Netwire RAT: Facebook Password recovery.exe

显示全部楼层 · 发表于 2017-8-8 16:07:45

VT: https://www.virustotal.com/en/file/484978666d220e03c1196e58c9e31d2fec6cbf197228145d81e449c361c817b1/analysis/1502150467/

TrendMicro OfficeScan missed

显示全部楼层 · 发表于 2017-8-8 16:15:05

ESS

Facebook Password recovery.exe - MSIL/Injector.SRP 特洛伊木马的变种 - 通过删除清除

显示全部楼层 · 发表于 2017-8-8 16:17:37

基本信息
文件名称：
Facebook Password recovery.rar
MD5： 91c35791d2f71a717c32c7935517e02b
文件类型： Rar
上传时间： 2017-08-08 16:14:35
出品公司： N/A
版本： N/A
壳或编译器信息： COMPILER:Microsoft Visual C# / Basic .NET [Overlay]
子文件信息：
Facebook Password recovery.exedumpFile / d41d8cd98f00b204e9800998ecf8427e / Unknown
Facebook Password recovery.exe / 551460b41f97862801edb2534a60cbe5 / EXE
关键行为
行为描述：跨进程写入数据
详情信息：
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svcost.exe, WriteAddress = 0x00400000, Size = 0x00000400 TargetPID = 0x00000b48
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svcost.exe, WriteAddress = 0x00414000, Size = 0x00002400 TargetPID = 0x00000b48
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svcost.exe, WriteAddress = 0x0041e000, Size = 0x00001200 TargetPID = 0x00000b48
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svcost.exe, WriteAddress = 0x7ffde008, Size = 0x00000004 TargetPID = 0x00000b48
行为描述：设置线程上下文
详情信息：
C:\Documents and Settings\Administrator\Local Settings\%temp%\996E_unzip\Facebook Password recovery.exe
行为描述：获取TickCount值
详情信息：
TickCount = 278546, SleepMilliseconds = 60000.
TickCount = 278562, SleepMilliseconds = 60000.
TickCount = 278609, SleepMilliseconds = 60000.
TickCount = 278625, SleepMilliseconds = 60000.
TickCount = 278640, SleepMilliseconds = 60000.
TickCount = 278671, SleepMilliseconds = 60000.
TickCount = 278687, SleepMilliseconds = 60000.
TickCount = 278718, SleepMilliseconds = 60000.
TickCount = 278734, SleepMilliseconds = 60000.
TickCount = 278781, SleepMilliseconds = 60000.
TickCount = 229859, SleepMilliseconds = 10000.
TickCount = 221953, SleepMilliseconds = 2000.
TickCount = 280078, SleepMilliseconds = 60000.
TickCount = 280109, SleepMilliseconds = 60000.
TickCount = 280125, SleepMilliseconds = 60000.
行为描述：跨进程写代码段数据
详情信息：
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svcost.exe, WriteAddress = 0x00401000, Size = 0x00012600 TargetPID = 0x00000b48
行为描述：设置特殊文件夹属性
详情信息：
C:\Documents and Settings\Administrator\AppData\Roaming\Windows Audio
行为描述：直接获取CPU时钟
详情信息：
EAX = 0xd099b657, EDX = 0x000000b4
EAX = 0xd099b6a3, EDX = 0x000000b4
EAX = 0xd099b6ef, EDX = 0x000000b4
EAX = 0xd099b73b, EDX = 0x000000b4
EAX = 0xe07552c1, EDX = 0x000000b4
EAX = 0xe075530d, EDX = 0x000000b4
EAX = 0xe0755359, EDX = 0x000000b4
EAX = 0xe07553a5, EDX = 0x000000b4
EAX = 0x25120ac8, EDX = 0x000000b6
EAX = 0x01943a58, EDX = 0x000000b7
进程行为
行为描述：隐藏窗口创建进程
详情信息：
ImagePath = , CmdLine = "cmd.exe"
ImagePath = , CmdLine = C:\Documents and Settings\Administrator\AppData\Roaming\Windows Audio\MSASCuiL.exe.bat
行为描述：创建进程
详情信息：
[0x00000afc]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "cmd.exe"
[0x00000b24]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\Windows Audio\MSASCuiL.exe.lnk" /f
行为描述：创建新文件进程
详情信息：
[0x00000b48]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svcost.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svcost.exe"
行为描述：跨进程写入数据
详情信息：
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svcost.exe, WriteAddress = 0x00400000, Size = 0x00000400 TargetPID = 0x00000b48
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svcost.exe, WriteAddress = 0x00414000, Size = 0x00002400 TargetPID = 0x00000b48
