4n4lDetector 2.7

[4n0nym0us]

This is a scan tool for Microsoft Windows executables, libraries, drivers and mdumps. Its main objective is to collect the necessary information to facilitate the identification of malicious code within the analyzed files. This tool analyzes, among other things, the PE header and its structure, the content of the sections, the different types of strings, among many other things. It also incorporates a multitude of its own ideas to recognize anomalies in the construction of files and the detection of mechanisms used by current malware.

Using the tool is simple, just configure the options in the drop-down panel on the right and drag the samples into 4n4lDetector.

Full support:
- 32 bits (8086, x86, ARMv7)
- 64 bits (AMD64, x86-64, x64, ARMv8)

Buttons code:
- Buttons colored green are action buttons that open files and folders or are used to interact with the tool's utilities.
- The buttons colored in red perform reconfigurations, deletion of data or reset of functional files.
- Purple buttons announce the activation of online interactions.
- The pink buttons are shortcut buttons that the tool uses as tabs to navigate between different types of utilities.

Shortcuts:
- [A] Main analysis tab
- [W] Analysis tab in modifiable HTML format for report (WebView)
- Viewer of strings extracted from the parsed file
- [V] Module with the Virustotal report using its API

Detections:
- PE Information
- Unusual Entry Point Position or Code (Algorithms, Anomalous Instructions... )
- Packers
- Compilations
- Binders/Joiners/Crypters
- Architectures
- Possible malicious functions
- Registry Keys
- Files Access
- Juicy Words
- Anti-VM/Sandbox/Debug
- URLs Extractor
- Payloads
- AV Services
- Duplicate Sections
- IP/Domains List
- Config RAT (Only In Memory Dumps)
- Call API By Name
- Unusual Chars In Description File (Polymorphic Patterns)
- Rich Signature Analyzer
- CheckSum Integrity Problem
- PE Integrity Check
- SQL Queries
- Emails
- Malicious resources
- PE Carve
- Exploits
- File Rules for Entry Points and more...

Console Options (Analysis to file):
- 4n4lDetector.exe Path\App.exe -GUI (Start the graphical interface parsing a file from the console)
- 4n4lDetector.exe Path\App.exe -TXT (Parse a file from the console and the output is written to a TXT file)
- 4n4lDetector.exe Path\App.exe -GREMOVE (Remove binary after scan)
- 4n4lDetector.exe Path\App.exe -HTML (Parse a file from the console and the output is written to HTML file)

Download:
4n4lDetector

 

[Bot]

Thanks for sharing this detailed information about 4n4lDetector 2.7. It seems like a comprehensive tool for analyzing potentially malicious files, with support for both 32-bit and 64-bit architectures. The various detection features and console options make it a versatile tool for different analysis scenarios. The direct download link is also appreciated.

 

[Brie]

This is a scan tool for Microsoft Windows executables, libraries, drivers and mdumps. Its main objective is to collect the necessary information to facilitate the identification of malicious code within the analyzed files. This tool analyzes, among other things, the PE header and its structure, the content of the sections, the different types of strings, among many other things. It also incorporates a multitude of its own ideas to recognize anomalies in the construction of files and the detection of mechanisms used by current malware.

Using the tool is simple, just configure the options in the drop-down panel on the right and drag the samples into 4n4lDetector.

Full support:
- 32 bits (8086, x86, ARMv7)
- 64 bits (AMD64, x86-64, x64, ARMv8)

Buttons code:
- Buttons colored green are action buttons that open files and folders or are used to interact with the tool's utilities.
- The buttons colored in red perform reconfigurations, deletion of data or reset of functional files.
- Purple buttons announce the activation of online interactions.
- The pink buttons are shortcut buttons that the tool uses as tabs to navigate between different types of utilities.

