halloware病毒

1401549491

文件太大了，超过沙箱限制，请各位有虚拟机的大神代替我试一试
，破坏力还是很强的
火绒已报毒
蓝奏 这是附带的TXT文本 https://www.lanzous.com/i3jcire
        本体   https://www.lanzous.com/i3jcj0d
        

X
1

BE_HC

FortiSandbox
这个行为多的有点可怕。。。

1401549491

BE_HC 发表于 2019-3-24 16:27
sandbox

wtf?，行为这么多吗？我还以为只是单纯的恶搞程序

a233

火绒Kill(入库)智量Kill 极宝Kill

zh7000047

wd kill

BE_HC

1401549491 发表于 2019-3-24 16:32
wtf?，行为这么多吗？我还以为只是单纯的恶搞程序

各种操作一应俱全

Please wait while halloware infecting your computer

Date	Operation	Detail	Rating
2019-3-24 08:36:56	This file spawned process(es)	FilePath: %SYSTEMROOT%\System32\shutdown.exe; Company: Microsoft Corporation; TargetPid: 3656; CmdLine: "C:\Windows\System32\shutdown.exe" -r -t 00; Version: 6.1.7600.16385 (win7_rtm.090713-1255); FileSize: 30720; Signer: Microsoft Windows; Icon: backup\7d3c7514cc9d0c828524db9622db215a.ico;	Low Risk
2019-3-24 08:36:48	This file modified files	FilePath: %SYSTEMROOT%\System32\LogonUI.exe;	High Risk
2019-3-24 08:36:45	This file spawned process(es)	FilePath: %SYSTEMROOT%\System32\cmd.exe; Company: Microsoft Corporation; TargetPid: 2692; CmdLine: "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Halloware\takeown.bat" ; Version: 6.1.7600.16385 (win7_rtm.090713-1255); FileSize: 301568; Signer: Microsoft Windows; Icon: backup\025ba5ef2cd0a38da0897cfcc8d21451.ico;	High Risk
2019-3-24 08:36:44	This file spawned process(es)	FilePath: %SYSTEMROOT%\System32\wscript.exe; Company: Microsoft Corporation; TargetPid: 2804; CmdLine: "C:\Windows\System32\wscript.exe" "C:\Program files\halloware\takeact.vbs" RunAsAdministrator; Version: 5.8.7600.16385; FileSize: 141824; Signer: Microsoft Windows; Icon: backup\0799cf41d3ae7b80f4757af9734c570d.ico;	High Risk
2019-3-24 08:36:42	This file spawned process(es)	FilePath: %SYSTEMROOT%\System32\cmd.exe; Company: Microsoft Corporation; TargetPid: 2568; CmdLine: "C:\Windows\System32\cmd.exe" /c echo msgbox"Please wait while halloware infecting your computer",1+48,"Alert" > "C:\Users\ADMINI~1\AppData\Local\Temp\waitdude.vbs" & wscript.exe "C:\Users\ADMINI~1\AppData\Local\Temp\waitdude.vbs"; Version: 6.1.7600.16385 (win7_rtm.090713-1255); FileSize: 301568; Signer: Microsoft Windows; Icon: backup\025ba5ef2cd0a38da0897cfcc8d21451.ico;	Medium Risk
2019-3-24 08:36:42	This file modified files	FilePath: %PROGRAMFILES%\Halloware\takeact.vbs;	Medium Risk
2019-3-24 08:36:42	This file modified files	FilePath: %PROGRAMFILES%\Halloware\iQShell.vbs;	Medium Risk
2019-3-24 08:36:38	This file modified files	FilePath: %PROGRAMFILES%\Halloware\fakelogon.vbs;	Medium Risk
2019-3-24 08:36:38	This file modified files	FilePath: %PROGRAMFILES%\Halloware\data\fakelogon.exe;	High Risk
2019-3-24 08:36:36	This file spawned process(es)	FilePath: %SYSTEMROOT%\System32\wscript.exe; Company: Microsoft Corporation; TargetPid: 2544; CmdLine: "C:\Windows\system32\wscript.exe" C:\Users\Administrator\AppData\Local\Temp\C1F8.tmp\C1F9.vbs ; Version: 5.8.7600.16385; FileSize: 141824; Signer: Microsoft Windows; Icon: backup\0799cf41d3ae7b80f4757af9734c570d.ico;	High Risk
2019-3-24 08:36:36	This file modified files	FilePath: %TEMP%\C1F8.tmp\fileler\takeact.vbs;	Medium Risk
2019-3-24 08:36:36	This file modified files	FilePath: %TEMP%\C1F8.tmp\fileler\iQShell.vbs;	Medium Risk
2019-3-24 08:36:34	This file modified files	FilePath: %TEMP%\C1F8.tmp\fileler\fakelogon.vbs;	Medium Risk
2019-3-24 08:36:34	This file modified files	FilePath: %TEMP%\C1F8.tmp\fileler\data\fakelogon.exe;	High Risk
2019-3-24 08:36:34	This file modified files	FilePath: %TEMP%\C1F8.tmp\C1F9.vbs;	Medium Risk

杀软小白鼠

Panda Dome扫描MISS
双击，虚拟机直接崩了……重启启动不了了

SOPHOS Home Premium：
下载直接杀……

a233

Avast Kill

KEVINZHANG

腾讯哈勃
https://habo.qq.com/file/showdetail?pk=ADcGZl1sB28IO1s9U2A%3D
然而我不是高级账户。。。。。。

温馨小屋

BD扫描报Trojan.Agent.CYZW