trickbot （18.04.19）

显示全部楼层 · 发表于 2018-4-19 23:20:43

efficientmarketing.com.au/1.bin
paranaimpact.com/1.bin

复制代码

infected

https://www.virustotal.com/en/fi ... /analysis/#analysis

显示全部楼层 · 发表于 2018-4-19 23:44:11

本帖最后由 761773275 于 2018-4-20 00:02 编辑

AVG主防杀!!!!

大蜘蛛主防杀!!!!

费尔V8主防杀!!!!

https://s.threatbook.cn/report/win7_sp1_enx86_office2013/fecddb7f3fa478be4687ca542c0ecf232ec35a0c2418c8bfe4875686ec373c1e/

行为签名
恶意签名（6）
全部收起

缓冲区中发现一个PE文件

buffer "Buffer with sha1: c93b8863d20a179a16521c2a274087df721497d7"
通过注册表键来检测是否安装了常见反病毒软件

registry "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths"
检测是否有调试器运行

Time & API
Arguments
Status
Return

2018-04-20 23:58:45
IsDebuggerPresent
00

2018-04-20 23:59:06
IsDebuggerPresent
00
关闭Windows安全特性

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\vbccsb\AppData\Roaming\DiskMonitor\
修改其他进程的内存数据

Time & API
Arguments
Status
Return

2018-04-20 23:59:00
WriteProcessMemory
buffer :
base_address :0x00400000
process_identifier :2520
process_handle :0x00000074
11

2018-04-20 23:59:00
WriteProcessMemory
buffer :@
base_address :0x7ffd7008
process_identifier :2520
process_handle :0x00000074
11

2018-04-20 23:59:20
WriteProcessMemory
buffer :
base_address :0x00400000
process_identifier :2672
process_handle :0x00000074
11

2018-04-20 23:59:20
WriteProcessMemory
buffer :@
base_address :0x7ffdf008
process_identifier :2672
process_handle :0x00000074
11
启动一个进程并注入代码，该程序可能正在脱壳

Time & API
Arguments
Status
Return

2018-04-20 23:59:00
CreateProcessInternalW
thread_identifier :2524
thread_handle :0x00000070
process_identifier :2520
current_directory :
filepath :
track :1
command_line :"C:\Users\vbccsb\AppData\Local\Temp\1.exe"
filepath_r :
stack_pivoted :0
creation_flags :4
inherit_handles :0
process_handle :0x00000074
11

2018-04-20 23:59:00
NtGetContextThread
thread_handle :0x00000070
10

2018-04-20 23:59:00
NtUnmapViewOfSection
base_address :0x00400000
region_size :4096
process_identifier :2520
process_handle :0x00000074
10

2018-04-20 23:59:00
NtAllocateVirtualMemory
process_identifier :2520
region_size :155648
stack_dep_bypass :0
stack_pivoted :0
heap_dep_bypass :0
protection :64
base_address :0x00400000
allocation_type :12288
process_handle :0x00000074
10

2018-04-20 23:59:00
WriteProcessMemory
buffer :
base_address :0x00400000
process_identifier :2520
process_handle :0x00000074
11

2018-04-20 23:59:00
WriteProcessMemory
buffer :@
base_address :0x7ffd7008
process_identifier :2520
process_handle :0x00000074
11

2018-04-20 23:59:00
NtSetContextThread
registers :{"eip":0,"esp":0,"edi":0,"eax":4198400,"ebp":0,"edx":0,"ebx":2147315712,"esi":0,"ecx":0}
thread_handle :0x00000070
process_identifier :2520
10

2018-04-20 23:59:02
NtResumeThread
thread_handle :0x00000070
suspend_count :1
process_identifier :2520
10

2018-04-20 23:59:04
CreateProcessInternalW
thread_identifier :2624
thread_handle :0x00000094
process_identifier :2620
current_directory :C:\Users\vbccsb\AppData\Roaming\DiskMonitor
filepath :
track :1
command_line :C:\Users\vbccsb\AppData\Roaming\DiskMonitor\1.exe
filepath_r :
stack_pivoted :0
creation_flags :0
inherit_handles :0
process_handle :0x00000098
11

