This post was last edited by UNknownOoo on 2024-3-25 23:51
火绒 (Huorong), advanced heuristics not enabled
Scan: signature 8x
- 扫描文件:11
- 发现风险:8
- 已处理风险:0
- 病毒详情:
- 风险路径:C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-02-AgentTesla-e626ed.vbs, 病毒名:HEUR:TrojanDownloader/VBS.NetLoader.e, 病毒ID:b1e6665d085b1c8d, 处理结果:暂不处理
- 风险路径:C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-10-LokiBot(GULoader)-a2e04a.exe >> [NSIS].nsi, 病毒名:Trojan/Injector.bge, 病毒ID:88af47f8315b0473, 处理结果:暂不处理
- 风险路径:C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-04-AgentTesla(PSEmbedd)-9d220f.exe, 病毒名:HEUR:TrojanDownloader/PS.NetLoader.e, 病毒ID:cbc712e426aec0fe, 处理结果:暂不处理
- 风险路径:C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-01-AgentTesla-1d7506.exe, 病毒名:TrojanSpy/MSIL.AgentTesla.mq, 病毒ID:d74520d1b2d3abdd, 处理结果:暂不处理
- 风险路径:C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-07-AgentTesla-471b96.exe, 病毒名:TrojanSpy/MSIL.AgentTesla.mq, 病毒ID:d74520d1b2d3abdd, 处理结果:暂不处理
- 风险路径:C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-05-AgentTesla-6237c5.exe, 病毒名:TrojanSpy/MSIL.AgentTesla.mq, 病毒ID:d74520d1b2d3abdd, 处理结果:暂不处理
- 风险路径:C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-06-AgentTesla-57e0e2.exe, 病毒名:TrojanSpy/MSIL.AgentTesla.mq, 病毒ID:d74520d1b2d3abdd, 处理结果:暂不处理
- 风险路径:C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-08-AgentTesla(AutoIt)-a244b9.exe, 病毒名:HVM:VirTool/Obfuscator.gen!A, 病毒ID:b27d4294cde6a1ec, 处理结果:暂不处理
Run: TS-240325-03-AgentTesla(GULoader)-e30776.exe
- 防护项目:隐藏执行PowerShell
- 执行文件:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
- 执行命令行:"powershell" -windowstyle hidden "$Nonadmissions=Get-Content 'C:\Users\Serendipity\AppData\Roaming\enomaniac\Fiskeeksporter\Lavningerne.All';$Adfrdsnormens=$Nonadmissions.SubString(57855,3);.$Adfrdsnormens($Nonadmissions)"
- 操作结果:已允许
- 病毒名称:Trojan/Injector.AC
- 病毒路径:C:\Users\Serendipity\Desktop\TurtleSUSP-240325\TS-240325-03-AgentTesla(GULoader)-e30776.exe
- 操作结果:已处理
TS-240325-09-BlankGrabber-4874df.exe - MISS
TS-240325-11-Remcos-e9482b.exe - memory signature 2x
But because of Huorong's odd memory protection mechanism (a memory detection does not block the process + system processes are not handled), the handling failed.
- 病毒名称:Trojan/MSIL.Injector.np
- 病毒ID:2EC8D38D93924346
- 虚拟地址:0x0000000076AD0000
- 映像大小:816KB
- 是否完整映像:否
- 数据流哈希:c4851ab5
- 操作结果:已处理
- 进程ID:3100
- 操作进程:C:\Users\Serendipity\Desktop\TurtleSUSP-240325\TS-240325-11-Remcos-e9482b.exe
- 病毒名称:Backdoor/Remcos.k
- 病毒ID:CA6D276341E73D30
- 虚拟地址:0x0000000000400000
- 映像大小:508KB
- 是否完整映像:否
- 数据流哈希:e1ae34da
- 操作结果:已处理
- 进程ID:8120
- 操作进程:C:\Program Files (x86)\Windows Mail\wab.exe
- 操作进程命令行:"C:\Program Files (x86)\Windows Mail\wab.exe"
- 父进程ID:3100
- 父进程:C:\Users\Serendipity\Desktop\TurtleSUSP-240325\TS-240325-11-Remcos-e9482b.exe
- 病毒详情:
- 风险路径:mem://5532-0xe7ca712d-0x400000-C:\Windows\System32\cmd.exe, 病毒名:Backdoor/Remcos.k, 病毒ID:ca6d276341e73d30, 处理结果:处理成功,进程已结束
- 风险路径:mem://8120-0xed8caa6d-0x400000-C:\Program Files (x86)\Windows Mail\wab.exe, 病毒名:Backdoor/Remcos.k, 病毒ID:ca6d276341e73d30, 处理结果:处理失败,SFC进程未处理
X-Sec
Scan: 8x
- ---------------------
- 2024/03/25 22:55:27 Threat Detected: C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-01-AgentTesla-1d7506.exe -- [rame-rdm.msil2] Malware.Obfus/MSIL@AI.89
- 2024/03/25 22:55:27 Threat Detected: C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-02-AgentTesla-e626ed.vbs -- [rame-cloud] Trojan.SAgent/VBS!8.132D5
- 2024/03/25 22:55:29 Threat Detected: C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-05-AgentTesla-6237c5.exe -- [rame-rdm.msil2] Malware.Obfus/MSIL@AI.80
- 2024/03/25 22:55:29 Threat Detected: C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-06-AgentTesla-57e0e2.exe -- [rame-rdm.msil2] Malware.Obfus/MSIL@AI.90
- 2024/03/25 22:55:30 Threat Detected: C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-07-AgentTesla-471b96.exe -- [rame-rdm.msil2] Malware.Obfus/MSIL@AI.89
- 2024/03/25 22:55:31 Threat Detected: C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-09-BlankGrabber-4874df.exe -- [rame-classic] Spyware.Agent/PYC!1.EA8F
- 2024/03/25 22:55:32 Threat Detected: C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-10-LokiBot(GULoader)-a2e04a.exe -- [rame-cloud] Trojan.Injector/NSIS!8.1294D
- 2024/03/25 22:55:32 Threat Detected: C:\Users\UnknownOoo\Downloads\Compressed\TurtleSUSP-240325\TS-240325-11-Remcos-e9482b.exe -- [rame-cloud] Trojan.Fsysna!8.5F2