Deep Analysis - CurlHelper DLL (China-Linked) | Threat: MEDIUM

File Identity

SHA256: 5129d1d27201db762096d7798fc330e673a6cf1a6e562e57283758265edc9f6b
Size: 647,680 bytes, PE32 DLL x86, entropy 6.74, imagebase: suspicious
Internal name: Dll6.dll (nondescript name chosen to avoid detection)
Timestamp: future time (forged compile timestamp)

Custom HTTP DLL with Embedded libcurl

CURLHELPER: a custom DLL with libcurl 8.18.0 embedded. C2 communication with a unique User-Agent!
User-Agent: CurlHelper/1.0 (Windows)   <- unique UA signature!
CLIENT libcurl 8.18.0                   <- libcurl version string
auth=Bearer %s                          <- Bearer token authentication

Internal DLL export names:
  ??0TbcString@@QAE@ABV0@@Z   <- C++ TbcString class
  ??0TbcString@@QAE@PB_W@Z    <- TbcString constructors
  ??1TbcString@@QAE@XZ        <- TbcString destructor

Chinese Developer Connection

Test URLs (development artefacts):
  https://img-blog.csdnimg.cn/20240101000001.png  <- CSDN Chinese blog image!
  https://www.baidu.com                           <- Chinese search engine
  http://httpbin.org/headers
  http://httpbin.org/post                         <- HTTP test endpoint

CSDN = China Software Developer Network
20240101000001.png = image dated 2024-01-01 (location marker?)

Cryptographic Capabilities

CALG_RC4     <- RC4 cipher
CALG_AES_128 <- AES-128 cipher
CALG_RSA_SIGN / CALG_RSA_KEYX <- RSA signing and key exchange

Bearer token authentication + AES-128/RC4 encrypted C2
  => signature of modern API-style C2 communication
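A defender-side check for the User-Agent and Bearer-token pattern described above, written as an added example that is not part of the original analysis: it parses plaintext HTTP requests as an intercepting proxy would see them and reports which of the indicators listed on this page are present. The sample requests and the parsing helper are constructed for the example.

```python
import re

# Indicators lifted from the strings above (UA, Bearer auth, developer test hosts).
# The HTTP requests in SAMPLES are constructed for this example, not captured traffic.
CURLHELPER_UA = "CurlHelper/1.0 (Windows)"
DEV_TEST_HOSTS = {"httpbin.org", "img-blog.csdnimg.cn", "www.baidu.com"}
HEADER_RE = re.compile(r"^([\w!#$%&'*+.^`|~-]+):[ \t]*(.*?)[ \t]*$")


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a plaintext HTTP request into request line + lower-cased header dict.
    Accepts CRLF or bare LF line endings; the body after the blank line is ignored."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    request_line, *header_lines = re.split(r"\r?\n", head)
    headers: dict[str, str] = {}
    for line in header_lines:
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2)
    return request_line, headers


def classify_request(raw: str) -> list[str]:
    """Return the CurlHelper-related indicators seen in one request."""
    _, h = parse_request(raw)
    ua = h.get("user-agent", "")
    host = h.get("host", "").split(":")[0].lower()   # drop an explicit port
    reasons = []
    if ua == CURLHELPER_UA:
        reasons.append("ua-exact")        # the unique UA string embedded in the DLL
    elif ua.startswith("CurlHelper/"):
        reasons.append("ua-family")       # a later build of the same tool
    if h.get("authorization", "").startswith("Bearer "):
        reasons.append("bearer-auth")     # the auth=Bearer %s format string
    if host in DEV_TEST_HOSTS:
        reasons.append("dev-test-host")   # httpbin / CSDN / Baidu test URLs
    return reasons


def is_curlhelper_beacon(raw: str) -> bool:
    """A UA match is sufficient on its own; Bearer auth only counts together
    with one of the developer test hosts, since Bearer alone is common."""
    r = set(classify_request(raw))
    return bool(r & {"ua-exact", "ua-family"}) or {"bearer-auth", "dev-test-host"} <= r


SAMPLES = {  # constructed requests
    "beacon": "POST /post HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: CurlHelper/1.0 (Windows)\r\n"
              "Authorization: Bearer abc.def\r\nContent-Length: 0\r\n\r\n",
    "browser": "GET /api HTTP/1.1\nhost: api.example.test\nUser-Agent: Mozilla/5.0\n"
               "Authorization: Bearer xyz\n\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_request(raw), is_curlhelper_beacon(raw))
```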

IOC

SHA256: 5129d1d27201db762096d7798fc330e673a6cf1a6e562e57283758265edc9f6b
Internal name: Dll6.dll (TbcString C++ class)
User-Agent: CurlHelper/1.0 (Windows)
libcurl: 8.18.0 embedded
Auth: Bearer token (Authorization header)
Crypto: RC4 + AES-128 + RSA
Chinese connection: csdnimg.cn + baidu.com developer test URLs

CurlHelperDLL — Malware Profile

Custom C2 communication DLL with libcurl 8.18.0 embedded. User-Agent: CurlHelper/1.0 (Windows). Bearer token authentication. TbcString C++ class. Chinese developer environment signatures (CSDN, Baidu). RC4 + AES-128 + RSA encryption. Future (forged) compile timestamp.

Malware Type
Backdoor
Programming Language
C++
C2 Protocol
HTTP/HTTPS
Target Systems
Global

Capabilities & Behavior

Remote Access & Control
Keylogger
Screen Capture
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (1 indicator)

IOC — CurlHelperDLL
# SHA256 5129d1d27201db762096d7798fc330e673a6cf1a6e562e57283758265edc9f6b
Type    Value                                                             Note
sha256  5129d1d27201db762096d7798fc330e673a6cf1a6e562e57283758265edc9f6b
Tags
libcurl-8-18-0-embedded-dll, curlhelper-1-0-windows-unique-user-agent, bearer-token-authorization-c2-auth, tbcstring-cpp-class-custom-string, dll6-dll-nondescript-name, csdn-csdnimg-cn-chinese-developer-platform, baidu-com-chinese-search-test-url, calg-rc4-calg-aes-128-crypto, httpbin-org-development-test-endpoint, future-timestamp-fake-compile-time, imagebase-suspicious-dll-anomaly, bearer-aes128-rc4-modern-c2-pattern