False Positive

xiaobingbing · November 29, 2018, 12:17pm

Maybe the file is safe.

andreipopovici · November 29, 2018, 12:26pm

Hello,
Thanks for your submission. We’ll check this matter and get back to you soon.

Best regards,
Andrei Popovici

andreipopovici · November 29, 2018, 12:39pm

Hello,

The file has been checked and it’s not a false-positive.

Best regards,

Andrei Popovici

xiaobingbing · November 29, 2018, 1:05pm

would you please check it again?It’s a rare useful tool,called VPN.

jay2007tech · December 5, 2018, 12:38am

would you please check it again?It's a rare useful tool,called VPN.

it may work, but it's defiantly PUA (Potentially UWanted) at the very lest

Source

Signature Match - THOR APT Scanner
Detection

Rule: Ebowla_Golang_EXE_Supicious_1
Ruleset: Hacktools 1
Description: Detects suspicious compiled Golang Executable with certain imports
Reference: GitHub - Genetic-Malware/Ebowla: Framework for Making Environmental Keyed Payloads (NO LONGER SUPPORTED)
Author: Florian Roth
Score: 50

if you follow the link from /oCPFmY, You’ll find this
GitHub - Genetic-Malware/Ebowla: Framework for Making Environmental Keyed Payloads (NO LONGER SUPPORTED)
My favorite part in here is

Contributing
If you have a bug report, submit an issue. Include the OS that you tested everything on, including the server (victim).

github.com

PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1

function Invoke-ReflectivePEInjection
{
<#
.SYNOPSIS

This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process,
or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints,
please lead the Notes section (GENERAL NOTES) for information on how to use them.

1.)Reflectively loads a DLL or EXE in to memory of the Powershell process.
Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process.

This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system,
this will load and execute the DLL/EXE in to memory without writing any files to disk.

2.) Reflectively load a DLL in to memory of a remote process.
As mentioned above, the DLL being reflectively loaded won't be displayed when tools are used to list DLLs of the running remote process.

This is probably most useful for injecting backdoors in SYSTEM processes in Session0. Currently, you cannot retrieve output
from the DLL. The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the

This file has been truncated. show original

edited to remove comment*