mttaggart/wtfbins

[New WTFBin]: WTFBIN Here

dakinedakine99 opened this issue · 6 comments

  • Contributor Name:
    Bumbucha
  • Application/Executable:
    SenseNdr.exe
  • WTF Behavior Description:
    Totally normal command of 4000 characters in base64. Only legitimate use of this much base64 in history.
  • Link to Documentation of Behavior:
    Documentation
  • Please provide any images for additional evidence.
    wtf

@dakinedakine99, thank you for the submission!

Before approval, I need a little more info about this! Many other components of Windows management actually use base64 PowerShell encoding (one of them is already a WTFbin!). Please decode one of these commands and provide that screenshot as well to indicate what this executable is really doing.

Don't want to include the entire command since it includes network info, but mainly regexes related to network vulnerabilities. I assume this is for transparency. Masquerading potential imo.
wtfbin

sensendr.exe "encoded text", there's no decode, so not that big of a deal, but still, wtf.

Added in c2fb3fc

@dakinedakine99 What base64 is used for sensendr.exe? Tried a whole bunch of formats (UTF-8, UTF-16) with CyberChef but cannot decrypt. I see from your screenshot you are using CyberChef, can you give me the recipe please? Thanks

Ragex0 commented

This is what I used

cyberchef_recipe
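For triaging command lines like the one in this thread, here is an added Python example (not code from the wtfbins repo, and not SenseNdr.exe's real argument data) that does the decoding step scripted rather than in CyberChef: it pulls long base64 runs out of a command line, tolerates the URL-safe alphabet and stripped padding, and tries UTF-16LE (what PowerShell's -EncodedCommand uses) before UTF-8, rejecting the CJK-looking noise that a wrong-encoding decode produces. The function names and the sample command lines are constructed for this example.

```python
import base64
import binascii
import re

# Candidate base64 runs (standard or URL-safe alphabet) of 32+ chars, padding optional.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{32,}={0,2}")

def _looks_like_text(text):
    """Accept printable, overwhelmingly ASCII output. UTF-8 bytes decoded as
    UTF-16LE often 'succeed' but yield CJK-looking noise, which this rejects."""
    if not text or not all(c.isprintable() or c in "\r\n\t" for c in text):
        return False
    return sum(c.isascii() for c in text) / len(text) >= 0.9

def decode_b64_token(token):
    """Decode one base64 token, tolerating URL-safe alphabet and stripped padding.
    Returns (encoding, text) or None when it is not base64-wrapped text."""
    std = token.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        raw = base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError):
        return None
    # PowerShell -EncodedCommand is UTF-16LE; most other tools wrap UTF-8 text.
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:  # e.g. odd byte count for UTF-16LE
            continue
        if _looks_like_text(text):
            return enc, text
    return None

def find_encoded_commands(cmdline):
    """Return [(token, encoding, decoded_text)] for each decodable base64 blob in a
    process command line (Sysmon Event ID 1, EDR process telemetry, etc.)."""
    hits = []
    for m in _B64_TOKEN.finditer(cmdline):
        decoded = decode_b64_token(m.group(0))
        if decoded:
            hits.append((m.group(0), *decoded))
    return hits

# Constructed samples (not real SenseNdr.exe arguments): a UTF-16LE PowerShell
# command, a URL-safe unpadded UTF-8 blob, and a line with no base64 at all.
PS_TOKEN = base64.b64encode("Write-Output 'triage sample'".encode("utf-16-le")).decode()
CFG_TOKEN = base64.urlsafe_b64encode(b'{"rule":"tcp/445 open","severity":"info"}').decode().rstrip("=")
SAMPLE_CMDLINES = [f"powershell.exe -NoP -EncodedCommand {PS_TOKEN}",
                   f'SenseNdr.exe "{CFG_TOKEN}"', "SenseNdr.exe --help"]
```

If a blob still decodes to nothing readable under both encodings, it is likely not plain text (compressed, encrypted or binary), which is itself a useful triage signal.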