Static Analysis — FTP Injector Loader | Threat: MEDIUM

File Identity

SHA256: 00f01750994214b5d936755f4e67db0663fe9787960817e2bcb7b3c85e394f98
Size: 1,462,026 bytes (PE32 GUI x86, 6 sections)
Entropy: 6.785 (normal, not packed/obfuscated)

VirtualAllocEx + WriteProcessMemory: Process Injection

VirtualAllocEx
WriteProcessMemory

-- VirtualAllocEx: allocate memory in the target process
-- WriteProcessMemory: write the payload into the allocated memory
-- Classic DLL/shellcode injection: inject code into the target process
-- AdjustTokenPrivileges: obtain elevated privileges for the injection

FTP + HTTP Network Capability

FtpOpenFileW
FtpGetFileSize
InternetOpenW
InternetConnectW
HttpSendRequestW
InternetOpenUrlW

-- FtpOpenFileW: open/download a file from an FTP server
-- FtpGetFileSize: check the size of the file to be downloaded
-- HttpSendRequest: C2 communication over HTTP POST/GET
-- Dual channel: FTP (download payload) + HTTP (receive commands)

XOR Encryption + Crypto Hash

CryptAcquireContextA
CryptCreateHash
-XOr]
BITXOR

-- CryptAcquireContextA: initialize the Windows cryptographic provider
-- CryptCreateHash: compute a hash of the payload or key
-- -XOr] / BITXOR: XOR-based string/config encryption
-- AdjustTokenPrivileges: obtain elevated privileges

IOC

SHA256: 00f01750994214b5d936755f4e67db0663fe9787960817e2bcb7b3c85e394f98
Injection: VirtualAllocEx + WriteProcessMemory
FTP: FtpOpenFileW, FtpGetFileSize
HTTP: InternetOpenW, HttpSendRequestW, InternetConnectW
Crypto: CryptAcquireContextA, CryptCreateHash, XOR

FTPInjectorLoader — Malware Profile

Generic FTP+HTTP dual-channel loader/injector PE32 x86. VirtualAllocEx + WriteProcessMemory for process injection. FtpOpenFileW + FtpGetFileSize for FTP payload download. HttpSendRequest for HTTP C2. CryptAcquireContextA + CryptCreateHash + XOR for payload encryption. AdjustTokenPrivileges for privilege escalation. No cleartext C2 IOCs (encrypted).

Malware Type
Loader
Programming Language
C/C++
C2 Protocol
FTP/HTTP
Target Systems
Global

Capabilities & Behavior

Payload Download
Process Injection
Modular Architecture
Credential Theft
Lateral Movement
Persistence
Anti-VM/Sandbox
Secondary Payload Delivery

IOC List (1 indicator)

IOC — FTPInjectorLoader
# SHA256 00f01750994214b5d936755f4e67db0663fe9787960817e2bcb7b3c85e394f98
Type | Value | Note
sha256 | 00f01750994214b5d936755f4e67db0663fe9787960817e2bcb7b3c85e394f98 |
Tags
ftpinjectorloader, process-injection, virtualallocex-writeprocessmemory-injection-confirmed, ftpopenfilew-ftpgetfilesize-ftp-channel, internetopenw-httpsendrequest-http-c2, cryptacquirecontexta-cryptcreatehash-windows-crypto, bitxor-xor-string-obfuscation, adjusttokenprivileges-privilege-escalation, dual-channel-ftp-http-payload