Deep Analysis - AutoIT Compiled FTP Injector | Threat: MEDIUM

File Identity

SHA256    4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b
Size      985,600 bytes, PE32 x86 Delphi+AutoIT, entropy 6.67, 8 sections
Language  AutoIT 3 compiled script (Borland Delphi PE wrapper)

AutoIT Identification

AUTOIT: Malware written in the AutoIT 3 scripting language and compiled as an .exe!
>>>AUTOIT NO CMDEXECUTE<<<  <- AutoIT /nocmdexecute compilation
avsupport@autoitscript.com  <- from the AutoIT manifest

AutoIT error messages:
  "Can not redeclare a constant"
  "Can not initialize a variable with itself"
  "Recursion level has been exceeded - AutoIt will quit"
  These come from inside the compiled AutoIT runtime

FTP + HTTP Capabilities

FTP:
  FtpOpenFileW / FtpGetFileSize
  FTPSETPROXY    <- FTP proxy setting

HTTP:
  InternetConnectW / HTTPSETUSERAGENT

Process Injection:
  VirtualAllocEx / WriteProcessMemory <- write to remote process memory

Process Creation:
  CreateProcessW / CreateProcessWithLogonW
  CreateProcessAsUserW <- start a process as another user
  LogonUserW / LoadUserProfileW <- authenticate user credentials

Other Capabilities

WoW64 Manipulation:
  Wow64DisableWow64FsRedirection <- disable WoW64 file system redirection
  Wow64RevertWow64FsRedirection  <- revert it

Token Manipulation:
  AdjustTokenPrivileges / OpenProcessToken / DuplicateTokenEx
  CheckTokenMembership / GetTokenInformation

Network:
  WNetCancelConnection2W <- close a network connection
  WSOCK32.dll

IOC

SHA256     4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b
Language   AutoIT 3 compiled (Delphi wrapper)
FTP        FtpOpenFileW, FtpGetFileSize, FTPSETPROXY
Injection  VirtualAllocEx + WriteProcessMemory
Token      AdjustTokenPrivileges, DuplicateTokenEx

AutoITMalware — Malware Profile

Malware written in the AutoIT 3 scripting language and compiled to an .exe with a Delphi wrapper. FTP upload capability (FtpOpenFileW), process injection (VirtualAllocEx+WriteProcessMemory), user credential authentication (LogonUserW), WoW64 bypass techniques.

Malware Type
Loader
Programming Language
AutoIT
C2 Protocol
custom
Target Systems
Global

Capabilities & Behavior

Payload Download
Process Injection
Modular Architecture
Credential Theft
Lateral Movement
Persistence
Anti-VM/Sandbox
Secondary Payload Delivery

IOC List (1 indicator)

IOC — AutoITMalware
# SHA256 4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b
Type    Value                                                             Note
sha256  4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b
Tags
autoit3-compiled-malware-script, autoit-nocmdexecute-compile-flag, ftpopenfilew-ftpgetfilesize-ftp-capability, ftpsetproxy-proxy-ftp-upload, virtualalloc-writeprocessmemory-injection, createprocessasuserw-user-impersonation, logonuserw-credential-logon, loaduserprofilew-user-context, wow64disable-wow64revert-64bit-bypass, adjusttokenprivileges-duplikatetokenex, wnetcancelconnection2w-network-share, httpsetuseragent-http-capability