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svcost.exe, WriteAddress = 0x0041e000, Size = 0x00001200 TargetPID = 0x00000b48
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svcost.exe, WriteAddress = 0x7ffde008, Size = 0x00000004 TargetPID = 0x00000b48
行为描述：设置线程上下文
详情信息：
C:\Documents and Settings\Administrator\Local Settings\%temp%\996E_unzip\Facebook Password recovery.exe
行为描述：枚举进程
详情信息：
N/A
行为描述：跨进程写代码段数据
详情信息：
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svcost.exe, WriteAddress = 0x00401000, Size = 0x00012600 TargetPID = 0x00000b48
行为描述：创建本地线程
详情信息：
TargetProcess: Facebook Password recovery.exe, InheritedFromPID = 2000, ProcessID = 2744, ThreadID = 2760, StartAddress = 79F0237F, Parameter = 00000000
TargetProcess: Facebook Password recovery.exe, InheritedFromPID = 2000, ProcessID = 2744, ThreadID = 2764, StartAddress = 79F91FCF, Parameter = 001A5948
TargetProcess: Facebook Password recovery.exe, InheritedFromPID = 2000, ProcessID = 2744, ThreadID = 2820, StartAddress = 77E56C7D, Parameter = 001E8110
TargetProcess: Facebook Password recovery.exe, InheritedFromPID = 2000, ProcessID = 2744, ThreadID = 2824, StartAddress = 769AE43B, Parameter = 001E2E10
TargetProcess: Facebook Password recovery.exe, InheritedFromPID = 2000, ProcessID = 2744, ThreadID = 2896, StartAddress = 79F91FCF, Parameter = 0020BF88
TargetProcess: svcost.exe, InheritedFromPID = 2744, ProcessID = 2888, ThreadID = 2900, StartAddress = 77C0A341, Parameter = 00903C80
TargetProcess: Facebook Password recovery.exe, InheritedFromPID = 2000, ProcessID = 2744, ThreadID = 2904, StartAddress = 79FDA29C, Parameter = 00000000
文件行为
行为描述：创建文件
详情信息：
C:\Documents
C:\Documents and Settings\Administrator\Local Settings\Temp\svcost.exe
C:\Documents and Settings\Administrator\AppData\Roaming\Windows Audio\MSASCuiL.exe.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\.Identifier
行为描述：创建可执行文件
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temp\svcost.exe
行为描述：覆盖已有文件
详情信息：
C:\Documents
行为描述：复制文件
详情信息：
C:\Documents and Settings\Administrator\Local Settings\%temp%\996E_unzip\Facebook Password recovery.exe ---> C:\Documents and Settings\Administrator\Local Settings\Temp\Windows Audio\MSASCuiL.exe.jpg
C:\Documents and Settings\Administrator\Local Settings\%temp%\996E_unzip\Facebook Password recovery.exe ---> C:\Documents and Settings\Administrator\Application Data\Windows Audio\MSASCuiL.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.5\vbc.exe ---> C:\Documents and Settings\Administrator\Local Settings\Temp\svcost.exe
行为描述：查找文件
详情信息：
FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS
FileName = C:\WINDOWS\WinSxS
FileName = C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
FileName = C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E_unzip
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E_unzip\Facebook Password recovery.exe
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E_unzip\Facebook Password recovery.INI
FileName = C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
行为描述：修改BAT脚本文件
详情信息：
C:\Documents and Settings\Administrator\AppData\Roaming\Windows Audio\MSASCuiL.exe.bat ---> Offset = 0
C:\Documents and Settings\Administrator\AppData\Roaming\Windows Audio\MSASCuiL.exe.bat ---> Offset = 7
C:\Documents and Settings\Administrator\AppData\Roaming\Windows Audio\MSASCuiL.exe.bat ---> Offset = 9
C:\Documents and Settings\Administrator\AppData\Roaming\Windows Audio\MSASCuiL.exe.bat ---> Offset = 22
C:\Documents and Settings\Administrator\AppData\Roaming\Windows Audio\MSASCuiL.exe.bat ---> Offset = 24
行为描述：设置特殊文件夹属性
详情信息：
