File Identity
| Field | Value |
|---|---|
| SHA256 | 06798ab00b4cb050918236f0ac5c3a30252dadfe6c8e7563e276966e7727c055 |
| MD5 | b950d4671c9c3a723aff0bf8b27e563f |
| SHA1 | dc9d8c742c301901e832f34781f9eb0ccd5204a8 |
| Size | 786432 bytes |
| Type | /opt/ksentinel/samples/06798ab00b4cb050_COTIZACION.com.exe: PE32 executable (GUI |
| Compiled | Unknown |
| Packer | UPX |
Capabilities
- TCP Socket C2
Developer Hints
Telegram: @8KHK @cTSJt @DxR4Lmz @iJry @lZWP
PE Analysis
Security Scan
- file entropy: 7.822304 (probably packed)
- fpu anti-disassembly: no
- imagebase: normal
- entrypoint: normal
- DOS stub:
Import Table
- Library: mscoree.dll
  - Function: _CorExeMain (hint 0)
Binwalk / Packer
| DECIMAL | HEXADECIMAL | DESCRIPTION |
|---|---|---|
| 0 | 0x0 | Microsoft executable, portable (PE) |
| 56862 | | |
Family Detection
No string evidence found (encrypted/obfuscated).
AsyncRAT — Malware Profile
AsyncRAT is a C#-based RAT family released as open source in 2019. It has screen capture, a keylogger, file operations, HVNC and a plugin system. C2 traffic is encrypted with AES-128-CBC and runs over TCP. It is distributed with JS/PDF lures.
Technical Details
C# .NET, AES-128-CBC encryption, TCP ports 6606/4449 (default), mutex check, runtime assembly loading, anti-analysis (VM check, process list), HVNC, keylogger, stealer, botnet module
Attribution / Threat Actor
Open source; the original developer published it on GitHub, and it is in continuous use by the cybercriminal community. A large number of different threat actors use it, including in APT operations.
Capabilities & Behavior
IOC List (5 indicators)
| Type | Value | Note |
|---|---|---|
| sha1 | dc9d8c742c301901e832f34781f9eb0ccd5204a8 | |
| sha256 | 06798ab00b4cb050918236f0ac5c3a30252dadfe6c8e7563e276966e7727c055 | |
| md5 | b950d4671c9c3a723aff0bf8b27e563f | |
C2 Servers (8 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| system.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.