Common Information
Type | Value |
---|---|
Value |
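import "hash"

/*
 * PoshC2 - dropper.ps1
 *
 * Matches the PowerShell dropper stage of PoshC2 in one of two ways:
 *   1. heuristically, when the file starts with the bytes "#R", is under 10KB
 *      and carries at least 8 of the characteristic source lines below
 *      (stager fetch, beacon metadata, header/proxy setup, key handling); or
 *   2. exactly, when the whole-file SHA-256 equals the reference sample hash.
 *
 * Condition grouping is written out explicitly: YARA binds `and` tighter than
 * `or`, so the original unparenthesised form already meant this, but the
 * parentheses make the two branches visible to the next maintainer.
 */
rule PoshC2_DropperPs1
{
    meta:
        description = "PoshC2 - dropper.ps1"
        sha256 = "a7f763a818db6da6433b4ffcafbbbd680597fee28bb97760ddd384caf0c25992"

    strings:
        // Stager fetch over the cookie-authenticated web client.
        $s1 = "$primern = (Get-Webclient -Cookie $pp).downloadstring($script:s)" ascii fullword
        // Optional Host header override, gated on the CLR version.
        $s2 = "if ($h -and (($psversiontable.CLRVersion.Major -gt 2))) {$wc.Headers.Add(\"Host\",$h)}" ascii fullword
        // Host/process metadata collected for the first beacon.
        $s3 = "$procname = (Get-Process -id $pid).ProcessName" ascii fullword
        $s4 = "$o=\"$env:userdomain;$u;$env:computername;$env:PROCESSOR_ARCHITECTURE;$pid;$procname;#REPLACEURLID#\"" ascii fullword
        // Session cookie and User-Agent placeholders of the generated template.
        $s5 = "} if ($cookie) { $wc.Headers.Add([System.Net.HttpRequestHeader]::Cookie, \"SessionID=$Cookie\") }" ascii fullword
        $s7 = "$wc.Headers.Add(\"User-Agent\",\"#REPLACEUSERAGENT#\")" ascii fullword
        // Proxy credential handling.
        $s6 = "$getcreds = new-object system.management.automation.PSCredential $username,$PSS;" ascii fullword
        $s8 = "$PSS = ConvertTo-SecureString $password -AsPlainText -Force;" ascii fullword
        $s9 = "$wp.Credentials = $getcreds;" ascii fullword
        $s11 = "if ($username -and $password) {" ascii fullword
        $s16 = "$password = \"#REPLACEPROXYPASS#\"" ascii fullword
        $s17 = "#REPLACEPROXYCOMMAND#" ascii fullword
        // Key material handling and encryptor setup.
        $s10 = "{$a.Key = [System.Convert]::FromBase64String($key)}" ascii fullword
        $s15 = "if ($key.getType().Name -eq \"String\")" ascii fullword
        $s19 = "$e = $a.CreateEncryptor()" ascii fullword
        // NOTE(review): $s12 and $s13 are byte-identical (and look truncated in
        // this copy of the rule). A file containing that line therefore scores
        // two hits toward "8 of them". Both are kept so the effective threshold
        // of the published rule is unchanged; dedupe only together with a
        // re-tuned count.
        $s12 = "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([System.Text.Encoding]::UTF8.GetString($u).Trim([char]"
        $s13 = "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([System.Text.Encoding]::UTF8.GetString($u).Trim([char]"
        // Remaining template lines: date stamp, web client creation, C2 URL build.
        $s14 = "$d = (Get-Date -Format \"yyyy-MM-dd\");" ascii fullword
        $s18 = "$wc = New-Object System.Net.WebClient;" ascii fullword
        $s20 = "elseif($h){$script:s=\"https://$($h)#REPLACECONNECT#\";$script:sc=\"https://$($h)\"}" ascii fullword

    condition:
        // Heuristic branch first: cheap header/size checks, then the string count.
        // uint16(0) is read little-endian, so 0x5223 is the byte pair 0x23 0x52,
        // i.e. a file beginning with "#R" (presumably the "#REPLACE..." placeholder
        // prefix of the template -- verify against the reference sample).
        (
            uint16(0) == 0x5223 and
            filesize < 10KB and
            8 of them
        )
        or
        // Exact-sample fallback. Note this hashes the entire file for every
        // scanned object that fails the heuristic branch; if the reference
        // sample is confirmed to be under 10KB, gating this term with the same
        // filesize bound would avoid hashing large files for no gain.
        hash.sha256(0, filesize) == "a7f763a818db6da6433b4ffcafbbbd680597fee28bb97760ddd384caf0c25992"
}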
Category | |
Type | Yara Rule |
Misp Type | |
Description |