Derin Analiz - AutoIT Compiled FTP Injector | Tehdit: MOYEN
Fichier Kimligi
| SHA256 | 4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b |
|---|---|
| Taille | 985,600 byte PE32 x86 Delphi+AutoIT, entropi 6.67, 8 section |
| Dil | AutoIT 3 compiled script (Borland Delphi PE sarici) |
AutoIT Kimlik Dogrulama
AUTOIT: AutoIT 3 scripting dili ile yazilmis ve .exe olarak derlenenmis kotu amacli yazilim!
>>>AUTOIT NO CMDEXECUTE<<< <- AutoIT /nocmdexecute derlemesi\navsupport@autoitscript.com <- AutoIT manifest'ten\n\nAutoIT error mesajlari:\n "Can not redeclare a constant"\n "Can not initialize a variable with itself"\n "Recursion level has been exceeded - AutoIt will quit"\n Bunlar compiled AutoIT runtime icinden gelmektedir
FTP + HTTP Yetenekleri
FTP:\n FtpOpenFileW / FtpGetFileSize\n FTPSETPROXY <- FTP proxy ayari\n\nHTTP:\n InternetConnectW / HTTPSETUSERAGENT\n\nProcess Enjeksiyonu:\n VirtualAllocEx / WriteProcessMemory <- bellek yaz\n\nProses Olusturma:\n CreateProcessW / CreateProcessWithLogonW\n CreateProcessAsUserW <- baska kullanici olarak process baslatma\n LogonUserW / LoadUserProfileW <- kullanici kimligi dogrulama
Diger Yetenekler
WoW64 Manipulasyonu:\n Wow64DisableWow64FsRedirection <- WoW64 dosya yonlendirmesi devre disi\n Wow64RevertWow64FsRedirection <- geri al\n\nToken Manipulasyonu:\n AdjustTokenPrivileges / OpenProcessToken / DuplicateTokenEx\n CheckTokenMembership / GetTokenInformation\n\nNetwork:\n WNetCancelConnection2W <- ag baglantisi kapat\n WSOCK32.dll
IOC
| SHA256 | 4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b |
|---|---|
| Dil | AutoIT 3 compiled (Delphi wrapper) |
| FTP | FtpOpenFileW, FtpGetFileSize, FTPSETPROXY |
| Enjeksiyon | VirtualAllocEx + WriteProcessMemory |
| Token | AdjustTokenPrivileges, DuplicateTokenEx |
AutoITMalware — Profil du malware
AutoIT 3 scripting dili ile yazilmis ve Delphi wrapper ile .exe olarak derlenmis kotu amacli yazilim. FTP yukleme kapasitesi (FtpOpenFileW), process injection (VirtualAllocEx+WriteProcessMemory), kullanici kimlik dogrulama (LogonUserW), WoW64 bypass teknikleri.
Type de malware
Loader
Langage de programmation
AutoIT
Protocole C2
custom
Systèmes ciblés
Kuresel
Capacités et comportement
Payload İndirme
Süreç Enjeksiyonu
Modüler Mimari
Kimlik Bilgisi Hırsızlığı
Yanal Hareket
Kalıcılık
Anti-VM/Sandbox
İkincil Payload Dağıtımı
Liste IOC (1 indicateurs)
IOC — AutoITMalware
# SHA256
4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b
| Type | Valeur | Note |
|---|---|---|
| sha256 | 4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b |