银狐木马 2X

显示全部楼层 · 发表于 2024-8-21 22:34:15

本帖最后由 Loyisa 于 2024-8-21 22:39 编辑

Avira 扫描miss all

[2024-08-21 22:38:11.173] [info] [OndemandScan] [thread id: 6536] License date: 2024-08-01T00:00:00Z
[2024-08-21 22:38:11.246] [info] [OndemandScan] [thread id: 6536] OnDemand is running in full mode until expiration (2026-12-15T00:00:00Z)
[2024-08-21 22:38:11.261] [info] [OndemandScan] [thread id: 6536] Ondemand version: 1.0.2408.1628
[2024-08-21 22:38:11.262] [info] [OndemandScan] [thread id: 6536] Ondemand rdf version: 1.0.2408.1628
[2024-08-21 22:38:11.489] [info] [RealTimeProtection] [thread id: 6940] [Mitigation] Host file needed no mitigation.
[2024-08-21 22:38:11.642] [info] [OndemandScan] [thread id: 6536] Scan of paths {C:\Users\konsolas\Desktop\银狐木马 2X\c23bb995b83a2650d841cac3eb00b5e3;C:\Users\konsolas\Desktop\银狐木马 2X\d31ed537abf2f11a344e308692666e4e} started.
[2024-08-21 22:38:11.661] [info] [Core] [thread id: 1800] [CoreLoader] loading core sdk plugin C:\Program Files\Avira\Endpoint Protection SDK\coresdk\apcscanner2.dll
[2024-08-21 22:38:11.697] [info] [Core] [thread id: 1800] [CoreLoader] Plugin C:\Program Files\Avira\Endpoint Protection SDK\coresdk\apcscanner2.dll license status: enabled
[2024-08-21 22:38:11.712] [info] [Core] [thread id: 1800] [ProtectionCloud] [apcsdk] Cache file 'C:\Program Files\Avira\Endpoint Protection SDK\coresdk\temp-epp\avcp_apc2_cache.dat' was not found
[2024-08-21 22:38:11.712] [info] [Core] [thread id: 1800] [ProtectionCloud] [apcsdk] Setting the proxy server '' with the certificate path ''
[2024-08-21 22:38:12.436] [info] [BaseScan] [thread id: 1800] [ProtectionCloud] The file '\\?\C:\Users\konsolas\Desktop\银狐木马 2X\c23bb995b83a2650d841cac3eb00b5e3\swzx2024_setup.exe' was unknown in the Protection Cloud. SHA256: '0c4ade0e611add848e83b76bd67dc193f86bfbf69663373869dc17d0a59f0db8' Requestor: 'OnDemandScan' Flags: '{Upload needed}' Status: successful
[2024-08-21 22:38:12.592] [info] [BaseScan] [thread id: 1340] [ProtectionCloud] The file '\\?\C:\Users\konsolas\Desktop\银狐木马 2X\d31ed537abf2f11a344e308692666e4e\240821_setup.exe' was unknown in the Protection Cloud. SHA256: 'ef2553292d18848cd95617e5cf266fa1c206094146718052c4f3acbdd918c8b5' Requestor: 'OnDemandScan' Flags: '{Upload needed}' Status: successful
[2024-08-21 22:38:12.605] [info] [BaseScan] [thread id: 1800] [ProtectionCloud] The file '\\?\C:\Users\konsolas\Desktop\银狐木马 2X\c23bb995b83a2650d841cac3eb00b5e3\swzx2024_setup.exe' has been uploaded to the Protection Cloud and analyzed. SHA256: '0c4ade0e611add848e83b76bd67dc193f86bfbf69663373869dc17d0a59f0db8' Requestor: 'OnDemandScan' Flags: '' Status: successful
[2024-08-21 22:38:12.605] [info] [BaseScan] [thread id: 1800] [ProtectionCloud] The file '\\?\C:\Users\konsolas\Desktop\银狐木马 2X\c23bb995b83a2650d841cac3eb00b5e3\swzx2024_setup.exe' was scanned with the Protection Cloud. SHA256: '0c4ade0e611add848e83b76bd67dc193f86bfbf69663373869dc17d0a59f0db8' Requestor: 'OnDemandScan' Flags: '' Status: successful
[2024-08-21 22:38:12.809] [info] [BaseScan] [thread id: 1340] [ProtectionCloud] The file '\\?\C:\Users\konsolas\Desktop\银狐木马 2X\d31ed537abf2f11a344e308692666e4e\240821_setup.exe' has been uploaded to the Protection Cloud and analyzed. SHA256: 'ef2553292d18848cd95617e5cf266fa1c206094146718052c4f3acbdd918c8b5' Requestor: 'OnDemandScan' Flags: '' Status: successful
[2024-08-21 22:38:12.809] [info] [BaseScan] [thread id: 1340] [ProtectionCloud] The file '\\?\C:\Users\konsolas\Desktop\银狐木马 2X\d31ed537abf2f11a344e308692666e4e\240821_setup.exe' was scanned with the Protection Cloud. SHA256: 'ef2553292d18848cd95617e5cf266fa1c206094146718052c4f3acbdd918c8b5' Requestor: 'OnDemandScan' Flags: '' Status: successful
[2024-08-21 22:38:12.827] [info] [EndpointProtection] [thread id: 1340] [OnDemandSummary] Total amount of files to be scanned: 2
[2024-08-21 22:38:12.827] [info] [EndpointProtection] [thread id: 1340] [OnDemandSummary] Scanned files: 2
[2024-08-21 22:38:12.827] [info] [EndpointProtection] [thread id: 1340] [OnDemandSummary] Detected files: 0
[2024-08-21 22:38:12.827] [info] [EndpointProtection] [thread id: 1340] [OnDemandSummary] Scan end status: 2
[2024-08-21 22:38:12.828] [info] [OndemandScan] [thread id: 1340] Scan of paths {C:\Users\konsolas\Desktop\银狐木马 2X\c23bb995b83a2650d841cac3eb00b5e3;C:\Users\konsolas\Desktop\银狐木马 2X\d31ed537abf2f11a344e308692666e4e} finished in 1185 milliseconds.
[2024-08-21 22:38:12.828] [info] [OndemandScan] [thread id: 1340] Total amount of files to be scanned: 2. Scanned files: 2. Clean files: 2. Excluded files: 0. Detected files: 0. Repaired files: 0. Successful remediation: 0. Failed remediation: 0. Error scan files: 0

