Looking for some anti-VM/anti-sandbox technique so our crypts will live longer #2341

Open
sea256 opened this issue Apr 17, 2024 · 7 comments

Comments

@sea256

sea256 commented Apr 17, 2024

Can you recommend something, Unam? Or anyone else, please share your knowledge,
because I'm a little bit stuck at that point: I can evade some sandboxes, but I want to find a more universal method.

@Alcinzal

I would recommend looking into pafish; it's a repo that aims to detect VMs. You can look at the different methods they use. However, keep in mind that there isn't really one global way of detecting VMs; it's a never-ending sort of thing: one part finds new ways to detect VMs, and the other part finds new ways to hide their VMs.

Good luck!

@sea256

sea256 commented Apr 19, 2024

> I would recommend looking into pafish; it's a repo that aims to detect VMs. You can look at the different methods they use. However, keep in mind that there isn't really one global way of detecting VMs; it's a never-ending sort of thing: one part finds new ways to detect VMs, and the other part finds new ways to hide their VMs.
>
> Good luck!

Thank you so much! I've already heard about some of the techniques that are used in pafish, but it seems a little too complicated because I don't know the C language, so it's hard for me to implement those features in my Python dropper... But finally I found a solution that suits me, vm-blacklist, which has a lot of up-to-date VM signs/rules.
I also added some VM recognition tools myself, and now it checks 23 signs (20 offline and the last 3 online), so hopefully sandboxes won't be a big deal now.

@sea256

sea256 commented Apr 19, 2024

Wow, I just saw that detections decreased from 5 to 3. I didn't know that was possible; am I tripping, or do the anti-VM features work? =)

@sea256

sea256 commented Apr 19, 2024

Never mind, it was the second file I uploaded... so detections cannot decrease on the same file.
BTW, it looks like my file got additional attention (because it was submitted by more than one person, I guess) and was inspected not by an automated sandbox but by a real person who tried to run it a couple of times while looking at Task Manager :)

@Silentsniper1

> Never mind, it was the second file I uploaded... so detections cannot decrease on the same file. BTW, it looks like my file got additional attention (because it was submitted by more than one person, I guess) and was inspected not by an automated sandbox but by a real person who tried to run it a couple of times while looking at Task Manager :)

Contact me on Discord; my username is Silentsniper0.

@DLK2

DLK2 commented Apr 20, 2024

If you want someone to pack it with anti-VM features, I can help. DM me on Session if you're interested: 0507ba426543260ca92f64756546b095189f10e310cfde998fe770730d7bf60315

@Alcinzal

> Never mind, it was the second file I uploaded... so detections cannot decrease on the same file. BTW, it looks like my file got additional attention (because it was submitted by more than one person, I guess) and was inspected not by an automated sandbox but by a real person who tried to run it a couple of times while looking at Task Manager :)

vm-blacklist was a nice find; however, I must warn you against scanning your files on VirusTotal (if you are), since VirusTotal will distribute all detections it gets. I might be wrong here, but distribution, in this context, will mean that if you upload your file to VirusTotal and, let's say, Avast detects your program as a virus but Windows Defender does not, then VirusTotal will send a message to Windows Defender saying "Hey, Avast detects this program as a virus", and then Windows Defender might also end up detecting it as a virus.

It's probably an incorrect explanation, but I am pretty sure that it works like that in one shape or another. The solution to this would be to scan your files on no-distribute scanning sites. The downside to this is that it often costs money. I personally use kleenscan; they gave me something like 5 free scans at first, then when I added $10 to my balance I also got $15 extra. Each scan is then 0.05 dollars, so that means I could do 500 scans.

Although maybe it's not worth it, since the program is bound to get scanned on VirusTotal sooner or later by clients downloading the file. Good luck further :)
