It's the second of the second lunar month today, so let's drag out Brother Three's (the Indian crews') trojans and sacrifice them to the heavens

admin · 2024-03-13 17:02:28 · 4 comments · 15,584 characters · 51 min 56 s read

An image to open with; the main text follows.

Brother Three's trojans were plenty active in China last year. After a month of burning electricity, the author has finally loaded every sample collected from the web last year into the database. The variants and their hashes are listed below; use them freely, no thanks needed.

The grouping comes from homology (similarity) correlation analysis, so there may be minor errors.

Trojan-Spy.Win32.APT-Patchwork.kr

[hash list missing from this copy]

Trojan.Win32.HangOver.oN

[hash list missing from this copy]

Trojan.Win32.HangOver.yh

[hash list missing from this copy]

Trojan-Spy.Win32.APT-Patchwork.nK

[hash list missing from this copy]

Malware.Win32.APT-Patchwork.zm

9cc0d13fe3f0196d63e11f35480a1f01c82fdd5dd36fcc1560d987b588371f8e8da3f87aeb1463fb5b513ecbd71e908c08f7ead1513bb921c9cdee334a370866b19ef8ab9beb6cd1ff5da7f96c84930924f22d1391377249f21bfec81c3ea031c0a53e093be2c2cc2ed6145da8aa123f49e8bb0025b8e149c4cdf658ff6a65357f11ec3504cb4564ffadfae4807a1dcc43b020e78d7e361deff5aee8572a8e22fc72fd37515ae66e0e01538b200532c041f83c83a9ae8d5558d2823cb00b4842af8979c31b5656ebfe82a68b2581256e3dfcaf660bc44ef3858ecb8685ec4f4dd69ebd83636d9110d1e5c15c587531ec77bed210299f6d834c35e676ef557b950e11b640253554595acdb7bfbf786b3164f19c5776baaea96e1bfb0a0671afbd9ef3dac0b10b3a9f30e3833aac9c09c8ad9c7c4bc74455eb5fd858019fb9aa8c7edab76693800fd1617ba23c7a6aad880f47459581f6cd0e1766f1f436922ea58e634f6981ad0aeea9d8365162d2cefef0e4ca2583c95856370b4d779b27e25534d534435579279a80a9caebd08bfedf8eac188d2818dd22b857b9cffac50c126d692826793356a4083f3fc1b9d1cf166bc80227468c9eb692d2438774a292c0c4f1247cc0b5ed8adb94a51030eb473a749c7b656eb765ed2c3e118a809c1a8311faa5da47a1f27de963e72631aaddd21785f20ad4883fee549f0aec5d20aaca06b399d8bb5c5aeb4a04eda934ee819f022894817bc575b94e1919eb1890f873b02a522948cbf1e3c7efe874b47530a63a89f05c09425f03fe74b2242b119cceb7e63d3294ec10994b9a31237f23cb80561f4c6e84f4921a84c75fd849172e158172e9dcb3b0673cd673780f1024d07f5be0033c7838602fd014ffc90fc5af3d395e93a669414952f1c0bc6ecc4d6a9a0c0eb91f318da38e6684bd5250f68378413d6930e304cf248568049a3382018a8f9b63d93cd11598aecd3a3602547e8f31f024443a4e9767292404de20c5fe1f48847d66f9fb659edc7666ec3ca707da3c6819d61255f4f8f6f0adc6ddcd06cfbac7765a22eac877cac2b72a6e9e991e5b95e0949fe2a7bb62e1cefae40e7de5

Trojan.Win32.HangOver.Ny

2c338e8c3e5f28707739e05f7fb28ef91487d1dc13314bf0431792b37ec67e2d21aef1e6f22205edf261a08932728ab0931bbc925f3547aabedb4449d4cbcbd87e74334c1495a3f6e195ce590c7d42e5892cc671440a3abc394ce0d79fc30c6d649eb3db4159411ee6ec0d849274a8257fd31bf24537a50a0057dbd4781d26512c96c9eabb7a0adf8d361e144a40ffe024874938f44d34af71c91c011a5ebc451ce331f0d11dc20a776759a60fb5b3f5761acc13816a6840bb5f52fb43df45b1ce75da2bc60d9113c61638036f2255b8

Malware.Win32.APT-Patchwork.vd

[hash list missing from this copy]

Trojan.Win32.HangOver.wX

8e42b9586f95d5cfe9f3fca435cb46a2a8caf03b50c424e9639580cdcc28507b9e60d7b0154949ebca8edd579db439493a0f8a86c7a13714c3fdd5e86dfb3df596c0f2e8bd66759ea74fecc8843a8981

Trojan-Spy.Win32.APT-Bitter.rM

ab1e44c1c094a914739adbe027d1c3ffaa85374020dae10c11b6b6022495bc366a4fd2cc3b585959d821f33aeb57d52cca1e610418c6fa7437e29d37d2477028da1dfcafc961abbd4e6d6fa22c02ce16

Malware.Win32.APT-Patchwork.zf

e3cf3b1d2a695b9b5046692a607c8b3009947ba52932d10d3c859511a6d31e8fe37f420f2c1d7ad862a6643585fd7ebfd67418ddd0df67b3f77581ebde2df269cff2e20f9ec8e4cda4957ec3136bb9f9cf33eff89f54c07e98e43c4c90813e080f98b7d1e113e5194d62bc8f20720a6b0b38f87841ed347cc2a5ffa510a1c8f64d348c8a88dd1ef4c135bc8a1c117ed03fc11cd60c9e2bb29efe560e485abab98487320cec6a5bbc669b5a57cf0e9be6e992dfc3dedcf5e66b661dbc26fe932c300dbb020f1c0d19c5edfe718316a081

Trojan.Win32.Bahamut.LO

4f9ef6f18e4c641621f4581a5989284cb1d3ca3d6f4a743c3dd292c59afdb5e86c2a682f495d13d44a40c8568074a8f552f09063a9771a4952611945c8db081a

Malware.Win32.APT-Bitter.d

8d42c01180be7588a2a68ad96dd0cf852f24b6ffca6c456895d21b2cfe2d761ee29e4d0bb7200f34b55e8e417d7187a55fb3f028542a2e61313d64d8e8f87c01227c0d4cfad228b0421f3c04bfed9a283001b45beae1eb4e40d312db0a09df9825689fc7581840e851c3140aa8c3ac8bf9aeac76f92f8b2ddc253b3f53248c1d

Trojan-Spy.Win32.APT-Bitter.nd

c3930d827ce30acfd408719df434142d47ba3f4b507b89c6e15904108fbb4a4256c0287f062fa598debc17f6b54dbd408469818911776b1e4c17d32ab5f146f7d58e6f93bd1eb81eacc965d53070924671e1cfb5e5a515cea2c3537b78325abf

Other HangOver

8233f0fe1d708b71cf60a099264a45cab049b9f383c59925ad34e44ee384f1412729de09c88071bb71b55be98801e2c01be309eb99298c128b97649dcc7c9ad61c528591d28efbd485927a053bc8646377373d579ac6479adf7140340abeb66701adea2d3707a343f5a6d149565c7ec5

Other Donot

4e9586b4a05076fbfc7d9bc2e3d5b35f6fa44990b3328de8479e2cf8fd419f8043a909814aa5467cb45f8e59ed2fd3b020c581284cccadd8b6193c2e1c84a9001e606b8a3c288f988152456af206ff72d5166aa339e25f3f7f9d1d7a186650bcd4d0fc82312c60b6084ccab7245530a95557b32672ee9ad6be20395d447a3e52c231254ced08ca556bf35e587469628fcd97a53fc8071e00625b4d9bc4ef5c4a

The remainder are basically single-sample entries (MD5, source id, detection name):

3452b13832585c2cf9dcb5fdb4ac3fc3 2 Malware.Win32.APT-Bitter.b
498de056b0b7abe54664fee0b556d110 4 Trojan.Win32.HangOver.nk
498de056b0b7abe54664fee0b556d110 6 Trojan.Win32.HangOver.UB
8a2fe62b8f2e88d1c2483f3667b1d6e0 4 Trojan.Win32.HangOver.nk
8a2fe62b8f2e88d1c2483f3667b1d6e0 6 Trojan.Win32.HangOver.UB
8deb21a2325a9c9b0e188fa32b918ee0 4 Trojan.Win32.HangOver.2y
8deb21a2325a9c9b0e188fa32b918ee0 6 Trojan.Win32.HangOver.2y
25a16b0fca9acd71450e02a341064c8d 4 Trojan-Spy.Win32.APT-Bitter.vC
25a16b0fca9acd71450e02a341064c8d 6 Trojan-Spy.Win32.APT-Bitter.vC
46ef2c0db107b794516dc2b2622e44ad 2 Malware.Win32.APT-Bitter.b
fae370b6b9c28699d2a1abf61ca8ad9f 6 Trojan-Spy.Win32.APT-Bitter.Db
fae370b6b9c28699d2a1abf61ca8ad9f 7 Trojan-Spy.Win32.APT-Bitter.Db
fae370b6b9c28699d2a1abf61ca8ad9f 8 Trojan-Spy.Win32.APT-Bitter.Db
0e3282467dd99f3ceeb911cb1e8aaf5f 6 Trojan-Spy.Win32.APT-Patchwork.FX
0f0e3dc18b12c7f8b1b03c73c842212c 6 Trojan-Spy.Win32.APT-Patchwork.FX
f3bbb20cd518d2a8269924ce65748c1a 4 Trojan-Downloader.Win32.HangOver.ft
f3bbb20cd518d2a8269924ce65748c1a 6 Trojan-Downloader.Win32.HangOver.MR
4abe3fae79903395a65a95c8af3738eb 6 Trojan-Spy.Win32.APT-Patchwork.FX
4a06163a8e7b8eeae835ca87c1ab6784 6 Trojan-Spy.Win32.APT-Patchwork.FX
5dbafaefa3e6c9e9fe82d79a4daa6cb6 2 Malware.Win32.APT-Bitter.e
becaadab0eff510a938313c131dbc1ba 6 Trojan-Spy.Win32.APT-Patchwork.nd
4870de0cad3c841327990fd9b7513328 6 Trojan-Spy.Win32.APT-Patchwork.nd
ae3efd0de76e7b82752f520a5778a9b1 4 Trojan-Spy.Win32.APT-Patchwork.Mk
ae3efd0de76e7b82752f520a5778a9b1 6 Trojan-Spy.Win32.APT-Patchwork.Mk
4d61fdee289f19d768d218f491ae04ee 2 Malware.Win32.APT-Bitter.b
4d61fdee289f19d768d218f491ae04ee 10 APT_ArtraDownloader2_Aug19_1
39f637b48a50a2b25ed318346ecd17d0 6 Trojan.Win32.Cryptagent.yB
39f637b48a50a2b25ed318346ecd17d0 7 Trojan.Win32.Cryptagent.yB
532345089619a1881176588a587d3cf1 6 Trojan-Spy.Win32.APT-Bitter.wg
bd054c4f43808ef37352f36129bf0c3d 6 Trojan-Spy.Win32.APT-Bitter.wg
06a7eccd74a6aa5aa12755cd48829f90 6 Trojan-Spy.Win32.APT-Bitter.wg
17ca049d206a0273e267ba9490cbf243 4 Trojan.Win32.Confucius.k0
736ab06b46a01781a7af4f4a44ea57da 4 Trojan-Spy.Win32.APT-Patchwork.kQ
fa6ed1ba9789fa14b64195fd3cee06b3 6 Trojan-Spy.Win32.APT-Patchwork.YR
ce788e585db4d417b92d8bdb345468e5 4 Trojan.Win32.Confucius.Fb
ce788e585db4d417b92d8bdb345468e5 6 Trojan.Win32.Confucius.Fb
8dda6f85f06b5952beaabbfea9e28cdd 2 Malware.Win32.APT-Bitter.g
1c2a3aa370660b3ac2bf0f41c342373b 2 Malware.Win32.APT-Bitter.e
c3f5add704f2c540f3dd345f853e2d84 2 Malware.Win32.APT-Bitter.g
f9781e07f25215a815045941b2d27624 6 Trojan-Spy.Win32.APT-Patchwork.Lp
c856ea7c61787e140350281edd9a8d03 4 Trojan-Downloader.Win32.HangOver.ft
c856ea7c61787e140350281edd9a8d03 6 Trojan-Downloader.Win32.HangOver.MR
e51c94e0c018f17bab48711592df4274 6 Trojan-Spy.Win32.APT-Patchwork.aw
ff9d14b83f358a7a5be77af45a10d5a2 6 Trojan.MSIL.Sidewinder.hh
06ba10a49c8cea32a51f0bbe8f5073f1 4 Trojan-Downloader.Win32.HangOver.ft
06ba10a49c8cea32a51f0bbe8f5073f1 6 Trojan-Downloader.Win32.HangOver.MR
52f09063a9771a4952611945c8db081a 4 Trojan.Win32.Bahamut.Bl
549fed3d2dd640155697def39f7ab819 6 Trojan-Spy.Win32.APT-Patchwork.kQ
b1d3ca3d6f4a743c3dd292c59afdb5e8 4 Trojan.Win32.Bahamut.Bl
7ac57d10a3e4a46576368ee883edae46 6 Trojan-Spy.Win32.APT-Bitter.kt
a39aa2ecbbb50c97727503e23ce7b8c6 2 Malware.Win32.APT-Bitter.n
a39aa2ecbbb50c97727503e23ce7b8c6 10 Bitter_b
6e4b4eb701f3410ebfb5925db32b25dc 4 Trojan-Spy.Win32.APT-Bitter.bk
6e4b4eb701f3410ebfb5925db32b25dc 6 Trojan-Spy.Win32.APT-Bitter.bk
6e4b4eb701f3410ebfb5925db32b25dc 7 Trojan-Spy.Win32.APT-Bitter.bk
986f8e182124956f0062bc9720ede7a9 6 Trojan-Spy.Win32.APT-Bitter.pW
fd37560c80f934919f8f4592708045f3 4 Trojan-Spy.Win32.APT-Bitter.kt
fd37560c80f934919f8f4592708045f3 6 Trojan-Spy.Win32.APT-Bitter.kt
fd37560c80f934919f8f4592708045f3 7 Trojan-Spy.Win32.APT-Bitter.kt
6a374c356b9dc65c63e83750c5eb30ff 2 Malware.Win32.APT-Bitter.b
c65ec525f6c7738e75404ef734fef4d4 6 Trojan-Spy.Win32.APT-Bitter.fJ
52deef43b9a1e88d9cf305aa9cdf5204 4 Trojan-Spy.Win32.APT-Patchwork.aw
52deef43b9a1e88d9cf305aa9cdf5204 6 Trojan-Spy.Win32.APT-Patchwork.aw
35639088a2406aa9e22fa8c03e989983 4 Trojan-Spy.Win32.APT-Bitter.fJ
35639088a2406aa9e22fa8c03e989983 6 Trojan-Spy.Win32.APT-Bitter.fJ
35639088a2406aa9e22fa8c03e989983 7 Trojan-Spy.Win32.APT-Bitter.fJ
16f560b7bdb02ba106d60874a7db7200 4 Trojan-Spy.Win32.APT-Patchwork.aw
5bb083f686c1d9aba9cd6334a997c20e 4 Trojan-Spy.Win32.APT-HangOver.kt
eecee405c8c2536778131ba44dfb3987 4 Trojan-Spy.Win32.APT-Patchwork.Bn
eecee405c8c2536778131ba44dfb3987 6 Trojan-Spy.Win32.APT-Patchwork.Bn
4264d0854441c68c2fc8de85a3df26d0 6 Trojan.Win32.Cryptagent.e0
4264d0854441c68c2fc8de85a3df26d0 7 Trojan.Win32.Cryptagent.e0
38e91adac9a33b3ebb6a0fc54c4f893b 6 Trojan.Win32.HangOver.cM
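The hash runs under each detection name above are MD5 digests whose line breaks were lost when the post was copied, so each run is a string whose length is a multiple of 32 hex characters. That can be checked against the page itself: the Trojan.Win32.Bahamut.LO run splits into four MD5s, and two of them (b1d3ca3d… and 52f09063…) reappear in the single-sample table under Trojan.Win32.Bahamut.Bl. The script below is an added example, not code from the post or from 锐眼安全实验室: it splits the runs (rejecting any run that is not a clean multiple of 32 hex chars rather than mis-slicing it), parses the single-sample table, flags hashes that carry more than one detection name, and emits a YARA rule that matches on MD5 through the standard `hash` module. The embedded input is the Bahamut excerpt copied from this page; the parser assumes every detection-name line is followed by its hash run, which is not true of the blocks whose lists are missing above.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Excerpt copied from the post: the Trojan.Win32.Bahamut.LO block, whose hash
# run lost its line breaks, plus two rows of the single-sample table.
FAMILY_SECTION = """Trojan.Win32.Bahamut.LO

4f9ef6f18e4c641621f4581a5989284cb1d3ca3d6f4a743c3dd292c59afdb5e86c2a682f495d13d44a40c8568074a8f552f09063a9771a4952611945c8db081a
"""
SINGLE_TABLE = """52f09063a9771a4952611945c8db081a 4 Trojan.Win32.Bahamut.Bl
b1d3ca3d6f4a743c3dd292c59afdb5e8 4 Trojan.Win32.Bahamut.Bl
"""

MD5_RE = re.compile(r"[0-9a-f]{32}")


def split_hash_run(run: str) -> list[str]:
    """Cut a run of concatenated lowercase-hex MD5 digests into 32-char pieces.
    A run whose length is not a multiple of 32, or that contains non-hex
    characters, is rejected rather than silently mis-split."""
    run = run.strip().lower()
    if len(run) % 32 != 0 or not re.fullmatch(r"[0-9a-f]*", run):
        raise ValueError(f"not a clean run of MD5 digests (len={len(run)})")
    return [run[i:i + 32] for i in range(0, len(run), 32)]


def parse_family_section(text: str) -> dict[str, list[str]]:
    """Read 'detection name' / 'hash run' pairs into {name: [md5, ...]}.
    Blank lines are ignored, so the page's label-blank-run layout parses."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    families: dict[str, list[str]] = {}
    for label, run in zip(lines[0::2], lines[1::2]):
        families[label] = split_hash_run(run)
    return families


def parse_single_table(text: str) -> list[tuple[str, int, str]]:
    """Read 'md5 <source-id> detection-name' rows; skip anything malformed."""
    rows: list[tuple[str, int, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and MD5_RE.fullmatch(parts[0].lower()):
            rows.append((parts[0].lower(), int(parts[1]), parts[2]))
    return rows


def build_index(families: dict[str, list[str]],
                rows: list[tuple[str, int, str]]) -> dict[str, set[str]]:
    """md5 -> every detection name the post attaches to it."""
    index: dict[str, set[str]] = defaultdict(set)
    for label, hashes in families.items():
        for h in hashes:
            index[h].add(label)
    for h, _source_id, label in rows:
        index[h].add(label)
    return dict(index)


def conflicting_labels(index: dict[str, set[str]]) -> dict[str, set[str]]:
    """Hashes that appear under two names (family run vs. singles table);
    worth a second look before the names are used for attribution."""
    return {h: names for h, names in index.items() if len(names) > 1}


def to_yara_hash_rule(rule_name: str, hashes) -> str:
    """Emit a YARA rule that matches files by MD5 via the 'hash' module."""
    conds = " or\n        ".join(
        f'hash.md5(0, filesize) == "{h}"' for h in sorted(set(hashes)))
    return (f'import "hash"\n\nrule {rule_name}\n{{\n'
            f'    condition:\n        {conds}\n}}\n')


if __name__ == "__main__":
    families = parse_family_section(FAMILY_SECTION)
    rows = parse_single_table(SINGLE_TABLE)
    index = build_index(families, rows)
    for h, names in sorted(conflicting_labels(index).items()):
        print(f"{h}  labelled as: {', '.join(sorted(names))}")
    print(to_yara_hash_rule("IND_APT_md5_blocklist", index))
```

Run it as-is and it reports the two Bahamut hashes that carry both the .LO and .Bl names, then prints a hash-module rule covering all four digests. A hash-match rule like this is only as good as the exact bytes it was built from, so keep the split strict: one dropped or doubled character in a run shifts every later digest, which is why `split_hash_run` refuses odd-length input instead of guessing.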

================= divider =================

While I'm at it, here is one I just picked up.

The compile timestamp is fairly recent. It is a downloader that runs on Windows 10 (systems older than Win10 apparently lack the curl command): it decrypts the domain, concatenates the download URL, then downloads and executes a PDF and the trojan EXE.

[screenshots of the downloader not reproduced]

Judging by its compile path, the downloaded trojan EXE looks like a new one. On VT it was uploaded on the 8th of this month, and it still looks like this now:

[VT screenshots not reproduced]

Since an analysis environment would still have to be set up, I'm not going to analyze it; see the VT results for details.

[VT result screenshots not reproduced]

Yara

rule APT_SideWinder_C
{
    meta:
        description = "SideWinder GROUP"
        author = "virk"
        thread_level = 10
        in_the_wild = true
    strings:
        // $a / $b: fixed code byte sequences; $c: wildcarded (??) sequence
        $a = { 8B 55 F4 8B 45 F0 01 D0 8B 4D F4 8B 55 08 01 CA 0F B6 12 83 EA 03 88 10 83 45 F4 01 8B 55 F4 8B 45 08 01 D0 0F B6 00 84 C0 75 D5 }
        $b = { C7 44 24 1C 00 00 00 00 C7 44 24 18 00 00 00 00 C7 44 24 14 00 00 00 08 C7 44 24 10 00 00 00 00 C7 44 24 0C 00 00 00 00 C7 44 24 08 00 00 00 00 }
        $c = { 04 0C 34 73 88 ?? ?? ?? 8B ?? ?? ?? 04 0D 34 41 }
    condition:
        // 0x5A4D == "MZ": only consider PE files
        (uint16(0) == 0x5A4D) and (($a and $b) or $c)
}

Originally published on the WeChat official account 锐眼安全实验室 (Sharp Eye Security Lab): It's the second of the second lunar month today, so let's drag out Brother Three's trojans and sacrifice them to the heavens

Please keep this link when reposting (CN-SEC中文网; thanks to the original author for their hard work): https://cn-sec.com/archives/2565567.html
