Manual Static Analysis (LLM-assisted read) — DiceLoader VBS | Threat: CRITICAL

File Identity

SHA256: 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
File name: e345rt.vbs
Format: VBScript (extracted from a ZIP archive)
Size: 237,360 bytes
String count: 4,463

WPF TextFormattingRunProperties Gadget Evidence

tropicalnosort="LkZvcm1hdHRpbmcuVGV4dEZvcm1hdHRpbmdSdW5Qcm9wZXJ0aWVzAQAAAA..."

base64 decode =>
.Formatting.TextFormattingRunProperties <01 00 00 00> ForegroundBrush
-- The fragment is a class record from a .NET BinaryFormatter stream: the tail of the gadget type's name (the type is Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties), a member count of 1 (the four bytes 01 00 00 00 that "AQAAAA" decodes to), then the single member name ForegroundBrush.
-- This is the TextFormattingRunProperties deserialization gadget popularised by ysoserial.net: the type implements ISerializable and its deserialization constructor feeds the ForegroundBrush string to XamlReader.Parse, so attacker-controlled XAML runs on any .NET Framework host that has Microsoft.PowerShell.Editor.dll (shipped with PowerShell ISE). No runtime vulnerability is involved and no CVE applies; CVE-2022-30137 is the FabricScape Azure Service Fabric container-escape bug and does not describe this technique.

.NET Reflection / Environment API Calls

_ModuleName  get_MachineName  get_ScopeName  get_FullName  get_UserDomainName
-- Getter names of System.Environment properties (MachineName, UserDomainName) and of reflection types (Module.ScopeName, Type.FullName); they show up as metadata strings whether the embedded .NET code calls them directly or resolves them through reflection.
-- Host fingerprinting: machine name, domain, user.

Obfuscated Function Names

Public Function gonesettletongue()
Public Function tippleasesettle()
acrossparticularaverage=  -- variable holding the base64-encoded payload
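The three observations above (a base64 variable that decodes to a BinaryFormatter class record naming TextFormattingRunProperties and ForegroundBrush, and get_* getter strings for host fingerprinting) can be checked mechanically. The Python triage script below is an added example, not code from this page or from the sample: the VBS text it scans is constructed (the page's function names, its tropicalnosort fragment quoted verbatim, and a fake payload variable that carries only the real BinaryFormatter header plus the strings the page reports, not a valid object graph), and the marker and getter lists are assumptions chosen to match this analysis.

```python
"""Static triage of a VBScript dropper for base64-wrapped .NET BinaryFormatter payloads.

Added example for this page; not the sample's own code. Everything not quoted from the
page (the sample VBS text, the fake payload body, the marker lists) is constructed.
"""
import base64
import re

# SerializationHeaderRecord that opens every BinaryFormatter stream (MS-NRBM):
# RecordTypeEnum 0x00, RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0.
BINARYFORMATTER_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"

# Strings that identify the TextFormattingRunProperties gadget chain in a decoded blob (assumed list).
GADGET_MARKERS = (
    b"TextFormattingRunProperties",  # ISerializable type whose deserialization ctor parses XAML
    b"ForegroundBrush",              # the single serialized member that carries that XAML
)

# Getter names the page lists: System.Environment and reflection properties used for fingerprinting.
REFLECTION_RE = re.compile(rb"get_(?:MachineName|UserDomainName|UserName|ScopeName|FullName)")

# A run of base64 alphabet long enough to be a payload chunk rather than an identifier.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_lenient(candidate):
    """Decode base64 even when the dropper drops the '=' padding; None if it is not base64."""
    stripped = candidate.rstrip("=")
    try:
        return base64.b64decode(stripped + "=" * (-len(stripped) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def triage(vbs_text):
    """Return what a first-pass static read should surface for a script like e345rt.vbs."""
    report = {"binaryformatter_blobs": 0, "gadget_markers": set(), "reflection_calls": set(), "chunks": []}
    # Getter names may sit in the script body itself or inside a decoded .NET payload.
    raw = vbs_text.encode("latin-1", "replace")
    report["reflection_calls"] |= {m.decode() for m in REFLECTION_RE.findall(raw)}
    for match in B64_RE.finditer(vbs_text):
        blob = decode_lenient(match.group(0))
        if blob is None:
            continue
        has_header = blob.startswith(BINARYFORMATTER_HEADER)
        hits = {marker.decode() for marker in GADGET_MARKERS if marker in blob}
        if has_header:
            report["binaryformatter_blobs"] += 1
        if has_header or hits:
            # Markers without a header mean the serialized payload is split across variables.
            report["chunks"].append({"offset": match.start(), "header": has_header, "markers": sorted(hits)})
            report["gadget_markers"] |= hits
        report["reflection_calls"] |= {m.decode() for m in REFLECTION_RE.findall(blob)}
    report["verdict"] = "deserialization-gadget" if report["gadget_markers"] else "review"
    return report


def _constructed_payload():
    """Fake serialized object: the real header plus only the strings the page reports (not a valid stream)."""
    body = (b"\x0c\x02\x00\x00\x00"  # stand-in record prefix, constructed
            b"Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties\x01\x00\x00\x00"
            b"ForegroundBrush" b"get_MachineName" b"get_UserDomainName")
    return base64.b64encode(BINARYFORMATTER_HEADER + body).decode()


# Constructed stand-in for e345rt.vbs: the page's function names, one full payload variable,
# and the page's own tropicalnosort fragment (quoted from the analysis above).
SAMPLE_VBS = (
    "Public Function gonesettletongue()\n"
    f'    acrossparticularaverage = "{_constructed_payload()}"\n'
    "End Function\n"
    "Public Function tippleasesettle()\n"
    '    tropicalnosort = "LkZvcm1hdHRpbmcuVGV4dEZvcm1hdHRpbmdSdW5Qcm9wZXJ0aWVzAQAAAA"\n'
    "End Function\n"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBS).items():
        print(f"{key}: {value}")
```

Against a real script, call triage(open(path, encoding="latin-1").read()). A chunk that carries markers but no header (as the tropicalnosort fragment does here) means the payload is concatenated from several variables; reassemble them in the order the script joins them before handing the stream to a BinaryFormatter parser, and treat the ForegroundBrush member as the place where the embedded XAML, and hence the next-stage command, lives.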

About DiceLoader

DiceLoader (also reported under the name Lizar) is a loader family attributed to FIN7 and active in the 2022-2024 period; it is unrelated to IcedID despite sometimes being described as its successor. This sample is delivered as VBScript and reaches the .NET runtime through BinaryFormatter deserialization of the TextFormattingRunProperties gadget, which hands attacker-supplied XAML to XamlReader.Parse; no runtime vulnerability is required. It chains into Cobalt Strike and other post-exploitation tooling and has been linked to ransomware deployments such as Nokoyawa. Delivery is typically a phishing e-mail attachment.

IOC

SHA256: 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
Exploit technique: WPF TextFormattingRunProperties XAML deserialization gadget (BinaryFormatter)
Technique: .NET environment/reflection getters (get_MachineName, get_UserDomainName)

DiceLoader — Malware Profile

DiceLoader VBS. The file name e345rt.vbs looks like a random keyboard mash. Function names are obfuscated by concatenating three dictionary words (e.g. bottomautomobilemean, pilotshotluck). The payload is a base64-encoded .NET BinaryFormatter stream.

Malware Type: Loader
Programming Language: VBScript/.NET
C2 Protocol: HTTPS
Target Systems: Enterprise

Capabilities & Behavior

Payload download
Process injection
Modular architecture
Credential theft
Lateral movement
Persistence
Anti-VM/sandbox
Secondary payload deployment

These are the family's profile capabilities; the static evidence shown on this page only substantiates payload staging (the BinaryFormatter blob) and host fingerprinting (the get_* getters).

IOC List (1 indicator)

IOC — DiceLoader
Type | Value | Note
sha256 | 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056 | e345rt.vbs
Tags
diceloader, vbs, wpf-exploit, net-reflection, base64, obfuscated, script