每日甜点包

显示全部楼层 · 发表于 2020-5-21 13:44:00

来源：Anyrun
数量：应该是5个
质量：Just so so~ 有能全过的，也有能全杀的
口味：#Exploit 为主可能会有 #Stealer

样本链接：https://send.firefox.com/downloa ... mDYodcJ-qwsf0OzA_3w

密码：infected

显示全部楼层 · 发表于 2020-5-21 13:46:38

AVG报11项清空

显示全部楼层 · 发表于 2020-5-21 13:47:05

本帖最后由 Nocria 于 2020-5-21 14:06 编辑

IKARUS - 3/5

[21.05.2020 14:02:07] On-demand scan started: "user_defined"
[21.05.2020 14:02:08] Found, 0.188s, SigName: "Trojan.Win32.NjRat", SigId: 299887328, Type: "VIRUS", File: "C:\Users\promi\Desktop\1 vps\1 vps\2.bin"
[21.05.2020 14:02:08] Found, 0.15s, SigName: "Exploit.CVE-2017-11882", SigId: 3283595, Type: "VIRUS", File: "C:\Users\promi\Desktop\1 vps\1 vps\RFQ.xlsx"
[21.05.2020 14:02:08] Found, 0.00s, SigName: "Trojan.MSIL.Agent", SigId: 3692053, Type: "VIRUS", File: "C:\Users\promi\Desktop\1 vps\1 vps\TESTE.bin"
[21.05.2020 14:02:08] On-demand scan FINISHED: "user_defined"
[21.05.2020 14:02:08] ----------------------------------------------------
[21.05.2020 14:02:08] Directories scanned: 2
[21.05.2020 14:02:08] Files scanned: 5
[21.05.2020 14:02:08] Virus found: 3
[21.05.2020 14:02:08] ----------------------------------------------------

复制代码

G DATA emptied.

显示全部楼层 · 发表于 2020-5-21 13:49:56

Bitdefender 清空
C:\Users\ljsjo\Downloads\1 vps.zip=>1 vps=>2.bin=>(RAR Sfx o)=>calc.exe Trojan.GenericKD.33753002 Moved to Quarantine
C:\Users\ljsjo\Downloads\1 vps.zip=>1 vps=>2.bin=>(RAR Sfx o)=>[Comment] Trojan.Uztuby.15 Moved to Quarantine
C:\Users\ljsjo\Downloads\1 vps.zip=>1 vps=>2.bin=>(RAR Sfx o)=>calculator.exe Gen:Variant.Zusy.93645 Moved to Quarantine
C:\Users\ljsjo\Downloads\1 vps.zip=>1 vps=>2.bin=>(RAR Sfx o)=>99.exe Trojan.GenericKD.33739367 Moved to Quarantine
C:\Users\ljsjo\Downloads\1 vps.zip=>1 vps=>RFQ.xlsx=>xl/embeddings/oleObject1.bin Exploit.CVE-2017-11882.Gen Deleted
C:\Users\ljsjo\Downloads\1 vps.zip=>1 vps=>2.bin=>(RAR Sfx o)=>calc.vbs=>(unicode) VBS.Worm.Dunihi.2.Gen Moved to Quarantine
C:\Users\ljsjo\Downloads\1 vps.zip=>1 vps=>ASD0493564QE.xlsx=>(Encrypted Package)=>xl/embeddings/oleObject1.bin Exploit.CVE-2017-11882.Gen Moved to Quarantine
C:\Users\ljsjo\Downloads\1 vps.zip=>1 vps/ASD0493564QE.xlsx Moved to Quarantine
C:\Users\ljsjo\Downloads\1 vps.zip=>1 vps/Costco New Order Ref52120.xlsx Moved to Quarantine
C:\Users\ljsjo\Downloads\1 vps.zip=>1 vps=>Costco New Order Ref52120.xlsx=>(Encrypted Package)=>xl/embeddings/oleObject1.bin Exploit.CVE-2017-11882.Gen Moved to Quarantine
C:\Users\ljsjo\Downloads\1 vps.zip=>1 vps/TESTE.bin Gen:Variant.Ransom.Samas.9 Deleted

