Norton: on execution, the IPS silently blocked it and the sample could not run.
- 类别: Norton Community Watch
- 日期和时间,风险,活动,状态,推荐的操作,更新日期,提交者,说明,提交详细信息
- 2023/9/26 9:25:49,信息,IPS 检测统计提交,已提交,不需要操作,2023/9/26 9:25:50,Norton 360,IPS 检测统计提交,"Signature ID: 12030 <br>Local or Remote Attacker: 2 <br>Remote Port: 2351 <br>Local Port: 50388 <br>Protocol: 6 <br>Signature Set Version: 20230922.064 <br>Application Name: \DEVICE\HARDDISKVOLUME7\WINDOWS\SYSTEM32\WSCRIPT.EXE <br>Offending URL: http://94.228.169.143:2351/vjikfjxb <br>Date Detected: Tue, 26 Sep 2023 01:25:49 GMT <br>Application File Checksum: CD3C1773CEF2611325FA884926090538 <br>Application File Information: 5.812.10240.16384 <br>Network Data <br>Sub-signature ID: 65539 <br>Signature Properties: 29714 <br>Referer URL: <br>Application File SHA256: 7478B567C9EC9A1E1061F9C6DB2993FCDC2EC4E8FB5CA6DA80FA307B54116E69 <br>Application File CreateTime: 0 <br>IPSSubmissionID: 61b70cb6-f018-11ee-bc41-806e6f6e6963 <br>Application File Reputation: 0 <br>Application File Prevalence: 0 <br>Forwarded For: <br>Process ancestors: C:\Program Files\Sandboxie-Plus\Start.exe|C:\Program Files\Sandboxie-Plus\SbieSvc.exe|C:\Windows\System32\services.exe|C:\Windows\System32\wininit.exe|C:\Windows\System32\smss.exe <br>Signature Response: 2 <br>Remote Address: 94.228.169.143 <br>Message Disposition: 1 <br> <br>OS-Country:86 <br>OS-Language:Chinese (Simplified) <br>Processor:Intel64 Family 6 Model 154 Stepping 3 <br>System:Windows 10 build 22631 <br>Platform-GUID:7AED9607-4327-4FC2-A26B-57C191E5EAE1 <br>Telem-ID:8DB3996B-FF8E-432E-BD29-B5938CB4F77C <br>HWID:9ED9E76C-0C69-A8D0-E74B-A574D2F49C81 <br>Hostname-MD5:C4B83ED3DC5E103A8B80FB8676C20896 <br>DateSubmitted:Tue, 26 Sep 2023 01:25:49 GMT <br>Product:Norton Security 22.23.8.4"