Detection ratio: 4 / 55 Angler Exploit Kit Website 21 加密勒索挂马

显示全部楼层 · 发表于 2016-2-22 08:41:46

本帖最后由墨家小子于 2016-2-22 08:45 编辑

SHA256: 0499b277dd09ecda7b079b25fae34bfb24a496b9f3e7bb9632ca74d25b2f2a8a
File name: F052.tmp.exe
Detection ratio: 4 / 55
Analysis date: 2016-02-22 00:37:06 UTC ( 0 minutes ago )
https://www.virustotal.com/en/file/0499b277dd09ecda7b079b25fae34bfb24a496b9f3e7bb9632ca74d25b2f2a8a/analysis/1456101426/

AhnLab-V3 Trojan/Win32.Teslacrypt 20160221
Qihoo-360 HEUR/QVM07.1.Malware.Gen 20160222
Rising PE:Trojan.Ransom-Tesla!1.A322 [F] 20160221
Tencent Win32.Trojan.Bp-ransomware.Ejqz 20160222

IPS拦截：
2016/2/22 8:35:31,高,阻止了 localhost 的入侵企图,已阻止,不需要操作,Web Attack: Angler Exploit Kit Website 21,不需要操作,不需要操作,"localhost (127.0.0.1, XXXX)",quickminded.korconnection.com/civis/search.php?keywords=7u7h&fid0=71j16229ge7l83922402m94,"localhost (127.0.0.1, 7XX7)",localhost (127.0.0.1),"TCP, socks",

显示全部楼层 · 发表于 2016-2-22 08:51:04

BD扫描miss，ATC杀

显示全部楼层 · 发表于 2016-2-22 09:23:05

卡巴杀

22.02.2016 09.18.46;恶意程序已删除;C:\Users\Administrator\Downloads\F052.tmp.exe;C:\Users\Administrator\Downloads\F052.tmp.exe;UDS:DangerousPattern.Multi.Generic;Dottiness Lynching Gatherer;C:\Users\Administrator\Downloads\F052.tmp.exe
22.02.2016 09.18.44;已阻止应用程序启动;Dottiness Lynching Gatherer;Dottiness Lynching Gatherer;C:\Users\Administrator\Downloads\F052.tmp.exe;02/22/2016 09:18:44
22.02.2016 09.18.44;应用程序已添加至组不信任组;Dottiness Lynching Gatherer;Dottiness Lynching Gatherer;C:\Users\Administrator\downloads\F052.tmp.exe;02/22/2016 09:18:44
22.02.2016 09.18.44;检测到恶意程序;C:\Users\Administrator\Downloads\F052.tmp.exe;C:\Users\Administrator\Downloads\F052.tmp.exe;UDS:DangerousPattern.Multi.Generic;Dottiness Lynching Gatherer;C:\Users\Administrator\Downloads\F052.tmp.exe
22.02.2016 09.18.43;已阻止应用程序启动;Dottiness Lynching Gatherer;Dottiness Lynching Gatherer;C:\Users\Administrator\Downloads\F052.tmp.exe;02/22/2016 09:18:43
22.02.2016 09.18.43;应用程序已添加至组不信任组;Dottiness Lynching Gatherer;Dottiness Lynching Gatherer;C:\Users\Administrator\downloads\F052.tmp.exe;02/22/2016 09:18:43
22.02.2016 09.18.11;恶意程序已删除;C:\Users\Administrator\Downloads\615D.tmp.exe;C:\Users\Administrator\Downloads\615D.tmp.exe;UDS:DangerousPattern.Multi.Generic;Dottiness Lynching Gatherer;C:\Users\Administrator\Downloads\615D.tmp.exe
22.02.2016 09.18.08;已阻止应用程序启动;Dottiness Lynching Gatherer;Dottiness Lynching Gatherer;C:\Users\Administrator\Downloads\615D.tmp.exe;02/22/2016 09:18:08
22.02.2016 09.18.08;应用程序已添加至组不信任组;Dottiness Lynching Gatherer;Dottiness Lynching Gatherer;C:\Users\Administrator\downloads\615D.tmp.exe;02/22/2016 09:18:08
22.02.2016 09.18.07;检测到恶意程序;C:\Users\Administrator\Downloads\615D.tmp.exe;C:\Users\Administrator\Downloads\615D.tmp.exe;UDS:DangerousPattern.Multi.Generic;Dottiness Lynching Gatherer;C:\Users\Administrator\Downloads\615D.tmp.exe
22.02.2016 09.18.07;已阻止应用程序启动;Dottiness Lynching Gatherer;Dottiness Lynching Gatherer;C:\Users\Administrator\Downloads\615D.tmp.exe;02/22/2016 09:18:07
22.02.2016 09.18.07;应用程序已添加至组不信任组;Dottiness Lynching Gatherer;Dottiness Lynching Gatherer;C:\Users\Administrator\downloads\615D.tmp.exe;02/22/2016 09:18:07

