On 11/29/2019 at 2:05 AM, kao said:
The injector uses VB P-Code, so you'll need a VB decompiler or some P-Code disassembler for analysis. It's pretty funky code using shellcode, resolving APIs by hash, and whatnot.
Or you can simply put a breakpoint on RtlDecompressBuffer and then dump the decompressed payload from memory. It's an old shitty backdoor called XpertRAT.
BTW, injector works just fine in my VMWare (32bit Win7).
Yeah, thank you for letting me know that it is indeed the XpertRAT backdoor! But I'm still confused about the fact that it doesn't work in my VMware at all...
Really shitty RAT though.
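Added example, not code from kao's post, from the thread, or from the XpertRAT sample: when the injector refuses to run in your VM, the RtlDecompressBuffer breakpoint trick is not available, but you can still pull the compressed blob out of the injector (from its resource or from the CompressedBuffer argument in a crashed-process dump) and decode it offline. This assumes the injector passes COMPRESSION_FORMAT_LZNT1 (value 2, the usual choice); if it uses one of the Xpress formats this decoder does not apply. The sample buffers below are constructed by hand to exercise the stored-chunk path, overlapping back-references, and the position-dependent token split.

```python
"""Pure-Python LZNT1 decoder for blobs an injector hands to RtlDecompressBuffer.

Added example, not taken from the thread or the XpertRAT sample. Assumes the
compression format is COMPRESSION_FORMAT_LZNT1 (= 2), which is the common case.
"""
import struct
import sys

COMPRESSION_FORMAT_LZNT1 = 0x0002   # CompressionFormat value for LZNT1


def _decompress_chunk(chunk: bytes, out: bytearray) -> None:
    """Decode one compressed LZNT1 chunk, appending its output to `out`.

    Back-references never reach before the start of the current chunk, so
    distances are measured from chunk_start.
    """
    chunk_start = len(out)
    i = 0
    while i < len(chunk):
        flags = chunk[i]            # one flag bit per following token, LSB first
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not flags & (1 << bit):
                out.append(chunk[i])    # literal byte
                i += 1
                continue
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            # The 16-bit token is split between displacement and length; the
            # split moves as the chunk output grows (4 bits of displacement
            # for the first 16 bytes, then one more bit per doubling).
            pos = len(out) - chunk_start - 1
            len_mask, disp_shift = 0xFFF, 12
            while pos >= 0x10:
                len_mask >>= 1
                disp_shift -= 1
                pos >>= 1
            length = (token & len_mask) + 3
            disp = (token >> disp_shift) + 1
            if disp > len(out) - chunk_start:
                raise ValueError("back-reference points before current chunk")
            for _ in range(length):     # byte-wise copy, so overlap is allowed
                out.append(out[-disp])


def lznt1_decompress(data: bytes) -> bytes:
    """Decode a whole LZNT1 stream (sequence of 4 KiB-max chunks)."""
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        header = struct.unpack_from("<H", data, i)[0]
        i += 2
        if header == 0:
            break                           # end-of-stream marker
        size = (header & 0x0FFF) + 1        # bytes of chunk data that follow
        chunk = data[i:i + size]
        if len(chunk) != size:
            raise ValueError("truncated LZNT1 chunk")
        i += size
        if header & 0x8000:
            _decompress_chunk(chunk, out)   # compressed chunk
        else:
            out += chunk                    # stored (uncompressed) chunk
    return bytes(out)


def looks_like_pe(payload: bytes) -> bool:
    """Quick sanity check on a recovered payload: does it start with 'MZ'?"""
    return payload[:2] == b"MZ"


# Constructed sample stream (not from any real sample):
#   chunk 1: compressed; 16 literals, then two back-references that reproduce
#            them (the second one sits past offset 16, so the split shifts)
#   chunk 2: stored; the bytes "END"
#   then the 0x0000 terminator
SAMPLE_LZNT1 = b"".join([
    b"\x16\xb0",                        # header: compressed, 23 bytes follow
    b"\x00", b"01234567",               # flags 0x00 -> 8 literals
    b"\x00", b"89abcdef",               # flags 0x00 -> 8 literals
    b"\x03", b"\x0d\xf0", b"\x1d\xf8",  # two copies: disp 16/len 16, disp 32/len 32
    b"\x02\x30", b"END",                # header: stored, 3 bytes follow
    b"\x00\x00",                        # end of stream
])

if __name__ == "__main__":
    # Usage: python lznt1_dump.py compressed.bin > payload.bin
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LZNT1
    payload = lznt1_decompress(blob)
    print(f"{len(payload)} bytes, PE header: {looks_like_pe(payload)}",
          file=sys.stderr)
    sys.stdout.buffer.write(payload)
```

If the blob came from a memory dump rather than a file, start the decode at the address that was in the CompressedBuffer argument; LZNT1 chunks are self-delimiting, so a trailing slack of zero bytes just terminates the stream.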