Deep Analysis - CoolProject .NET Loader | Threat: HIGH

File Identity

SHA256: 2eac96249e00012e874d427c378cafae63f8ad2aac861121818ccfb4ccb19e90
Size: 929,280 bytes (907 KB); PE32+, GUI subsystem, x64, .NET
Entropy: 6.87 (normal range, i.e. not packed as a whole; an encrypted payload region can still sit inside)
DOS stub: suspicious (non-standard; the usual "This program cannot be run in DOS mode" stub is missing or altered, which points to rebuilt or patched headers)
TLS directory: present (anti-analysis; TLS callbacks run before the entry point, and an assembly produced by the C# compiler alone does not carry a TLS directory, so its presence indicates a native stub or post-build modification)

Developer PDB Paths

DEVELOPER: Windows account name "virtual", project folder "cool project lol" (both recovered from the PDB paths below)
D:\Users\virtual\Desktop\Malware\projects\cool project lol\Source\stub\loader\obj\Release\net48\Loader.pdb
D:\Users\virtual\Desktop\Malware\projects\cool project lol\Source\stub\loader_bootstrap\obj\Release\net48\LoaderBootstrap.pdb
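The two paths above come from CodeView (RSDS) debug records embedded in each assembly. The script below, an added example and not code from the sample or its author, scans a file for RSDS records and derives the same attribution fields the report uses (account name, project folder, build configuration, target framework). The SAMPLE byte string and the GUIDs in it are constructed here so the block runs offline; on a real file pass the file's bytes to extract_pdb_paths().

```python
r"""Recover CodeView (RSDS) PDB paths from a PE by byte scanning and derive the
attribution fields this report uses (Windows username, project folder, build
configuration, target framework).

Added example, not code from the analysed sample. SAMPLE below is constructed:
two fake RSDS records wrapping the two PDB paths from this report, separated
by padding. On a real file call extract_pdb_paths(open(p, "rb").read()).
"""
import re
import struct
import uuid

# CodeView record: b"RSDS", 16-byte GUID (little-endian field layout), 4-byte
# age, NUL-terminated path. Scanning for the magic instead of walking the debug
# directory still works when headers are damaged, at the cost of a possible
# false hit on an unrelated "RSDS" byte sequence.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{4,512})\x00", re.DOTALL)


def extract_pdb_paths(data: bytes) -> list:
    """Return every RSDS record in data as {"guid", "age", "path"}."""
    out = []
    for m in RSDS_RE.finditer(data):
        out.append({
            "guid": str(uuid.UUID(bytes_le=m.group(1))),
            "age": struct.unpack("<I", m.group(2))[0],
            "path": m.group(3).decode("ascii"),
        })
    return out


def attribute(path: str) -> dict:
    r"""Pull username, project folder, build config and TFM out of a Windows PDB
    path shaped like D:\Users\<user>\...\projects\<project>\...\obj\<config>\<tfm>\X.pdb.
    Fields that are not present come back as None."""
    parts = path.split("\\")
    low = [p.lower() for p in parts]

    def after(marker: str, n: int = 1):
        # component n places after the first occurrence of marker, if any
        if marker in low:
            i = low.index(marker) + n
            if i < len(parts):
                return parts[i]
        return None

    return {
        "user": after("users"),
        "project": after("projects"),
        "config": after("obj", 1),
        "tfm": after("obj", 2),
        "pdb": parts[-1],
    }


# The two PDB paths reported for this sample.
PDB_LOADER = (r"D:\Users\virtual\Desktop\Malware\projects\cool project lol"
              r"\Source\stub\loader\obj\Release\net48\Loader.pdb")
PDB_BOOTSTRAP = (r"D:\Users\virtual\Desktop\Malware\projects\cool project lol"
                 r"\Source\stub\loader_bootstrap\obj\Release\net48\LoaderBootstrap.pdb")


def fake_rsds(path: str, guid: str, age: int = 1) -> bytes:
    """Constructed RSDS record; the GUID is made up, not the sample's."""
    return (b"RSDS" + uuid.UUID(guid).bytes_le + struct.pack("<I", age)
            + path.encode("ascii") + b"\x00")


# Constructed stand-in for the file: MZ header bytes, two RSDS records, padding.
SAMPLE = (b"MZ" + b"\x00" * 62
          + fake_rsds(PDB_LOADER, "11111111-2222-3333-4444-555555555555")
          + b"\xcc" * 32
          + fake_rsds(PDB_BOOTSTRAP, "66666666-7777-8888-9999-aaaaaaaaaaaa", age=3))


if __name__ == "__main__":
    for rec in extract_pdb_paths(SAMPLE):
        print(rec["path"])
        print("   ", attribute(rec["path"]))
```

Two records in one file, as here, is itself a finding: it means two separately built assemblies (the bootstrap and the loader) were merged or embedded, which matches the two-stage design the rest of this report describes.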

Loader Techniques

"[*] Injected benign GUI resource" (extracted as "...resourceMZ"; the trailing "MZ" is most likely the adjacent PE-signature string fused by string extraction)
  -> Injects a decoy graphical resource into the malicious PE
  -> Aimed at evading AV/EDR heuristics that score a file on its resource section

"Bootstrap" string
  -> Matches LoaderBootstrap.pdb (two-stage loader)

System.IO.MemoryMappedFiles
  -> Loading shellcode or a PE through a memory-mapped region

System.Security.Cryptography
  -> Payload is stored encrypted and decrypted at run time
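The file-identity block and the technique list above are all header-level and string-level observations, so they can be reproduced without running the sample. The script below is an added example, not code from the sample or any project: it parses the DOS, COFF and optional headers to report format, machine, subsystem, CLR header, TLS directory and DOS-stub state, computes Shannon entropy, and searches for the namespace and log strings this report associates with the loader. .NET type and namespace names sit in the #Strings heap as UTF-8, while user strings such as log messages sit in #US as UTF-16LE, so both encodings are checked. The PE produced by build_sample_pe() is constructed here (headers only, no section table) so the block runs offline.

```python
"""Header and string triage of a PE, reproducing the checks in this report's
file-identity block. Added example; not the sample's or any project's code.
The image built by build_sample_pe() is constructed for the demo. On a real
file use triage(open(path, "rb").read()).
"""
import math
import random
import struct

DOS_STUB_MSG = b"This program cannot be run in DOS mode"
# UTF-8 names live in the .NET #Strings heap, user strings in #US as UTF-16LE.
WATCH_STRINGS = ["System.IO.MemoryMappedFiles", "System.Security.Cryptography",
                 "Injected benign GUI resource", "Bootstrap"]
DD_TLS, DD_CLR = 9, 14  # data directory indices: TLS table, CLR runtime header


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_headers(data: bytes) -> dict:
    """Read the fields the report's file-identity block is built from."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    plus = magic == 0x20B                     # PE32+ has 8-byte ImageBase and stack/heap fields
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + (108 if plus else 92))[0]
    dd_off = opt + (112 if plus else 96)
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(min(ndirs, 16))]

    def present(i):
        return i < len(dirs) and dirs[i][0] != 0 and dirs[i][1] != 0

    return {
        "format": "PE32+" if plus else "PE32",
        "machine": {0x8664: "x64", 0x14C: "x86"}.get(machine, hex(machine)),
        "subsystem": {2: "GUI", 3: "CUI"}.get(subsystem, str(subsystem)),
        "is_dotnet": present(DD_CLR),
        "has_tls": present(DD_TLS),
        # Real stubs begin with 16-bit code; the message is the practical marker.
        "dos_stub_standard": DOS_STUB_MSG in data[0x40:e_lfanew],
    }


def triage(data: bytes) -> dict:
    info = parse_headers(data)
    info["entropy"] = round(shannon_entropy(data), 2)
    info["strings"] = [s for s in WATCH_STRINGS
                       if s.encode() in data or s.encode("utf-16-le") in data]
    flags = []
    if info["has_tls"]:
        flags.append("TLS directory (callbacks run before the entry point; C# compiler output has none)")
    if not info["dos_stub_standard"]:
        flags.append("non-standard DOS stub (rebuilt or patched headers)")
    if info["entropy"] > 7.2:
        flags.append("high entropy (packed or mostly encrypted)")
    info["flags"] = flags
    return info


def build_sample_pe(tls: bool, standard_stub: bool, body: bytes) -> bytes:
    """Constructed PE32+ x64 GUI managed image: DOS header, stub, COFF header,
    optional header with 16 data directories, then `body` in place of sections."""
    stub = DOS_STUB_MSG + b".\r\n$" if standard_stub else b"\x90" * 42
    e_lfanew = 0x40 + len(stub)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0x200, 0x200, 0, 0x2000, 0x2000, 0x140000000,
                      0x2000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x4000, 0x200, 0,
                      2, 0x8560, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DD_CLR] = (0x2008, 72)
    if tls:
        dirs[DD_TLS] = (0x3000, 40)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + stub + b"PE\x00\x00" + coff + opt + body


def sample_body(seed: int = 7) -> bytes:
    """Constructed section content: UTF-8 metadata names, one UTF-16LE user
    string, and 2 KiB of pseudo-random bytes standing in for an encrypted payload."""
    rng = random.Random(seed)
    blob = bytes(rng.getrandbits(8) for _ in range(2048))
    return (b"System.IO.MemoryMappedFiles\x00System.Security.Cryptography\x00"
            + "[*] Injected benign GUI resource".encode("utf-16-le") + b"\x00\x00"
            + b"LoaderBootstrap\x00" + blob)


if __name__ == "__main__":
    for k, v in triage(build_sample_pe(True, False, sample_body())).items():
        print(f"{k:>18}: {v}")
```

The whole-file entropy is only a coarse signal: a 907 KB assembly can sit at 6.87 overall while the embedded payload region is near 8.0, so a per-section or sliding-window entropy over the same bytes is the check to run next on the real file.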

Architecture

2eac9624 is a two-stage .NET loader (Loader + Bootstrap). The first stage (LoaderBootstrap) prepares the target process and sets up the environment in which the decrypted payload will run. The second stage (Loader) executes the real payload (probably a RAT or a miner) from a memory-mapped region. The "Injected benign GUI resource" technique adds a decoy graphical resource so that the file passes static AV scanning.

IOC

SHA256: 2eac96249e00012e874d427c378cafae63f8ad2aac861121818ccfb4ccb19e90
Developer: virtual (D:\Users\virtual\)
Project: cool project lol
Technique: Injected benign GUI resource (AV evasion)
Architecture: Loader + Bootstrap two-stage .NET
Payload: MemoryMappedFiles + AES-encrypted loader (AES inferred from the System.Security.Cryptography reference; the algorithm is not confirmed here)

CoolProjectLoader — Malware Profile

Two-stage .NET loader built by the developer using the account name virtual. PDB path: D:\Users\virtual\Desktop\Malware\projects\cool project lol. First stage LoaderBootstrap, second stage Loader. Injects a decoy GUI resource into the malicious PE ("Injected benign GUI resource") to evade AV scanning. Uses System.IO.MemoryMappedFiles for memory mapping.

Malware Type
Loader
Programming Language
C#/.NET
C2 Protocol
custom
Target Systems
Global

Capabilities & Behavior

Payload download
Process injection
Modular architecture
Credential theft
Lateral movement
Persistence
Anti-VM/Sandbox
Secondary payload delivery

IOC List (1 indicator)

IOC — CoolProjectLoader
# SHA256 2eac96249e00012e874d427c378cafae63f8ad2aac861121818ccfb4ccb19e90
Type    Value                                                              Note
sha256  2eac96249e00012e874d427c378cafae63f8ad2aac861121818ccfb4ccb19e90  -
Tags
cool-project-lol-malware-loader, virtual-developer-desktop-malware-projects, injected-benign-gui-resource-av-bypass, loaderbootstrap-two-stage-dotnet, system-io-memorymappedfiles-shellcode-load, system-security-cryptography-payload, suspicious-dos-stub-tls-anti-analysis, net48-release-x64-loader-stub, two-stage-loader-bootstrap-architecture, av-evasion-fake-gui-resource-injection