2018-04-20 23:59:20
CreateProcessInternalW
thread_identifier :2676
thread_handle :0x00000070
process_identifier :2672
current_directory :
filepath :
track :1
command_line :C:\Users\vbccsb\AppData\Roaming\DiskMonitor\1.exe
filepath_r :
stack_pivoted :0
creation_flags :4
inherit_handles :0
process_handle :0x00000074
11

2018-04-20 23:59:20
NtGetContextThread
thread_handle :0x00000070
10

2018-04-20 23:59:20
NtUnmapViewOfSection
base_address :0x00400000
region_size :4096
process_identifier :2672
process_handle :0x00000074
10

2018-04-20 23:59:20
NtAllocateVirtualMemory
process_identifier :2672
region_size :155648
stack_dep_bypass :0
stack_pivoted :0
heap_dep_bypass :0
protection :64
base_address :0x00400000
allocation_type :12288
process_handle :0x00000074
10

2018-04-20 23:59:20
WriteProcessMemory
buffer :
base_address :0x00400000
process_identifier :2672
process_handle :0x00000074
11

2018-04-20 23:59:20
WriteProcessMemory
buffer :@
base_address :0x7ffdf008
process_identifier :2672
process_handle :0x00000074
11

2018-04-20 23:59:20
NtSetContextThread
registers :{"eip":0,"esp":0,"edi":0,"eax":4198400,"ebp":0,"edx":0,"ebx":2147348480,"esi":0,"ecx":0}
thread_handle :0x00000070
process_identifier :2672
10

2018-04-20 23:59:21
NtResumeThread
thread_handle :0x00000070
suspend_count :1
process_identifier :2672
10

显示全部楼层 · 发表于 2018-4-20 00:05:39

文件名: 1.exe
威胁名称: WS.Reputation.1完整路径: c:\users\桑德尔\desktop\1\1.exe

____________________________

____________________________

在电脑上 
2018/4/20 ( 0:03:28 )

上次使用时间 
2018/4/20 ( 0:05:28 )

启动项 
否

已启动 
否

威胁类型: 智能网络威胁。很多迹象表明此文件不可信任，不安全

____________________________

1.exe 威胁名称: WS.Reputation.1
定位

极少用户信任的文件
Norton 社区中有不到 5 名用户使用了此文件。

极新的文件
该文件已在不到 1 周前发行。

中
此文件具有中等程度风险。

____________________________

https://att.kafan.cn/forum.php?mo ... jM0ODd8MjEyMDgzOQ==
已下载文件从 att.kafan.cn
来源: 外部介质

1.exe

____________________________

文件操作

文件: c:\users\桑德尔\desktop\1\ 1.exe 已删除
____________________________

文件指纹 - SHA:
fecddb7f3fa478be4687ca542c0ecf232ec35a0c2418c8bfe4875686ec373c1e
文件指纹 - MD5:
73582cd6bd542a34fa36a6a8c768307c

显示全部楼层 · 发表于 2018-4-20 00:31:50

SCEP : Trojan:Win32/Cloxer.D!cl

显示全部楼层 · 发表于 2018-4-20 01:13:30

SEP双击声纳杀

显示全部楼层 · 发表于 2018-4-20 01:42:51

Malwarebytes

File: 1
Spyware.TrickBot, E:\VIRUS\1\1.EXE, No Action By User, [6225], [512666],1.0.4796

显示全部楼层 · 发表于 2018-4-20 08:45:01

KIS Trojan.Win32.Yakes.wfwl

显示全部楼层 · 发表于 2018-4-20 09:32:46

WD OFFLINE MISS

显示全部楼层 · 发表于 2018-4-20 21:07:49

WD

Trojan:Win32/Cloxer.D!cl

显示全部楼层 · 发表于 2018-4-20 21:37:49

[病毒样本] trickbot （18.04.19）

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源