*HELP* - Infected by Powershell.exe (Clipper/RAT/...)

[калашнитолы]

Looks like you have a rat infestation on your system, abusing lolbins for persistence. I assume "C:\Users\digi-\AppData\Roaming\logs.txt" contains a base64 encoded string.
Have you also installed Sysmon to monitor process execution and other system activities?

 

[Extinction]

Hello alotofus here is the file logs.txt but it's crypted :

 

[Extinction]

калашнитолы Hello thank you I am gonna install Sysmon and I tell you, yes you are right the file logs.txt is crypted !

 

[Extinction]

On Ccleaner I have this entry for the startup and I can't delete these startup commands, and yes it is the powershell.exe that is corrupted... Like a backdoor because sometimes it is connected to the Internet and sometimes not .. Maybe NSA? :P
Thanks chapo

 

[alotofus]

Hello alotofus here is the file logs.txt but it's crypted :

CyberChef

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

gchq.github.io

paste file contents to the input and you will get the decoded form.

In result, this script has ability of replacing clipboard contents with the its operators various (dash, btc, trc20...) cryptocurrency addresses. Additionally operator is able to upload and execute further scripts to the victims machine.

 

[Extinction]

Output : ÓO@Û`..°Mv(".Ó"rº,¡ûV.whÂÃS×M5÷N6Ð.B<.F<.uè.V.whÂÀÞ}éÝz°M.æ.Ø.N.X§x.M .V.whÂÀÞ}éÝz

 

[Extinction]

I am gonna format and reinstall all my windows... I think it's the best solution ?

 

[Balrog777]

I am gonna format and reinstall all my windows... I think it's the best solution ?

Persistence bots if they are well written, it is almost impossible to remove them, trust me, I have been using sality for a few years, and I have tried to remove it from infected computers with any kind of antivirus tool ... ..

 

[xrahitel]

скачивай тыц запускаешь от Админа, смотришь куда и что ломиться и VT тыц сносишь powershell на х#й, также чистишь все через реестр, но обычно достаточно заменить сам powershell.exe и.т.д

 

[sijiloso]

скачивай тыц запускаешь от Админа, смотришь куда и что ломиться и VT тыц сносишь powershell на х#й, также чистишь все через реестр, но обычно достаточно заменить сам powershell.exe и.т.д

Спасибо и удачи в соревнованиях. Закажите свою статью. Я люблю это. Удачи, пойдем за тобой.

 

[alotofus]

Output : ÓO@Û`..°Mv(".Ó"rº,¡ûV.whÂÃS×M5÷N6Ð.B<.F<.uè.V.whÂÀÞ}éÝz°M.æ.Ø.N.X§x.M .V.whÂÀÞ}éÝz

You are doing something wrongly. Anyways i've uploaded decoded file (WARNING! MALICIOUS CODE INSIDE),

 

[Shelly1999]

Try TronScrpit

 

[Candesartan]

You are doing something wrongly. Anyways i've uploaded decoded file (WARNING! MALICIOUS CODE INSIDE),

Thanks, interesting to read.

 

[jajajaOw]

Persistence bots if they are well written, it is almost impossible to remove them, trust me, I have been using sality for a few years, and I have tried to remove it from infected computers with any kind of antivirus tool ... ..

wiping disk and reinstalling should remove said malware no?