【03.29】#VirusPackage 9x

dongwenqi

191196846 发表于 2018-3-29 21:07
上报试试

ESET

已经上报了

230f4

bitdefender
(7).exe Trojan.GenericKD.30493380
(8).exe Gen:Suspicious.Cloud.1.gu0@aOrMNIei
(9).exe Gen:Suspicious.Cloud.1.gC0@aaWFMHoi
(1).exe Trojan.GenericKD.30487375
(2).exe Trojan.GenericKD.30485709
URL剩余

http://briandswings.com/98yuhGF??xhHeMKfxdT=xhHeMKfxdT

月影天心

ELOHIM 发表于 2018-3-29 20:54
9个文件，8杀，剩下两个，多出来那个是什么啊？

我这儿WD还剩下2、3、4、6，怎么会杀掉8个？

欧阳宣

avira

链接拦截3x，其余右键全部检测
样本包解压后剩余45679，其他右键全部检测

1. 03/29/2018,10-46-13        [INFO]        FP reports status 'NO False Positive' for file 'e:\virus\virus9x 0329\(4).exe'
   
2. 03/29/2018,10-46-13        [INFO]        The file 'e:\virus\virus9x 0329\(4).exe' was scanned with the Protection Cloud. SHA256 = 64376EE88C462E518EFD8804AA5B35C445110944578F1F5C6291538C2FC812B0
   
3. 03/29/2018,10-46-13        [INFO]        e:\virus\virus9x 0329\(4).exe
   
4. 03/29/2018,10-46-13        [INFO]        [DETECTION] file contains 'TR/Dropper.MSIL.64376e'
   
5. 03/29/2018,10-46-13        [INFO]        FP reports status 'NO False Positive' for file 'e:\virus\virus9x 0329\(5).exe'
   
6. 03/29/2018,10-46-13        [INFO]        The file 'e:\virus\virus9x 0329\(5).exe' was scanned with the Protection Cloud. SHA256 = 5C16A23DCB92BD9DFA23315AA65F3FF3B29EDDF1D7B595158E9CC495EADA9F48
   
7. 03/29/2018,10-46-13        [INFO]        e:\virus\virus9x 0329\(5).exe
   
8. 03/29/2018,10-46-13        [INFO]        [DETECTION] file contains 'TR/AD.Sagonaire.5c16a2'
   
9. 03/29/2018,10-46-14        [INFO]        FP reports status 'NO False Positive' for file 'e:\virus\virus9x 0329\(6).exe'
   
10. 03/29/2018,10-46-14        [INFO]        The file 'e:\virus\virus9x 0329\(6).exe' was scanned with the Protection Cloud. SHA256 = 7A4101178ACCEC8DC269942DDC5F7048B2C1A925FBD2AFE15CD1CB21AD9D6B81
    
11. 03/29/2018,10-46-14        [INFO]        AUC reports URL: http://briandswings.com/98yuhgf??xhhemkfxdt=xhhemkfxdt as 'Safe'.
    
12. 03/29/2018,10-46-14        [INFO]        e:\virus\virus9x 0329\(6).exe
    
13. 03/29/2018,10-46-14        [INFO]        [DETECTION] file contains 'TR/Spy.Nutrino.A'
    
14. 03/29/2018,10-46-14        [INFO]        FP reports status 'NO False Positive' for file 'e:\virus\virus9x 0329\(7).exe'
    
15. 03/29/2018,10-46-14        [INFO]        The file 'e:\virus\virus9x 0329\(7).exe' was scanned with the Protection Cloud. SHA256 = 5630E54E14F2A42FEAC50F07C4D00D6FB567F24B1C45B263AC6FE95F5B04802B
    
16. 03/29/2018,10-46-14        [INFO]        e:\virus\virus9x 0329\(7).exe
    
17. 03/29/2018,10-46-14        [INFO]        [DETECTION] file contains 'TR/AD.Emotet.B'
    
18. 03/29/2018,10-46-15        [INFO]        FP reports status 'NO False Positive' for file 'e:\virus\virus9x 0329\(9).exe'
    
19. 03/29/2018,10-46-15        [INFO]        The file 'e:\virus\virus9x 0329\(9).exe' was scanned with the Protection Cloud. SHA256 = 03CB2275A13861C5882CBD4E39C5B6234B5048FA65CE11EEB82278377A65DF43
    
20. 03/29/2018,10-46-15        [INFO]        e:\virus\virus9x 0329\(9).exe
    
21. 03/29/2018,10-46-15        [INFO]        [DETECTION] file contains 'HEUR/APC'
    
22. 
    
