Views: 1180 | Replies: 10

[Virus sample] Silver Fox (银狐) & XAgent trojans, 2X

guess就是我
Posted on 2025-3-25 01:25:05
Avast cleaned them all.

LSPLDD
Posted on 2025-3-25 02:14:47
Last edited by LSPLDD on 2025-3-25 02:41

ESET on double-click: 2X
Kaspersky: still waiting...

Nocria
Posted on 2025-3-25 06:38:06
Last edited by Nocria on 2025-3-25 06:42

XAgent木马.msi (the XAgent trojan sample)

银狐.msi (the Silver Fox sample)

心醉咖啡
Posted on 2025-3-25 07:34:27
Huorong (火绒)

truetime
Posted on 2025-3-25 10:18:46
TES MISS
Huorong (火绒) KILL
X-SEC KILL

1094947421
Posted on 2025-3-25 12:40:44

This post contains attachments only (login required to view).
chx818
Posted on 2025-3-25 19:28:21
Last edited by chx818 on 2025-3-25 19:37

Elastic blocks some things after the MSI finishes installing, but I don't know whether it actually stopped it; it's the same for both files.

Attack Discovery based on Grok2:
Summary
Two high-risk Memory Threat Prevention Alert: Shellcode Injection incidents detected on desktop-c2asff2 involving uc.exe and user chx818.

Details
On desktop-c2asff2, a Windows machine running version 21H2, two high-risk alerts were triggered at 2025-03-25T11:26:35.835Z and 2025-03-25T11:25:35.076Z respectively. Both alerts were related to a Memory Threat Prevention Alert: Shellcode Injection detected by Elastic Defend. The process involved was uc.exe from C:\Program Files (x86)\Mancyag\Google AI Browser v1.4.1\uc.exe, which is signed by Shanghai Yiyi Digital Technology Co., Ltd and considered trusted. The parent process was msiexec.exe from C:\Windows\SysWOW64\msiexec.exe, indicating that the malicious activity might have been initiated through a software installation or update mechanism. The user involved in both incidents was chx818 on the domain DESKTOP-C2ASFF2.

Initial Compromise: The attack likely began with the exploitation of a vulnerability in a software installation process, possibly through a malicious update or installation package. The use of msiexec.exe suggests an attempt to install or execute something under the guise of a legitimate Windows process.
Shellcode Injection: The uc.exe process, part of the Google AI Browser, was used to inject shellcode into memory. This technique is often used to evade detection and execute malicious code directly in memory, bypassing traditional file-based security measures.
Persistence and Escalation: The medium integrity level of the process suggests that the attacker might be attempting to escalate privileges or ensure persistence on the system.
Attribution: While no direct attribution to a known threat group can be made from the available data, the use of shellcode injection and trusted software manipulation is a common tactic among advanced persistent threat (APT) groups.

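Added example for this thread (not code from chx818's post, from Elastic, or from any vendor): a small Python triage script that reads alert records shaped like the Attack Discovery summary above and groups memory-protection alerts whose direct parent is msiexec.exe, per host and executable, so the two uc.exe alerts a minute apart surface as one finding. The ECS-style field names (host.name, rule.name, process.*, process.parent.*, process.code_signature.*), the 300-second correlation window and the three JSON sample lines are all assumptions or constructed data, not telemetry from the thread; the signer-trust flag is reported but deliberately not used to suppress the finding, because the sample in the post was signed and still tripped the memory protection.

```python
"""Triage helper for Elastic Defend memory-threat alerts spawned from msiexec.exe.

Added example for this thread; it is not code from chx818's post, from Elastic,
or from any vendor. The record layout (host.name, rule.name, process.*,
process.parent.*, process.code_signature.*) is an assumed ECS-style shape, and
the JSON lines below are constructed to resemble the values quoted in the
Attack Discovery summary, not real telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (JSON lines). The first two mirror the post's uc.exe
# alerts; the third is a control record whose parent is explorer.exe, not the
# Windows Installer service, so it must not be grouped. Vendor/path in the third
# record are placeholders.
SAMPLE_ALERTS = r"""
{"@timestamp":"2025-03-25T11:25:35.076Z","host":{"name":"desktop-c2asff2"},"rule":{"name":"Memory Threat Prevention Alert: Shellcode Injection"},"user":{"name":"chx818"},"process":{"name":"uc.exe","executable":"C:\\Program Files (x86)\\Mancyag\\Google AI Browser v1.4.1\\uc.exe","code_signature":{"trusted":true,"subject_name":"Shanghai Yiyi Digital Technology Co., Ltd"},"parent":{"name":"msiexec.exe","executable":"C:\\Windows\\SysWOW64\\msiexec.exe"}}}
{"@timestamp":"2025-03-25T11:26:35.835Z","host":{"name":"desktop-c2asff2"},"rule":{"name":"Memory Threat Prevention Alert: Shellcode Injection"},"user":{"name":"chx818"},"process":{"name":"uc.exe","executable":"C:\\Program Files (x86)\\Mancyag\\Google AI Browser v1.4.1\\uc.exe","code_signature":{"trusted":true,"subject_name":"Shanghai Yiyi Digital Technology Co., Ltd"},"parent":{"name":"msiexec.exe","executable":"C:\\Windows\\SysWOW64\\msiexec.exe"}}}
{"@timestamp":"2025-03-25T12:00:00.000Z","host":{"name":"desktop-c2asff2"},"rule":{"name":"Memory Threat Prevention Alert: Shellcode Injection"},"user":{"name":"chx818"},"process":{"name":"browser.exe","executable":"C:\\Program Files\\ExampleVendor\\browser.exe","code_signature":{"trusted":true,"subject_name":"Example Vendor (placeholder)"},"parent":{"name":"explorer.exe","executable":"C:\\Windows\\explorer.exe"}}}
"""


def parse_alerts(text: str) -> list:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(alert: dict) -> datetime:
    # Elastic writes UTC with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(alert["@timestamp"].replace("Z", "+00:00"))


def is_installer_spawned_injection(alert: dict) -> bool:
    """Memory-protection alert whose direct parent is the Windows Installer service."""
    rule = alert.get("rule", {}).get("name", "").lower()
    parent = alert.get("process", {}).get("parent", {}).get("name", "").lower()
    return "shellcode injection" in rule and parent == "msiexec.exe"


def triage(alerts: list, window_seconds: int = 300) -> list:
    """Group matching alerts per (host, executable) and summarise each group.

    A trusted code signature is reported but never used to drop a finding:
    signer trust is context for the analyst, not a clean verdict.
    """
    groups = defaultdict(list)
    for alert in alerts:
        if is_installer_spawned_injection(alert):
            key = (alert["host"]["name"], alert["process"]["executable"])
            groups[key].append(alert)

    findings = []
    for (host, exe), hits in groups.items():
        times = sorted(_ts(h) for h in hits)
        span = (times[-1] - times[0]).total_seconds()
        sig = hits[0]["process"].get("code_signature", {})
        findings.append({
            "host": host,
            "executable": exe,
            "parent": hits[0]["process"]["parent"]["executable"],
            "users": sorted({h.get("user", {}).get("name", "?") for h in hits}),
            "alert_count": len(hits),
            "span_seconds": round(span, 3),
            "signed_trusted": bool(sig.get("trusted")),
            "signer": sig.get("subject_name"),
            # Two or more hits inside the window: the installer child re-triggered
            # memory protection, which is worth a look even if the first was blocked.
            "repeated_within_window": len(hits) > 1 and span <= window_seconds,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_alerts(SAMPLE_ALERTS)):
        print(json.dumps(finding, indent=2))
```

Run it as-is to see the single grouped finding for uc.exe; to use it against real exports, feed `parse_alerts` an ndjson export of alerts and adjust the field paths to whatever your index actually carries.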
吃瓜群众第123位
Posted on 2025-3-25 19:48:54
FSP KILL ALL

biue
Posted on 2025-3-25 23:13:18
Last edited by biue on 2025-3-25 23:15

Tencent PC Manager (腾讯电脑管家) 2X


Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4 (沪ICP备2020031077号-2), GMT+8, 2025-5-9 09:35

All software, samples, tools and articles published on KaFan are for learning and research only and must not be used for commercial or other illegal purposes; anyone who does so bears all resulting consequences. Information on this site comes from the Internet and copyright disputes are unrelated to this site; you must completely delete the above material from your computer within 24 hours of downloading. If you have any questions, please contact us by e-mail.
