Common Information
Type | Value |
---|---|
Value |
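import "hash"

// Detects the PoshC2 PowerShell implant core script (Implant-Core.ps1).
//
// Fixes versus the collapsed original:
//   - $s10, $s12, $s16 and $s17 were byte-identical copies of $s3, $s11, $s14
//     and $s15, and $s7 was $s6 plus a trailing ";", so a single occurrence in
//     a file counted twice towards "4 of them". The duplicates are removed, so
//     the threshold now means four *distinct* fragments (of which $x1 is one).
//   - The condition is reordered so the cheap header/size/string checks run
//     first; hash.sha256(0, filesize) hashes the whole file and was previously
//     evaluated for every scanned file before any other test.
rule PoshC2_ImplantCorePs1
{
    meta:
        description = "PoshC2 - Implant-Core.ps1"
        sha256 = "6d520463f8563d6a296d22b6824c690c9b6de8121c9b6f08307947874667c5f2"

    strings:
        // High-confidence launcher line; required by the condition via 1 of ($x*).
        $x1 = "$payloadraw = \"powershell -exec bypass -Noninteractive -windowstyle hidden -e $($EncodedPayloadScript)\"" ascii fullword

        // Stager build-up: Base64 / Deflate wrapping of the next-stage script.
        $s2 = "$EncodedPayloadScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($NewScript))" ascii fullword
        $s3 = "$NewScript = \"sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64Stri"
        $s4 = "$ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($payloadclear)" ascii fullword
        $s5 = "g(`\"$EncodedCompressedScript`\"),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()\"" ascii fullword
        $s8 = "$EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes)" ascii fullword
        $s9 = "$payload = $payloadraw -replace \"`n\", \"\"" ascii fullword

        // Tasking channel: IV-prefixed AES decrypt, Base64/Deflate unwrap, command dispatch.
        // $s6 is a prefix of the former $s7 (same line with a trailing ";"), so it covers both forms.
        $s6 = " $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16)" ascii fullword
        $s11 = " [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([System.Text.Encoding]::UTF8.GetString($unencrypte"
        $s13 = " $splitcmd = $ReadCommandClear -replace \"multicmd\",\"\"" ascii fullword
        $s14 = " $output = (New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$unencrypte"
        $s15 = " if ($ReadCommandClear -match (\"(.+)Base64\")) { $result = $Matches[0] } # $result doesn't app"
        $s18 = "function Decrypt-String($key, $encryptedStringWithIV) {" ascii fullword
        $s19 = "dData)), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()" ascii fullword
        $s20 = " if (($ReadCommandClear) -and ($ReadCommandClear -ne \"fvdsghfdsyyh\")) {" ascii fullword

    condition:
        // Structural match first: file begins with "$k" (0x24 0x6b little-endian),
        // is small, contains the launcher line and at least four distinct fragments.
        (
            uint16(0) == 0x6b24
            and filesize < 40KB
            and 1 of ($x*)
            and 4 of them
        )
        // Exact-sample fallback; evaluated only when the structural branch fails.
        or hash.sha256(0, filesize) == "6d520463f8563d6a296d22b6824c690c9b6de8121c9b6f08307947874667c5f2"
}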
Category | |
Type | Yara Rule |
Misp Type | |
Description |