23. 3/29/2018,10:42:16 [INFO] FP reports status 'NO False Positive' for file 'E:\virus\Virus9x 0329\(8).exe'
    
24. 3/29/2018,10:42:16 [DETECTION] Is the TR/Crypt.Xpack.ryydf Trojan!
    
25.   E:\virus\Virus9x 0329\(8).exe
    
26. 3/29/2018,10:42:16 [INFO] FP reports status 'NO False Positive' for file 'E:\virus\Virus9x 0329\(3).exe'
    
27. 3/29/2018,10:42:16 [DETECTION] Is the TR/Dropper.VB.updpm Trojan!
    
28.   E:\virus\Virus9x 0329\(3).exe
    
29.       [INFO] The file will be copied to quarantine!
    
30. 3/29/2018,10:42:16 [INFO] FP reports status 'NO False Positive' for file 'E:\virus\Virus9x 0329\(1).exe'
    
31. 3/29/2018,10:42:16 [DETECTION] Is the TR/AD.Ursnif.sgcmf Trojan!
    
32.   E:\virus\Virus9x 0329\(1).exe
    
33. 3/29/2018,10:42:16 [INFO] FP reports status 'NO False Positive' for file 'E:\virus\Virus9x 0329\(2).exe'
    
34. 3/29/2018,10:42:16 [DETECTION] Is the TR/RedCap.ulxil Trojan!
    
35. 
    
36. 3/29/2018,10:39:30 [DETECTION] Malware found.
    
37.          URL: http://paowoeqkwenksdqwd.com/NOIT/testv.php?l=eneken7.class
    
38.          Is the TR/AD.Ursnif.sgcmf Trojan
    
39.          Executed action: Blocked file
    
40. 3/29/2018,10:39:38 [DETECTION] [18508085] The URL (http://78.128.92.109/order.exe) was detected as Malware(c). It was blocked
    
41. 3/29/2018,10:39:49 [DETECTION] [18508094] The URL (http://www.speeltuingeenhoven.nl/gs0CKwR/) was detected as Malware(c). It was blocked

复制代码

chengleok

ELOHIM 发表于 2018-3-29 20:54
9个文件，8杀，剩下两个，多出来那个是什么啊？

可能是我表达错了，我的意思是剩下文件名为2的文件

Jerry.Lin

月影天心 发表于 2018-3-29 22:47
我这儿WD还剩下2、3、4、6，怎么会杀掉8个？

我这边WD还剩下3,4,6

（2）PUA:Win32/Creprote
（5）Trojan:Win32/Cloxer.D!cl  
（7）Trojan:Win32/Woreflint.A!cl
（9）Trojan:Win32/Fuerboos.A!cl
（1）（8）Trojan:Win32/Tiggre!plock

@驭龙 WD的云有参与文件监控吗？我发现我解压后没有云杀（有本地），右键扫描后就有云杀了。
@ELOHIM

月影天心

191196846 发表于 2018-3-29 23:14
我这边WD还剩下3,4,6

（2）PUA:Win32/Creprote

监控有云杀的
好奇怪，我这边第2个，WD无论是监控还是扫描，都不报
看你的报毒名，PUA，是不是你改过WD组策略了？

WCMS

SEP 9/9

Jerry.Lin

月影天心 发表于 2018-3-29 23:20
监控有云杀的
好奇怪，我这边第2个，WD无论是监控还是扫描，都不报
看你的报毒名，PUA，是不是你改过WD ...

是的呢……

我的WD要右键扫描才有云杀……好烦

月影天心

191196846 发表于 2018-3-29 23:24
是的呢……

我的WD要右键扫描才有云杀……好烦

我这边PUA WD很少报。。。
凑合着用吧，马上RS4要来了，WD 4.14要登场了，变化很大，到时候再看看