亲们，麻烦给鉴定下这个文件，外国人给我发的

85time

链接：https://share.weiyun.com/d8a0afcb71babb67455537801a1fc0fb （密码：Woa36b）
文字内容：（如图所示）

Dear Sir/Madam,

We have order request as per attached. Kindly provide your best competitive price with earliest delivery time.

Please advise weight details.

Thanks & Best Regards,

Casmiro Fernandes
Procurement Specialist, Assoc.

235/5 Moo 2 Lopburi-Ramate Road
Songkhla, 90100 Thailand
Office: +66 74 302 273
Mobile: +66 63 905 0473
VoIP: 88 607 2273

翻译内容：

亲爱的先生/女士，
我们有订单要求。请提供最优惠的价格和最早交货时间。
请告知重量细节。
谢谢问候，
卡斯米罗费尔南德斯
采购专员、副
235 / 5华富里有MoO 2路
宋卡，泰国90100
办公室：+ 66 74 302 273
移动电话：66 63 905 0473
网络电话：88 607 2273（附件见微云链接）

zst470396853

360


双击  卡巴PDM  kill

ewader

压缩包vt:4个杀软报毒
https://www.virustotal.com/#/fil ... 4828e9219/detection

解压后 趋势直接报毒了

Dolby123

EAM

2017/9/26 12:54:03
行为监控检测到 可疑行为 "CodeInjector" 来自于 "C:\Users\test001\Desktop\Products Orders - 1HJ1239201709.exe"

WCMS

VT 40/64 https://www.virustotal.com/#/fil ... 0a722bb8b/detection 哈勃未发现风险 https://habo.qq.com/file/showdetail?pk=ADAGYF1oB2cIPVs%2B基本信息

文件名称：	Products Orders - 1HJ1239201709.exe
MD5：	6df63a34e5182cdc8c7a7b44a83114bc
文件类型：	EXE
上传时间：	2017-09-26 12:54:10
出品公司：	N/A
版本：	N/A
壳或编译器信息：	COMPILER:Borland Delphi 6.0 - 7.0

关键行为

行为描述：	获取TickCount值
详情信息：	TickCount = 220877, SleepMilliseconds = 18. TickCount = 220893, SleepMilliseconds = 18. TickCount = 221656, SleepMilliseconds = 500. TickCount = 221671, SleepMilliseconds = 500. TickCount = 231390, SleepMilliseconds = 10000. TickCount = 222203, SleepMilliseconds = 500. TickCount = 232015, SleepMilliseconds = 10000. TickCount = 222828, SleepMilliseconds = 500. TickCount = 232640, SleepMilliseconds = 10000. TickCount = 232953, SleepMilliseconds = 10000. TickCount = 233265, SleepMilliseconds = 10000. TickCount = 233578, SleepMilliseconds = 10000. TickCount = 233890, SleepMilliseconds = 10000. TickCount = 234203, SleepMilliseconds = 10000. TickCount = 234515, SleepMilliseconds = 10000.
行为描述：	直接调用系统关键API
详情信息：	Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0047937B Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0047B813 Index = 0x000000CE, Name: NtResumeThread, Instruction Address = 0x0047741B
行为描述：	通过内存映射跨进程修改内存
详情信息：	TargetProcess = %temp%\****.exe
行为描述：	设置消息钩子
详情信息：	C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
行为描述：	设置线程上下文
详情信息：	C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe

进程行为

行为描述：	创建进程
详情信息：	[0x00000ad0]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe"
行为描述：	创建本地线程
详情信息：	TargetProcess: %temp%\****.exe, InheritedFromPID = 2628, ProcessID = 2768, ThreadID = 2776, StartAddress = 77DC845A, Parameter = 00000000 TargetProcess: %temp%\****.exe, InheritedFromPID = 2628, ProcessID = 2768, ThreadID = 2780, StartAddress = 00403BAB, Parameter = 00418728 TargetProcess: %temp%\****.exe, InheritedFromPID = 2628, ProcessID = 2768, ThreadID = 2784, StartAddress = 00403B8B, Parameter = 00418728 TargetProcess: %temp%\****.exe, InheritedFromPID = 2628, ProcessID = 2768, ThreadID = 2788, StartAddress = 00403BBA, Parameter = 00418728
行为描述：	通过内存映射跨进程修改内存
详情信息：	TargetProcess = %temp%\****.exe
行为描述：	枚举进程
详情信息：	N/A
行为描述：	设置线程上下文
详情信息：	C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe

