Static Analysis — VBSDeserialization | Threat: HIGH

File Identity

SHA256: 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
Size: 237,360 bytes (VBScript, ASCII text)
Name: xABCDEFGHIJKLMNOPQRSTUVWX (alphabet-obfuscated name)

VBScript Base64 Chunk Functions

YSOSERIAL GADGET: .NET BinaryFormatter TextFormattingRunProperties deserialization chain!
Public Function enddealthem()
  enddealthem="AAEAAAD/////AQAAAAAAAAACAgAAAF5NaWNyb3NvZnQu..."
End Function
Public Function pilotshotluck()
  pilotshotluck="ZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1..."
End Function
...

-- 20+ VBScript Public Functions, each returning one base64 chunk
-- Naming: "enddealthem", "pilotshotluck", "tropicalnosort" (random)
-- Concatenating the function return values yields the complete gadget
-- Decode: Base64 -> BinaryFormatter .NET object -> RCE

TextFormattingRunProperties: .NET Deserialization RCE

Decode: "Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
+ "TextFormattingRunProperties" (Microsoft.VisualStudio.Text.Formatting)
+ "ObjectDataProvider x:Key=type ObjectType={x:Type s:Type} MethodName=GetType"
+ "System.Workflow.ComponentModel.AppSettings, System.Workflow.ComponentModel..."
+ "disableAc..." (DisableActionLinks or AccessibilityFeatures)

-- TextFormattingRunProperties = known .NET BinaryFormatter gadget chain
-- A format produced by the ysoserial.net tool
-- ObjectDataProvider XAML injection: arbitrary .NET method invocation
-- System.Workflow.ComponentModel = auxiliary gadget chain component
-- RCE: .NET deserialization takes place in the page or application (MSDT/WinWord/PS)

Zero-Click Propagation Mechanism

Filename xABCDEFGHIJKLMNOPQRSTUVWX

-- Filename in alphabetical order: hinders identification
-- VBScript: can be executed without a .vbs extension (wscript.exe)
-- Likely vector:
  1. XAML deserialization in Outlook or a web page (ClickOnce or WinWord)
  2. File invoked via PowerShell -encodedcommand
  3. WScript.Shell via COM object -> run wscript.exe

IOC

SHA256: 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
Technique: .NET BinaryFormatter TextFormattingRunProperties deserialization RCE
Tool: ysoserial.net (ObjectDataProvider+XAML gadget chain)

VBSDeserialization — Malware Profile

VBScript .NET BinaryFormatter deserialization exploit. TextFormattingRunProperties ysoserial.net gadget chain. ObjectDataProvider XAML injection for RCE. Base64-chunked via Public Function obfuscation. System.Workflow.ComponentModel gadget. xABCDEFG obfuscated filename.

Malware Type
Exploit
Programming Language
VBScript
C2 Protocol
Local/Network
Target Systems
Global

Capabilities & Behavior

Malware Activity
Persistence Mechanism
C2 Communication
Anti-Analysis

IOC List (1 indicator)

IOC — VBSDeserialization
# SHA256 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
Type    Value                                                              Note
sha256  61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
Tags
vbsdeserialization, vbs-deserialization, vbscript-base64-chunk-functions-obfuscation, dotnet-deserialization-gadget-textformattingrunproperties, ysoserial-net-gadget-chain-rce, microsoft-powershell-editor-version-3-0-0-0-deserialization, system-workflow-componentmodel-appsettings-chain, object-data-provider-xaml-injection-rce, xabcdefghijklmnopqrstuvwx-obfuscated-filename