TrojanSpy.Python.CYBERVOLK.THLOIBD
February 18, 2025
Alias:
Generic.PY.STEALER.B.BE167CE5 (BITDEFENDER)
Platform:
Windows
Overall risk rating:
Damage potential:
Distribution potential:
Reported infection:
Information exposure:


Malware type:
Trojan Spy
Destructive?:
No
Encrypted?:
No
In the Wild:
Yes
Overview
Infection channel: Downloaded from the Internet, Dropped by other malware
This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Technical Details
File size: 65,691 bytes
File type: PY
Memory resident: No
Initial samples received date: December 7, 2024
Payload: Collects system information, Connects to URLs/IPs, Steals information, Terminates processes
Arrival Details
This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Process Termination
This Trojan Spy terminates the following processes if found running in the affected system's memory:
- http toolkit.exe
- httpdebuggerui.exe
- wireshark.exe
- fiddler.exe
- charles.exe
- regedit.exe
- cmd.exe
- taskmgr.exe
- vboxservice.exe
- df5serv.exe
- processhacker.exe
- vboxtray.exe
- vmtoolsd.exe
- vmwaretray.exe
- ida64.exe
- ollydbg.exe
- pestudio.exe
- vmwareuser
- vgauthservice.exe
- vmacthlp.exe
- x96dbg.exe
- vmsrvc.exe
- x32dbg.exe
- vmusrvc.exe
- prl_cc.exe
- prl_tools.exe
- qemu-ga.exe
- joeboxcontrol.exe
- ksdumperclient.exe
- ksdumper.exe
- joeboxserver.exe
- xenservice.exe
Information Theft
This Trojan Spy gathers the following data:
- System info
- Username
- PC Name
- OS version
- IP Address
- MAC Address
- HWID
- CPU
- GPU
- RAM
- Roblox Information
- Browser Cookies
- Passwords
- Files
- Zips
Other Details
This Trojan Spy connects to the following URL to get the affected system's IP address:
- https://{BLOCKED}ip.com
It terminates itself if the returned IP address is any of the following (the list includes the literal value None, so a lookup that returns no address also triggers self-termination):
- None
- {BLOCKED}.{BLOCKED}.{BLOCKED}.71
- {BLOCKED}.{BLOCKED}.{BLOCKED}.50
- {BLOCKED}.{BLOCKED}.{BLOCKED}.173
- {BLOCKED}.{BLOCKED}.{BLOCKED}.169
- {BLOCKED}.{BLOCKED}.{BLOCKED}.12
- {BLOCKED}.{BLOCKED}.{BLOCKED}.160
- {BLOCKED}.{BLOCKED}.{BLOCKED}.160
- {BLOCKED}.{BLOCKED}.{BLOCKED}.222
- {BLOCKED}.{BLOCKED}.{BLOCKED}.116
- {BLOCKED}.{BLOCKED}.{BLOCKED}.68
- {BLOCKED}.{BLOCKED}.{BLOCKED}.199
- {BLOCKED}.{BLOCKED}.{BLOCKED}.33
- {BLOCKED}.{BLOCKED}.{BLOCKED}.90
- {BLOCKED}.{BLOCKED}.{BLOCKED}.174
- {BLOCKED}.{BLOCKED}.{BLOCKED}.90
- {BLOCKED}.{BLOCKED}.{BLOCKED}.169
- {BLOCKED}.{BLOCKED}.{BLOCKED}.114
- {BLOCKED}.{BLOCKED}.{BLOCKED}.151
- {BLOCKED}.{BLOCKED}.{BLOCKED}.59
- {BLOCKED}.{BLOCKED}.{BLOCKED}.234
- {BLOCKED}.{BLOCKED}.{BLOCKED}.162
- {BLOCKED}.{BLOCKED}.{BLOCKED}.220
- {BLOCKED}.{BLOCKED}.{BLOCKED}.173
- {BLOCKED}.{BLOCKED}.{BLOCKED}.91
- {BLOCKED}.{BLOCKED}.{BLOCKED}.241
- {BLOCKED}.{BLOCKED}.{BLOCKED}.92
- {BLOCKED}.{BLOCKED}.{BLOCKED}.50
- {BLOCKED}.{BLOCKED}.{BLOCKED}.91
- {BLOCKED}.{BLOCKED}.{BLOCKED}.209
- {BLOCKED}.{BLOCKED}.{BLOCKED}.103
- {BLOCKED}.{BLOCKED}.{BLOCKED}.203
- {BLOCKED}.{BLOCKED}.{BLOCKED}.105
- {BLOCKED}.{BLOCKED}.{BLOCKED}.100
- {BLOCKED}.{BLOCKED}.{BLOCKED}.144
- {BLOCKED}.{BLOCKED}.{BLOCKED}.130
- {BLOCKED}.{BLOCKED}.{BLOCKED}.143
- {BLOCKED}.{BLOCKED}.{BLOCKED}.241
- {BLOCKED}.{BLOCKED}.{BLOCKED}.25
- {BLOCKED}.{BLOCKED}.{BLOCKED}.70
- {BLOCKED}.{BLOCKED}.{BLOCKED}.113
- {BLOCKED}.{BLOCKED}.{BLOCKED}.45
- {BLOCKED}.{BLOCKED}.{BLOCKED}.24
- {BLOCKED}.{BLOCKED}.{BLOCKED}.62
- {BLOCKED}.{BLOCKED}.{BLOCKED}.238
- {BLOCKED}.{BLOCKED}.{BLOCKED}.13
- {BLOCKED}.{BLOCKED}.{BLOCKED}.97
- {BLOCKED}.{BLOCKED}.{BLOCKED}.170
- {BLOCKED}.{BLOCKED}.{BLOCKED}.46
- {BLOCKED}.{BLOCKED}.{BLOCKED}.227
- {BLOCKED}.{BLOCKED}.{BLOCKED}.23
- {BLOCKED}.{BLOCKED}.{BLOCKED}.74
- {BLOCKED}.{BLOCKED}.{BLOCKED}.12
- {BLOCKED}.{BLOCKED}.{BLOCKED}.213
- {BLOCKED}.{BLOCKED}.{BLOCKED}.228
- {BLOCKED}.{BLOCKED}.{BLOCKED}.167
- {BLOCKED}.{BLOCKED}.{BLOCKED}.201
- {BLOCKED}.{BLOCKED}.{BLOCKED}.58
- {BLOCKED}.{BLOCKED}.{BLOCKED}.27
- {BLOCKED}.{BLOCKED}.{BLOCKED}.3
- {BLOCKED}.{BLOCKED}.{BLOCKED}.107
- {BLOCKED}.{BLOCKED}.{BLOCKED}.22
- {BLOCKED}.{BLOCKED}.{BLOCKED}.152
It does the following:
- It terminates itself if the system's MAC address is any of the following:
- 00:03:47:63:8b:de
- 00:0c:29:05:d8:6e
- 00:0c:29:2c:c1:21
- 00:0c:29:52:52:50
- 00:0d:3a:d2:4f:1f
- 00:15:5d:00:00:1d
- 00:15:5d:00:00:a4
- 00:15:5d:00:00:b3
- 00:15:5d:00:00:c3
- 00:15:5d:00:00:f3
- 00:15:5d:00:01:81
- 00:15:5d:00:02:26
- 00:15:5d:00:05:8d
- 00:15:5d:00:05:d5
- 00:15:5d:00:06:43
- 00:15:5d:00:07:34
- 00:15:5d:00:1a:b9
- 00:15:5d:00:1c:9a
- 00:15:5d:13:66:ca
- 00:15:5d:13:6d:0c
- 00:15:5d:1e:01:c8
- 00:15:5d:23:4c:a3
- 00:15:5d:23:4c:ad
- 00:15:5d:b6:e0:cc
- 00:1b:21:13:15:20
- 00:1b:21:13:21:26
- 00:1b:21:13:26:44
- 00:1b:21:13:32:20
- 00:1b:21:13:32:51
- 00:1b:21:13:33:55
- 00:23:cd:ff:94:f0
- 00:25:90:36:65:0c
- 00:25:90:36:65:38
- 00:25:90:36:f0:3b
- 00:25:90:65:39:e4
- 00:50:56:97:a1:f8
- 00:50:56:97:ec:f2
- 00:50:56:97:f6:c8
- 00:50:56:a0:06:8d
- 00:50:56:a0:38:06
- 00:50:56:a0:39:18
- 00:50:56:a0:45:03
- 00:50:56:a0:59:10
- 00:50:56:a0:61:aa
- 00:50:56:a0:6d:86
- 00:50:56:a0:84:88
- 00:50:56:a0:af:75
- 00:50:56:a0:cd:a8
- 00:50:56:a0:d0:fa
- 00:50:56:a0:d7:38
- 00:50:56:a0:dd:00
- 00:50:56:ae:5d:ea
- 00:50:56:ae:6f:54
- 00:50:56:ae:b2:b0
- 00:50:56:ae:e5:d5
- 00:50:56:b3:05:b4
- 00:50:56:b3:09:9e
- 00:50:56:b3:14:59
- 00:50:56:b3:21:29
- 00:50:56:b3:38:68
- 00:50:56:b3:38:88
- 00:50:56:b3:3b:a6
- 00:50:56:b3:42:33
- 00:50:56:b3:4c:bf
- 00:50:56:b3:50:de
- 00:50:56:b3:91:c8
- 00:50:56:b3:94:cb
- 00:50:56:b3:9e:9e
- 00:50:56:b3:a9:36
- 00:50:56:b3:d0:a7
- 00:50:56:b3:dd:03
- 00:50:56:b3:ea:ee
- 00:50:56:b3:ee:e1
- 00:50:56:b3:f6:57
- 00:50:56:b3:fa:23
- 00:e0:4c:42:c7:cb
- 00:e0:4c:44:76:54
- 00:e0:4c:46:cf:01
- 00:e0:4c:4b:4a:40
- 00:e0:4c:56:42:97
- 00:e0:4c:7b:7b:86
- 00:e0:4c:94:1f:20
- 00:e0:4c:b3:5a:2a
- 00:e0:4c:b8:7a:58
- 00:e0:4c:cb:62:08
- 00:e0:4c:d6:86:77
- 06:75:91:59:3e:02
- 08:00:27:3a:28:73
- 08:00:27:45:13:10
- 12:1b:9e:3c:a6:2c
- 12:8a:5c:2a:65:d1
- 12:f8:87:ab:13:ec
- 16:ef:22:04:af:76
- 1a:6c:62:60:3b:f4
- 1c:99:57:1c:ad:e4
- 1e:6c:34:93:68:64
- 2e:62:e8:47:14:49
- 2e:b8:24:4d:f7:de
- 32:11:4d:d0:4a:9e
- 3c:ec:ef:43:fe:de
- 3c:ec:ef:44:00:d0
- 3c:ec:ef:44:01:0c
- 3c:ec:ef:44:01:aa
- 3e:1c:a1:40:b7:5f
- 3e:53:81:b7:01:13
- 3e:c1:fd:f1:bf:71
- 42:01:0a:8a:00:22
- 42:01:0a:8a:00:33
- 42:01:0a:8e:00:22
- 42:01:0a:96:00:22
- 42:01:0a:96:00:33
- 42:85:07:f4:83:d0
- 4e:79:c0:d9:af:c3
- 4e:81:81:8e:22:4e
- 52:54:00:3b:78:24
- 52:54:00:8b:a6:08
- 52:54:00:a0:41:92
- 52:54:00:ab:de:59
- 52:54:00:b3:e4:71
- 56:b0:6f:ca:0a:e7
- 56:e8:92:2e:76:0d
- 5a:e2:a6:a4:44:db
- 5e:86:e4:3d:0d:f6
- 60:02:92:3d:f1:69
- 60:02:92:66:10:79
- 7e:05:a3:62:9c:4d
- 90:48:9a:9d:d5:24
- 92:4c:a8:23:fc:2e
- 94:de:80:de:1a:35
- 96:2b:e9:43:96:76
- a6:24:aa:ae:e6:12
- ac:1f:6b:d0:48:fe
- ac:1f:6b:d0:49:86
- ac:1f:6b:d0:4d:98
- ac:1f:6b:d0:4d:e4
- b4:2e:99:c3:08:3c
- b4:a9:5a:b1:c6:fd
- b6:ed:9d:27:f4:fa
- be:00:e5:c5:0c:e5
- c2:ee:af:fd:29:21
- c8:9f:1d:b6:58:e4
- ca:4d:4b:ca:18:cc
- d4:81:d7:87:05:ab
- d4:81:d7:ed:25:54
- d6:03:e4:ab:77:8e
- ea:02:75:3c:90:9f
- ea:f6:f1:a2:33:76
- f6:a5:41:31:b2:78
- It uses Discord webhooks to send the gathered information to the attacker's Discord server:
- https://{BLOCKED}d.com/api/webhooks/1287237539026964521/jdWLVmK-5mdL02JxBSiAhz6RS1MLDeaPn4DscYKq1s-g4j5EjnJVEqHlbYcZqL-F0kq1
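The webhook URL above is the sample's only exfiltration channel, and the numeric part of its path is a Discord snowflake, which encodes the moment the webhook was created. The script below is an added example for incident responders, not code from the advisory or from the sample: it decodes that timestamp and hunts a proxy log for POSTs to the Discord webhook API, the one network artifact every infected host produces. The proxy log lines are constructed, the log format (`time client method url status`) is an assumption, and the IP-lookup host is a placeholder because the advisory redacts the real one.

```python
"""Discord webhook triage: decode the webhook's creation time and hunt proxy logs.

Added example; not code from the advisory or the malware it describes.
"""
import re
from datetime import datetime, timezone

# Discord snowflake epoch: 2015-01-01T00:00:00Z, in milliseconds.
DISCORD_EPOCH_MS = 1_420_070_400_000

# Webhook path as used by the Discord API. The host is deliberately left open:
# samples use discord.com, discordapp.com, canary.discord.com and others.
WEBHOOK_RE = re.compile(r"/api/webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_\-]+)")

# Constructed proxy log lines (not from the advisory): "<utc time> <client> <method> <url> <status>".
# The IP-lookup host is a placeholder; the advisory redacts the real one.
SAMPLE_PROXY_LOG = [
    "2024-12-07T10:14:02Z 10.0.0.15 GET https://ip-lookup.invalid/ 200",
    "2024-12-07T10:14:03Z 10.0.0.15 POST https://discord.com/api/webhooks/1287237539026964521/REDACTED-TOKEN 204",
    "2024-12-07T10:20:11Z 10.0.0.22 GET https://discord.com/channels/@me 200",
    "2024-12-07T10:21:40Z 10.0.0.31 POST https://discordapp.com/api/webhooks/1298765432109876543/REDACTED-TOKEN 204",
]


def snowflake_time(snowflake):
    """UTC creation time encoded in a Discord snowflake (top 42 bits = ms since the Discord epoch)."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_webhook(url):
    """Return (webhook_id, token) for a Discord webhook URL, or None if the URL is not one."""
    m = WEBHOOK_RE.search(url)
    return (m.group("id"), m.group("token")) if m else None


def hunt_webhook_posts(lines):
    """Return one record per POST to a Discord webhook found in the proxy log lines."""
    hits = []
    for line in lines:
        try:
            ts, client, method, url, _status = line.split()
        except ValueError:
            continue  # malformed line: skip it rather than abort the hunt
        if method != "POST":
            continue
        parsed = parse_webhook(url)
        if parsed is None:
            continue
        webhook_id, _token = parsed  # never log the token; it is the webhook's credential
        hits.append({
            "time": ts,
            "client": client,
            "webhook_id": webhook_id,
            "created": snowflake_time(webhook_id).strftime("%Y-%m-%dT%H:%M:%SZ"),
        })
    return hits


if __name__ == "__main__":
    # Creation time of the webhook quoted in the advisory.
    print("webhook 1287237539026964521 created", snowflake_time(1287237539026964521).isoformat())
    for hit in hunt_webhook_posts(SAMPLE_PROXY_LOG):
        print(hit)
```

Running it dates the quoted webhook to 2024-09-22 UTC, roughly eleven weeks before the first sample was received, which gives a lower bound for when the attacker set up this channel. A host that POSTs to the webhook API seconds after querying an IP-lookup service matches the sample's own sequence of actions. The token that follows the ID in the URL is the only credential for the webhook, so treat the full URL as a secret when circulating indicators and share the webhook ID alone.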
It terminates itself if any of the following computer names are found on the affected system:
- Admin
- BEE7370C-8C0C-4
- DESKTOP-NAKFFMT
- WIN-5E07COS9ALR
- B30F0242-1C6A-4
- DESKTOP-VRSQLAG
- Q9IATRKPRH
- XC64ZB
- DESKTOP-D019GDM
- DESKTOP-WI8CLET
- SERVER1
- LISA-PC
- JOHN-PC
- DESKTOP-B0T93D6
- DESKTOP-1PYKP29
- DESKTOP-1Y2433R
- WILEYPC
- WORK
- 6C4E733F-C2D9-4
- RALPHS-PC
- DESKTOP-WG3MYJS
- DESKTOP-7XC6GEZ
- DESKTOP-5OV9S0O
- QarZhrdBpj
- ORELEEPC
- ARCHIBALDPC
- JULIA-PC
- d1bnJkfVlH
- WDAGUtilityAccount
- Abby
- patex
- RDhJ0CNFevzX
- kEecfMwgj
- Frank
- 8Nl0ColNQ5bq
- Lisa
- John
- george
- PxmdUOpVyx
- 8VizSM
- w0fjuOVmCcP5A
- lmVwjj9b
- PqONjHVwexsS
- 3u2v9m8
- Julia
- HEUeRzl
- fred
- server
- BvJChRPnsxn
- Harry Johnson
- SqgFOf3G
- Lucas
- mike
- PateX
- h7dk1xPr
- Louise
- User01
- test
- RGzcBUyrznReg
- OgJb6GqgK0O
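The IP-address, MAC-address and computer-name checks above are exact-match blocklists aimed at well-known sandboxes and analysis VMs. The script below is an added example for analysts preparing a detonation VM, not code from the advisory or from the sample: it collects the same attributes from the local host and reports which of the checks would make the sample exit. It carries only a subset of the advisory's MAC and name lists, and it assumes exact, case-sensitive comparison and that the name list is matched against the user name as well as the computer name, since entries such as WDAGUtilityAccount and Harry Johnson look like account names; the advisory itself only says computer names. The public IP check cannot be reproduced here because the advisory redacts those addresses.

```python
"""Sandbox fingerprint self-check against the sample's MAC and name blocklists.

Added example; not code from the advisory or the malware it describes.
"""
import getpass
import socket
import uuid

# Subsets of the exact MAC addresses and computer names quoted in the advisory.
# Extend them with the full lists from the page; the logic does not change.
BLOCKED_MACS = {
    "00:0c:29:05:d8:6e", "00:0c:29:2c:c1:21", "00:15:5d:00:00:1d",
    "08:00:27:3a:28:73", "52:54:00:3b:78:24", "00:50:56:a0:06:8d",
}
BLOCKED_NAMES = {
    "DESKTOP-NAKFFMT", "WIN-5E07COS9ALR", "JOHN-PC", "WDAGUtilityAccount",
    "server", "test", "User01", "Harry Johnson",
}
# Well-known hypervisor OUIs (IEEE assignments). The sample does not use these;
# it compares full addresses only. They are listed to show what a VM still reveals.
HYPERVISOR_OUIS = {
    "00:0c:29": "VMware", "00:50:56": "VMware", "00:15:5d": "Hyper-V",
    "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM",
}


def local_profile():
    """Collect the three attributes the sample checks from the machine this runs on."""
    node = uuid.getnode()  # 48-bit integer, most significant byte first
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    return {"hostname": socket.gethostname(), "username": getpass.getuser(), "mac": mac}


def evaluate(profile, macs=BLOCKED_MACS, names=BLOCKED_NAMES):
    """Return {"blocked": bool, "findings": [...]} for a host profile.

    Assumptions not stated in the advisory: comparisons are exact and
    case-sensitive, and the name list is matched against both the computer
    name and the user name.
    """
    findings, blocked = [], False
    mac = profile["mac"].lower()
    if mac in macs:
        blocked = True
        findings.append(f"MAC {mac} is on the exact-match blocklist")
    for key in ("hostname", "username"):
        if profile[key] in names:
            blocked = True
            findings.append(f"{key} {profile[key]!r} is on the blocklist")
    oui = mac[:8]
    if oui in HYPERVISOR_OUIS and mac not in macs:
        # A VM NIC with a non-listed address passes this sample's check even though
        # the OUI still gives the hypervisor away to any sample that checks prefixes.
        findings.append(f"note: OUI {oui} ({HYPERVISOR_OUIS[oui]}) is a VM prefix but not blocked")
    return {"blocked": blocked, "findings": findings}


if __name__ == "__main__":
    result = evaluate(local_profile())
    print("would the sample exit on this host?", "yes" if result["blocked"] else "no")
    for finding in result["findings"]:
        print(" -", finding)
```

Because the sample matches full addresses rather than OUIs, assigning the VM's NIC any address that is not on the list defeats the MAC check; the script flags that case separately so you know the hypervisor prefix is still visible to samples that check prefixes. The public IP check is the one to keep in mind during detonation: the sample exits when the lookup returns nothing, so a VM with no outbound route never shows the stealer behaviour at all.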
Solution
Minimum scan engine: 9.800
First VSAPI Pattern File: 19.766.04
First VSAPI pattern release date: December 9, 2024
VSAPI OPR pattern version: 19.767.00
VSAPI OPR pattern release date: December 10, 2024
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your AsiaInfo Security product and delete files detected as TrojanSpy.Python.CYBERVOLK.THLOIBD. If the detected files have already been cleaned, deleted, or quarantined by your AsiaInfo Security product, no further step is required. You may opt to simply delete the quarantined files. Please check the following AsiaInfo Security support page for more information: