#Backdoor(2022-8-2)

rogersg

From Telegram Channel : @zh_CNAQ
VT初扫3/70
https://www.virustotal.com/gui/f ... c5f6d29135bb39e50b2

Tom179090

双击阻止
事件: 检测到恶意对象
应用程序: COM Surrogate
用户: \
用户类型: 发起者
组件: 系统监控
结果说明: 检测到
类型: 木马
名称: PDM:Exploit.Win32.Generic
威胁级别: 高
对象类型: 进程
对象路径: C:\Windows\SysWOW64
对象名称: dllhost.exe
原因: 行为分析
数据库发布日期: 今天，2022/8/2 5:42:00
MD5: AE1936CE9A4B92E69493470B1009AD5A

LovelyTim

Malwarebytes kill
Malware.Sandbox.1

火绒 miss

pal家族

我想问下 fake telegram都是金眼狗的东西吗？

123456aaaafsdeg

miss

LeeHS

crowdstrike 双击殺

Jirehlov1234

pal家族 发表于 2022-8-2 03:28
我想问下 fake telegram都是金眼狗的东西吗？

金眼狗是qi'anxin发明的叫法https://ti.qianxin.com/blog/articles/operation-dragon-breath-(apt-q-27)-dimensionality-reduction-blow-to-the-gambling-industry/

样本区看见的faketg大部分都是这个（类）组织相关的

欧阳宣

gdata

1. 0        0        0        G DATA INTERNET SECURITY has prevented malicious software from running on your system.
   
2. 0        0        0        The malicious program was identified by BEAST (Behavior Monitoring) as: Generic.C063FA77
   
3. 0        0        0       
   
4. 128        0        0        The following processes were therefore terminated by G DATA for security reasons:
   
5. 64        0        0        C:\ProgramData\ravmond.exe
   
6. 64        0        0        C:\Windows\SysWOW64\svchost.exe (PID 14076)
   
7. 64        0        0        C:\Windows\SysWOW64\dllhost.exe (PID 12160)
   
8. 0        0        0       
   
9. 128        0        0        The following programs responsible were moved to Quarantine by G DATA:
   
10. 64        0        0        C:\Windows\Temp\128030296.bak
    
11. 64        0        0        C:\Windows\Temp\128030265.bak
    
12. 64        0        0        C:\Windows\rscom.dll.dat
    
13. 64        0        0        C:\Windows\rscom.dll
    
14. 64        0        0        C:\Windows\Temp\ĬèÏ·Ö×é.key
    
15. 0        0        0       
    
16. 0        0        0        Further information:
    
17. 0        0        0        Ref: a99477a1-553e-4258-bbf7-417f806595f6

复制代码

pal家族

Jirehlov1234 发表于 2022-8-2 12:14
金眼狗是qi'anxin发明的叫法https://ti.qianxin.com/blog/articles/operation-dragon-breath-(apt-q-27)- ...

Hello,

New malicious software was found in the attached file. Its detection will be included in the next update.
HEUR:Backdoor.Win32.Gulpix.gen
Thank you for your help.

Best regards, Maxim Starodubov, Malware analyst, Kaspersky Lab
39A/3 Leningradskoe Shosse, Moscow, 125212, Russia Tel./Fax: + 7 (495) 797 8700 http://www.kaspersky.com https://securelist.com
https://opentip.kaspersky.com/ - get insights about suspicious files, hashes, URLs, IP addresses or domain names

__________________________________________

From: 724281640@qq.com
Received: 8/2/2022 3:30:36 AM (UTC)
Sent: 8/2/2022 3:30:19 AM (UTC)
To: newvirus@kaspersky.com
Subject: 回复：RE: 回复：RE: 回复：RE: 回复：RE: 回复：RE: Re:RE: Re:RE: Re:RE: Re:RE: Re:RE: Kaspersky false negative and false positive files [KL-1571859]

hello
here is a fake telegram installer, it is possible to be goldeneyedog APT releated backdoor malware.
after installation it will release a white exe to load malicious dll and script.

Solomondemeter

eset miss