#telegram-cn #Fake #Telegram #金眼狗（APT-Q-27）(2022-07-06)

Jirehlov1234

https://jirehlov.lanzouv.com/iV1U107h5h9g

https://www.virustotal.com/gui/f ... 208e04c6d/detection

digitalocean的账号被干碎后换了contabo

new dl link
https://sin1[.contabostorage.com/8228849c45e24bdcbe1be0130ad33d92:down/tsetupx64.zip

上一集：https://bbs.kafan.cn/thread-2237879-1-1.html

LSPD

360

rogersg

Kaspersky
双击
PDM:HackTool.Win32.VBInject.a（第一次见唉）
PDM:Trojan.Win32.Generic
随后连本体一起全部回滚删除

1. Event: Malicious object detected
   
2. Application: Telegram Setup
   
3. User: NT AUTHORITY\SYSTEM
   
4. User type: System user
   
5. Component: System Watcher
   
6. Result description: Detected
   
7. Name: PDM:HackTool.Win32.VBInject.a
   
8. Threat level: High
   
9. Object type: Process
   
10. Object path: c:\users\admin\appdata\local\temp\is-8ka8u.tmp
    
11. Object name: tsetupx64.tmp
    
12. Reason: Databases
    
13. Databases release date: Today, 06/07/2022 19:15:00

复制代码

1. Event: Malicious object detected
   
2. Application: Telegram Setup
   
3. User: NT AUTHORITY\SYSTEM
   
4. User type: System user
   
5. Component: System Watcher
   
6. Result description: Detected
   
7. Type: Trojan
   
8. Name: PDM:Trojan.Win32.Generic
   
9. Threat level: High
   
10. Object type: Process
    
11. Object path: c:\users\admin\appdata\local\temp\is-8ka8u.tmp
    
12. Object name: tsetupx64.tmp
    
13. Reason: Databases
    
14. Databases release date: Today, 06/07/2022 19:15:00

复制代码

ESET
双击，内存扫描杀，然而还是一样的问题，不杀本体，不杀黑DLL，而且已经加载到启动项了，内存扫描无限循环报毒。

1. Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
   
2. 2022/7/6 22:56:27;Advanced memory scanner;file;Operating memory » dllhost.exe(4744);a variant of Win32/Spy.Delf.RAD trojan;contained infected files (after the next restart);;;21F9F7E3A5B7C04239B756A9EA34D9817DF74542;
   
3. 2022/7/6 22:56:27;Advanced memory scanner;file;Operating memory » dllhost.exe(4744);a variant of Win32/Spy.Delf.RAD trojan;contained infected files (after the next restart);DESKTOP-401M30K\Admin;;7BEF491BE76D0EA6126E5A79CD6F5D244A895B84;
   
4. 2022/7/6 22:56:31;Advanced memory scanner;file;Operating memory » dllhost.exe(4744);a variant of Win32/Spy.Delf.RAD trojan;contained infected files (after the next restart);;;3BA52DF4306422D87B8B33172BFB68840DED2544;
   

复制代码

aboringman

360（极限环境下【杀毒】：防护级别高，QVM监控开启）



双击桌面快捷方式



卫士没有任何拦截

anthonyqian

Avast

CrashRpt.dll - Win32:Evo-gen

swizzer

1. 2022-07-06 22:04:54|C:\Users\Lycoris\AppData\Local\Programs\Telegram Desktop\CrashRpt.dll|WIBD:HEUR.ShellCode.H00

复制代码

00006666

aboringman 发表于 2022-7-6 22:04
360（极限环境下【杀毒】：防护级别高，QVM监控开启）

二楼测试不是有拦截启动项来着

aboringman

00006666 发表于 2022-7-6 22:13
二楼测试不是有拦截启动项来着

因为杀毒监控先杀了dll，那个白程序跑不起来了。（也就是说在调用黑dll之前卫士没有任何拦截）

pal家族

感谢双击

卡巴目前拉黑
Event: Malicious object detected
Component: Intrusion Prevention
Result description: Detected
Type: Trojan
Name: UDS:Trojan-PSW.MSIL.Reline
Threat level: High
Object path: E:\virus
Object name: 123.exe
Reason: Cloud Protection
MD5: 7637CFA825E8436E97EE83263BC7FBF7

谁谁谁

腾管16，miss