传奇私-Fu WHQL RootKit 2X

显示全部楼层 · 发表于 2023-10-19 21:06:25

此处@ANY.LNK

显示全部楼层 · 发表于 2023-10-19 21:08:43

金山毒霸扫描miss

显示全部楼层 · 发表于 2023-10-19 22:15:01

WD扫描+运行miss

开启HVCI后，驱动成功加载，但无法启动。关闭后启动成功

显示全部楼层 · 发表于 2023-10-19 22:38:19

显示全部楼层 · 发表于 2023-10-20 10:13:22

喀反发表于 2023-10-19 22:15
WD扫描+运行miss

开启内核隔离无法加载VMP驱动。所以现在木马驱动有回到不加VMP得趋势，只不过增加了些加解密执行。

显示全部楼层 · 发表于 2023-10-20 11:30:46

小A扫描miss，驱动加载工具换了好多个，都被系统拦截，没法加载这两驱动

显示全部楼层 · 发表于 2023-10-20 11:35:35

crowdstrike miss

显示全部楼层 · 发表于 2023-10-20 12:22:59

905e8666887fdf2df2f3f6c5d675e7d6f815aff4d816488871206a6f83114af9 - Rootkit.Win32.Agent.gslf
a92ac0d0c26c3a4908e362d533fd7266fd7259ce35555502d9210a373a9a8876 - Rootkit.Win32.Agent.gsle
Thank you for your help.

显示全部楼层 · 发表于 2023-10-21 07:58:48

本帖最后由 wwwab 于 2023-10-21 10:40 编辑

Dear Wwwab,

Thank you for your submission.
The detection for this threat will be included in the next update of detection engine, expected version: 28105.

Regards,

ESET Malware Response Team

Dear Customer,

Thank you for submitting your sample to Fortinet. Based on our initial analysis, the samples contain malicious code and will be detected as following detection:

MD5:d44b35dfe68c13834969267e81d5e0a2 W64/Rootkit.AGENT!tr
MD5:e03fe7dd058139f6ae8e12333a6a1c59 W64/Rootkit.AGENT!tr

显示全部楼层 · 发表于 2023-10-21 10:42:02

117054487 发表于 2023-10-20 12:22
905e8666887fdf2df2f3f6c5d675e7d6f815aff4d816488871206a6f83114af9 - Rootkit.Win32.Agent.gslf
a92ac0d ...

卡巴斯基表示检测需要下个星期才能发布

Hello,

Detection for such samples require more testing than usual, so it should be published next week. We'll notify you when it will be published.

[病毒样本] 传奇私-Fu WHQL RootKit 2X

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源