高质量WHQL Rootkit样本和释放器一枚，VT 0 报毒

显示全部楼层 · 发表于 2023-5-27 22:57:36

AEht 发表于 2023-5-27 20:42
你觉得是ATC厉害还是卡巴的PDM厉害，还是诺顿厉害？

PDM

显示全部楼层 · 发表于 2023-5-27 23:36:05

hansyu 发表于 2023-5-27 21:08
R108没有被针对，因为进程名字和R51不一样，写这个驱动的人用的旧名字。杀掉的是那个假steam，驱动和驱动 ...

这个驱动不知道为啥连McaFee最新的企业版进程也针对，注册了之后威胁防护服务直接报未响应。

不过企业版其他功能，包括主防，倒都是正常的

显示全部楼层 · 发表于 2023-5-27 23:36:47

761773275 发表于 2023-5-27 22:57
PDM

我觉得还是ATC好一点，虽然回滚可能比不过PDM但PDM那敏感性着实有点低

显示全部楼层 · 发表于 2023-5-27 23:41:29

AEht 发表于 2023-5-27 19:20
卡巴斯基过静态，动态直接结束卡巴进程！！！！！

exe目前已被云拉黑UDS:Trojan.Win64.Agent.a

显示全部楼层 · 发表于 2023-5-27 23:48:37

本帖最后由 pal家族于 2023-5-28 00:15 编辑

Hello,

New malicious software was found in the attached file. Its detection will be included in the next update.
Trojan.Win64.Agent.qwihsu

AccPtFlt.sys - is clean

Best regards, Denis Sitchikhin, Malware Analyst
39A/3 Leningradskoe Shosse, Moscow, 125212, Russia Tel./Fax: + 7 (495) 797 8700 http://www.kaspersky.com https://securelist.com
https://opentip.kaspersky.com/ - get insights about suspicious files, hashes, URLs, IP addresses or domain names

sys鉴定为白
尴尬尴尬

各位朋友
如果你想借此羞辱我本人或卡巴斯基或Denis Sitchikhin
请千万不要不给本人加人妻！

显示全部楼层 · 发表于 2023-5-28 00:01:12

本帖最后由 hansyu 于 2023-5-28 00:02 编辑

记录微笑发表于 2023-5-27 23:36
这个驱动不知道为啥连McaFee最新的企业版进程也针对，注册了之后威胁防护服务直接报未响应。

...

因为楼主展示的可识别字符串里关于咖啡的只有一个mcshield.exe，这个文件名至少我用过的咖啡从02年一直到现在，用了二十年。

企业版的主防模块进程和实时扫描进程是分开的，文件名也不一样，所以不受影响。

显示全部楼层 · 发表于 2023-5-28 00:19:02

pal家族发表于 2023-5-27 23:48
Hello,

New malicious software was found in the attached file. Its detection will be included in t ...

目前就是在等谁先入库。各家大多处于观望状态。

以下是微软的回复：

To help with further analysis. Could you please help us in provide us the below mention information regarding file

- Exact scenario present at customer end
- Source of the file and any dependency related to the file.
- Any other details which will be helpful in analysis.
At this time detection will remain in place.

More detailed information about the approach and criteria categories currently used by the Microsoft researchers are available here: https://www.microsoft.com/en-us/ ... evaluation-criteria
Thank you for contacting Microsoft.

微软目前决定暂时不添加检测，等待更多信息

显示全部楼层 · 发表于 2023-5-28 07:03:44

飞塔第一次回复；

The sample will be detected as follows:
MD5:b4b84decc017efa8cb3e191d864d6f1e - W64/Agent.7642!tr
The signature will be included in the next regular update.

For MD5:814704a0b9ab78d030b188534da5be8c, we have verified based on our initial quick analysis that it did not perform malware like behavior.

要求二次分析后：

The sample you submitted will be detected as follows:
<AccPtFlt.sys> with MD5: 814704a0b9ab78d030b188534da5be8c - <W64/KillAV.be8c!tr>

显示全部楼层 · 发表于 2023-5-28 08:06:51

anthonyqian 发表于 2023-5-27 14:48
ESET missed，已上报

ESET 入库：

显示全部楼层 · 发表于 2023-5-28 09:01:43

ANY.LNK 发表于 2023-5-28 00:19
目前就是在等谁先入库。各家大多处于观望状态。

以下是微软的回复：

Hello,

We rechecked the file. New malicious software was found in the attached file. Its detection will be included in the next update.
Thank you for your help.

814704a0b9ab78d030b188534da5be8c - Rootkit.Win32.Agent.enjh

Best regards, Kirill, Malware Analyst Team Lead
39A/3 Leningradskoe Shosse, Moscow, 125212, Russia Tel./Fax: + 7 (495) 797 8700 http://www.kaspersky.com https://securelist.com
https://opentip.kaspersky.com/ - get insights about suspicious files, hashes, URLs, IP addresses or domain names

[原创分析] 高质量WHQL Rootkit样本和释放器一枚，VT 0 报毒

本帖子中包含更多资源