#RTF.Macro.virus.sample# （2020-8-7）

显示全部楼层 · 发表于 2020-8-7 15:18:33

https://app.any.run/tasks/092ac3bd-dea6-4a39-85fa-8b4fe2d85ce2/ 搬运
https://any.run/report/73e2caa408d07e0108e48b2636910a8894434b6f052b80a142eadc2b8e4390fe/092ac3bd-dea6-4a39-85fa-8b4fe2d85ce2 文本资源策划

蓝奏云：https://www.lanzoux.com/imzgzfdoeri

IOC:

Main object- "Details-08072020-Y92639.rtf"
sha256 73e2caa408d07e0108e48b2636910a8894434b6f052b80a142eadc2b8e4390fe
sha1 38d7fe7b67c4744b1ea129902da7c0c4f6079c5b
md5 4861579583bcb0f4d404f666c248ef77
Dropped executable file
sha256 C:\Users\admin\AppData\Local\ExplorerFrame\FirewallControlPanel.exe a075e0bd7a368eca389880829c42b3e9922519e6a5a6a634fa4f1cc4cec6bf72
DNS requests
domain webstack.com.au
Connections
ip 198.74.50.152
ip 82.76.111.249
ip 116.125.120.88
HTTP/HTTPS requests
url http://webstack.com.au/wp-includes/U890802/
url http://82.76.111.249:443/u1AgH1TI/lr87XX8aDGuybXk50ZA/vov8qxGyq/
url http://116.125.120.88:443/kifP5GaZI13sDY/lvFrhGV6fcTsdRge6W/n9N4HUll/

复制代码

TEXT ERPORT:

General Info
File name
Details-08072020-Y92639.rtf
Full analysis https://app.any.run/tasks/092ac3bd-dea6-4a39-85fa-8b4fe2d85ce2
Verdict Malicious activity
Threats:
Emotet
Emotet is one of the most dangerous trojans to have been created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.
Malware Trends Tracker
More details
Analysis date 8/7/2020, 09:08:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros macros-on-open emotet-doc emotet generated-doc loader trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Et., Author: Thomas Rousseau, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Aug 6 23:18:00 2020, Last Saved Time/Date: Thu Aug 6 23:18:00 2020, Number of Pages: 1, Number of Words: 5, Number of Characters: 29, Security: 0
MD5
4861579583BCB0F4D404F666C248EF77
SHA1
38D7FE7B67C4744B1EA129902DA7C0C4F6079C5B
SHA256
73E2CAA408D07E0108E48B2636910A8894434B6F052B80A142EADC2B8E4390FE
SSDEEP
3072:Z4PRXCUQUVPZM4BKIAMQGALSZLJUHWNYWPU/QK:MDRV1M4BNQGISTJUHWNYWPU/QK

复制代码

显示全部楼层 · 发表于 2020-8-7 15:21:28

Avast
SNH:Script [Dropper]

显示全部楼层 · 发表于 2020-8-7 15:36:25

显示全部楼层 · 发表于 2020-8-7 15:40:53

显示全部楼层 · 发表于 2020-8-7 15:43:38

显示全部楼层 · 发表于 2020-8-7 15:54:36

本帖最后由 henry217 于 2020-8-7 16:02 编辑

卡巴 2021kill智量依然miss

显示全部楼层 · 发表于 2020-8-7 16:16:56

诺顿

文件名: Details-08072020-Y92639.rtf
威胁名称: W97M.Downloader

显示全部楼层 · 发表于 2020-8-7 17:18:32

ESET KILL
时间;扫描程序;对象类型;对象;检测;操作;用户;信息;哈希;此处首次所见
2020/8/7 17:18:14;文件系统实时防护;文件;C:\Users\ASUS\AppData\Local\Temp\BNZ.5f2d1c5393f4b5\Details-08072020-Y92639.rtf;VBA/TrojanDownloader.Agent.UAA 特洛伊木马的变种;通过删除清除;DESKTOP-MHBQUVD\ASUS;在应用程序新建的文件上发生事件: C:\Program Files\Bandizip\Bandizip.exe (103F35C2A271F39642571BC73D10C3EEB1D91B39).;38D7FE7B67C4744B1EA129902DA7C0C4F6079C5B;2020/8/7 15:15:16

显示全部楼层 · 发表于 2020-8-7 18:01:57

卡巴 kill 提个建议蓝奏地址加个超链接

显示全部楼层 · 发表于 2020-8-7 18:04:40

OVS 发表于 2020-8-7 18:01
卡巴 kill 提个建议蓝奏地址加个超链接

好的呢，下次整改

[病毒样本] #RTF.Macro.virus.sample# （2020-8-7）

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源