
How was the payload created?

Open stuxve opened this issue 10 months ago • 2 comments

I am using a bin created from an exe with donut and it is prompting:

"Cannot read payload!"

stuxve avatar Apr 09 '25 13:04 stuxve

Hi @stuxve! It seems like the payload that you are trying to supply is not a valid PE, and this loader works for PEs only. Are you sure it is a valid PE? Maybe it was shellcodified with the stub being appended at the beginning? Does it run independently, or can it be loaded by PE editors such as PE-bear?

hasherezade avatar Apr 10 '25 21:04 hasherezade

It is a beacon from sliver C2, the exe should be running fine. Maybe the injected exe is a much larger file than the targeted exe?

stuxve avatar Apr 11 '25 12:04 stuxve