Deep Analysis - AutoIT Compiled FTP Injector | Threat: MEDIUM
File Identity
| SHA256 | 4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b |
|---|---|
| Size | 985,600 bytes, PE32 x86, Delphi+AutoIT, entropy 6.67, 8 sections |
| Language | AutoIT 3 compiled script (Borland Delphi PE wrapper) |
AutoIT Identification
AUTOIT: Malware written in the AutoIT 3 scripting language and compiled as an .exe!
>>>AUTOIT NO CMDEXECUTE<<< <- AutoIT /nocmdexecute compilation
avsupport@autoitscript.com <- from the AutoIT manifest

AutoIT error messages:
 "Can not redeclare a constant"
 "Can not initialize a variable with itself"
 "Recursion level has been exceeded - AutoIt will quit"
 These come from the compiled AutoIT runtime.
FTP + HTTP Capabilities
FTP:
 FtpOpenFileW / FtpGetFileSize
 FTPSETPROXY <- FTP proxy setting

HTTP:
 InternetConnectW / HTTPSETUSERAGENT

Process Injection:
 VirtualAllocEx / WriteProcessMemory <- write to memory

Process Creation:
 CreateProcessW / CreateProcessWithLogonW
 CreateProcessAsUserW <- start a process as another user
 LogonUserW / LoadUserProfileW <- user authentication
Other Capabilities
WoW64 Manipulation:
 Wow64DisableWow64FsRedirection <- disable WoW64 file-system redirection
 Wow64RevertWow64FsRedirection <- revert

Token Manipulation:
 AdjustTokenPrivileges / OpenProcessToken / DuplicateTokenEx
 CheckTokenMembership / GetTokenInformation

Network:
 WNetCancelConnection2W <- close network connection
 WSOCK32.dll
IOC
| SHA256 | 4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b |
|---|---|
| Language | AutoIT 3 compiled (Delphi wrapper) |
| FTP | FtpOpenFileW, FtpGetFileSize, FTPSETPROXY |
| Injection | VirtualAllocEx + WriteProcessMemory |
| Token | AdjustTokenPrivileges, DuplicateTokenEx |
AutoITMalware — Malware Profile
Malware written in the AutoIT 3 scripting language and compiled as an .exe with a Delphi wrapper. FTP upload capability (FtpOpenFileW), process injection (VirtualAllocEx+WriteProcessMemory), user authentication (LogonUserW), WoW64 bypass techniques.
Malware Type
Loader
Programming Language
AutoIT
C2 Protocol
custom
Target Systems
Global
Capabilities & Behavior
Payload Download
Process Injection
Modular Architecture
Credential Theft
Lateral Movement
Persistence
Anti-VM/Sandbox
Secondary Payload Delivery
IOC List (1 indicator)
IOC — AutoITMalware
| Type | Value | Note |
|---|---|---|
| sha256 | 4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b | |