Last active
October 6, 2022 20:39
-
-
Save dr4k0nia/dc23c1c3bec75a17597ae2448c8640d0 to your computer and use it in GitHub Desktop.
Simple Decryption Routine for strings and 2nd stage payload of malware sample SHA256: 169bf7d8d5240de6e4d3df6f6be95198075c22620d84d5e95cfc3c5f4e2e4f43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void Main() | |
| { | |
| Decrypt("bISU^wHNIS").Dump(); | |
| Decrypt("fTTBJEK^").Dump(); | |
| Decrypt("kHFC").Dump(); | |
| var file = File.ReadAllBytes("ThomasEdinson.bin"); | |
| var result = file.Select(new Func<byte, int, byte>(stageDecryption)).ToArray<byte>(); | |
| File.WriteAllBytes("ThomasEdinson_Decrypted.bin", result); | |
| } | |
| string Decrypt(string input) | |
| { | |
| return string.Concat(input.Select(new Func<char, char>(stringDecryption)).ToArray<char>()); | |
| } | |
| // Token: 0x060000C9 | |
| internal char stringDecryption(char c) | |
| { | |
| return (char)(c ^ '\''); | |
| } | |
| // Argument supplied to in the EntryPoint method | |
| string key = "ИисусDi4a4ter"; | |
| // Taken from Token: 0x060000CB | |
| internal byte stageDecryption(byte x, int i) | |
| { | |
| return (byte)(key[i % key.Length] ^ (char)x); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Decrypted 2nd stage https://www.malshare.com/sample.php?action=detail&hash=81763d8e3b42d07d76b0a74eda4e759981971635d62072c8da91251fc849b91e