GhostLoader

Creating a staging directory and ingress a C# script. Copy a binary from system32 to the staging directory and compile the ingressed script. Stage an executable configuration file and launch the copied binary to indirectly load and run the assembly.

Execute this chain

Download Operator (1.7.0)
Learn about Operator

TTPs

Compile CSharp code on target
Stage a CSharp script in a temporary directory
Create a staging directory
Copy file with Esentutl
Stage executable configuration file
Launch executable with custom config

Tags

wizard spider, kaseya vsa attack

User-Set Custom Variables

  • payload.uri: ca4de6cd226540141c3495e713149bb4d6390f16/wrapper.cs