显示全部楼层 · 发表于 2020-5-21 14:07:59

卡巴清空

21.05.2020 14.05.35 检测到的对象 ( 文件 ) 已删除 E:\sample\1 vps\ASD0493564QE.xlsx//encrypted//xl/embeddings/oleObject1.bin//exploit 文件: E:\sample\1 vps\ASD0493564QE.xlsx//encrypted//xl/embeddings/oleObject1.bin//exploit 对象名称: HEUR:Exploit.MSOffice.Generic 对象类型: 木马程序时间: 2020/5/21 14:05
21.05.2020 14.05.35 检测到的对象 ( 文件 ) 已删除 E:\sample\1 vps\ASD0493564QE.xlsx 文件: E:\sample\1 vps\ASD0493564QE.xlsx 时间: 2020/5/21 14:05
21.05.2020 14.05.34 检测到的对象 ( 文件 ) 已删除 E:\sample\1 vps\Costco New Order Ref52120.xlsx 文件: E:\sample\1 vps\Costco New Order Ref52120.xlsx 时间: 2020/5/21 14:05
21.05.2020 14.05.34 检测到的对象 ( 文件 ) 已删除 E:\sample\1 vps\Costco New Order Ref52120.xlsx//encrypted//xl/embeddings/oleObject1.bin//exploit 文件: E:\sample\1 vps\Costco New Order Ref52120.xlsx//encrypted//xl/embeddings/oleObject1.bin//exploit 对象名称: HEUR:Exploit.MSOffice.Generic 对象类型: 木马程序时间: 2020/5/21 14:05
21.05.2020 14.05.34 检测到的对象 ( 文件 ) 已删除 E:\sample\1 vps\RFQ.xlsx 文件: E:\sample\1 vps\RFQ.xlsx 对象名称: UDS:DangerousObject.Multi.Generic 时间: 2020/5/21 14:05
21.05.2020 14.05.34 检测到的对象 ( 文件 ) 已删除 E:\sample\1 vps\RFQ.xlsx//xl/embeddings/oleObject1.bin//exploit 文件: E:\sample\1 vps\RFQ.xlsx//xl/embeddings/oleObject1.bin//exploit 对象名称: HEUR:Exploit.MSOffice.Generic 对象类型: 木马程序时间: 2020/5/21 14:05
21.05.2020 14.05.33 检测到的对象 ( 文件 ) 已删除 E:\sample\1 vps\2.bin 文件: E:\sample\1 vps\2.bin 对象名称: UDS:DangerousObject.Multi.Generic 时间: 2020/5/21 14:05
21.05.2020 14.05.33 检测到的对象 ( 文件 ) 已删除 E:\sample\1 vps\TESTE.bin 文件: E:\sample\1 vps\TESTE.bin 对象名称: HEUR:Backdoor.MSIL.Crysan.gen 对象类型: 木马程序时间: 2020/5/21 14:05

复制代码

显示全部楼层 · 发表于 2020-5-21 14:19:38

ESET
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
2020/5/21 14:14:00;Real-time file system protection;file;C:\Users\Galaxy\Downloads\1 vps\1 vps\RFQ.xlsx;probably a variant of Win32/Exploit.CVE-2017-11882.C trojan;cleaned by deleting;DESKTOP-NV3EN59\Galaxy;Event occurred on a new file created by the application: C:\Program Files\Bandizip\Bandizip.exe (45DB9445A28E458404D6BEC38399ABE9631CB54C).;795A4BD846A4D0941C7DC5F582E6E01897D1BC6F;
2020/5/21 14:14:03;Real-time file system protection;file;C:\Users\Galaxy\Downloads\1 vps\1 vps\TESTE.bin;a variant of MSIL/Agent.CFQ trojan;cleaned by deleting;DESKTOP-NV3EN59\Galaxy;Event occurred on a new file created by the application: C:\Program Files\Bandizip\Bandizip.exe (45DB9445A28E458404D6BEC38399ABE9631CB54C).;8617D054868A777CE6579936DAB7B919816E969C;2020/5/20 2:08:49
2020/5/21 14:14:10;Real-time file system protection;file;C:\Users\Galaxy\Downloads\1 vps\1 vps\2.bin;multiple threats;cleaned by deleting;DESKTOP-NV3EN59\Galaxy;Event occurred on a new file created by the application: C:\Program Files\Bandizip\Bandizip.exe (45DB9445A28E458404D6BEC38399ABE9631CB54C).;C28BB395E035D8CC738BB7A88A24408B29178528;

