itman

Eset Detects .Dll But Not .Exe Version?

Recommended Posts

There is an SRP/AppLocker and also Eset recommended ransomware rules PowerShell bypass, one of dozens that exist, on GitHub: https://github.com/p3nt4/PowerShdll.

Eset detects the .dll version of this as MSIL/Agent.SXW upon download. However, there is also a .exe version of this bypass that Eset does not detect, not even after a LiveGrid upload of it after download:

Time;Component;Event;User
7/9/2020 1:50:52 PM;ESET Kernel;File 'https://raw.githubusercontent.com/p3nt4/PowerShdll/master/exe/bin/Release/Powershdll.exe' was sent to ESET Virus Lab for analysis.;SYSTEM

Why not? If Eset detects the .dll version, it should also detect the .exe version.

Powershdll.zip

Posted (edited)
2 hours ago, Peter Randziak said:

Hello @itman,

the .exe itself is not malicious, it loads the .dll, which is being detected...

Peter

Depends how you look at it. Since the .dll is embedded in the .exe, it is in reality part of the .exe.

Also, the AV detections on this one are a bit strange. Eset was one of the few who detected the .dll. On the other hand, Kaspersky and Checkpoint, plus now others, originally detected the .exe. Note that Eset does not detect the .exe version on VirusTotal.

Detection of the .dll after .exe startup is post-execution detection. As Eset points out in its write-ups on post-execution detection, it is a less desirable detection method since system modifications may have occurred prior to detection. However, in this case it is N/A since the .dll is actually not being run by the .exe.

Finally, as I understand this bypass, it is using a .Net based .dll that only runs on .Net 2.0 or 3.5. In other words, the .dll is actually running via .Net. Therefore all the .exe version is doing is the equivalent of, e.g., rundll32.exe PowerShdll.dll.

So the question remains: why can't Eset detect by signature the .dll code embedded in the .exe as it can for the standalone .dll? I do not believe the code in the .exe is hidden in any way by packing, encryption, or obfuscation.

Edited by itman
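The post above turns on one mechanical point: a .dll stored inside a host .exe is the same bytes, but a signature keyed to the standalone .dll file as a whole does not match the host file unless the scanner locates and carves the embedded image. The script below is an added example (it is not from this thread, from ESET, or from the PowerShdll project) showing the defender-side check: it walks a byte buffer for PE headers, measures each image from its section table, hashes every image it finds, and reports whether the image is flagged as a DLL. The two PE images it scans are constructed, non-runnable stand-ins built by build_minimal_pe (a hypothetical helper written for this example), not the real PowerShdll binaries.

```python
"""Carve PE images (for example a .NET DLL) embedded in a host .exe and hash them."""
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics flag marking a DLL


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_embedded_pe(data: bytes) -> list:
    """Locate every PE image in data (the host image at offset 0 and any image
    stored later in the file) and return its offset, DLL flag, size and SHA-256.

    The on-disk size of an image is taken as the furthest byte covered by any
    section's PointerToRawData + SizeOfRawData, and at least SizeOfHeaders."""
    found = []
    pos = 0
    while True:
        mz = data.find(b"MZ", pos)
        if mz < 0:
            break
        pos = mz + 1
        if mz + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, mz + 0x3C)[0]
        pe = mz + e_lfanew
        # A DOS header is 0x40 bytes, so the PE signature cannot start before that;
        # also reject candidates whose headers run past the end of the buffer.
        if e_lfanew < 0x40 or pe + 24 + 64 > len(data) or data[pe:pe + 4] != b"PE\0\0":
            continue
        nsections = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size, characteristics = struct.unpack_from("<HH", data, pe + 20)
        # SizeOfHeaders sits at optional-header offset 60 in both PE32 and PE32+
        size_of_headers = struct.unpack_from("<I", data, pe + 24 + 60)[0]
        end = size_of_headers
        section_table = pe + 24 + opt_size
        for i in range(nsections):
            hdr = section_table + i * 40
            if hdr + 40 > len(data):
                break
            raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
            end = max(end, raw_ptr + raw_size)
        end = min(end, len(data) - mz)
        image = data[mz:mz + end]
        found.append({
            "offset": mz,
            "is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "size": len(image),
            "sha256": sha256_hex(image),
        })
    return found


def build_minimal_pe(is_dll: bool, payload: bytes) -> bytes:
    """Constructed test data (hypothetical helper): a tiny, non-runnable PE32 image
    with one section. It only exercises the header fields parsed above."""
    headers_size = 0x200
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", optional, 60, headers_size)  # SizeOfHeaders
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                          len(payload), headers_size, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + file_header + optional + section)
    image += b"\0" * (headers_size - len(image))
    return bytes(image + payload)


def demo():
    """Return (dll_hash, host_hash, images) for a constructed .dll and a host .exe
    that carries that .dll verbatim in its section data."""
    dll = build_minimal_pe(True, b"dll code")            # constructed standalone .dll
    host = build_minimal_pe(False, b"host code" + dll)   # constructed .exe embedding it
    return sha256_hex(dll), sha256_hex(host), carve_embedded_pe(host)


if __name__ == "__main__":
    dll_hash, host_hash, images = demo()
    print("standalone dll:", dll_hash)
    print("host exe      :", host_hash)
    for img in images:
        print(f"offset={img['offset']:5d} dll={img['is_dll']} size={img['size']} sha256={img['sha256']}")
```

Running it shows two images in the host: the host itself at offset 0 (not a DLL) and the embedded image at offset 521 (flagged as a DLL) whose SHA-256 equals the standalone .dll's hash, while the whole-file hash of the host differs. A scanner that only hashes or pattern-matches the outer file from its own headers sees the second hash; one that carves nested images sees the first.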


Hello @itman,

thank you for your submission. I contacted the lab and they decided to add the exe to detection as well: Powershdll.exe - MSIL/Agent.SXW trojan

Peter
