@0xToxin
Created February 10, 2023 22:47
.NET loader string decryption + extraction of encrypted payload in loader resources
#Sample => https://bazaar.abuse.ch/sample/3c37d7351c091a9c2fce72ecde4bcd1265f148dc3b77017d468e08741091bc50/
# Load the loader assembly by reflection and resolve the (obfuscated) type that holds its crypto helpers.
# LoadFile maps the sample into this PowerShell process and every Invoke below runs the sample's own code,
# so do this only inside an isolated analysis VM.
$reflectedAsm = [System.Reflection.Assembly]::LoadFile("C:\dotNetLoader.bin")
$mainType = $reflectedAsm.GetType("rwcQssqTcyOdXXoBLoie.DCPmslvtGCDAiOhxxQvq")
# Key and IV hard-coded in the loader (base64; 32-byte key and 16-byte IV once decoded)
$key = [System.Convert]::FromBase64String("iUlREPUR7NQ6ocefGLoxBty1eSNembQTSWsROZidb0A=")
$iv = [System.Convert]::FromBase64String("U+YnktYGyx/j43tP2+WVyw==")
# Encrypted strings lifted from the loader; each is decrypted by calling the loader's own static routine
$encryptedStrings = ("8qhzRqWw9fiH/7/a5reZMA==", "D/l1SD7OECP0XB2rUm87gA==", "lbk35FoNbOitTifMeNV97Q==", "uJDwrcc4OjLfnn4YCE0Bxw==", "x9nd50/ydQ4NyJMlduaTA1aZE7EpXLNuSa2GwfmjWlxjNEtyTrE+c9z9hlGIXS4Q")
foreach ($encArg in $encryptedStrings){
    $decodedArg = [System.Convert]::FromBase64String($encArg)
    $DecResult = [System.Text.Encoding]::UTF8.GetString(($mainType.GetMethod("MvljRQYEXFVoIflOHPxg")).Invoke($null, @($decodedArg, $key, $iv)))
    Write-Output $DecResult
}
# The next stage is an embedded manifest resource: read it, decrypt it with the same routine,
# then hand the result to the loader's decompression helper. The unary comma in @(,$DecResult)
# keeps the byte[] as one argument instead of splatting it into 4096 separate ones.
$stream = $reflectedAsm.GetManifestResourceStream("payload.exe")
$binaryReader = New-Object System.IO.BinaryReader($stream)
$contents = $binaryReader.ReadBytes([int]$stream.Length)
$binaryReader.Dispose()
$DecResult = $mainType.GetMethod("MvljRQYEXFVoIflOHPxg").Invoke($null, @($contents, $key, $iv))
$binaryDecom = $mainType.GetMethod("XWmzUoViPReUSRriqGvB").Invoke($null, @(,$DecResult))
[io.file]::WriteAllBytes('C:\one_decom.bin', $binaryDecom)
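The script above hard-codes the obfuscated type and method names, which change with every build of the loader. The following is an added example (not the gist author's code) that generalises the same technique: it finds the loader's static decrypt routine by its parameter shape, `(byte[], byte[], byte[]) -> byte[]`, and its decompress routine by `(byte[]) -> byte[]`, then runs every manifest resource through them and dumps whatever comes out starting with an MZ header. The key, IV and sample strings are the ones from the gist; the paths `$asmPath` and `$outDir`, and the assumption that the loader's helpers really have those signatures, are hypothetical and must be adjusted per sample.

```powershell
# Added example: signature-based rediscovery of the loader's decrypt/decompress helpers.
# Assumptions (not from the gist): $asmPath, $outDir, and that the helpers are static
# methods shaped (byte[],byte[],byte[])->byte[] and (byte[])->byte[].
# Reflection executes the sample's own code: run this only in an isolated analysis VM.

$asmPath = 'C:\dotNetLoader.bin'   # assumed location of the loader
$outDir  = 'C:\extracted'          # assumed output directory
$key = [Convert]::FromBase64String('iUlREPUR7NQ6ocefGLoxBty1eSNembQTSWsROZidb0A=')
$iv  = [Convert]::FromBase64String('U+YnktYGyx/j43tP2+WVyw==')
$encryptedStrings = @('8qhzRqWw9fiH/7/a5reZMA==', 'D/l1SD7OECP0XB2rUm87gA==')

$asm   = [System.Reflection.Assembly]::LoadFile($asmPath)
$flags = [System.Reflection.BindingFlags] 'Static,Public,NonPublic'

# GetTypes() throws if any type fails to load; keep the ones that did load.
try { $types = $asm.GetTypes() }
catch [System.Reflection.ReflectionTypeLoadException] { $types = $_.Exception.Types | Where-Object { $_ } }

$decryptCandidates    = @()
$decompressCandidates = @()
foreach ($t in $types) {
    foreach ($m in $t.GetMethods($flags)) {
        if ($m.ReturnType -ne [byte[]]) { continue }
        $p = @($m.GetParameters())
        $allByteArrays = @($p | Where-Object { $_.ParameterType -ne [byte[]] }).Count -eq 0
        if ($p.Count -eq 3 -and $allByteArrays)     { $decryptCandidates    += $m }
        elseif ($p.Count -eq 1 -and $allByteArrays) { $decompressCandidates += $m }
    }
}
"decrypt candidates:    $($decryptCandidates.Count)"
"decompress candidates: $($decompressCandidates.Count)"

# 1) Strings: try every candidate and report only results that are printable text.
foreach ($dec in $decryptCandidates) {
    foreach ($s in $encryptedStrings) {
        try {
            $plain = [Text.Encoding]::UTF8.GetString($dec.Invoke($null, @([Convert]::FromBase64String($s), $key, $iv)))
            if ($plain -match '^[\x09\x0A\x0D\x20-\x7E]+$') {
                "{0}::{1}  {2}" -f $dec.DeclaringType.FullName, $dec.Name, $plain
            }
        } catch { }   # wrong candidate: padding/format error, ignore
    }
}

# 2) Resources: decrypt each one, optionally decompress, and dump anything that is a PE.
New-Item -ItemType Directory -Force -Path $outDir | Out-Null
foreach ($resName in $asm.GetManifestResourceNames()) {
    $stream = $asm.GetManifestResourceStream($resName)
    $ms = New-Object System.IO.MemoryStream
    $stream.CopyTo($ms); $stream.Dispose()
    $raw = $ms.ToArray()
    foreach ($dec in $decryptCandidates) {
        try { $decrypted = $dec.Invoke($null, @($raw, $key, $iv)) } catch { continue }
        # Keep the bare decrypted blob plus one decompressed variant per decompress candidate.
        $stages = [ordered]@{ 'decrypted' = $decrypted }
        foreach ($dc in $decompressCandidates) {
            try { $stages["decrypted+$($dc.Name)"] = $dc.Invoke($null, @(,$decrypted)) } catch { }
        }
        foreach ($entry in $stages.GetEnumerator()) {
            $bytes = $entry.Value
            if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {   # 'MZ'
                $safeName = $resName -replace '[^\w.-]', '_'
                $out = Join-Path $outDir ("{0}_{1}.bin" -f $safeName, $entry.Key)
                [IO.File]::WriteAllBytes($out, $bytes)
                "{0} -> {1} (via {2}, stage {3}, sha256 {4})" -f $resName, $out, $dec.Name, $entry.Key, (Get-FileHash $out -Algorithm SHA256).Hash
            }
        }
    }
}
```

Matching on signature rather than name is what keeps this working across re-obfuscated builds, but it widens the attack surface: every candidate method is executed with attacker-controlled input, so the VM isolation note is not optional. The MZ check is deliberately loose; for loaders that drop a DLL, a shellcode blob or a nested .NET assembly, extend the check (for example, to look for a PE header at `e_lfanew` or for a CLR metadata header) rather than relying on the first two bytes alone.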