Log
Scan Log
Version of detection engine: 21362P (20200521)
Date: 2020/5/21 Time: 14:14:24
Scanned disks, folders and files: C:\Users\Galaxy\Downloads\1 vps\1 vps\Costco New Order Ref52120.xlsx;C:\Users\Galaxy\Downloads\1 vps\1 vps\ASD0493564QE.xlsx
C:\Users\Galaxy\Downloads\1 vps\1 vps\ASD0493564QE.xlsx » OFFICECRYPTOGRAPHY » ASD0493564QE.xlsx » ZIP » xl/embeddings/oleObject1.bin - probably a variant of Win32/Exploit.CVE-2017-11882.C trojan - deleted
C:\Users\Galaxy\Downloads\1 vps\1 vps\Costco New Order Ref52120.xlsx » OFFICECRYPTOGRAPHY » Costco New Order Ref52120.xlsx » ZIP » xl/embeddings/oleObject1.bin - probably a variant of Win32/Exploit.CVE-2017-11882.C trojan - deleted
Number of scanned objects: 48
Number of detections: 2
Number of cleaned objects: 2
Time of completion: 14:14:25 Total scanning time: 1 sec (00:00:01)

显示全部楼层 · 发表于 2020-5-21 15:27:11

应该被人扫过了，毒霸

扫描时间：[2020-05-21 15:25:55]
扫描用时：[00:00:10]
扫描类型：自定义查杀
扫描文件总数：19
扫描速度：1文件/秒
发现威胁：4个
清除威胁：4个
=============================================
[2020-05-21 15:26:12]
威胁：e:\浏览器下载\1 vps\2.bin
类型：win32.troj.undef.(kcloud)
处理方式：删除
[2020-05-21 15:26:12]
威胁：e:\浏览器下载\1 vps\asd0493564qe.xlsx
类型：win32.scriptc.undef.a.(kcloud)
处理方式：修复
[2020-05-21 15:26:12]
威胁：e:\浏览器下载\1 vps\costco new order ref52120.xlsx
类型：win32.scriptc.undef.a.(kcloud)
处理方式：修复
[2020-05-21 15:26:12]
威胁：e:\浏览器下载\1 vps\teste.bin
类型：win32.hack.undef.(kcloud)
处理方式：删除

复制代码

显示全部楼层 · 发表于 2020-5-21 16:16:30

SEP 3/5 留ASD0493564QE 和 Costco New Order Ref52120

文件名风险操作风险类型
oleObject1.bin Exp.CVE-2017-11882!g3 已隔离压缩的文件; 启发式病毒
RFQ.xlsx Exp.CVE-2017-11882!g3 已隔离压缩的文件; 启发式病毒
2.bin Trojan.Gen.MBT 已通过删除清除病毒
RFQ.xlsx Exp.CVE-2017-11882!g2 已清除启发式病毒
TESTE.bin Heur.AdvML.C 已通过删除清除启发式病毒
TESTE.bin Trojan.Gen.MBT 已清除病毒

复制代码

显示全部楼层 · 发表于 2020-5-21 16:19:21

本帖最后由 PINCER 于 2020-5-21 19:45 编辑

居然没有人测火绒

我挺想看看火绒的入库效率的

火绒
20200520 16：26 毒库
scan miss all

Update：经上报，已可以查杀（火绒团队的服务态度是真的赞

回复也很快）

显示全部楼层 · 发表于 2020-5-21 16:46:45

微软扫描剩下这个：Costco New Order Ref52120.xlsx。

[病毒样本] 每日甜点包

评分

本帖子中包含更多资源

本帖子中包含更多资源