BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell

We break down the full infection chain of BBTok, a threat targeting Brazil, and show how to deobfuscate the loader DLL using PowerShell, Python and dnlib.

Source: G DATA Malware


[F1] DANFE10103128566164.ISO


[F2] danfe10103124952781.iso


[F3] DANFE10103122718132.ISO


[F4] DANFE10103121443891.ISO


[F5] Danfe10103128566164.pdf.lnk


[F6] DANFE10103128566144.EXE - legitimate MSBuild


[F7] DANFE10103128566164.XML


[F8] DANFE10103128566164.PDF - decoy document


[F9] DANFE10103128566164.zip


[F10] Danfe10103128566164.dll - trammy.dll


[F11] DANFE10103128566164.EXE.CONFIG - registers AppDomainManager


[F12] filea.tat - Zip archive


[F13] .NET DLL [F7]


[F14] Fake Explorer.exe - Delphi payload

[F15] searchlndexer.exe - ccproxy

[F16] wke.dll

[F17] Web.exe