C:\Documents and Settings\Administrator\AppData\Roaming\Windows Audio
行为描述：修改文件内容
详情信息：
C:\Documents ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\svcost.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\svcost.exe ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\svcost.exe ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\svcost.exe ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\svcost.exe ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\Temp\.Identifier ---> Offset = 0
网络行为
行为描述：建立到一个指定的套接字连接
详情信息：
URL: ra****et, IP: **.133.40.**:54984, SOCKET = 0x00000078
行为描述：按名称获取主机地址
详情信息：
gethostbyname: ra****et
注册表行为
行为描述：修改注册表
详情信息：
\REGISTRY\USER\S-*\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
其他行为
行为描述：检测自身是否被调试
详情信息：
IsDebuggerPresent
行为描述：创建互斥体
详情信息：
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
hJqwLUYQ
行为描述：创建事件对象
详情信息：
EventName = Global\CorDBIPCSetupSyncEvent_2744
EventName = Global\crypt32LogoffEvent
行为描述：打开互斥体
详情信息：
ShimCacheMutex
Global\CLR_CASOFF_MUTEX
行为描述：获取TickCount值
详情信息：
TickCount = 278546, SleepMilliseconds = 60000.
TickCount = 278562, SleepMilliseconds = 60000.
TickCount = 278609, SleepMilliseconds = 60000.
TickCount = 278625, SleepMilliseconds = 60000.
TickCount = 278640, SleepMilliseconds = 60000.
TickCount = 278671, SleepMilliseconds = 60000.
TickCount = 278687, SleepMilliseconds = 60000.
TickCount = 278718, SleepMilliseconds = 60000.
TickCount = 278734, SleepMilliseconds = 60000.
TickCount = 278781, SleepMilliseconds = 60000.
TickCount = 229859, SleepMilliseconds = 10000.
TickCount = 221953, SleepMilliseconds = 2000.
TickCount = 280078, SleepMilliseconds = 60000.
TickCount = 280109, SleepMilliseconds = 60000.
TickCount = 280125, SleepMilliseconds = 60000.
行为描述：调整进程token权限
详情信息：
SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
行为描述：打开事件
详情信息：
Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
MSFT.VSA.COM.DISABLE.2744
MSFT.VSA.IEC.STATUS.6c736db0
_fCanRegisterWithShellService
Global\crypt32LogoffEvent
行为描述：可执行文件签名信息
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temp\svcost.exe(签名验证: 通过)
行为描述：调用Sleep函数
详情信息：
[1]: MilliSeconds = 60000.
[3]: MilliSeconds = 100.
[2]: MilliSeconds = 2000.
[4]: MilliSeconds = 10000.
[5]: MilliSeconds = 2000.
[6]: MilliSeconds = 60000.
[7]: MilliSeconds = -1.
[8]: MilliSeconds = 20.
行为描述：可执行文件MD5
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temp\svcost.exe ---> fde05b629ccc93b8ba55167750bfe5a9
行为描述：直接获取CPU时钟
详情信息：
EAX = 0xd099b657, EDX = 0x000000b4
EAX = 0xd099b6a3, EDX = 0x000000b4
EAX = 0xd099b6ef, EDX = 0x000000b4
EAX = 0xd099b73b, EDX = 0x000000b4
EAX = 0xe07552c1, EDX = 0x000000b4
EAX = 0xe075530d, EDX = 0x000000b4
EAX = 0xe0755359, EDX = 0x000000b4
EAX = 0xe07553a5, EDX = 0x000000b4
EAX = 0x25120ac8, EDX = 0x000000b6
EAX = 0x01943a58, EDX = 0x000000b7
进程树
facebook password recovery.exe (PID: 0x00000ab8)
svcost.exe (PID: 0x00000b48)
cmd.exe (PID: 0x00000afc)
reg.exe (PID: 0x00000b24)

显示全部楼层 · 发表于 2017-8-8 16:36:28

Kaspersky
08.08.2017 16.35.57;Detected object (file) deleted;C:\Users\Ivan\Desktop\Malware\Facebook Password recovery.exe;C:\Users\Ivan\Desktop\Malware\Facebook Password recovery.exe;HEUR:Trojan.MSIL.Generic;Trojan program;08/08/2017 16:35:57

显示全部楼层 · 发表于 2017-8-8 16:37:28

卡巴

显示全部楼层 · 发表于 2017-8-8 16:58:24

安天公有云Kill

显示全部楼层 · 发表于 2017-8-8 17:29:44

360

显示全部楼层 · 发表于 2017-8-8 18:29:21

njrat吧

显示全部楼层 · 发表于 2017-8-8 19:35:50

WD

Trojan : MSIL/Upadter.A

显示全部楼层 · 发表于 2017-8-8 19:43:06

双击趋势秒

[病毒样本] Netwire RAT: Facebook Password recovery.exe

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源