VBSAESStager

VBScript AES stager. C2 at coronofacial.Ru. Character-level obfuscation using "kiley" as the delimiter string. AES-CBC, with the IV taken from the first 16 bytes of the base64-decoded blob. Decrypted payload executed via Invoke-Expression. Persistence through an HKLM Run key.

Threat Profile
Type: Loader
Programming Language: VBScript
C2 Protocol: HTTP
First Seen: 2023
Targets: Global
Purpose / Capabilities:
  • Loader/Stager

C2 Servers (1)

Address          Port  Protocol  Status
coronofacial.ru  80    HTTP      INACTIVE

⚠ C2 addresses are shared solely for threat intelligence and defensive purposes. Unauthorized access to these addresses constitutes a criminal offense.

Research Reports (1)

Critical

VBSAESStager -- coronofacial.Ru C2 Variable OPSEC Error, "kiley" Delimiter Character-Level VBScript Obfuscation, AES-CBC base64 IV First 16 Bytes PowerShell Stage, Invoke-Expression Decryption Chain | Critical

VBSAESStager 1457e5a3, 1.4MB VBScript. OPSEC error: the coronofacial.Ru C2 address is exposed in a variable. Character-level obfuscation using "kiley" as the delimiter. AES-CBC with the IV taken from the first 16 bytes, PowerShell stage. Decryption via Invoke-Expression.