文件行为

行为描述：	创建文件
详情信息：	C:\Documents and Settings\Administrator\Application Data\remcos\logs.dat
行为描述：	修改文件内容
详情信息：	C:\Documents and Settings\Administrator\Application Data\remcos\logs.dat ---> Offset = -1 C:\Documents and Settings\Administrator\Application Data\remcos\logs.dat ---> Offset = 0
行为描述：	查找文件
详情信息：	FileName = C:\Documents and Settings\Administrator\Local Settings\Temp FileName = C:\Documents and Settings\Administrator\Local Settings\%temp% FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe

网络行为

行为描述：	建立到一个指定的套接字连接
详情信息：	IP: **.10.124.**:65531, SOCKET = 0x000000ec

注册表行为

行为描述：	修改注册表
详情信息：	\REGISTRY\USER\S-*\Software\MY World-XPTCIT\EXEpath

其他行为

行为描述：	创建互斥体
详情信息：	CTF.LBES.MutexDefaultS-* CTF.Compart.MutexDefaultS-* CTF.Asm.MutexDefaultS-* CTF.Layouts.MutexDefaultS-* CTF.TMD.MutexDefaultS-* CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-* MY World-XPTCIT
行为描述：	创建事件对象
详情信息：	EventName = DINPUTWINMM
行为描述：	直接调用系统关键API
详情信息：	Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0047937B Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0047B813 Index = 0x000000CE, Name: NtResumeThread, Instruction Address = 0x0047741B
行为描述：	获取TickCount值
详情信息：	TickCount = 220877, SleepMilliseconds = 18. TickCount = 220893, SleepMilliseconds = 18. TickCount = 221656, SleepMilliseconds = 500. TickCount = 221671, SleepMilliseconds = 500. TickCount = 231390, SleepMilliseconds = 10000. TickCount = 222203, SleepMilliseconds = 500. TickCount = 232015, SleepMilliseconds = 10000. TickCount = 222828, SleepMilliseconds = 500. TickCount = 232640, SleepMilliseconds = 10000. TickCount = 232953, SleepMilliseconds = 10000. TickCount = 233265, SleepMilliseconds = 10000. TickCount = 233578, SleepMilliseconds = 10000. TickCount = 233890, SleepMilliseconds = 10000. TickCount = 234203, SleepMilliseconds = 10000. TickCount = 234515, SleepMilliseconds = 10000.
行为描述：	获取光标位置
详情信息：	CursorPos = (80,18468), SleepMilliseconds = 162. CursorPos = (6373,26501), SleepMilliseconds = 162. CursorPos = (19208,15725), SleepMilliseconds = 162. CursorPos = (11517,29359), SleepMilliseconds = 162. CursorPos = (27001,24465), SleepMilliseconds = 162. CursorPos = (5744,28146), SleepMilliseconds = 162.
行为描述：	打开事件
详情信息：	HookSwitchHookEnabledEvent \SECURITY\LSA_AUTHENTICATION_INITIALIZED
行为描述：	调用Sleep函数
详情信息：	[1]: MilliSeconds = 18. [2]: MilliSeconds = 162. [3]: MilliSeconds = 18. [4]: MilliSeconds = 162. [5]: MilliSeconds = 18. [6]: MilliSeconds = 162. [7]: MilliSeconds = 18. [8]: MilliSeconds = 162. [9]: MilliSeconds = 18. [10]: MilliSeconds = 162. [1]: MilliSeconds = 10000. [2]: MilliSeconds = 500. [3]: MilliSeconds = 10000. [4]: MilliSeconds = 500. [5]: MilliSeconds = 500.
行为描述：	打开互斥体
详情信息：	ShimCacheMutex DBWinMutex Remcos_Mutex_Inj

进程树

• [url=]****.exe (PID: 0x00000a44)[/url]
  
  • [url=]****.exe (PID: 0x00000ad0)[/url]
    
    
  
  

和泉纱雾

卡巴


PDM拦截

自动回复

入库

pal家族

Thank you for contacting Kaspersky Lab

The files have been scanned in automatic mode.

The attached files contain malicious code. The information about the code will be added to the antivirus databases:
Products Orders - 1HJ1239201709.exe - Backdoor.Win32.Agent.tgbo

We will thoroughly analyze the files you sent. If the result of the analysis is different from this automatic scan result, you will be notified via email.

This is an automatically generated message. Please do not reply to it.

Anti-Virus Lab, Kaspersky Lab HQ

WCMS

和泉纱雾 发表于 2017-9-26 12:58
卡巴

这个PDM报法是云拉黑还是主防特征？

zst470396853

WCMS 发表于 2017-9-26 13:04
这个PDM报法是云拉黑还是主防特征？

应该是  主防

心醉咖啡

管家扫描miss