Derin Analiz — FalseXmrig RAT | Tehdit: YUKSEK

Archivo Kimligi

SHA256a3fa75fe9b9c0ca9ccdc85ae6733024cbc64c545031aad9150f03fed9335850a
Archivoxmrig_x86_truncated.elf (yanlis isim: aslinda UPX PE32)
Tamaño354,816 byte (PE32 GUI x86, UPX packed)
Entropi7.419 (packed)
EntrypointFAKE (sahte)
SectionsUPX0 (zero length), UPX1 (self-modifying)

NtUnmapViewOfSection: Process Hollowing

PROCESS HOLLOWING: NtUnmapViewOfSection tespit edildi -- xmrig kisves altinda RAT!
NtUnmapViewOfSection\n\n-- NtUnmapViewOfSection: hedef prosesi bos birak, payload inject et\n-- Klasik process hollowing adimi:\n  1. CreateProcess SUSPENDED ile hedef proses ac\n  2. NtUnmapViewOfSection ile bellek unmap et\n  3. VirtualAllocEx ile yeni alan ayir\n  4. WriteProcessMemory ile payload yaz\n  5. SetThreadContext ile EIP degistir\n  6. ResumeThread ile calistir\n-- "xmrig_x86_truncated.elf" ismi: xmrig madenci taklidi kamuflaj

AVICAP32.DLL: Webcam Erisimi

AVICAP32.DLL -> capGetDriverDescriptionA\n\n-- AVICAP32: Windows Video Capture kutuphanesi\n-- capGetDriverDescriptionA: sistemdeki kamera suruculerini listele\n-- Webcam akisi icin yapi:\n  capCreateCaptureWindow -> capDriverConnect -> capGrabFrame\n-- Amac: kurban makinesinin kamera goruntusunu gizlice kayit et\n-- Gdiplus.dll GdipFree: screenshot kapasitesi (GDI+ goruntu isle)

FtpPutFileA: FTP Veri Sizintisi

FtpPutFileA (wininet.dll)\nURLDownloadToFileA\n\n-- FtpPutFileA: ele gecirilen dosyalari FTP sunucusuna yukle\n-- URLDownloadToFileA: C2 sunucusundan ek payload indir\n-- Iki yonlu: indirme (payload al) + yukleme (veri gonder)\n-- FTP: silinmesi zor log birakmaz, AV imzayi gecebilir\n-- cmd.exe entegrasyonu: ShellExecuteA ile sistem komutlari

IOC

SHA256a3fa75fe9b9c0ca9ccdc85ae6733024cbc64c545031aad9150f03fed9335850a
PackerUPX (fake entrypoint)
HollowingNtUnmapViewOfSection
WebcamAVICAP32.DLL capGetDriverDescriptionA
ExfilFtpPutFileA (FTP upload)
DownloadURLDownloadToFileA (payload)

FalseXmrigRAT — Perfil del malware

UPX-packed PE32 RAT disguised as xmrig crypto miner (.elf extension fake). NtUnmapViewOfSection process hollowing. AVICAP32 webcam capture. GDI+ screenshot. FtpPutFileA FTP data exfiltration. URLDownloadToFileA second-stage download. ShellExecuteA CMD execution.

Tipo de malware
RAT
Lenguaje de programación
C/C++
Protocolo C2
FTP/HTTP
Sistemas objetivo
Kuresel

Capacidades y comportamiento

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

Lista IOC (1 indicadores)

IOC — FalseXmrigRAT
# SHA256 a3fa75fe9b9c0ca9ccdc85ae6733024cbc64c545031aad9150f03fed9335850a
TipoValorNota
sha256 a3fa75fe9b9c0ca9ccdc85ae6733024cbc64c545031aad9150f03fed9335850a
Etiquetas
falsexmrigratprocess-hollowingntunmapviewofsection-process-hollowing-confirmedavicap32-dll-capgetdriverdescriptiona-webcam-accessgdiplus-gdipfree-screenshot-capabilityftpputfilea-ftp-data-exfiltrationurldownloadtofile-second-stage-downloadupx-packer-fake-entrypointxmrig-brand-impersonation-elf-extension-fakemsrsaapp-suspicious-executableshellexecutea-cmd-execution