样本测试 6X

显示全部楼层 · 发表于 5 小时前

火绒6.0，实际隔离4个。

显示全部楼层 · 发表于 5 小时前

北京地铁运营公司-基于自主定位和自主感知的信号备用系统研究项目举报函.exe

复制代码

检测到高危ip地址:
suspicious_request:
GET https://49.233.11.247/api/xxx
suspicious_features:
Connection to IP address

检测到不合理脚本:
Subsystem:
Windows command line
http2clienthttp2serverarchive/tartls10servercrypto/x509archive/zipClassHESIODkernel32.dll

ChrromSorMXi.exe

复制代码

针对杀毒软件的检测：
wmi:
SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = '360TRAY.EXE'

wmi:
SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'HIPSLOG.EXE'

wmi:
SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QQPCRTP.EXE'

wmi:
SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'HIPSDAEMON.EXE'

wmi:
SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'QQPCTRAY.EXE'

wmi:
SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'HIPSTRAY.EXE'

wmi:
SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'HIPSMAIN.EXE'

wmi:
SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'HUORONG.EXE'

添加文件到杀软白名单的iusb3mon远控恶意脚本：
pid:
1688

command_line:
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Administrator\AppData\Local\AppData\iusb3mon.exe' -Force"

显示全部楼层 · 发表于 4 小时前

红伞杀5个
瑞星杀4个
华为杀3个
SEP 杀4个

显示全部楼层 · 发表于 1 小时前

LingGao 发表于 2025-12-22 00:51
Microsoft Defender

ChrromSorMXi.exe - Trojan:Win32/Wacatac.H!ml

Microsoft 研究员分析结果：

todesk_yuanlcheng_x64.2.0.exe - Trojan:Win32/Malgent!MSR
rhfeghfwertnp.exe - Trojan:Win32/Malgent!MSR
hook.exe - 干净 Clean
fv47j.exe - Trojan:Win32/Malgent!MSR

显示全部楼层 · 发表于 24 分钟前

SESC静态检测清空

显示全部楼层 · 发表于 19 分钟前

LingGao 发表于 2025-12-22 15:00
Microsoft 研究员分析结果：

todesk_yuanlcheng_x64.2.0.exe - Trojan:Win32/Malgent!MSR

这已经到微软分析师的极限了吗，虽然这样本外层是有VMP加壳，内层的代码执行部分好像有VM虚拟化混淆、异常控制流混淆、不透明谓词混淆等等

不过嘛，提取了一下内层的内存转储，银狐的全局配置信息字符串还是能看到

虽然C2是127.0.0.1:6666 127.0.0.1:8888 127.0.0.1:80，看着像测试样本

让这“研究员”混蛋

[病毒样本] 样本测试 6X

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源