复制代码

显示全部楼层 · 发表于 2024-8-21 22:47:54

Loyisa 发表于 2024-8-21 22:32
这变异的也太快了

注入explorer->explorer注入dllhost->Windows\Temp下释放payload

都这样了PDM还不斩杀实在是出乎意料

显示全部楼层 · 发表于 2024-8-21 22:49:05

swizzer 发表于 2024-8-21 22:47
注入explorer->explorer注入dllhost->Windows\Temp下释放payload

都这样了PDM还不斩杀实在是出 ...

测蒙了，这几天双击一个PDM都没出来过

显示全部楼层 · 发表于 2024-8-21 22:49:18

swizzer 发表于 2024-8-21 22:47
注入explorer->explorer注入dllhost->Windows\Temp下释放payload

都这样了PDM还不斩杀实在是出 ...

这两三天的银狐差不多都是这样，也没什么变异，不过样本数量确实多（

显示全部楼层 · 发表于 2024-8-21 22:49:56

Loyisa 发表于 2024-8-21 22:49
测蒙了，这几天双击一个PDM都没出来过

这两三天的银狐，行为差不多都是一样的

显示全部楼层 · 发表于 2024-8-21 22:52:56

00006666 发表于 2024-8-21 22:49
这两三天的银狐，行为差不多都是一样的

主防还是没有动作令人感叹

显示全部楼层 · 发表于 2024-8-21 22:55:04

金山毒霸依然全漏

显示全部楼层 · 发表于 2024-8-21 23:12:49

00006666 发表于 2024-8-21 22:49
这两三天的银狐差不多都是这样，也没什么变异，不过样本数量确实多（

但是PDM的拦截并不稳定。而且注入explorer的手法也不太一样，有些是直接修改内存，有些会走Direct Syscall注入，还有些是重复加载ntdll后拆钩注入（

显示全部楼层 · 发表于 2024-8-21 23:48:08

Symantec

显示全部楼层 · 发表于 2024-8-22 07:16:46

swizzer 发表于 2024-8-21 23:12
但是PDM的拦截并不稳定。而且注入explorer的手法也不太一样，有些是直接修改内存，有些会走Direct Syscal ...

都是银狐老套路了，他们家的样本这几个月都在用这些绕EDR技术

[病毒样本] 银狐木马 2X

评分

本帖子中包含更多资源

浏览过的版块