显示全部楼层 · 发表于 2016-2-22 09:26:25

GD Behavior Monitor干掉

然后又弹出这个窗口，感觉那是干掉了衍生物

[mw_shl_code=css,true]AVA 25.5612
GD 25.6402

*** Process ***

Process: 2568
File name: f052.tmp.exe
Path: c:\users\administrator\desktop\special files\f052.tmp.exe

Publisher: Unknown publisher
Creation date: 02/22/16 01:21:55
Modification date: 02/22/16 00:26:18

Started by: f052.tmp.exe
Publisher: Unknown publisher

*** Actions ***

The program file is misleadingly named to deceive the user (e.g. 'Image.jpg.exe')
The program is trying to create a startup item to launch a program automatically at system startup.
The program was modified in memory.
The program has created or manipulated an executable file.
The program can be used to execute any program code.
The program created a copy of itself.
A suspicious location is referenced in startup.

*** Quarantine ***

The following files were moved into quarantine:
C:\Users\Administrator\Desktop\Special files\F052.tmp.exe
c:\sandbox\administrator\suspected\drive\c\windows\sxdkumcqdtcn.exe
c:\users\administrator\desktop\special files\f052.tmp.exe

The following registry entries were deleted:

\registry\user\sandbox_administrator_suspected\machine\software\microsoft\windows\currentversion\policies\system || enablelinkedconnections
\registry\user\sandbox_administrator_suspected\user\current\software\microsoft\windows\currentversion\run || hksfmrurhlol

YGLxe3LPwHKyYmJystBycnJyYmLgcrIrJ+dykg1ncoJiYnKCcCgnJycnJganQicpdHJCJwi3cpJycnKCgC4nKyYmJwu5YvF7cvyQLScL6XKSYmJykqAsJycmJicHnHKCcnJycsAqJ6ctJiYnpw38cnJycmJi0CgnJyYmJwftcnJiYnJy8CgnJyYmJwfPcnJycmJicKdysnDIcnJiYnJycLqS4VdjtsKS4VdjtnKS4VdjtrJw23JycnJiYnD8coJiYnKCcI5ycttwnnJyKCeHYmKAlnKSAAA
Rules version: 5.0.83
OS: Windows 10.0 Service Pack 0.0 Build: 10240 - Workstation 32bit OS
dll version: 55982

"C:\Users\Administrator\Desktop\Special files\F052.tmp.exe"
MD5: 26C790987FDF568794C2779DBBC674B4
"C:\Users\Administrator\Desktop\Special files\F052.tmp.exe"
MD5: 26C790987FDF568794C2779DBBC674B4
[/mw_shl_code]

显示全部楼层 · 发表于 2016-2-22 09:43:50

百度

显示全部楼层 · 发表于 2016-2-22 10:08:23

共和时代发表于 2016-2-22 09:43
百度

扫描不杀吗？

显示全部楼层 · 发表于 2016-2-22 10:11:17

nick20010117 发表于 2016-2-22 10:08
扫描不杀吗？

没扫直接双击了

显示全部楼层 · 发表于 2016-2-22 10:20:18

Norton

显示全部楼层 · 发表于 2016-2-22 10:32:35

毒霸

显示全部楼层 · 发表于 2016-2-22 12:01:21

可疑文件： F052.tmp.exe

风险：高
路径： C:\Users\Administrator\Desktop\F052.tmp\F052.tmp.exe

详细信息
• F052.tmp.exe 程序试图修改 Windows System 目录。此文件 C:\WINDOWS\MAUBCVGRWXUR.EXE 由该进程 created。
• F052.tmp.exe 程序试图随机复制 C:\WINDOWS\MAUBCVGRWXUR.EXE。

修改的文件
• C:\Users\Administrator\Desktop\F052.tmp\F052.tmp.exe
• C:\WINDOWS\MAUBCVGRWXUR.EXE (created)

[可疑文件] Detection ratio: 4 / 55 Angler Exploit Kit Website 21 加密勒索挂马

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

浏览过的版块