Decryption routine for the obfuscated PowerShell script (hex-encoded strings XORed with a short repeating key) analysed at https://r00tten.com/in-depth-analysis-rtf-file-drops-agent_tesla/
#!/usr/bin/python
import sys
import re
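def decryptor(z5ef583):
    """Decrypt one obfuscated string literal from the dropped PowerShell script.

    The sample stores strings as hex text; byte k of the decoded data is XORed
    with ``"qaf669"[k % 6]``. XOR is its own inverse, so this routine also
    re-encrypts plaintext (handy for building test vectors).

    Args:
        z5ef583: the hex ciphertext exactly as it appears inside the
            ``w48cda9("...")`` call. Hex digits may be upper or lower case.
            A dangling trailing nibble is parsed as a one-digit byte, as the
            original Python 2 routine did.

    Returns:
        The plaintext as a ``str`` with one code point (0-255) per input byte,
        i.e. a Latin-1 view of the raw bytes. Empty input yields ``""``.

    Raises:
        ValueError: if the input contains a non-hex character.
    """
    key = "qaf669"
    key_len = len(key)
    # Split into two-character hex groups; range(0, n, 2) keeps the same
    # byte boundaries the original index loop used.
    groups = [z5ef583[i:i + 2] for i in range(0, len(z5ef583), 2)]
    # "".join avoids the quadratic str += of the original; int(g, 16)
    # rejects non-hex input with ValueError instead of silently decoding junk.
    return "".join(
        chr(int(group, 16) ^ ord(key[k % key_len]))
        for k, group in enumerate(groups)
    )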
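def main():
    """Command-line entry point: de-obfuscate a dropped PowerShell script.

    Usage::

        powershellDecryptor.py <file_to_decrypt>

    Every ``w48cda9("<hex>")`` call in the input is replaced by the decrypted
    string literal and the result is written to ``<file_to_decrypt>_decrypted``
    beside the input; the input file itself is never modified. Exits with
    status 1 when no file argument is given. Requires Python 3.
    """
    if len(sys.argv) <= 1:
        print('[+] powershellDecryptor.py <file_to_decrypt>')
        sys.exit(1)
    path = sys.argv[1]

    # latin-1 maps every byte to exactly one code point, so the file
    # round-trips byte-for-byte and the 0-255 code points produced by
    # decryptor() are written back as raw bytes -- what Python 2's byte
    # strings did implicitly. The default locale encoding would instead
    # expand bytes >= 0x80 to multi-byte UTF-8 sequences.
    with open(path, 'r', encoding='latin-1') as fh:
        data = fh.read()

    call_re = re.compile(r'w48cda9\("(.*?)"\)')

    def _decrypt_call(match):
        # Substitute through a callable rather than a replacement string:
        # re.sub would otherwise interpret backslashes and "\1"-style
        # references inside the decrypted payload (or raise "bad escape"),
        # and the decrypted PowerShell is attacker-controlled text.
        try:
            plaintext = decryptor(match.group(1))
        except ValueError:
            # Not a hex string -- leave the call untouched rather than abort
            # the whole run on one odd literal.
            return match.group(0)
        # NOTE: as in the original, the plaintext is dropped into the script
        # unescaped; an embedded '"' will break the resulting literal.
        return '"' + plaintext + '"'

    data = call_re.sub(_decrypt_call, data)

    # The output is the live, de-obfuscated malware: keep it on the analysis
    # host and never execute it.
    with open(path + '_decrypted', 'w', encoding='latin-1') as fh:
        fh.write(data)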
# Only run the CLI when executed directly; importing this module (e.g. to
# reuse decryptor() from another analysis script) has no side effects.
if __name__ == "__main__":
    main()