#XRED #Synaptics xred蠕虫

神龟Turmi

样本:https://share.weiyun.com/IHfqjtAw
没有解压密码,请小心食用

valkyrie:https://valkyrie.comodo.com/get_ ... 2a82b7d631ac6ec4995
ioc:https://s.tencent.com/research/report/880.html

讲个有趣的小故事,
这个样本来自于某模拟飞行论坛,去掉蠕虫的壳子之后是个导航数据.
可能因为经常使用破解插件,大多数人都无视了安全软件的报毒,于是...
5天之后我拿到这个样本时,VT还是处女扫...

k2132

智量  火绒

BFAX

ESET

可能因为经常使用破解插件,大多数人都无视了安全软件的报毒

好家伙希望这些个电脑没事
这波啊，叫贪小便宜吃大亏

温馨小屋

卡巴

Event: Malicious object detected
User: DESKTOP
User type: Active user
Component: Virus Scan
Result: Detected
Result description: Detected
Type: Trojan
Name: Backdoor.Win32.DarkKomet.hqxy
Precision: Exactly
Threat level: High
Object type: File
Object name: qw787_2102v2.exe
Object path: Z:\qw787_2102v2
MD5: 979F958D3A5F08EFC058FE85F58BAC6E
Reason: Databases
Databases release date: Today, 3/5/2021 2:16:00 PM

温馨小屋

Filename: qw787_2102v2.exe
Threat name: Backdoor.GraybirdFull Path: C:\Users\NortonLTSC\AppData\Local\Temp\vmware-NortonLTSC\VMwareDnD\887bccae\qw787_2102v2.exe

____________________________

____________________________


On computers as of 
2021/3/5 at 17:49:12

Last Used 
2021/3/5 at 17:51:14

Startup Item 
No

Launched 
No

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.


____________________________


qw787_2102v2.exe Threat name: Backdoor.Graybird
Locate


Very Few Users
Fewer than 5 users in the Norton Community have used this file.

Very New
This file was released less than 1 week  ago.

High
This file risk is high.


____________________________


Source: External Media

Source File:
qw787_2102v2.exe

____________________________

File Actions

File: C:\Users\NortonLTSC\AppData\Local\Temp\vmware-NortonLTSC\VMwareDnD\887bccae\ qw787_2102v2.exe Removed
File: C:\Users\NortonLTSC\AppData\Local\virtualstore\Windows\SysWOW64\ Installed.dat Restart Required
File: C:\Windows\SysWOW64\ Installed.dat Restart Required
____________________________

Registry Actions

Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ ->AntiVirusDisableNotify:0 Repaired
Registry change: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ ->UpdatesDisableNotify:0 Repaired
Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ ->ShowSuperHidden:1 Repaired
Registry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ ->ShowSuperHidden:1 Repaired
Registry change: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\ ->Start:2 Repaired
Registry change: HKEY_USERS\S-1-5-21-1723510940-3803559535-1434331253-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ ->ShowSuperHidden:1 Repaired
Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\New Windows\ ->PopupMgr:yes Repaired
Registry change: HKEY_USERS\S-1-5-21-1723510940-3803559535-1434331253-1000\Software\Microsoft\Internet Explorer\New Windows\ ->PopupMgr:yes Repaired
Registry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\New Windows\ ->PopupMgr:yes Repaired
____________________________


File Thumbprint - SHA:
5cf16b5f456f7a7142b719af75bcbbde7249e596e89b8fe7ccabb4ef7782fce9
File Thumbprint - MD5:
979f958d3a5f08efc058fe85f58bac6e

空伐Void

温馨小屋 发表于 2021-3-5 17:52
Filename: qw787_2102v2.exe
Threat name: Backdoor.GraybirdFull Path: C:%users\NortonLTSC\AppData\Loc ...

这是丢到了虚拟机跑了一遍？

温馨小屋

空伐Void 发表于 2021-3-5 18:05
这是丢到了虚拟机跑了一遍？

我实机没装诺顿，而且我并没有双击这个病毒，以上清除内容都是诺顿自己脑补的。诺顿经常这么干，习惯了。

心心相印

火绒、智量都清空了

决定式～定义

温馨小屋 发表于 2021-3-5 18:08
我实机没装诺顿，而且我并没有双击这个病毒，以上清除内容都是诺顿自己脑补的。诺顿经常这么干，习惯了。

诺顿对于有些病毒扫描出来之后，好像会丢到自己的虚拟机里面运行看它有什么反应，有时候还会触发sonar，然鹅这一切都是在只扫描不运行的情况下的，真是神奇。

henry217

温馨小屋 发表于 2021-3-5 18:08
我实机没装诺顿，而且我并没有双击这个病毒，以上清除内容都是诺顿自己脑补的。诺顿经常这么干，习惯了。

诺顿可能是行为分析一下，然后把该滚的滚一遍