr.Web - OK
eTrust-Vet - OK
F-PROT - OK
F-Secure - OK
G Data - OK
IKARUS - OK
Kaspersky - OK
McAfee - OK
MS Essentials - OK
ESET NOD32 - OK
Norman - OK
Norton - OK
Panda - OK
A-Squared - OK
Quick Heal - OK
Solo - OK
Sophos - OK
Trend Micro - OK
VBA32 - OK
Zoner AntiVirus - OK
Ad-Aware - OK
BullGuard - OK
FortiClient - OK
K7 Ultimate - OK
NANO - Trojan.Win32.Inject.dkjscy
Panda CommandLine - OK
SUPERAntiSpyware - OK
Twister - OK
VIPRE - OK

File Name believe me.exe
File Size: 458752
File MD5: 1b262acab8f9726e099d170528cc24f7
File SHA1: 0d966bb704fbd287749db8310abb40ad6a3133c9
Check Time: 2015-03-17 02:44:14

Scan report generated by
Scan4You.Net



Rat is going to be $40 Lifetime when released. Will be updated very often and is very very fast and stable


RE: Complex Rat/Payload system #2
Never used RATS really. But nice job.
Whoop Whoop?


RE: Complex Rat/Payload system #3
Seems very cool.
Meanwhile here, I'm still fucking using darkcomet

RE: Complex Rat/Payload system #4
(03-17-2015, 02:34 AM)9gag Wrote: Seems very cool.
Meanwhile here, I'm still fucking using darkcomet

Darkcomet isn't really bad for what it's intended for; beginner use.

RE: Complex Rat/Payload system #5
Wow this is some next level shit. Nice work on the obfuscation for the anti-virus bypass. What obfuscator do you use?

RE: Complex Rat/Payload system #6
Well, I built my own obfuscator using the Mono.Cecil library. But honestly the obfuscation isn't what is bypassing it. What is bypassing most of them is encryption and using code not many people know about in VB.NET. BTW right now it is 1/35 as we speak.

RE: Complex Rat/Payload system #7
GG, never really been into RATs, more into Social Engineering and that shit.

RE: Complex Rat/Payload system #8
And what's your idea of bypassing HIPS or do you only attempt to find and inject into certain non-protected processes? What if none are available? What method of injection are you using? This thread isn't much more than theory.
- mostly braindead monkeys on this forum.


RE: Complex Rat/Payload system #9
how do you infect the target though
