灰鸽子

www-tekeze

SEP，杀两个exe 。

www-tekeze

www-tekeze 发表于 2019-12-22 21:25
总共135个文件，火绒均不报，智量报MOMO29.exe为释放器。
安徽潍坊那个灰鸽子？不是毒哎。。。有空双击 ...

恢复昨晚虚拟机快照，智量Miss All，双击MOMO29.exe，几个动作后主防杀！

大体明白了，MOMO29是个自解压包，没数签会静默安装灰鸽子，但安装后的目录System Sll没问题，主要文件都带灰鸽子的有效数签。。。但这个自解压包 (私人制作的?) 是否还加得有其他的料不清楚。

请官人给说说，是不是静默安装后用来抓肉鸡的。。   @智量官方   但网管可以用来批量安装、全自动安装哦。

PS：自解压后得到的安装包略小，字节大小只有12,904KB，带灰鸽子有效数签，也有正常的安装界面。

2221000789

瑞星MISS

www-tekeze

这个帖怎么没人顶，样本质量不高。。    @傻猪猪米走鸡

残缺的神

我得有10年没听见灰鸽子了   哈哈  

81893

360ts杀momo29

智量官方

www-tekeze 发表于 2019-12-22 22:40
恢复昨晚虚拟机快照，智量Miss All，双击MOMO29.exe，几个动作后主防杀！

大体明白了，MOMO29是 ...

您好 该远程控制工具被利用 并且这些行为不被用户感知

巷入菲菲

都很强大

傻猪猪米走鸡

www-tekeze 发表于 2019-12-23 14:11
这个帖怎么没人顶，样本质量不高。。    @傻猪猪米走鸡

Scan Log
Version of detection engine: 20556P (20191223)
Date: 2019/12/23  Time: 18:16:04
Scanned disks, folders and files: C:\Users\Galaxy\Desktop\MOMO29;C:\Users\Galaxy\Desktop\System Sll
C:\Users\Galaxy\Desktop\MOMO29\MOMO29.EXE » CAB » update.exe » WINRARSFX » _82708.exe - a variant of Win32/RiskWare.Huigezi.A application - deleted
C:\Users\Galaxy\Desktop\System Sll\AopSdk.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\AudioEngineCore.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\CSkin.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\DomainJump\DomainJumpDLL.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\DomainJump\drivers\sys7.sys - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\DomainJump\drivers\sys764.sys - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\DomainJump\drivers\sys8.sys - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\DomainJump\drivers\sys864.sys - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\ESBasic.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\ESFramework.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\GetSignInfo.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\H264Codec.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\HzzInstaller.exe - a variant of Win32/RiskWare.Huigezi.B application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\IMHKSDK\AvFlt32.sys - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\IMHKSDK\AvFlt64.sys - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\IMHKSDK\AvFltSdk32.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\IMHKSDK\AvFltSdk64.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\IMHKSDK\IMHKCore32.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\IMHKSDK\IMHKCore64.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\IMHKSDK\IMHKSDK32.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\IMHKSDK\IMHKSDK64.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\IMHKSDK\PlugMessage.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\IMHKSDK.NET.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\InstallSvr.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\Jorben.Json.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\NetworkMonitor.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\Newtonsoft.Json.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\OMCS.Boost.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\checkFirewall.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\client.core.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\comUpdate.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\comUpdate.exe.dlnubx - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\ctlexe\drivers\win7_amd64\tmctldrv.sys - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\ctlexe\drivers\win7_x86\tmctldrv.sys - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\ctlexe\tmctlcom.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\drivers\win7_amd64\ptprc.sys - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\drivers\win7_x86\ptprc.sys - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\dxbase.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\fdmodlue.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\fmtm\ctldll.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\fmtm\pipmd.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\fmtm\start.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\fmtm\x64\fmtModule.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\fmtm\x64\fmtm.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\fmtm\x86\fmtModule.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\fmtm\x86\fmtm.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\hgzDriver.sys - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\hgzDriver64.sys - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\hzbdptmd.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\hzbdptmd64.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\hzzInit.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\hzzSrvInit.exe - a variant of Win32/RiskWare.Huigezi.B application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\keyboard\sysoft.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\mailmon.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\mskbit.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\mskbitex.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\msvcm90.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\msvcp100.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\msvcp90.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\msvcr100.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\msvcr90.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\netrcd\GetDBCache_x64.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\netrcd\GetEseDbInfo.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\netrcd\histrcd.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\netrcd\libesedb.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\netrcd\msvcr100.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\netrcd\sqlite3.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\ptprocctl.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\shomectl.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\shomefilectl.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\sll.Win10.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\sll.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\sllsrv.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\start.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\startDLP.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\stopfp.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\swresample-0bp1.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\uninstall.Win10.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\uninstall.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\x64\glbdll.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\x64\nvsc.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\x86\glbdll.dll - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\x86\nvsc.exe - a variant of Win32/RiskWare.Huigezi.A application - cleaned by deleting [1]
C:\Users\Galaxy\Desktop\System Sll\ygport.exe - a variant of Win32/RiskWare.Huigezi.B application - cleaned by deleting [1]
Number of scanned objects: 138
Number of detections: 95
Number of cleaned objects: 95
Time of completion: 18:17:00  Total scanning time: 56 sec (00:00:56)

Notes:
[1] Object has been deleted as it only contained the virus body.


来喽兄dei~

djrain369148752

有什么企图？