Derin Analiz - AutoIT Compiled FTP Injector | Tehdit: ORTA

Dosya Kimligi

SHA2564cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b
Boyut985,600 byte PE32 x86 Delphi+AutoIT, entropi 6.67, 8 section
DilAutoIT 3 compiled script (Borland Delphi PE sarici)

AutoIT Kimlik Dogrulama

AUTOIT: AutoIT 3 scripting dili ile yazilmis ve .exe olarak derlenenmis kotu amacli yazilim!
>>>AUTOIT NO CMDEXECUTE<<<  <- AutoIT /nocmdexecute derlemesi\navsupport@autoitscript.com  <- AutoIT manifest'ten\n\nAutoIT error mesajlari:\n  "Can not redeclare a constant"\n  "Can not initialize a variable with itself"\n  "Recursion level has been exceeded - AutoIt will quit"\n  Bunlar compiled AutoIT runtime icinden gelmektedir

FTP + HTTP Yetenekleri

FTP:\n  FtpOpenFileW / FtpGetFileSize\n  FTPSETPROXY    <- FTP proxy ayari\n\nHTTP:\n  InternetConnectW / HTTPSETUSERAGENT\n\nProcess Enjeksiyonu:\n  VirtualAllocEx / WriteProcessMemory <- bellek yaz\n\nProses Olusturma:\n  CreateProcessW / CreateProcessWithLogonW\n  CreateProcessAsUserW <- baska kullanici olarak process baslatma\n  LogonUserW / LoadUserProfileW <- kullanici kimligi dogrulama

Diger Yetenekler

WoW64 Manipulasyonu:\n  Wow64DisableWow64FsRedirection <- WoW64 dosya yonlendirmesi devre disi\n  Wow64RevertWow64FsRedirection  <- geri al\n\nToken Manipulasyonu:\n  AdjustTokenPrivileges / OpenProcessToken / DuplicateTokenEx\n  CheckTokenMembership / GetTokenInformation\n\nNetwork:\n  WNetCancelConnection2W <- ag baglantisi kapat\n  WSOCK32.dll

IOC

SHA2564cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b
DilAutoIT 3 compiled (Delphi wrapper)
FTPFtpOpenFileW, FtpGetFileSize, FTPSETPROXY
EnjeksiyonVirtualAllocEx + WriteProcessMemory
TokenAdjustTokenPrivileges, DuplicateTokenEx

AutoITMalware — Malware Profili

AutoIT 3 scripting dili ile yazilmis ve Delphi wrapper ile .exe olarak derlenmis kotu amacli yazilim. FTP yukleme kapasitesi (FtpOpenFileW), process injection (VirtualAllocEx+WriteProcessMemory), kullanici kimlik dogrulama (LogonUserW), WoW64 bypass teknikleri.

Malware Tipi
Loader
Programlama Dili
AutoIT
C2 Protokolü
custom
Hedef Sistemler
Kuresel

Yetenekler ve Davranış

Payload İndirme
Süreç Enjeksiyonu
Modüler Mimari
Kimlik Bilgisi Hırsızlığı
Yanal Hareket
Kalıcılık
Anti-VM/Sandbox
İkincil Payload Dağıtımı

IOC Listesi (1 gösterge)

IOC — AutoITMalware
# SHA256 4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b
TürDeğerNot
sha256 4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b
Etiketler
autoit3-compiled-malware-scriptautoit-nocmdexecute-compile-flagftpopenfilew-ftpgetfilesize-ftp-capabilityftpsetproxy-proxy-ftp-uploadvirtualalloc-writeprocessmemory-injectioncreateprocessasuserw-user-impersonationlogonuserw-credential-logonloaduserprofilew-user-contextwow64disable-wow64revert-64bit-bypassadjusttokenprivileges-duplikatetokenexwnetcancelconnection2w-network-sharehttpsetuseragent-http-capability