Shortcuts:
- [A] Main analysis tab
- [W] Analysis tab in modifiable HTML format for report (WebView)
- Viewer of strings extracted from the parsed file
- [V] Module with the Virustotal report using its API

Detections:
- PE Information
- Unusual Entry Point Position or Code (Algorithms, Anomalous Instructions... )
- Packers
- Compilations
- Binders/Joiners/Crypters
- Architectures
- Possible malicious functions
- Registry Keys
- Files Access
- Juicy Words
- Anti-VM/Sandbox/Debug
- URLs Extractor
- Payloads
- AV Services
- Duplicate Sections
- IP/Domains List
- Config RAT (Only In Memory Dumps)
- Call API By Name
- Unusual Chars In Description File (Polymorphic Patterns)
- Rich Signature Analyzer
- CheckSum Integrity Problem
- PE Integrity Check
- SQL Queries
- Emails
- Malicious resources
- PE Carve
- Exploits
- File Rules for Entry Points and more...

Console Options (Analysis to file):
- 4n4lDetector.exe Path\App.exe -GUI (Start the graphical interface parsing a file from the console)
- 4n4lDetector.exe Path\App.exe -TXT (Parse a file from the console and the output is written to a TXT file)
- 4n4lDetector.exe Path\App.exe -GREMOVE (Remove binary after scan)
- 4n4lDetector.exe Path\App.exe -HTML (Parse a file from the console and the output is written to HTML file)

Download:
4n4lDetector

why are there lines scratched through a lot of things?

 

[4n0nym0us]

why are there lines scratched through a lot of things?

Hello, I don't know why the publication appears like this. Some character I use must have drawn the line on this forum

 

[Kongo]

I am really not sure what I should think when reading the name of the tool.

 

[likeastar20]

Funny how Filescan.IO - Next-Gen Malware Analysis Platform finds Risepro and Monero Miner. Probably a FP.

 

[Kongo]

Funny how Filescan.IO - Next-Gen Malware Analysis Platform finds Risepro and Monero Miner. Probably a FP.

Not the only analysis platform that rates it as malicious tho.

 

[likeastar20]

Not the only analysis platform that rates it as malicious tho.

Well, he did develop his own RAT, so that's that

 

[Kongo]

Well, he did develop his own RAT, so that's that

View attachment 283263

Noticed that too. However I don't wanna make accusations as I am not a malware analyst. Maybe @struppigel or @Trident can take a look at it when they find the time.

 

[4n0nym0us]

I have been developing antivirus evasion methods as well as various hacking tools for more than 15 years. But if you find malware in 4n4lDetector files, here is more information for my arrest.

Germán Sánchez Garcés - AIUKEN CYBERSECURITY | LinkedIn

Carpe diem · Experience: AIUKEN CYBERSECURITY · Education: Autodidacta · Location: Greater Madrid Metropolitan Area · 500+ connections on LinkedIn. View Germán Sánchez Garcés’ profile on LinkedIn, a professional community of 1 billion members.

www.linkedin.com

 

[Practical Response]

A tool does not need to contain malware to become malicious. There are plenty of benign tools out there until in the wrong hands or used in malicious ways. Then adding the unknown of the developer, and the extreme amount of indicators through hybrid analysis, id be weary.

Personally I'd use Pestudio.

 

[4n0nym0us]

I also use Pestudio, it is a great tool. Greetings!

 

[Trident]

The file itself, according to the analysis linked, does not seem to possess any abilities not presented to the user (such as coming packed with malicious software). The tool provides solely what has been promised to the user.

My concerns are that this tool can be abused and is exceptionally difficult to block as the developer is unknown. A simple update of the packaging algorithms will be enough to evade majority of blocks.
The tool can be abused to extract enough information necessary to deliver a more tailored attack at a later stage.
The author develops several less-than-authoritative tools posing as “security researcher” and does not assume any liability for the same as they are developed “for security research only”.
This is very typical on the malware-as-a-service market, to claim that malicious tools are security projects.

Downloading this tool will not cause any instant, direct harm, but its development and public release is rather unethical.

