几个疑似木马的文件-360报毒

火绒用户

貌似有一个是BAT
有VBS脚本

川建国代理人

智量清空除了txt的所有文件网站服务器爆破工具 密码123：

Discuz高速水帖器（一秒百次）：

Discuz水帖器

欧阳宣

BEST
Trojan.GenericKD.43060675

a233

ESET全都不报

火绒用户

行为签名
查看 MITRE ATT&CK™ 矩阵（技术）检测结果
高危行为（2）
全部收起

系统敏感操作

试着去创建或修改系统证书

ATT&CK ID:T1130(在 MITRE ATT&CK™ 矩阵中的显示)
registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A5807E3AF3D13CD50543F07E06193B38CF11239A\Blob

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\54D4B1F9710D36D742826C8F0BB290F1705265FC\Blob

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A5807E3AF3D13CD50543F07E06193B38CF11239A\Blob

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AA3CFBFCBE04A2746D14E88970A561C694A3D91E\Blob

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\1D3198CC261B592E4D5B9E488849269A937B07F6\Blob

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\54D4B1F9710D36D742826C8F0BB290F1705265FC\Blob

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA3CFBFCBE04A2746D14E88970A561C694A3D91E\Blob

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A5807E3AF3D13CD50543F07E06193B38CF11239A\Blob

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\AA3CFBFCBE04A2746D14E88970A561C694A3D91E\Blob

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\54D4B1F9710D36D742826C8F0BB290F1705265FC\Blob

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1D3198CC261B592E4D5B9E488849269A937B07F6\Blob







将函数插入到线程的APC队列中，常用于线程注入

可疑行为（8）
全部收起

反检测技术

检测系统内存大小，可能通过内存大小来判断是否运行在虚拟机中

检查适配器地址，可用于检测虚拟网络接口

Time & API

Arguments

Status

Return

2020-08-04 22:01:39

GetAdaptersAddresses

flags :1158

family :0

10

反逆向工程

尝试拖慢分析任务的进度

网站服务器爆破工具.exe
tried to sleep 922337203805 seconds, actually delayed analysis time by 0 seconds







检测自身是否正在被调试

Time & API

Arguments

Status

Return

2020-08-04 22:01:36

IsDebuggerPresent

00

2020-08-04 22:01:36

IsDebuggerPresent

00





创建PAGE_GUARD属性的内存页，通常用于反逆向和反调试

Time & API

Arguments

Status

Return

2020-08-04 22:01:36

NtAllocateVirtualMemory

process_identifier :3532

region_size :8192

stack_dep_bypass :0

stack_pivoted :0

heap_dep_bypass :0

protection :260

process_handle :0xffffffff

allocation_type :4096

base_address :0x0019d000

10

2020-08-04 22:01:36

NtAllocateVirtualMemory

process_identifier :3532

region_size :8192

stack_dep_bypass :0

stack_pivoted :0

heap_dep_bypass :0

protection :260

process_handle :0xffffffff

allocation_type :4096

base_address :0x0019d000

10

2020-08-04 22:01:36

NtAllocateVirtualMemory

process_identifier :3532

region_size :8192

stack_dep_bypass :0

stack_pivoted :0

heap_dep_bypass :0

protection :260

process_handle :0xffffffff

allocation_type :4096

base_address :0x0172d000

10

2020-08-04 22:01:36

NtAllocateVirtualMemory

process_identifier :3532

region_size :8192

stack_dep_bypass :0

stack_pivoted :0

heap_dep_bypass :0

protection :260

process_handle :0xffffffff

allocation_type :4096

base_address :0x015ed000

10

2020-08-04 22:01:39

NtAllocateVirtualMemory

process_identifier :3532

region_size :8192

stack_dep_bypass :0

stack_pivoted :0

heap_dep_bypass :0

protection :260

process_handle :0xffffffff

allocation_type :4096

base_address :0x03ded000

10

2020-08-04 22:01:41

NtAllocateVirtualMemory

process_identifier :3532

region_size :8192

stack_dep_bypass :0

stack_pivoted :0

heap_dep_bypass :0

protection :260

process_handle :0xffffffff

allocation_type :4096

base_address :0x0494d000

10

2020-08-04 22:01:41

NtAllocateVirtualMemory

process_identifier :3532

region_size :8192

stack_dep_bypass :0

stack_pivoted :0

heap_dep_bypass :0

protection :260

process_handle :0xffffffff

allocation_type :4096

base_address :0x04dcd000

10

2020-08-04 22:01:42

NtAllocateVirtualMemory

process_identifier :3532

region_size :8192

stack_dep_bypass :0

stack_pivoted :0

heap_dep_bypass :0

protection :260

process_handle :0xffffffff

allocation_type :4096

base_address :0x04f0d000

10

网络相关

开启端口并监听，常用于后门程序

Time & API

Arguments

Status

Return

2020-08-04 22:01:39

bind

ip_address :127.0.0.1

socket :644

port :0

10

2020-08-04 22:01:39

listen

socket :644

backlog :2147483647

10

2020-08-04 22:01:39

accept

ip_address :127.0.0.1

socket :644

port :0

04294967295





开启端口并监听

Time & API

Arguments

Status

Return

2020-08-04 22:01:39

bind

ip_address :127.0.0.1

socket :644

port :0

10

2020-08-04 22:01:39

listen

socket :644

backlog :2147483647

10

系统敏感操作

检查系统上的唯一标识符是否具有可疑的权限

Time & API

Arguments

Status

Return

2020-08-04 22:01:39

LookupPrivilegeValueW

system_name :

privilege_name :SeDebugPrivilege

11

2020-08-04 22:01:39

LookupPrivilegeValueW

system_name :

privilege_name :SeDebugPrivilege

11








低危行为（2）
全部展开

系统环境探测

获取系统信息

读取计算机名称

















情报判定系统

威胁情报订阅（0）URL 判别系统（0）异常流量检测系统（0）狩猎系统（0）DGA 域名识别系统（0）

基本信息
样本名称
e2a1ece4f6f8fa9e46ea46653d922e8cf376a986806d9698164b0bd7d3f2e58d-1596603667

样本类型
Zip archive data, at least v5.1 to extract

样本大小
33063

MD5
db7d390e4ca75ea1e782e3fb8f00c804

SHA1
d25ee6d8d523bf5688f7ef7585841ce322c0d736

SHA256
e2a1ece4f6f8fa9e46ea46653d922e8cf376a986806d9698164b0bd7d3f2e58d

SSDeep
768:kmrovZBfXgVrReXTCVZ0PcU0M98FLY4mYUE7iI+x3hKN9X:kmAHe0yOb99CLY4ff2Zwf



以上为微步云沙箱检测报告

川建国代理人

火绒用户 发表于 2020-8-5 13:13
行为签名
查看 MITRE ATT&CK™ 矩阵（技术）检测结果
高危行为（2）

这个排版有点。。。。

QWEASDZXCRFV

火绒kill3

火绒用户

QWEASDZXCRFV 发表于 2020-8-5 13:19
火绒kill3

没杀完

OVS

卡巴 扫描  kill   exe

anthonyqian

诺顿只杀exe （Heur.AdvML.C)