{"id":"20260603-2248a71f-PE-Sora-SU","title":"PE-Sora-SU — Sora (.su TLD → 苏联关联)","md5":"46839a55602af9fb5ef1479e13ae1337","sha256":"2248a71fc8e91ca64eeb2c31f9104d237269dcccb4ed78f140e859eabae1cee2","family":"Sora (.su TLD → 苏联关联)","verdict":"malicious","lang":"Python","file_format":"PE32+","published_at":"2026-06-02T16:00:00.000Z","summary":"本样本是 Nuitka OneFile 模式编译的 Python 恶意代码，伪装为 OpenAI Sora AI 视频生成器。.rdata 段熵值达到理论最大值 8.00，载荷为 69.7 MB 的 zstd 压缩 Python 环境（标准库 + Pillow + 恶意代码）。代码签名证书为自签名 (CN: MicroFemboychik)，嵌入真实的 Sectigo 时间戳 CA 链以伪装合法性。QEMU 沙箱执行成功 — GUI 窗口弹出，iptables DROP 成功阻断 C2 外连（零数据包）。解压后 69.7 MB 载荷中未发现明文 C2 地址。⚠️ .su TLD / 苏联 标签来自威胁情报关联推断, 非二进制直接提取 — 详见 §3b C2 架构分析。","url":"https://zseceye.com/report/20260603-2248a71f-PE-Sora-SU","json_url":"https://zseceye.com/report/20260603-2248a71f-PE-Sora-SU.json","html_url":"https://zseceye.com/report/20260603-2248a71f-PE-Sora-SU","hash_urls":{"md5":"https://zseceye.com/hash/46839a55602af9fb5ef1479e13ae1337","sha256":"https://zseceye.com/hash/2248a71fc8e91ca64eeb2c31f9104d237269dcccb4ed78f140e859eabae1cee2"},"search_urls":{"md5":"https://zseceye.com/?q=46839a55602af9fb5ef1479e13ae1337","sha256":"https://zseceye.com/?q=2248a71fc8e91ca64eeb2c31f9104d237269dcccb4ed78f140e859eabae1cee2"},"sample_download_url":"https://zseceye.com/report/20260603-2248a71f-PE-Sora-SU/sample","sample_filename":"2248a71f.zip","iocs":[{"type":"ip","value":"192.168.122.0","description":"Referenced IP"},{"type":"ip","value":"192.168.122.1","description":"Referenced IP"},{"type":"md5","value":"46839a55602af9fb5ef1479e13ae1337","description":"Sample MD5"},{"type":"sha256","value":"2248a71fc8e91ca64eeb2c31f9104d237269dcccb4ed78f140e859eabae1cee2","description":"Sample SHA256"},{"type":"—","value":"无","description":"—"}],"ips":["192.168.122.0","192.168.122.1"]}