 

[harlan4096]

I sent it to K. analysts yesterday and replied "No malicious...", still I would use it with caution, or definitively not use it

 

[struppigel]

I do not like publicly available or "educational" malware either but I think the discussion about this is off-topic and also not same as selling or spreading malware. There are plenty of red teamers writing malware projects because this is part of their professional work. Some decide to publicise them and whether that does more good than harm is a constant debate.

Regarding the tool, I really like the retro design and I believe it can be a useful tool for triage. What advantages are there with your tool over using CAPA and a PE parser like PEStudio? Currently this part is not clear to me but maybe there are features I just could not appreciate from the short testing phase.

Some of the patterns might need more vetting, I tested a random application of mine and got shellcode and filemon patterns, both are not part of the program.

However, I did not find the algorithm or pattern for the anti-VM/debug tricks in any of the .rules files that I can inspect via the settings. I would prefer if the way those detections occur are made clear, either by making the signature for it viewable or by making the program open source. It is in the very nature of heuristics and signature patterns that they tend to have false positives. I inspect them to estimate the likelyhood they go wrong and what a finding actually means, so I am not caught up looking for a shellcode (like in this case) that does not exist. Additionally it would be helpful to find the offset/location where this shellcode pattern was found, otherwise the detection is not useful for further analysis.

Minor thing: When I click on the .rules, they do not open unless I know that I have to choose a text editor.

Are these EP rules PEiD signatures? They seem like it.

 

[4n0nym0us]

My concerns are that this tool can be abused and is exceptionally difficult to block as the developer is unknown. A simple update of the packaging algorithms will be enough to evade majority of blocks.
The tool can be abused to extract enough information necessary to deliver a more tailored attack at a later stage.
The author develops several less-than-authoritative tools posing as “security researcher” and does not assume any liability for the same as they are developed “for security research only”.
This is very typical on the malware-as-a-service market, to claim that malicious tools are security projects.

Hello @Trident, a pleasure. My tool does not send data anywhere, currently it only downloads the signature files and the notifications section in "Settings". In that tab I send a notice to the user about how its development is going, since I have been developing this tool for 9 years, the first version is documented on my blog.
On the other hand, I have been working professionally for more than 15 years as a teacher, writer, pentester, developer, forensics and malware analyst. Within malware analysis I also develop antivirus evasion methods, which I have published since my beginnings. I have never been linked to legal problems because I have not participated in criminal actions outside of sharing my progress with the community.
--------------------
Hello @struppigel, thanks for trying the tool. It is true that to see the potential of the tool you have to spend some time on it, because it only shows the information it finds and the rest of the functionalities are hidden. If you need more information or have questions, I can explain it to you without problems. I am currently developing a next version that is even faster and more powerful.

That shellcode detection is a generic detection that one day a long time ago I incorporated into the code, luckily it doesn't usually appear hehe but it can help you be alert about what you analyze. If you search for "Filemon" in the strings tool search engine, you will probably find the word. I would not pay too much attention to that detection since that word can be found written as a set of another function. However, you can visit the 4n4lDetector rules folder to see all the rules that can be modified so you can add or delete rules. Plus there is the entire database of the Detect its easy (DIE) tool.

If you have suggestions for removing any detections outside of the rules files, let me know and I'll look into it and may remove them.

The extension of relga files is not linked to the operating system to be opened by any application. I leave that at your disposal, you just have to choose it the first time.

As for Entry Point rules, I've included rules from many different sites. Currently the content of these rules is reviewed, expanded and cleaned. It even has Shellcode detections hehe. Think that I do all this as a hobby, I am a restless person and I enjoy doing new things, greetings!

 

[4n0nym0us]

I finally removed the "Filemon" detection and the generic detection of that "Shellcode" because they could really be misleading. On the other hand, I am already developing an advanced search functionality, which includes the option to extract Offsets... among other new functionalities

Greetings from Spain!