VBSAESStager
VBScript AES stager. coronofacial.Ru C2. kiley-delimiter character-level obfuscation. AES-CBC IV first-16-bytes from base64 blob. Invoke-Expression decrypted payload. HKLM Run key persistence.
Threat Profile
Type: Loader
Programming Language: VBScript
C2 Protocol: HTTP
First Seen: 2023
Targets
Global
Purpose / Capabilities
- Loader/Stager
C2 Servers (1)
| Address | Port | Protocol | Status |
|---|---|---|---|
| coronofacial.ru | 80 | HTTP | INACTIVE |
⚠ C2 addresses are shared solely for threat intelligence and defensive purposes. Unauthorized access to these addresses constitutes a criminal offense.
Research Reports (1)
VBSAESStager -- coronofacial.Ru C2 Variable OPSEC Error, kiley Delimiter Character-Level VBScript Obfuscation, AES-CBC base64 IV First 16 Bytes PowerShell Stage, Invoke-Expression Decryption Chain | Critical
VBSAESStager 1457e5a3 1.4MB VBScript. coronofacial.Ru C2 variable OPSEC error. kiley delimiter character-level obfuscation. AES-CBC IV first 16 bytes PowerShell. Invoke-Expression decryption.