Static Analysis — ResourceDropper | Threat: MEDIUM

File Identity

SHA256: 9ef1cd4cb8ea11e2353228c324a79d074ef1326815abbe2916ea32bdc69960ac
Size: 141,312 bytes (PE32+ GUI x86-64, 6 sections)
ImageBase: Suspicious

FindResourceA + LoadResource + LockResource: Hidden PE Payload

KERNEL32.dll -> FindResourceA
KERNEL32.dll -> LoadResource
KERNEL32.dll -> LockResource
+
KERNEL32.dll -> CreateFileA
KERNEL32.dll -> WriteFile
KERNEL32.dll -> CreateProcessA

-- Classic resource dropper pattern:
  1. FindResourceA: the hidden data lives in the PE resource section (RT_RCDATA)
  2. LoadResource + LockResource: obtain a memory pointer to it
  3. CreateFileA + WriteFile: write it out to a temporary file
  4. CreateProcessA: execute it
-- Advantage: the payload is hidden in the PE resource, so strings analysis does not surface it
-- CryptGenRandom: generates a random file name -> evades AV signatures

InternetOpenA + InternetOpenUrlA: HTTP Download

InternetOpenA
InternetOpenUrlA

-- WinINet HTTP client: downloads from a C2 or payload URL
-- InternetOpenUrlA: opens the URL directly (GET/POST)
-- Two modes are likely:
  1. Execute the payload embedded in the resource
  2. Then download a second stage from the URL
-- C2 URL: encrypted inside the PE resource (not visible in static analysis)

CryptGenRandom: Random File Name

CryptAcquireContextA + CryptGenRandom

-- Generates cryptographically strong random bytes
-- Use: randomizes the name and location of the dropped file
-- A different file path on every run -> makes hash-based AV detection harder
-- Under %TEMP%: abc123.exe, def456.dll, etc. (changes each time)

IOC

SHA256: 9ef1cd4cb8ea11e2353228c324a79d074ef1326815abbe2916ea32bdc69960ac
Technique: PE resource hidden payload + HTTP download
Bypass: CryptGenRandom random filename per execution

ResourceDropper — Malware Profile

PE64 resource dropper. FindResourceA+LoadResource+LockResource payload extraction from PE resource section. InternetOpenA+InternetOpenUrlA HTTP second-stage download. CryptGenRandom random filename for AV evasion. CreateProcessA payload execution.

Malware Type: Loader
Programming Language: C/C++
C2 Protocol: HTTP
Target Systems: Global

Capabilities & Behavior

Payload Download
Process Injection
Modular Architecture
Credential Theft
Lateral Movement
Persistence
Anti-VM/Sandbox
Secondary Payload Delivery

IOC List (1 indicator)

IOC — ResourceDropper
Type: sha256
Value: 9ef1cd4cb8ea11e2353228c324a79d074ef1326815abbe2916ea32bdc69960ac
Note: (none)