[milkshake2020]

Interesting. thanks

[china]

puyuo

[gfx06]

Thanks for sharing

[bardnar]

The PoshC2 server showed in a previous thread (https://breachforums.hn/Thread-Ransomwar...n-Internet) had a second stage powershell script that I've reorganized and commented (noob-friendly). Enjoy!

thank you for this

[pashupata]

lets see whats here

This forum account is currently banned. Ban Length: (Permanent)
Ban Reason: Leeching | http://breached26tezcofqla4adzyn22notfqw...an-Appeals if you feel this is incorrect.

[zinzeur]

thanks comrade, best regards

[PulseCipher]

just dug up the C2 server's IP for this botnet. It's 95.213.145.101. Heads up, it's dodging pings, so don't waste your time there.
Quick rundown of the op:

Cert Validation Bypass: Script blows past SSL cert checks. No surprise there, just letting anything through.

C2 IP: Main address is 95.213.145.101, hitting up /wpaas/load.php/

for the payload.

Encryption Key: Comms are wrapped up tight with this key:

qwp0r0wXGPOeyFtIdP6qDHZCynQmtPzP6xkC3xX9sAc=

Good luck intercepting without it.

Payload Ops: Grabs the payload from the C2, decrypts, and runs it if it spots a "key" in there. Could be anything nasty.

Staying Hidden: Configures a web client, sets headers, maybe uses a proxy. Keeps trying to get the payload, doubling wait time between each attempt (30 tries max).

[Unethical]

just dug up the C2 server's IP for this botnet. It's 95.213.145.101. Heads up, it's dodging pings, so don't waste your time there.
Quick rundown of the op:

Cert Validation Bypass: Script blows past SSL cert checks. No surprise there, just letting anything through.

C2 IP: Main address is 95.213.145.101, hitting up /wpaas/load.php/

for the payload.

Encryption Key: Comms are wrapped up tight with this key:

qwp0r0wXGPOeyFtIdP6qDHZCynQmtPzP6xkC3xX9sAc=

Good luck intercepting without it.

Payload Ops: Grabs the payload from the C2, decrypts, and runs it if it spots a "key" in there. Could be anything nasty.

Staying Hidden: Configures a web client, sets headers, maybe uses a proxy. Keeps trying to get the payload, doubling wait time between each attempt (30 tries max).

This is good - nice work

[PulseCipher]

just dug up the C2 server's IP for this botnet. It's 95.213.145.101. Heads up, it's dodging pings, so don't waste your time there.
Quick rundown of the op:

Cert Validation Bypass: Script blows past SSL cert checks. No surprise there, just letting anything through.

C2 IP: Main address is 95.213.145.101, hitting up /wpaas/load.php/

for the payload.

Encryption Key: Comms are wrapped up tight with this key:

qwp0r0wXGPOeyFtIdP6qDHZCynQmtPzP6xkC3xX9sAc=

Good luck intercepting without it.

Payload Ops: Grabs the payload from the C2, decrypts, and runs it if it spots a "key" in there. Could be anything nasty.

Staying Hidden: Configures a web client, sets headers, maybe uses a proxy. Keeps trying to get the payload, doubling wait time between each attempt (30 tries max).

This is good - nice work

Thanks!

[DaddyIamGayy]

The PoshC2 server showed in a previous thread (https://breachforums.hn/Thread-Ransomwar...n-Internet) had a second stage powershell script that I've reorganized and commented (noob-friendly). Enjoy!

For real let me see, let me see, side bro let me go first?