- #!/bin/bash
- #REF[0]: https://twitter.com/_Y000_/status/1674531786422902788
- #REF[1]: https://blog.talosintelligence.com/new-horabot-targets-americas/
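main(){
  # Entry point: run the four deobfuscation passes over one raw PowerShell
  # dump ($1). Every pass writes a fixed-name file into the current
  # directory (raw1.bin, B64.txt, vars1.bin, raw2.bin, raw3.bin), so run
  # this from a scratch directory; files of those names are overwritten.
  # Returns 1 on a usage error or unreadable input, otherwise the status of
  # the last pass.
  if [ $# -ne 1 ]; then
    echo "Usage: $0 <raw.ps>"
    return 1
  fi
  local raw0=$1
  # Refuse early instead of letting the first pass emit an empty raw1.bin
  # and every later pass run on that.
  if [ ! -r "$raw0" ]; then
    echo "Error: cannot read '$raw0'" >&2
    return 1
  fi
  cRaw1 "$raw0"
  getB64 raw1.bin
  getVars1 raw1.bin
  cRaw2 raw1.bin vars1.bin
  cRaw3 raw2.bin
}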
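cRaw1(){
  # Pass 1: normalise the raw dump so the later sed patterns never meet a
  # delimiter. Every backslash becomes "a" and every forward slash "b"
  # (the same mapping getVars1 applies). Input: $1; output: raw1.bin in
  # the current directory.
  # Reading via redirection (instead of `cat "$1" |`) makes an unreadable
  # input fail the && chain, so "Success" is printed only when raw1.bin
  # was actually produced.
  echo "Pending:raw1.bin" \
    && sed -e 's/\\/a/g' -e 's#/#b#g' < "$1" > raw1.bin \
    && echo "Success:raw1.bin"
}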
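cRaw2(){
  # Pass 3: rename obfuscated variable tokens to var0, var1, ...
  # $1 is the normalised dump (raw1.bin), $2 the token list written by
  # getVars1 (one "{name}" per line). For the i-th token the literal text
  # "{<token>" is replaced everywhere by "{var<i>}"; the result is written
  # to raw2.bin. Progress (including the whole intermediate text) goes to
  # stdout after every step, as before.
  # NOTE(review): the search text is "{" followed by the token, and the
  # token already carries its own braces — kept exactly as the original
  # sed pattern had it; confirm against the sample's variable syntax.
  echo "Pending:raw2.bin"
  local raw i v
  raw=$(<"$1")
  i=0
  # Read tokens line by line rather than by word splitting, so a token
  # containing whitespace or glob characters is used intact. Blank lines
  # are skipped: an empty token would turn the pattern into a bare "{" and
  # rewrite every brace in the file.
  while IFS= read -r v || [ -n "$v" ]; do
    [ -n "$v" ] || continue
    # Quoted pattern in ${var//pat/rep} is a literal match; the previous
    # sed call treated regex metacharacters in the token as operators.
    raw=${raw//"{$v"/"{var$i}"}
    echo "PENDING: STEP $i ..."
    printf '%s\n' "$raw"
    echo "SUCCESS: STEP $i"
    i=$((i+1))
  done < "$2"
  printf '%s\n' "$raw" > raw2.bin
}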
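cRaw3(){
  # Pass 4: undo the base64/UTF-16 string wrapping.
  # The sed first rewrites every
  #   $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('X')))
  # in $1 to the bare literal 'X' and stores that in raw3.bin. Then each
  # entry of B64.txt (written by getB64) is decoded — base64 -d followed by
  # dropping the NUL bytes of the UTF-16LE text — and every occurrence of
  # the encoded text is replaced by the decoded string. The decoded data
  # is used only as literal replacement text; it is never evaluated.
  # A line base64 -d cannot decode yields an empty replacement, as before.
  echo "PENDING: raw3.bin"
  local raw3 lb64 str
  sed "s/\$(\[Text.Encoding\]::Unicode.GetString(\[Convert\]::FromBase64String('\([^\']*\)')))/'\1'/g" < "$1" > raw3.bin
  raw3=$(<raw3.bin)
  while IFS= read -r lb64 || [ -n "$lb64" ]; do
    # getB64 separates entries with blank lines; skip those.
    [ -n "$lb64" ] || continue
    str=$(printf '%s' "$lb64" | base64 -d | tr -d '\0')
    printf 'PENDING %s\n' "$lb64"
    raw3=${raw3//"$lb64"/"$str"}
    printf '%s\n' "$raw3"
    printf 'SUCCESS: %s\n' "$str"
  done < B64.txt
  printf '%s\n' "$raw3" > raw3.bin
  echo "SUCCESS: raw3.bin"
}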
- getVars1(){
- echo "Pending:vars1.bin"&&cat "$1"|sed "s/\\\/a/g"|sed "s/\//b/g"|grep -Eio "{[^\{\}]*}"|sed 's/=$//g'|sed 's/\$//g' > vars1.bin&&echo "Success:vars1.bin";
- }
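getB64(){
  # Collect the base64 payloads: every FromBase64String('...') argument in
  # $1 is written to B64.txt, one per line, each followed by a blank line
  # (the format cRaw3 reads back). Only the single-quoted argument form is
  # recognised; a call whose argument is not quoted drops out at the
  # second grep.
  echo "PENDING: B64.txt"
  local l
  # Lines are read one at a time instead of word-splitting the whole
  # result, so the output never depends on IFS or glob expansion.
  grep -Eio "FromBase64String\([^)]*" < "$1" \
    | grep -Eio "'.*'" \
    | sed "s/'//g" \
    | while IFS= read -r l; do
        printf '%s\n\n' "$l"
      done > B64.txt
  echo "SUCCESS: B64.txt"
}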
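# Pass the arguments through as separate words; unquoted $@ would re-split
# a path containing whitespace and trip the argument-count check in main.
main "$@"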