Static Analysis — FTP Injector Loader | Threat: MEDIUM
File Identity
| Field | Value |
|---|---|
| SHA256 | 00f01750994214b5d936755f4e67db0663fe9787960817e2bcb7b3c85e394f98 |
| Size | 1,462,026 bytes (PE32 GUI x86, 6 sections) |
| Entropy | 6.785 (normal, not obfuscated) |
VirtualAllocEx + WriteProcessMemory: Process Injection
VirtualAllocEx
WriteProcessMemory

- VirtualAllocEx: allocates memory in the target process
- WriteProcessMemory: writes the payload into the allocated memory
- Classic DLL/shellcode injection: injects code into the target process
- AdjustTokenPrivileges: obtains elevated privileges for the injection
FTP + HTTP Network Capability
FtpOpenFileW
FtpGetFileSize
InternetOpenW
InternetConnectW
HttpSendRequestW
InternetOpenUrlW

- FtpOpenFileW: opens/downloads a file from the FTP server
- FtpGetFileSize: checks the size of the file to be downloaded
- HttpSendRequest: C2 communication over HTTP POST/GET
- Dual channel: FTP (payload download) + HTTP (command retrieval)
XOR Encryption + Crypto Hash
CryptAcquireContextA
CryptCreateHash
-XOr]
BITXOR

- CryptAcquireContextA: initializes the Windows cryptographic provider
- CryptCreateHash: computes a hash of the payload or key
- -XOr] / BITXOR: XOR-based string/config encryption
- AdjustTokenPrivileges: obtains elevated privileges
IOC
| Category | Indicator |
|---|---|
| SHA256 | 00f01750994214b5d936755f4e67db0663fe9787960817e2bcb7b3c85e394f98 |
| Injection | VirtualAllocEx + WriteProcessMemory |
| FTP | FtpOpenFileW, FtpGetFileSize |
| HTTP | InternetOpenW, HttpSendRequestW, InternetConnectW |
| Crypto | CryptAcquireContextA, CryptCreateHash, XOR |
FTPInjectorLoader — Malware Profile
Generic FTP+HTTP dual-channel loader/injector PE32 x86. VirtualAllocEx + WriteProcessMemory for process injection. FtpOpenFileW + FtpGetFileSize for FTP payload download. HttpSendRequest for HTTP C2. CryptAcquireContextA + CryptCreateHash + XOR for payload encryption. AdjustTokenPrivileges for privilege escalation. No cleartext C2 IOCs (encrypted).
| Attribute | Value |
|---|---|
| Malware Type | Loader |
| Programming Language | C/C++ |
| C2 Protocol | FTP/HTTP |
| Target Systems | Global |
Capabilities & Behavior
- Payload Download
- Process Injection
- Modular Architecture
- Credential Theft
- Lateral Movement
- Persistence
- Anti-VM/Sandbox
- Secondary Payload Delivery
IOC List (1 indicator)
IOC — FTPInjectorLoader
# SHA256
00f01750994214b5d936755f4e67db0663fe9787960817e2bcb7b3c85e394f98
| Type | Value | Note |
|---|---|---|
| sha256 | 00f01750994214b5d936755f4e67db0663fe9787960817e2bcb7b3c85e394f98 | |