Datei Kimligi
| SHA256 | 06798ab00b4cb050918236f0ac5c3a30252dadfe6c8e7563e276966e7727c055 |
|---|---|
| MD5 | b950d4671c9c3a723aff0bf8b27e563f |
| SHA1 | dc9d8c742c301901e832f34781f9eb0ccd5204a8 |
| Größe | 786432 byte |
| Tur | /opt/ksentinel/samples/06798ab00b4cb050_COTIZACION.com.exe: PE32 executable (GUI |
| Derleme | Unbekannt |
| Packer | UPX |
Yetenekler
- TCP Socket C2
Gelistirici Ipuclari
PDB Yolu: bash: -c: line 1: syntax error near unexpected token `|'
bash: -c: line 1: `grep -oiE '[A-Za-z]:\\Users\\[^\\]{2,30}\\[^
Telegram: @8KHK @cTSJt @DxR4Lmz @iJry @lZWP
PE Analizi
Guvenlik Taramasi
file entropy: 7.822304 (probably packed) fpu anti-disassembly: no imagebase: normal entrypoint: normal DOS stub:
Import Tablosu
Imported functions
Library
Name: mscoree.dll
Functions
Function
Hint: 0
Name: _CorExeMainBinwalk / Packer
DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 Microsoft executable, portable (PE) 56862
Familie Tespiti
String kaniti bulunamadi (sifrelenmis/obfuskeli).
AsyncRAT — Malware-Profil
AsyncRAT, 2019'da acik kaynak olarak yayimlanan C# tabanli RAT ailesidir. Ekran yakalama, keylogger, dosya islemleri, HVNC ve plugin sistemine sahiptir. C2 AES-128-CBC ile sifrelenir, TCP uzerinden calisir. JS/PDF yemi ile dagitilir.
Technische Details
C# .NET, AES-128-CBC sifreleme, TCP port 6606/4449 (varsayilan), Mutex kontrol, Runtime assembly loading, Anti-analysis (VM check, Process listesi), HVNC, Keylogger, Stealer, Botnet modulu
Attribution / Bedrohungsakteur
Acik kaynak - orjinal gelistirici GitHub'da yayinladi; surekli siber suclu toplulugu tarafindan kullanilmaktadir. APT operasyonlari da dahil olmak uzere cok sayida farkli tehdit aktoru kullanmaktadir.
Fähigkeiten & Verhalten
IOC-Liste (5 Indikatoren)
#
dc9d8c742c301901e832f34781f9eb0ccd5204a8
# SHA256
06798ab00b4cb050918236f0ac5c3a30252dadfe6c8e7563e276966e7727c055
# MD5
b950d4671c9c3a723aff0bf8b27e563f
# FILEPATH
bash: -c: line 1: syntax error near unexpected token `|'
# FILEPATH
bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10'
| Typ | Wert | Bemerkung |
|---|---|---|
| dc9d8c742c301901e832f34781f9eb0ccd5204a8 | ||
| sha256 | 06798ab00b4cb050918236f0ac5c3a30252dadfe6c8e7563e276966e7727c055 | |
| md5 | b950d4671c9c3a723aff0bf8b27e563f | |
| filepath | bash: -c: line 1: syntax error near unexpected token `|' | |
| filepath | bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10' |
C2-Server (8 erfasste Server für diese Familie)
| Adresse | Typ | Port | Protokoll | Status | Land |
|---|---|---|---|---|---|
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
C2-Adressen stammen ausschließlich aus vom KEYDAL-Team manuell verifizierten Malware-Samples. Kommerzielle Nutzung ist untersagt.