Manual Static Analysis (LLM-Assisted Reading) — DiceLoader VBS | Threat: CRITICAL
File Identity
| Field | Value |
|---|---|
| SHA256 | 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056 |
| File Name | e345rt.vbs |
| Format | VBScript (extracted from a ZIP archive) |
| Size | 237,360 bytes |
| String Count | 4,463 |
WPF TextFormatting Exploit Evidence
`tropicalnosort="LkZvcm1hdHRpbmcuVGV4dEZvcm1hdHRpbmdSdW5Qcm9wZXJ0aWVzAQAAAA..."` base64-decodes to `.Formatting.TextFormattingRunPropertiesForegroundBrush` -- the WPF TextFormattingRunProperties XAML deserialization exploit -- CVE-2022-30137 / a similar XAML-injection RCE pattern
.NET Reflection API Calls
`_ModuleNameget_MachineNameget_ScopeNameget_FullNameget_UserDomainName` -- .NET System.Environment and machine reflection calls -- system information collection (machine name, domain, user)
Obfuscated Function Names
`Public Function gonesettletongue()` `Public Function tippleasesettle()` `acrossparticularaverage=` -- base64-encoded payload variable
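As an added triage example (not code from the report or from the sample itself): a Python script that pulls long base64 string literals out of a VBScript, decodes them and flags the TextFormattingRunProperties type name and the System.Environment getters listed above. The ObjectDataProvider marker and the small sample VBS are constructed assumptions, not material taken from e345rt.vbs.

```python
import base64
import re

# Type-name fragments seen inside serialized .NET gadget chains. Only
# TextFormattingRunProperties comes from the report; ObjectDataProvider
# is an assumption added for broader coverage.
GADGET_MARKERS = (b"TextFormattingRunProperties", b"ObjectDataProvider")
# System.Environment getters the report saw reached through reflection.
REFLECTION_CALLS = ("get_MachineName", "get_UserDomainName", "get_ScopeName")
# VBScript assignment of a long base64-looking string literal to a variable.
B64_ASSIGNMENT = re.compile(r'(\w+)\s*=\s*"([A-Za-z0-9+/]{40,}={0,2})"')


def decode_b64_literals(vbs_text):
    """Yield (variable_name, decoded_bytes) for every long base64 literal."""
    for name, blob in B64_ASSIGNMENT.findall(vbs_text):
        padded = blob.rstrip("=")
        padded += "=" * (-len(padded) % 4)  # repair missing or truncated padding
        try:
            yield name, base64.b64decode(padded)
        except ValueError:
            continue


def scan_vbs(vbs_text):
    """Return (kind, name, detail) tuples; kind is 'gadget' or 'reflection'."""
    findings = []
    for name, data in decode_b64_literals(vbs_text):
        for marker in GADGET_MARKERS:
            if marker in data:
                findings.append(("gadget", name, marker.decode()))
    for call in REFLECTION_CALLS:
        if call in vbs_text:
            findings.append(("reflection", call, ""))
    return findings


def verdict(findings):
    kinds = {kind for kind, _, _ in findings}
    if "gadget" in kinds:
        return "critical"  # deserialization gadget type name inside a blob
    return "suspicious" if "reflection" in kinds else "clean"


# Constructed sample built from strings quoted in the report; the blob is the
# truncated prefix shown above and the "harmless" literal is a control case.
_BENIGN = base64.b64encode(b"ordinary configuration text, nothing here").decode()
SAMPLE_VBS = (
    "Public Function gonesettletongue()\n"
    '  tropicalnosort="LkZvcm1hdHRpbmcuVGV4dEZvcm1hdHRpbmdSdW5Qcm9wZXJ0aWVzAQAAAA"\n'
    f'  harmless="{_BENIGN}"\n'
    '  info = "get_MachineName" & "get_UserDomainName"\n'
    "End Function\n"
)
```

Running `verdict(scan_vbs(SAMPLE_VBS))` on the constructed sample returns `critical` because the decoded `tropicalnosort` blob contains the gadget type name, while the control literal produces no finding.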
About DiceLoader
DiceLoader, also referred to as the successor of IcedID, is a loader family that was active in the 2022-2024 period. It is distributed as VBScript and abuses the .NET runtime through an XAML deserialization exploit. It forms a chain with Cobalt Strike, Nokoyawa ransomware and other post-exploitation tools. It usually arrives as a phishing email attachment.
IOC
| Field | Value |
|---|---|
| SHA256 | 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056 |
| Exploit | WPF TextFormattingRunProperties XAML Deserialization |
| Technique | .NET Reflection API - get_MachineName, get_UserDomainName |
DiceLoader — Malware Profile
DiceLoader VBS. The file name e345rt.vbs is a random keyboard-mashed name. Function names use three-word semantic obfuscation (e.g. bottomautomobilemean, pilotshotluck). The payload is a base64-encoded .NET BinaryFormatter blob.
| Field | Value |
|---|---|
| Malware Type | Loader |
| Programming Language | VBScript/.NET |
| C2 Protocol | HTTPS |
| Target Systems | Enterprise |
Capabilities & Behavior
- Payload Download
- Process Injection
- Modular Architecture
- Credential Theft
- Lateral Movement
- Persistence
- Anti-VM/Sandbox
- Secondary Payload Delivery
IOC List (1 indicator)
IOC — DiceLoader
# SHA256
61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
| Type | Value | Note |
|---|---|---|
| sha256 | 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056 | |