
Eset Detects .Dll But Not .Exe Version?



There is an SRP/AppLocker (and also Eset-recommended ransomware rules) PowerShell bypass, one of dozens that exist, on GitHub: https://github.com/p3nt4/PowerShdll .

Eset detects the .dll version of this as MSIL/Agent.SXW upon download. However, there is also a .exe version of this bypass that Eset does not detect. Not even after a LiveGrid upload of it after download:

Time;Component;Event;User
7/9/2020 1:50:52 PM;ESET Kernel;File 'https://raw.githubusercontent.com/p3nt4/PowerShdll/master/exe/bin/Release/Powershdll.exe' was sent to ESET Virus Lab for analysis.;SYSTEM

Why not? If Eset detects the .dll version, it should also detect the .exe version.

Attachment: Powershdll.zip


2 hours ago, Peter Randziak said:

Hello @itman,

the .exe itself is not malicious, it loads the .dll, which is being detected...

Peter

It depends on how you look at it. Since the .dll is embedded in the .exe, it is in reality part of the .exe.

Also, the AV detections on this one are a bit strange. Eset was one of the few who detected the .dll. On the other hand, Kaspersky and Check Point, plus now others, originally detected the .exe. Note that Eset does not detect the .exe version on VirusTotal.

Detection of the .dll after .exe startup is post-execution detection. As Eset points out in its write-ups on post-execution detection, it is a less desirable detection method since system modifications may have occurred prior to detection. However, in this case it is N/A since the .dll is actually not being run by the .exe.

Finally, as I understand this bypass, it is using a .Net based .dll that only runs on .Net 2.0 or 3.5. In other words, the .dll is actually running via .Net. Therefore, all the .exe version is doing is the equivalent of, e.g., rundll32.exe PowerShdll.dll.

So the question remains: why can't Eset detect by signature the .dll code embedded in the .exe as it can for the standalone .dll? I do not believe the code in the .exe is hidden in any way by packing, encryption, or obfuscation.

Edited by itman
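One way to check the assumption in the post above (that the .dll sits inside the .exe unmodified, not packed or encrypted) is to scan the .exe for embedded PE images, carve each one, and compare its hash with the standalone .dll. The script below is an added example written for this thread; it is not code from the thread or from the PowerShdll project, and the two sample images it scans are constructed minimal PE32 headers with dummy section data, not PowerShdll binaries. It assumes the DLL is embedded as a plain, uncompressed image (the post's supposition, which the thread does not confirm).

```python
"""Scan a file for embedded PE images and compare them to a standalone DLL.

Added example; not from the forum thread or PowerShdll.  If a host .exe
carries a .dll as an unmodified embedded image, the DLL's exact bytes (and
hash) are recoverable by carving, so a byte-pattern signature for the
standalone DLL could in principle hit the same bytes inside the .exe.
The sample images are constructed, header-only PE32 stubs.
"""
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000   # COFF Characteristics flag: image is a DLL
CLR_DIR_INDEX = 14        # data directory slot of the .NET (CLR) header
MAX_E_LFANEW = 0x1000     # sanity cap on DOS-to-PE header distance


def parse_pe_at(data: bytes, off: int):
    """Parse a PE image starting at data[off]; return a dict or None."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > MAX_E_LFANEW or pe + 24 > len(data):
        return None
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if opt + opt_size > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at 92, directories at 96
        dir_off = 96
    elif magic == 0x20B:    # PE32+: NumberOfRvaAndSizes at 108, directories at 112
        dir_off = 112
    else:
        return None
    if opt_size < dir_off:
        return None
    nrva = struct.unpack_from("<I", data, opt + dir_off - 4)[0]
    clr_rva = 0
    if nrva > CLR_DIR_INDEX and opt_size >= dir_off + (CLR_DIR_INDEX + 1) * 8:
        clr_rva = struct.unpack_from(
            "<I", data, opt + dir_off + CLR_DIR_INDEX * 8)[0]
    sec = opt + opt_size
    end = sec + nsect * 40
    if end > len(data):
        return None
    for i in range(nsect):   # file extent = furthest section raw data end
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + i * 40 + 16)
        end = max(end, off + raw_ptr + raw_size)
    return {"offset": off, "end": min(end, len(data)), "machine": machine,
            "is_dll": bool(chars & IMAGE_FILE_DLL), "is_dotnet": clr_rva != 0}


def find_embedded_pe(data: bytes):
    """Return every parseable PE image in data (the host image itself first)."""
    found, pos = [], 0
    while True:
        idx = data.find(b"MZ", pos)
        if idx < 0:
            return found
        info = parse_pe_at(data, idx)
        if info:
            found.append(info)
        pos = idx + 2


def carve(data: bytes, info: dict) -> bytes:
    return data[info["offset"]:info["end"]]


def embedded_matches(container: bytes, standalone: bytes):
    """Images inside container whose carved bytes hash identically to standalone."""
    want = hashlib.sha256(standalone).hexdigest()
    return [i for i in find_embedded_pe(container)
            if hashlib.sha256(carve(container, i)).hexdigest() == want]


def build_min_pe(is_dll: bool, dotnet: bool, payload: bytes) -> bytes:
    """Constructed minimal PE32 image with one section; headers only, not loadable."""
    headers_len = 0x40 + 4 + 20 + 224 + 40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + CLR_DIR_INDEX * 8, 0x2008, 72)
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x2000, len(payload), headers_len,
        0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + sect + payload


# Constructed sample: a host .exe image with a .NET DLL image appended unmodified.
EMBEDDED_DLL = build_min_pe(True, True, b"embedded-dll-code" * 4)
SAMPLE_EXE = (build_min_pe(False, True, b"host-stub-code" * 4)
              + b"\0" * 16 + EMBEDDED_DLL + b"\0" * 8)

if __name__ == "__main__":
    for info in find_embedded_pe(SAMPLE_EXE):
        print(info)
    print("embedded copies of the standalone DLL at offsets:",
          [m["offset"] for m in embedded_matches(SAMPLE_EXE, EMBEDDED_DLL)])
```

On a real pair of files, call find_embedded_pe on the .exe bytes and embedded_matches with the standalone .dll bytes. A hash match shows the DLL is present byte-for-byte, so a byte-level signature written for the DLL could match inside the .exe too; no match does not by itself prove packing or encryption, since a .NET host can also store an assembly as a compressed managed resource or assemble it at run time, which this scan does not see.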
