| Welcome, Guest |
You have to register before you can post on our site.
|
| Online Users |
There are currently 9 online users.
» 0 Member(s) | 9 Guest(s)
|
|
|
| Salat Stealer - Malware Analysis |
|
Posted by: Unix_Root - 06-19-2025, 04:30 PM - Forum: Writes-up
- Replies (1)
|
 |
Summary This report analyzes a UPX-packed Windows executable file identified as a Salat Stealer. The malware collects the victim's keystrokes, system information, browser-stored credentials, cryptocurrency wallet data, and messaging applications data. It can also access the victim's webcam and microphone. It compresses the collected data and then exfiltrates it to the command-and-control (C2) server over the Quick UDP Internet Connections (QUIC) protocol.
Link:
https://blog.pwndesal.xyz/salat-malware-...e-analysis
|
|
|
| How to develop a malware? |
|
Posted by: zed - 06-19-2025, 06:11 AM - Forum: General discussion
- Replies (3)
|
 |
How to develop a malware?
That Question is always running on my mind when i was a beginner, but now every thing change until i saw this MalDev Academy, This is not promotion I just want to share it here maybe they know it.
This is the website : https://maldevacademy.com/ I hope It's helps.
|
|
|
|
| Builder for analysis-aware Windows droppers |
|
Posted by: Unix_Root - 06-17-2025, 09:02 PM - Forum: Popular tools
- No Replies
|
|
Quote:Cheska is intended for red teamers, researchers, and malware analysts operating within legal boundaries and in controlled, consented environments. Unauthorized deployment or use against systems you do not own or have explicit permission to test is illegal.
Requirements
Python 3
MinGW-w64 (sudo apt install mingw-w64)
How it works
Cheska is a builder for analysis-aware Windows droppers. All the user has to provide is the payload file and an optional output path where the resulting dropper will be saved.
When executed, the build script does the following in a nutshell:
validates that the provided payload is a valid Windows PE executable.
generates a random 3-character key used to XOR encode the payload and strings in the stub (e.g. DLL names).
generates a random 3-5-character string to be used as the resource name for the encoded payload.
configures the stub with the key and now encoded string values.
compiles the stub and embeds the encoded payload as a resource.
The dropper, upon execution, does the following:
Performs anti-analysis checks (detailed below)
Loads and decodes the payload from the resources section
Drops and executes the payload
Anti-Analysis Techniques
Category Technique Description
Anti-debugging Unhandled exception filter Detects attached debugger via custom exception logic.
Anti-sandbox Mouse presence check Detects whether a mouse device is installed.
Number of processors (<=2) Flags limited CPU environments.
RAM size (<2GB) Detects low-memory VMs or sandboxes.
Anti-VM Virtualization feature flag Uses PF_VIRTUALIZATION_ENABLED to detect VT-x/AMD-V.
Native VHD boot check Detects OS booted from VHD, common in VMs/sandboxes.
Additional Defense Evasion Techniques
To further minimize detection and complicate analysis, the stub also employs:
PEB walking for stealthy module enumeration
Dynamic API resolution to bypass static import detection
String obfuscation (e.g. XOR-encoded DLL and function names)
Setup
The builder was developed and tested on a Linux environment, leveraging MinGW-w64 for cross-compiling Windows binaries.
Clone this repository
git clone https://github.com/nemuelw/cheska.git
Navigate to the project directory
Create a virtual environment and activate it
python3 -m venv .venv
. .venv/bin/activate
Install project dependencies
pip3 install -r requirements.txt
Usage
python3 cheska.py -p <PAYLOAD_FILE> [-o <OUTPUT_FILE>]
Contribution
Contributions are welcome! Ideas for improvement include:
Better anti-VM techniques (e.g. VM driver or MAC address checks)
Additional anti-sandbox methods
Stub optimization or improved evasion heuristics
Link:
https://github.com/nemuelw/cheska
|
|
|
|
|
