As the title says, I stumbled upon this problem. After I convert any backdoor that is .bat to .exe, it is getting detected by 6 to 9 AVs. Even the download and execute script gets detected. Any suggestions?
Which backdoor is getting detected, the FatRat one or Empire? Have you tried playing around with its options?
As for the download and execute, the last time I tested it (last week) it passed everything, I will test it again tomorrow when I’m back in the office and I’ll get back to you.
I did the following: set up my FatRat and uploaded it to Apache. Modified the download and execute script to open a PDF and the FatRat. Converted the download-and-execute.bat to .exe. If I upload it to NoDistribute, it gets detected by 6 to 10 AVs. I also played with the options and even modified the values in hex. Still getting detected.
Is the FatRat backdoor getting detected before adding it to the download and execute script?
Yeah, you’re right, some AV programs are flagging battoexe files as viruses. This is not right though, because even if you make a very simple bat with simple code and convert it using battoexe, it will be flagged as a virus, so this is a problem with the AV programs. If you look at them you’ll see that all of them are not famous programs except for AVG.
Use the bat without converting it to exe (the bat on its own is not getting detected).
Use a different method/program to convert the bat to exe (there are lots online).
Wait for me as I will make another lecture to show one more method to achieve this.
So, I tried using other programs that convert the .bat to .exe. Still getting detected. Also tried modifying hex values, same problem. Maybe if I use an icon changer + extension spoof it will work.
Like I said, this problem is not actually with the download and execute payload, because the payload itself doesn’t get detected; it’s the fact that these AV programs are flagging any file generated with battoexe as a virus.
Have you tried a different payload from FatRat and Veil? Try those payloads and see if those work. Also, you may try different Empire stagers, e.g. http, https and tcp, to see which of these works. Make sure you have the appropriate Empire listener configured.