Manuel Statik Analiz (LLM Okumali) — DiceLoader VBS | Tehdit: KRITIK

Fichier Kimligi

SHA25661806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
Fichier Adie345rt.vbs
FormatVBScript (ZIP icinden cikartildi)
Taille237.360 byte
String Sayisi4.463

WPF TextFormatting Exploit Kaniti

tropicalnosort="LkZvcm1hdHRpbmcuVGV4dEZvcm1hdHRpbmdSdW5Qcm9wZXJ0aWVzAQAAAA..."

base64 decode =>
.Formatting.TextFormattingRunPropertiesForegroundBrush
-- WPF TextFormattingRunProperties XAML deserialization exploit
-- CVE-2022-30137 / benzer XAML injection RCE pattern

.NET Reflection API Cagirilari

_ModuleNameget_MachineNameget_ScopeNameget_FullNameget_UserDomainName
-- .NET System.Environment ve Machine reflection cagilari
-- Sistem bilgisi toplama (makine adi, domain, kullanici)

Obfuske Fonksiyon Isimleri

Public Function gonesettletongue()
Public Function tippleasesettle()
acrossparticularaverage=  -- base64 encoded payload degiskeni

DiceLoader Hakkinda

DiceLoader, IcedID'nin successor'u olarak da anilan, 2022-2024 doneminde aktif olan bir loader ailesidir. VBScript ile dagitilir, .NET runtime'i XAML deserialization exploit ile suistimal eder. Cobalt Strike, Nokoyawa ransomware ve diger post-exploitation araclariyla zincir olusturur. Genellikle phishing email eki olarak gelir.

IOC

SHA25661806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
ExploitWPF TextFormattingRunProperties XAML Deserialization
Teknik.NET Reflection API - get_MachineName, get_UserDomainName

DiceLoader — Profil du malware

DiceLoader VBS. e345rt.vbs keyboard random name. Three-word semantic function obfuscation (bottomautomobilemean pilotshotluck). Base64 .NET BinaryFormatter payload.

Type de malware
Loader
Langage de programmation
VBScript/.NET
Protocole C2
HTTPS
Systèmes ciblés
Kurumsal

Capacités et comportement

Payload İndirme
Süreç Enjeksiyonu
Modüler Mimari
Kimlik Bilgisi Hırsızlığı
Yanal Hareket
Kalıcılık
Anti-VM/Sandbox
İkincil Payload Dağıtımı

Liste IOC (1 indicateurs)

IOC — DiceLoader
# SHA256 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
TypeValeurNote
sha256 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
Tags
diceloadervbswpf-exploitnet-reflectionbase64obfuskescript