
Content

In this Twitch stream we begin triaging a new loader that uses an AMSI bypass to avoid detection. The loader itself is .NET, but as we dig deeper we discover that the AMSI bypass is implemented in PowerShell, that native x64 shellcode is used (not yet analyzed), and that the final payload is AsyncRAT.

For the first half of the stream we triage the .NET loader and the PowerShell, then turn our attention to the shellcode. The shellcode analysis involves a few tricks that might be useful for shellcode analysis in general; in the next stream we will do a full triage of the shellcode.

Sample

43cc6ed0dcd1fa220283f7bbfa79aaf6342fdb5e73cdabdde67debb7e2ffc945 


Notes

AMSI Bypass In The Wild - Taking a close look at this asyncrat loader with an AMSI bypass 


Files

Live Stream VOD: AMSI Bypass Loader Part 1


Comments

techevo

CyberChef disassemble takes hex input, so just paste the hex in and it works, no need to convert to / from hex.