Manuel Statik Analiz (LLM Okumali) — DiceLoader VBS | Tehdit: KRITIK

Arquivo Kimligi

SHA25661806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
Arquivo Adie345rt.vbs
FormatVBScript (ZIP icinden cikartildi)
Tamanho237.360 byte
String Sayisi4.463

WPF TextFormatting Exploit Kaniti

tropicalnosort="LkZvcm1hdHRpbmcuVGV4dEZvcm1hdHRpbmdSdW5Qcm9wZXJ0aWVzAQAAAA..."

base64 decode =>
.Formatting.TextFormattingRunPropertiesForegroundBrush
-- WPF TextFormattingRunProperties XAML deserialization exploit
-- CVE-2022-30137 / benzer XAML injection RCE pattern

.NET Reflection API Cagirilari

_ModuleNameget_MachineNameget_ScopeNameget_FullNameget_UserDomainName
-- .NET System.Environment ve Machine reflection cagilari
-- Sistem bilgisi toplama (makine adi, domain, kullanici)

Obfuske Fonksiyon Isimleri

Public Function gonesettletongue()
Public Function tippleasesettle()
acrossparticularaverage=  -- base64 encoded payload degiskeni

DiceLoader Hakkinda

DiceLoader, IcedID'nin successor'u olarak da anilan, 2022-2024 doneminde aktif olan bir loader ailesidir. VBScript ile dagitilir, .NET runtime'i XAML deserialization exploit ile suistimal eder. Cobalt Strike, Nokoyawa ransomware ve diger post-exploitation araclariyla zincir olusturur. Genellikle phishing email eki olarak gelir.

IOC

SHA25661806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
ExploitWPF TextFormattingRunProperties XAML Deserialization
Teknik.NET Reflection API - get_MachineName, get_UserDomainName

DiceLoader — Perfil do malware

DiceLoader VBS. e345rt.vbs keyboard random name. Three-word semantic function obfuscation (bottomautomobilemean pilotshotluck). Base64 .NET BinaryFormatter payload.

Tipo de malware
Loader
Linguagem de programação
VBScript/.NET
Protocolo C2
HTTPS
Sistemas-alvo
Kurumsal

Capacidades e comportamento

Payload İndirme
Süreç Enjeksiyonu
Modüler Mimari
Kimlik Bilgisi Hırsızlığı
Yanal Hareket
Kalıcılık
Anti-VM/Sandbox
İkincil Payload Dağıtımı

Lista IOC (1 indicadores)

IOC — DiceLoader
# SHA256 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
TipoValorNota
sha256 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
Tags
diceloadervbswpf-exploitnet-reflectionbase64obfuskescript