{
	"id": "940fe9eb-3872-404d-b8b1-25652f1ab56e",
	"created_at": "2026-04-06T00:13:40.227484Z",
	"updated_at": "2026-04-10T13:12:51.61675Z",
	"deleted_at": null,
	"sha1_hash": "52bd91b60d7fb5d30509d8ffd39ed55035fb9392",
	"title": "SunCrypt, PowerShell obfuscation, shellcode and more yara",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5334385,
	"plain_text": "SunCrypt, PowerShell obfuscation, shellcode and more yara\r\nPublished: 2021-03-29 · Archived: 2026-04-05 15:08:07 UTC\r\nThis didn’t start as a blog post. It started as a conversation with Hari Charan @grep_security about something they were looking at called SunCrypt ransomware.\r\nLooking up the name I ran across a couple of interesting blog posts, one by Sapphire here and one by Acronis here. Seeing that this was obfuscated PowerShell piqued my interest.\r\nSearching for some samples to work with also revealed that you can do a tag search on tri.age of “family: suncrypt” (without the space).\r\nThe PowerShell loader we are going to use here is the one from the Acronis blog post with a hash of MD5: d87fcd8d2bf450b0056a151e9a116f72. There are multiple copies on https://app.any.run/submissions/ for that hash. There are 3 copies on Tri.age here.\r\nHari Charan @grep_security also pointed me to a couple of open source yara rules to search for the PowerShell loaders.\r\nThis one appears as though it will search for the ransomware binary here and this one will search for the PowerShell script here.\r\nLet’s take a look at some of the encoding.\r\nhttps://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/\r\nPage 1 of 20\r\nIf we look at this part it takes 3 values, assembles them, then base64 decodes the result to bytes.\r\nBut it will also do something to each string before it reassembles them.\r\nWe can see the first string is passed to a function that reads it right to left, basically just reversing the string.\r\nIf we look at the second string it is taking a substring of what is there, starting at index 16 and taking 2000 characters.\r\nThe encoded string is actually 2032 characters long before we take the substring, so 16 characters are dropped from each end.\r\nThe final 
string is just another reversed string.\r\nThen we just have a long base64 string after reassembling the pieces.\r\nRemember we still have to convert this to bytes, and it will get loaded into memory using VirtualAlloc.\r\nLooking at the bytes in a hex editor we cannot see anything that makes any sense.\r\nThe next step is to drop this into CyberChef here and view the assembly.\r\nThis is also where I hinted on Twitter at a “Somewhat useful tool” which will be on my Github.\r\nIf we look down further we see more API calls.\r\nAnd even further down we see a different type of string building using a “push pop”. I have not made a tool for that yet.\r\nAlthough doing this statically we cannot tell for sure how this is used, the API calls can give some clues as to what it will be doing.\r\nWhat started all of this was when I was trying to write a yara rule to find more samples to test this tool with and look for any outliers that would break it or not be what I was looking for.\r\nI’m still learning yara and this version just looked for the format of the “MOV BYTE PTR”.\r\nI ended up with over 552 hits for this and many false positives. 
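As an added example, not from this post and not the author’s tool or the sample’s own code, the two static steps just described in Python: rebuilding the base64 blob from the reversed / Substring(16, 2000) / reversed pieces, and pulling stack strings out of a text disassembly listing in the MOV BYTE PTR form, with the push-built variant handled as well, while throwing away runs of non-text bytes, which is the false-positive problem the MOV BYTE PTR search ran into. The payload, the disassembly lines, the 16 junk characters around the middle piece and the minimum run length of 4 are all constructed or assumed; only the instruction text is parsed, so no particular CyberChef output layout is assumed.

```python
import base64
import re
import struct


# ---- Stage 1: rebuild the base64 blob from the three obfuscated pieces ----
# The script reverses the first string, takes Substring(16, 2000) of the
# second (stored as 2032 characters, so 16 junk characters sit on each
# side), reverses the third, joins them and base64-decodes to the shellcode.
def reassemble(piece1: str, piece2: str, piece3: str,
               start: int = 16, length: int = 2000) -> bytes:
    joined = piece1[::-1] + piece2[start:start + length] + piece3[::-1]
    # validate=True rejects anything outside the base64 alphabet, so a wrong
    # start/length that drags junk in fails loudly instead of decoding garbage.
    return base64.b64decode(joined, validate=True)


def build_constructed_pieces(payload: bytes):
    # Constructed stand-in for the three strings in the script: the payload
    # is whatever is passed in (the real one is shellcode) and the 16 junk
    # characters around piece 2 are invented. Needs >= 3000 base64 chars.
    b64 = base64.b64encode(payload).decode('ascii')
    assert len(b64) >= 3000, 'payload too short for the 1000/2000/rest split'
    p1, p2, p3 = b64[:1000], b64[1000:3000], b64[3000:]
    junk = '#' * 16
    return p1[::-1], junk + p2 + junk, p3[::-1]


# ---- Stage 2: recover stack strings from a text disassembly listing ----
# MOV_BYTE matches the 'MOV BYTE PTR [reg+-disp], imm8' form the YARA rule
# keys on; PUSH_IMM covers the push-built variant. Only the instruction text
# is parsed, so address and opcode columns are ignored if present.
MOV_BYTE = re.compile(r'MOV +BYTE +PTR +[[][A-Za-z0-9]+([+-]0x[0-9A-Fa-f]+)?[]] *, *0x([0-9A-Fa-f]{1,2}) *$', re.IGNORECASE)
PUSH_IMM = re.compile(r'PUSH +0x([0-9A-Fa-f]{1,8}) *$', re.IGNORECASE)
MIN_LEN = 4  # assumption: shorter runs are mostly flag bytes and counters


def _printable(b: int) -> bool:
    return 0x20 <= b < 0x7F


def stack_strings(listing: str, min_len: int = MIN_LEN) -> list:
    found, mov_run, push_run = [], [], []

    def flush_mov():
        if len(mov_run) >= min_len:
            found.append(bytes(mov_run).decode('ascii'))
        mov_run.clear()

    def flush_push():
        # The last PUSH lands at the lowest address, so read the dwords in
        # reverse program order, each little-endian, up to the first NUL.
        raw = b''.join(struct.pack('<I', d) for d in reversed(push_run))
        raw = raw.split(bytes([0]), 1)[0]
        if len(raw) >= min_len and all(_printable(c) for c in raw):
            found.append(raw.decode('ascii'))
        push_run.clear()

    for line in listing.splitlines():
        m = MOV_BYTE.search(line)
        if m:
            flush_push()
            value = int(m.group(2), 16)
            if _printable(value):
                mov_run.append(value)
            else:
                flush_mov()  # a NUL terminator or non-text byte ends the run
            continue
        p = PUSH_IMM.search(line)
        if p:
            flush_mov()
            push_run.append(int(p.group(1), 16))
            continue
        flush_mov()          # any other instruction breaks both kinds of run
        flush_push()
    flush_mov()
    flush_push()
    return found


# Constructed listing (not real SunCrypt output): one byte-at-a-time stack
# string, a run of non-text bytes a naive rule would flag, and a push-built name.
SAMPLE_LISTING = '''
00000010 55          PUSH EBP
00000013 C645F04B    MOV BYTE PTR [EBP-0x10], 0x4B
00000017 C645F165    MOV BYTE PTR [EBP-0xF], 0x65
0000001B C645F272    MOV BYTE PTR [EBP-0xE], 0x72
0000001F C645F36E    MOV BYTE PTR [EBP-0xD], 0x6E
00000023 C645F465    MOV BYTE PTR [EBP-0xC], 0x65
00000027 C645F56C    MOV BYTE PTR [EBP-0xB], 0x6C
0000002B C645F633    MOV BYTE PTR [EBP-0xA], 0x33
0000002F C645F732    MOV BYTE PTR [EBP-0x9], 0x32
00000033 C645F800    MOV BYTE PTR [EBP-0x8], 0x00
00000037 C645E001    MOV BYTE PTR [EBP-0x20], 0x01
0000003B C645E1FF    MOV BYTE PTR [EBP-0x1F], 0xFF
0000003F 6A00        PUSH 0x0
00000041 686C6C6F63  PUSH 0x636F6C6C
00000046 6875616C41  PUSH 0x416C6175
0000004B 6856697274  PUSH 0x74726956
00000050 8BF4        MOV ESI, ESP
'''

if __name__ == '__main__':
    sample = bytes(range(256)) * 10
    assert reassemble(*build_constructed_pieces(sample)) == sample
    print(stack_strings(SAMPLE_LISTING))  # ['Kernel32', 'VirtualAlloc']
```

Running it against a real listing means pasting the disassembly text into SAMPLE_LISTING (or reading it from a file); the 0x01/0xFF lines show why a minimum length and a printable check are needed before a MOV BYTE PTR hit is worth looking at.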
I knew I needed to find something to rule out some of the values that did not return strings or would return either encoded or garbage looking strings.\r\nAfter several hours of trial and error I ended up with this.\r\nThat reduced it down to 214 hits. It ended up being shellcode and binary samples that used that format. I’m sure there are a few more samples in that mix that would be false positives, but it was good enough for what I wanted.\r\nAfter going through that exercise I wanted to try and find a way to let the obfuscated PowerShell self decode. So I started by looking for a way to just let it reassemble the base64 string and then write that to a file.\r\nThe template part is the path variable and the pipe out to file. But you have to remember to remove the “[Byte[]]” part and the “[System.Convert]::FromBase64String” from each one you want to rebuild, and just dump it to a text file for further processing of the base64 string.\r\nSo I then went back and searched for how to just output to a binary file, since that is what we ultimately wanted anyway.\r\nThe variable for the path can be the same, but instead of piping to write file / text we add the line with the System IO and make sure we have the variable name the same as in the extracted PowerShell.\r\nMoving on to the large base64 string.\r\nUsing Notepad++ we notice the highlighted area is all 1 section. 
You may also notice the extra parameter name right after the join.\r\nSearching for that value we find it all the way up right after the code for the shellcode reassembling.\r\nSo when we go to use the self decode trick we need everything from here all the way to the end of the highlighted area, to be sure we have all of the needed parameters to rebuild the base64 string before it gets decoded to hex/binary data.\r\nOnce we drop this into our wrapper and verify we have the proper output name set, we can then just input it into the PowerShell ISE and run it, and it will output our binary file for the next step.\r\nNow the first four bytes of this output appear to be the length of the remaining bytes in the output. These will need to be removed for the next step.\r\nHere we see it is a 32 bit binary with a timestamp of 9/18/2020, although the created date shows the file was assembled today.\r\nIf we look at the Unicode strings we can see that the file extension strings are not obfuscated or hashed like the other blog post showed.\r\nOne of the next things I was looking for is how to extract the ransom note.\r\nThe other blog post gives us clues what we are looking for, so let’s look at the file in a hex editor.\r\nThere is a very distinctive string that begins with “11”; as it turns out, 0x11 is the xor key.\r\nOne of the other samples used 0x13 for the xor key.\r\nIf we scroll down to the end we can see clearly where this section will 
end.\r\nIf we keep scrolling down while we still have multiple “11” values we get to this.\r\nIf we xor that by 0x11 we get this.\r\nNext I uploaded this to Anyrun here because I could not figure out at the time where the IP was coming from.\r\nOne of the last pieces of this puzzle is that it does a POST request with some encoded data.\r\nIf we look at the data that gets dumped from the packet we see this.\r\nSo as a guess I checked to see if it had a single byte xor key, and to my surprise it did.\r\nThe same one as the rest to decode with, 0x11.\r\nDoes this passed hex value look familiar? It is from the section where the IP was extracted.\r\nWhat is it? I do not know. If someone does please let me know.\r\nOne other thing: while I was not initially able to find the IP, I dropped this into IDA to see if I could figure out how it worked.\r\nSeeing this..\r\nAnd this..\r\nWas still no help to figure out what was passed.\r\nI’m sure the IDA experts could tease out the information quickly, but that is something else I still need to learn.\r\nWhile working on this and needing more samples to compare I also wrote a yara rule to detect the obfuscation format. 
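The length-prefix removal and the single-byte XOR work above, as an added Python example that is not from this post, the author’s tooling or the sample, and that stays static rather than running the trimmed script: it checks that the four leading bytes really are the length of the rest (the post reads them as a length but not the byte order, so little-endian is an assumption here), walks the file for runs that decode to text under a given key, and recovers the key from a region the way the hex-editor observation suggests, since null padding XORed with a one-byte key shows up as that key byte, which is why the note region stood out as a run of “11”. The note text, the filler bytes and the layout of the blob are constructed; the same xor_single call is what decodes the POST body the post XORs with 0x11.

```python
import struct

# Keys the post reports across samples: 0x11 in this one, 0x13 in another.
KEYS_SEEN = (0x11, 0x13)


def length_prefix_ok(blob: bytes) -> bool:
    # Four leading bytes stating the length of the rest; little-endian
    # (x86's native order) is an assumption, the post does not say.
    if len(blob) < 4:
        return False
    (declared,) = struct.unpack('<I', blob[:4])
    return declared == len(blob) - 4


def strip_length_prefix(blob: bytes) -> bytes:
    # Refuse to guess when the prefix does not describe the remaining bytes:
    # a mismatch usually means a truncated dump or a wrongly trimmed script.
    if not length_prefix_ok(blob):
        raise ValueError('length prefix does not match the remaining bytes')
    body = blob[4:]
    if body[:2] != b'MZ':
        raise ValueError('payload does not start with an MZ header')
    return body


def xor_single(data: bytes, key: int) -> bytes:
    # Single-byte XOR is its own inverse: the same call encodes and decodes.
    return bytes(b ^ key for b in data)


def _is_text(b: int) -> bool:
    return 0x20 <= b < 0x7F or b in (9, 10, 13)


def text_score(data: bytes) -> float:
    # Fraction of bytes that are ASCII letters or spaces; crude, but enough
    # to separate the right key from case-flipping and similar near misses.
    good = sum(1 for b in data
               if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A or b == 0x20)
    return good / max(1, len(data))


def guess_xor_key(region: bytes) -> int:
    # Null padding XORed with a one-byte key becomes the key byte itself, so
    # the most frequent byte of a padded region is the first hypothesis. It
    # is then confirmed by scoring every key on the region with that padding
    # removed: left in, a key that maps nulls to spaces can outscore the
    # real one.
    hypothesis = max(set(region), key=region.count)
    stripped = bytes(b for b in region if b != hypothesis)
    best = max(range(256), key=lambda k: text_score(xor_single(stripped, k)))
    if best != hypothesis:
        raise ValueError('padding byte 0x%02x and best-scoring key 0x%02x disagree' % (hypothesis, best))
    return best


def find_xor_regions(blob: bytes, key: int, min_len: int = 32) -> list:
    # Return (offset, decoded text) for every run of at least min_len bytes
    # that becomes text under the key; the run ends where the decoded bytes
    # stop being text, which is the boundary the post finds by scrolling to
    # the end of the 0x11-laden section. A wrong key can still yield printable
    # garbage, so pair this with guess_xor_key on the region it reports.
    regions = []
    start = None
    for i, b in enumerate(blob):
        if _is_text(b ^ key):
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                regions.append((start, xor_single(blob[start:i], key).decode('ascii')))
            start = None
    if start is not None and len(blob) - start >= min_len:
        regions.append((start, xor_single(blob[start:], key).decode('ascii')))
    return regions


# Constructed stand-in for the self-decoded output; not data from the sample.
NOTE_TEXT = 'CONSTRUCTED ransom note stand-in: your files are encrypted, contact us for the key.'


def build_constructed_blob(key: int = 0x11) -> bytes:
    filler = bytes([0x00, 0xFF]) * 32   # bytes that never decode to text
    # 16 null pad bytes after the note become 16 key bytes in the file
    note = xor_single(NOTE_TEXT.encode('ascii') + bytes(16), key)
    body = b'MZ' + filler + note + filler
    return struct.pack('<I', len(body)) + body


if __name__ == '__main__':
    body = strip_length_prefix(build_constructed_blob())
    for key in KEYS_SEEN:
        for offset, text in find_xor_regions(body, key):
            # +16 pulls the constructed padding into the region; on a real
            # dump take the run of repeated key bytes seen in the hex editor
            region = body[offset:offset + len(text) + 16]
            print('tried 0x%02x at 0x%x, region says 0x%02x: %s' % (key, offset, guess_xor_key(region), text))
```

Trying 0x13 on this blob still reports a printable region, because flipping one low bit keeps letters as letters; guess_xor_key on that region answers 0x11 anyway, which is the check to run before trusting a decoded note or POST body.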
The open source one will detect the base64 encoding method.\r\nThis first version will search for substring as a string and only has to be found once, since the value is “11” in the string.\r\nThis version will search for the “Substring” string as bytes but allows for multiple possible values in the start point for the substring.\r\nWell, that is pretty much as far as I can go on this.\r\nPossible future research.\r\nSet up a VM with Sysmon and PowerShell logging enabled as suggested by Lee Holmes here and run the sample to see what the logs will show me.\r\nTake a closer look and learn how the encryption works.\r\nLinks:\r\nLink to Acronis Blog post\r\nLink to Sapphire Blog post\r\nLink to Anyrun for the extracted ransomware\r\nLink to Anyrun for PowerShell sample\r\nLink to tri.age Search\r\nLink to my Github for Files\r\nLink for open source yara rule for the binary\r\nLink for open source yara rule for finding the PowerShell script\r\nLink for working with CyberChef Assembly\r\nSource: https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/"
	],
	"report_names": [
		"suncrypt-powershell-obfuscation-shellcode-and-more-yara"
	],
	"threat_actors": [],
	"ts_created_at": 1775434420,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/52bd91b60d7fb5d30509d8ffd39ed55035fb9392.pdf",
		"text": "https://archive.orkl.eu/52bd91b60d7fb5d30509d8ffd39ed55035fb9392.txt",
		"img": "https://archive.orkl.eu/52bd91b60d7fb5d30509d8ffd39ed55035fb9392.jpg"
	}
}