Derin Analiz - CoolProject .NET Loader | Tehdit: YUKSEK

文件 Kimligi

SHA2562eac96249e00012e874d427c378cafae63f8ad2aac861121818ccfb4ccb19e90
大小929,280 byte (907 KB) PE32+ GUI x64 .NET
Entropi6.87 (normal)
DOS StubSupheli (non-standard)
TLSFound (anti-analiz)

Gelistirici PDB Yollari

GELISTIRICI: Takma ad: "virtual", proje adi: "cool project lol"!
D:\Users\virtual\Desktop\Malware\projects\cool project lol\Source\stub\loader\obj\Release\net48\Loader.pdb\nD:\Users\virtual\Desktop\Malware\projects\cool project lol\Source\stub\loader_bootstrap\obj\Release\net48\LoaderBootstrap.pdb

Loader Teknikleri

"[*] Injected benign GUI resourceMZ"\n  -> Kotu amacli PE'ye yaniltici bir grafik kaynak enjekte eder\n  -> AV/EDR kaynak analizi atlama teknigidir\n\n"Bootstrap" string\n  -> LoaderBootstrap.pdb ile eslesiyor (iki asamali yukleyici)\n\nSystem.IO.MemoryMappedFiles\n  -> Bellek haritalama ile shellcode/PE yukleme\n\nSystem.Security.Cryptography\n  -> Yukun (payload) sifrelenmis sekilde gizlenmesi

架构

2eac9624, iki asamali bir .NET yukleyicidir (Loader + Bootstrap). Birinci asama (LoaderBootstrap), hedef surecu hazirlar ve sifresiz calistirmak icin ortami kurar. Ikinci asama (Loader), bellege haritalanmis alanda gercek yuku (muhtemelen RAT veya miner) calistirir. "Injected benign GUI resourceMZ" teknigi, sahte bir grafik kaynak eklenerek statik AV tarama atlatma saglar.

IOC

SHA2562eac96249e00012e874d427c378cafae63f8ad2aac861121818ccfb4ccb19e90
Gelistiricivirtual (D:\Users\virtual\)
Projecool project lol
TeknikInjected benign GUI resourceMZ (AV atlama)
架构Loader + Bootstrap iki asamali .NET
PayloadMemoryMappedFiles + AES sifreli yukleyici

CoolProjectLoader — 恶意软件档案

virtual takma adli gelistirici tarafindan uretilen iki asamali .NET yukleyici. PDB yolu: D:\Users\virtual\Desktop\Malware\projects\cool project lol. Birinci asama LoaderBootstrap, ikinci asama Loader. Kotu amacli PE'ye sahte GUI kaynak enjekte eder (Injected benign GUI resourceMZ) AV taramasi atlama icin. System.IO.MemoryMappedFiles ile bellek haritalama yapar.

恶意软件类型
Loader
编程语言
C#/.NET
C2协议
custom
目标系统
Kuresel

能力与行为

Payload İndirme
Süreç Enjeksiyonu
Modüler Mimari
Kimlik Bilgisi Hırsızlığı
Yanal Hareket
Kalıcılık
Anti-VM/Sandbox
İkincil Payload Dağıtımı

IOC列表 (1 个指标)

IOC — CoolProjectLoader
# SHA256 2eac96249e00012e874d427c378cafae63f8ad2aac861121818ccfb4ccb19e90
类型备注
sha256 2eac96249e00012e874d427c378cafae63f8ad2aac861121818ccfb4ccb19e90
标签
cool-project-lol-malware-loadervirtual-developer-desktop-malware-projectsinjected-benign-gui-resource-av-bypassloaderbootstrap-two-stage-dotnetsystem-io-memorymappedfiles-shellcode-loadsystem-security-cryptography-payloadsuspicious-dos-stub-tls-anti-analysisnet48-release-x64-loader-stubtwo-stage-loader-bootstrap-architectureav-evasion-fake-gui-resource-injection