Derin Analiz - AutoIT Compiled FTP Injector | Tehdit: MOYEN

Fichier Kimligi

SHA2564cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b
Taille985,600 byte PE32 x86 Delphi+AutoIT, entropi 6.67, 8 section
DilAutoIT 3 compiled script (Borland Delphi PE sarici)

AutoIT Kimlik Dogrulama

AUTOIT: AutoIT 3 scripting dili ile yazilmis ve .exe olarak derlenenmis kotu amacli yazilim!
>>>AUTOIT NO CMDEXECUTE<<<  <- AutoIT /nocmdexecute derlemesi\navsupport@autoitscript.com  <- AutoIT manifest'ten\n\nAutoIT error mesajlari:\n  "Can not redeclare a constant"\n  "Can not initialize a variable with itself"\n  "Recursion level has been exceeded - AutoIt will quit"\n  Bunlar compiled AutoIT runtime icinden gelmektedir

FTP + HTTP Yetenekleri

FTP:\n  FtpOpenFileW / FtpGetFileSize\n  FTPSETPROXY    <- FTP proxy ayari\n\nHTTP:\n  InternetConnectW / HTTPSETUSERAGENT\n\nProcess Enjeksiyonu:\n  VirtualAllocEx / WriteProcessMemory <- bellek yaz\n\nProses Olusturma:\n  CreateProcessW / CreateProcessWithLogonW\n  CreateProcessAsUserW <- baska kullanici olarak process baslatma\n  LogonUserW / LoadUserProfileW <- kullanici kimligi dogrulama

Diger Yetenekler

WoW64 Manipulasyonu:\n  Wow64DisableWow64FsRedirection <- WoW64 dosya yonlendirmesi devre disi\n  Wow64RevertWow64FsRedirection  <- geri al\n\nToken Manipulasyonu:\n  AdjustTokenPrivileges / OpenProcessToken / DuplicateTokenEx\n  CheckTokenMembership / GetTokenInformation\n\nNetwork:\n  WNetCancelConnection2W <- ag baglantisi kapat\n  WSOCK32.dll

IOC

SHA2564cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b
DilAutoIT 3 compiled (Delphi wrapper)
FTPFtpOpenFileW, FtpGetFileSize, FTPSETPROXY
EnjeksiyonVirtualAllocEx + WriteProcessMemory
TokenAdjustTokenPrivileges, DuplicateTokenEx

AutoITMalware — Profil du malware

AutoIT 3 scripting dili ile yazilmis ve Delphi wrapper ile .exe olarak derlenmis kotu amacli yazilim. FTP yukleme kapasitesi (FtpOpenFileW), process injection (VirtualAllocEx+WriteProcessMemory), kullanici kimlik dogrulama (LogonUserW), WoW64 bypass teknikleri.

Type de malware
Loader
Langage de programmation
AutoIT
Protocole C2
custom
Systèmes ciblés
Kuresel

Capacités et comportement

Payload İndirme
Süreç Enjeksiyonu
Modüler Mimari
Kimlik Bilgisi Hırsızlığı
Yanal Hareket
Kalıcılık
Anti-VM/Sandbox
İkincil Payload Dağıtımı

Liste IOC (1 indicateurs)

IOC — AutoITMalware
# SHA256 4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b
TypeValeurNote
sha256 4cc12d29c4de4d3316ed62add841d20e66bbd5419cd8011e774f937f201be72b
Tags
autoit3-compiled-malware-scriptautoit-nocmdexecute-compile-flagftpopenfilew-ftpgetfilesize-ftp-capabilityftpsetproxy-proxy-ftp-uploadvirtualalloc-writeprocessmemory-injectioncreateprocessasuserw-user-impersonationlogonuserw-credential-logonloaduserprofilew-user-contextwow64disable-wow64revert-64bit-bypassadjusttokenprivileges-duplikatetokenexwnetcancelconnection2w-network-sharehttpsetuseragent-http-capability