4n4lDetector 2.7

4n0nym0us

New Member
Thread author
May 5, 2024
7
This is a scan tool for Microsoft Windows executables, libraries, drivers and mdumps. Its main objective is to collect the necessary information to facilitate the identification of malicious code within the analyzed files. This tool analyzes, among other things, the PE header and its structure, the content of the sections, the different types of strings, among many other things. It also incorporates a multitude of its own ideas to recognize anomalies in the construction of files and the detection of mechanisms used by current malware.

Using the tool is simple, just configure the options in the drop-down panel on the right and drag the samples into 4n4lDetector.

Full support:
- 32 bits (8086, x86, ARMv7)
- 64 bits (AMD64, x86-64, x64, ARMv8)

Buttons code:
- Buttons colored green are action buttons that open files and folders or are used to interact with the tool's utilities.
- The buttons colored in red perform reconfigurations, deletion of data or reset of functional files.
- Purple buttons announce the activation of online interactions.
- The pink buttons are shortcut buttons that the tool uses as tabs to navigate between different types of utilities.

Shortcuts:
- [A] Main analysis tab
- [W] Analysis tab in modifiable HTML format for report (WebView)
- Viewer of strings extracted from the parsed file
- [V] Module with the Virustotal report using its API

Detections:
- PE Information
- Unusual Entry Point Position or Code (Algorithms, Anomalous Instructions... )
- Packers
- Compilations
- Binders/Joiners/Crypters
- Architectures
- Possible malicious functions
- Registry Keys
- Files Access
- Juicy Words
- Anti-VM/Sandbox/Debug
- URLs Extractor
- Payloads
- AV Services
- Duplicate Sections
- IP/Domains List
- Config RAT (Only In Memory Dumps)
- Call API By Name
- Unusual Chars In Description File (Polymorphic Patterns)
- Rich Signature Analyzer
- CheckSum Integrity Problem
- PE Integrity Check
- SQL Queries
- Emails
- Malicious resources
- PE Carve
- Exploits
- File Rules for Entry Points and more... 😃

Console Options (Analysis to file):
- 4n4lDetector.exe Path\App.exe -GUI (Start the graphical interface parsing a file from the console)
- 4n4lDetector.exe Path\App.exe -TXT (Parse a file from the console and the output is written to a TXT file)
- 4n4lDetector.exe Path\App.exe -GREMOVE (Remove binary after scan)
- 4n4lDetector.exe Path\App.exe -HTML (Parse a file from the console and the output is written to HTML file)

Download:
4n4lDetector

Bot

AI-powered Bot
Apr 21, 2016
3,671
Thanks for sharing this detailed information about 4n4lDetector 2.7. It seems like a comprehensive tool for analyzing potentially malicious files, with support for both 32-bit and 64-bit architectures. The various detection features and console options make it a versatile tool for different analysis scenarios. The direct download link is also appreciated.

Brie

Level 10
Verified
Well-known
Jan 1, 2018
490
why are there lines scratched through a lot of things?

likeastar20

Level 8
Verified
Mar 24, 2016
374
Not the only analysis platform that rates it as malicious tho.
Well, he did develop his own RAT, so that's that 🤷‍♂️

1715078256513.png

4n0nym0us

New Member
Thread author
May 5, 2024
7
I have been developing antivirus evasion methods as well as various hacking tools for more than 15 years. But if you find malware in 4n4lDetector files, here is more information for my arrest.

F

ForgottenSeer 109138

A tool does not need to contain malware to become malicious. There are plenty of benign tools out there until they are in the wrong hands or used in malicious ways. Then adding the unknown of the developer, and the extreme amount of indicators through hybrid analysis, I'd be wary.

Personally I'd use Pestudio.

Trident

Level 29
Verified
Top Poster
Well-known
Feb 7, 2023
1,812
The file itself, according to the analysis linked, does not seem to possess any abilities not presented to the user (such as coming packed with malicious software). The tool provides solely what has been promised to the user.

My concerns are that this tool can be abused and is exceptionally difficult to block as the developer is unknown. A simple update of the packaging algorithms will be enough to evade the majority of blocks.
The tool can be abused to extract enough information necessary to deliver a more tailored attack at a later stage.
The author develops several less-than-authoritative tools posing as “security researcher” and does not assume any liability for the same as they are developed “for security research only”.
This is very typical on the malware-as-a-service market, to claim that malicious tools are security projects.

Downloading this tool will not cause any instant, direct harm, but its development and public release is rather unethical.

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
I do not like publicly available or "educational" malware either, but I think the discussion about this is off-topic and also not the same as selling or spreading malware. There are plenty of red teamers writing malware projects because this is part of their professional work. Some decide to publicise them, and whether that does more good than harm is a constant debate.

Regarding the tool, I really like the retro design and I believe it can be a useful tool for triage. What advantages are there with your tool over using CAPA and a PE parser like PEStudio? Currently this part is not clear to me but maybe there are features I just could not appreciate from the short testing phase.

Some of the patterns might need more vetting: I tested a random application of mine and got shellcode and filemon patterns, neither of which is part of the program.

1715237168366.png


However, I did not find the algorithm or pattern for the anti-VM/debug tricks in any of the .rules files that I can inspect via the settings. I would prefer if the way those detections occur were made clear, either by making the signature for it viewable or by making the program open source. It is in the very nature of heuristics and signature patterns that they tend to have false positives. I inspect them to estimate the likelihood that they go wrong and what a finding actually means, so I am not caught up looking for a shellcode (like in this case) that does not exist. Additionally, it would be helpful to find the offset/location where this shellcode pattern was found; otherwise the detection is not useful for further analysis.

Minor thing: When I click on the .rules, they do not open unless I know that I have to choose a text editor.

2.png


1.png

Are these EP rules PEiD signatures? They seem like it.

4n0nym0us

New Member
Thread author
May 5, 2024
7
Hello @Trident, a pleasure. My tool does not send data anywhere, currently it only downloads the signature files and the notifications section in "Settings". In that tab I send a notice to the user about how its development is going, since I have been developing this tool for 9 years, the first version is documented on my blog.
On the other hand, I have been working professionally for more than 15 years as a teacher, writer, pentester, developer, forensics and malware analyst. Within malware analysis I also develop antivirus evasion methods, which I have published since my beginnings. I have never been linked to legal problems because I have not participated in criminal actions outside of sharing my progress with the community.
--------------------
Hello @struppigel, thanks for trying the tool. It is true that to see the potential of the tool you have to spend some time on it, because it only shows the information it finds and the rest of the functionalities are hidden. If you need more information or have questions, I can explain it to you without problems. I am currently developing a next version that is even faster and more powerful.

That shellcode detection is a generic detection that one day a long time ago I incorporated into the code; luckily it doesn't usually appear hehe, but it can help you be alert about what you analyze. If you search for "Filemon" in the strings tool search engine, you will probably find the word. I would not pay too much attention to that detection, since that word can be found written as part of another function. However, you can visit the 4n4lDetector rules folder to see all the rules, which can be modified so you can add or delete rules. Plus there is the entire database of the Detect It Easy (DIE) tool.

If you have suggestions for removing any detections outside of the rules files, let me know and I'll look into it and may remove them.

The extension of the rules files is not linked to the operating system to be opened by any application. I leave that at your disposal; you just have to choose it the first time.

As for Entry Point rules, I've included rules from many different sites. Currently the content of these rules is reviewed, expanded and cleaned. It even has Shellcode detections hehe. Think that I do all this as a hobby, I am a restless person and I enjoy doing new things, greetings! :)

4n0nym0us

New Member
Thread author
May 5, 2024
7
I finally removed the "Filemon" detection and the generic detection of that "Shellcode" because they could really be misleading. On the other hand, I am already developing an advanced search functionality, which includes the option to extract Offsets... among other new functionalities ;)

4N4LDetector v2.8.png


Greetings from Spain!

4n0nym0us

New Member
Thread author
May 5, 2024
7
Version 2.8 of #4n4lDetector has already been released, along with a video to learn how to analyze the #LarryLurexRAT Trojan server. This is a modification of #DarkComet made from #debugger by myself. I also review behavior-based antivirus engine evasion techniques and #EDR systems. Additionally, I address the extraction of #IOCs and the collection of information prior to a #malware #reversing exercise.

Download:
Video (Spanish):


Added in this version:
[+] A notice is added to the sections section when the identified section is executable.
[+] The SHA-256 and SHA-1 Hashes of all analyzed files are now also calculated.
[+] Including the original name of the analyzed library in the "[Export Table]" button.
[+] Now 4n4lDetector is able to identify content in the Import Table even though the "Original First Thunk" Offset is at "0" as in UPX tablets.
[+] The "Settings" module now has a subtle optimization to avoid freezes when downloading notifications.
[+] The code responsible for resource extraction has been optimized, it is now faster.
[+] Entry Point extraction has been restructured, optimizing its code and improving extraction speed.
[+] Optimized and removed some of the internal rules of 4n4lDetector to avoid some false positives.
[+] The file description extractor algorithm was modified, it is now more effective.
[+] The Carving PE result is now stored in a folder called PECarve within the analysis section.
[+] Virustotal information has been relocated to the main panel. (Use your personal API_KEY).
[-] SORRY MICROSOFT... I think we are at peace after that CobaltStrike detection <3
[+] The "IT Functions:" section of the main analysis is now called "Suspicious functions:", this being more accurate.
[-] Functions now have a description of their functionalities.
[+] The "Strings" functionality now runs automatically, visible in the "S" button after scans while "Intelligent Strings" is active.
[-] Increased the effectiveness and speed of the "Intelligent Strings" module and the "Strings" functionality.
[+] The "Sections Info" option is now internal and in its place an optional one has been created to decompress UPX samples.
[-] The unzipped samples are stored in the analysis path, within a folder called UPX.
[-] The UPX binary is located in the root of 4n4lDetector, in a folder called "bin" and can be modified by the user.
[+] The verification of signed executables, the checksum signature and the Rich signature are now grouped in the "Signatures" section.
[+] Changes in the management of the Rich signature.
[-] The entire signature is extracted, not just the first part.
[-] Added a hash for detection.
[-] Its integrity is verified with a review of the old algorithm.
[+] A new tool has been added to extract Offsets directly from the executable and view its contents.
[-] It is now possible to manually perform code searches in hexadecimal, ASCII and UNICODE.
[-] A functionality to review the assembly code has also been included.
[-] This tool executes its main functions automatically with the Entry Point after each analysis.
[+] Added extraction of import and export tables from the rest of the existing executable architectures.
[-] Alpha AXP, ARM, EFI Byte Code, EFI Byte Code (EBC), Hitachi SH3, Hitachi SH3, Hitachi SH3, Hitachi SH4, Hitachi SH5, Intel Itanium (IA-64), Intel i860, M32R, MIPS16, MIPS16 with FPU, MIPS R3000, MIPS R4000, MIPS little-endian, MIPS little-endian WCE v2, MIPS with FPU.

Photo Example:
GPEnE4LXIAA-gBJ
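The Rich signature items in the 2.8 notes (extracting the whole signature and verifying its integrity) come down to the algorithm below. This is an added Python example, not 4n4lDetector's own code: it decodes the XOR-masked header from the DOS stub and recomputes the checksum that doubles as the XOR key, so any edit to the stub or entries shows up as a mismatch. The MZ stub and comp-id values are constructed for the demo.

```python
import struct

MASK32 = 0xFFFFFFFF
DANS = 0x536E6144  # "DanS" marker that opens the Rich header

def rol32(v, n):
    """Rotate a 32-bit value left by n (mod 32) bits."""
    n &= 31
    return ((v << n) | (v >> (32 - n))) & MASK32 if n else v & MASK32

def parse_rich_header(data):
    """Return (entries, key, dans_offset) or None; entries are (comp_id, count) pairs."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_pos = data.rfind(b"Rich", 0x80, e_lfanew)   # marker lives between stub and PE header
    if rich_pos < 0 or rich_pos + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_pos + 4)[0]
    dwords, pos = [], rich_pos - 4
    while pos >= 0x80:                                # walk back, unmasking, until DanS
        v = struct.unpack_from("<I", data, pos)[0] ^ key
        if v == DANS:
            break
        dwords.append(v)
        pos -= 4
    else:
        return None                                   # no DanS: not a Rich header
    dwords.reverse()
    body = dwords[3:]                                 # three padding dwords follow DanS
    entries = [(body[i], body[i + 1]) for i in range(0, len(body) - 1, 2)]
    return entries, key, pos

def rich_checksum(data, dans_offset, entries):
    """Checksum over the DOS header/stub (e_lfanew excluded) plus the entries; equals the key."""
    csum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:                          # e_lfanew is not covered
            continue
        csum = (csum + rol32(data[i], i)) & MASK32
    for comp_id, count in entries:
        csum = (csum + rol32(comp_id, count)) & MASK32
    return csum

def verify_rich(data):
    """True if the stored key matches the recomputed checksum, False if not, None if absent."""
    parsed = parse_rich_header(data)
    if parsed is None:
        return None
    entries, key, dans = parsed
    return rich_checksum(data, dans, entries) == key

def build_sample(entries):
    """Constructed minimal MZ stub carrying a Rich header (demo data, not a real PE)."""
    hdr = bytearray(b"MZ") + bytearray(0x7E)          # DOS header + empty stub up to 0x80
    key = rich_checksum(bytes(hdr), len(hdr), entries)
    words = [DANS, 0, 0, 0] + [w for e in entries for w in e]
    hdr += b"".join(struct.pack("<I", w ^ key) for w in words)
    hdr += b"Rich" + struct.pack("<I", key)
    hdr += bytes(-len(hdr) % 16)                      # align the PE header
    struct.pack_into("<I", hdr, 0x3C, len(hdr))       # e_lfanew
    return bytes(hdr + b"PE\0\0")
```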
