
New to malware analysis and disassembly. dotPeek has been helpful. Is this code unreadable because of SuppressIldasmAttribute?

Reverse Engineering Asked by ringXzero on April 12, 2021

I'm just getting into reverse engineering malware, and I want to get to the source on my own. I could use any.run or VT, but that's no fun. Is there any reason why this is unreadable the way it is? Is it due to the module-level SuppressIldasmAttribute? Feel free to cringe at my questions, and thank you to anyone who takes the time to help. Here is some of the code from dotPeek so you can see what I'm getting back.

// Decompiled with JetBrains decompiler
// Type:
// Assembly: rgdfgdfg, Version=1.9.2.1, Culture=neutral, PublicKeyToken=null
// MVID: 59450446-F2C7-4225-B831-8B4909494F7E
// Assembly location: C:UsersryankDesktopMalware_SamplesPastebinPayloadHWWKFile.exe

using System;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;

internal class u003CModuleu003E
{
private static byte[] ѢﬧѡﬦﬣﬧשׁﬨשׁѠѠѡשׁѠѣﬨѡѣѡѤﬧﬠﬣﬣѢѡѡﬤѡﬨѠѣﬥѠﬤuFB29ﬨﬤﬣﬡbnlVMImALUAXucSYKZSYsqgmdhsGAu007Bu007B_u0029V15ru003Cu0021kLWu003ENdXu003Cu0024u007Du0022u003Cu005Bou002B;
static u003CModuleu003E.ѥﬥѡѠﬠѥﬣﬣﬥﬨﬠﬡuFB29ѥﬣﬢѠѢѢﬠﬦѠﬢѥѥѥﬢѤﬤﬦѤﬠﬣﬧѠuFB29uFB29שׁﬡflxShkcwFFVAPdOfCzepHwOVWfaEu002433u0040ou0022u003BFv6u002Bgu002B6u007C5sp9wDu007EyC ﬣѤﬦﬢѢѢѡﬤﬣﬧﬢﬠѣﬠѢﬤﬠѠשׁѠuFB29ѥuFB29ѠﬧﬣﬢﬦﬧﬨﬣﬢﬡﬡѥﬡﬥﬤﬥﬡfQscSDUEIJNhHvHHiWXFWeKtNFvskUWPu0027Nu0024u003Eu003FLu003D1u002B_u005Eu003Eh6XGDu005Bgu0026; internal static byte[] ѣﬠѤѢѠﬤשׁשׁﬡѣѢuFB29ﬨﬢѤשׁﬤﬣﬢѤﬡﬣuFB29ѤuFB29ﬦѠﬤѡﬡﬡѣשׁﬢѣﬠﬢﬠﬨbssMtdECXrgBvOIKMujEzlplcZvmYu003Au007Du007CSJau007C9u002D12ML4ITu005Esq5u0021YLu0022; internal static u003CModuleu003E.ﬤuFB29uFB29ﬦѠﬣﬣѥﬤﬨﬨѠѥﬦﬡѥѢﬦѣѢѣѣﬤuFB29שׁѡѣﬦﬡﬣﬧﬧѤﬥѥﬢѥﬡuFB29wEbxdRjWoqHCDKlqKsLbdJbFAixRu0020su002A7Lu003Bu005D572lu003Fu0029wvu0021Fu007BMeZu0028u0028Qu0023 ﬠѠﬦﬤﬢﬦѢﬥﬨѢﬡﬠѢﬦﬧﬥﬠѢﬥѤuFB29ѠﬨשׁﬢѤﬢѥuFB29ﬧѥѤשׁﬦﬥѤﬢѣשׁWztnNkAwNHFRaniAlRkFgHLlyuvkPJ9mu003DJWu00254u007Eu003Bg3d7bu003Cu005Bu003FPKKgiu0021; internal static Assembly ѥﬨѤﬡﬥﬡﬤﬨѢﬠѣѢѥﬤﬧѥﬡﬦѣﬧﬢﬠѠﬠѢﬡuFB29ѤﬥﬥﬢѢѠﬧﬠﬢѡﬢѥstBblIAkNABTObjujFJETiAegJxUAu0026u003Cpeu0029fu003FLBu0027FKQQyu007Cu003Cu00405nKu007EJwu0022; internal static u003CModuleu003E.ﬥﬧѢѣﬥѠuFB29ѤﬢѢѣﬢﬧﬣשׁѠﬥﬦѠﬨuFB29ﬥѠﬡﬨѥﬤѠѥѢѣuFB29ﬢﬠﬡﬤﬢѤﬤPBUjQBqDxlPPWLlUjmxzDRkTbdIInTNAu005CAu0024Cu0028bxu0021u0025u003Eu003FYg5BsRoUu002Du0024 ﬡﬣﬡuFB29ﬠשׁﬣѣﬧﬣѠuFB29ﬢﬥﬥשׁѢﬢﬤשׁﬦﬠѢѤѥѠﬡѠuFB29ﬣﬣѠﬧﬤuFB29uFB29ﬦѥﬧyVsFZntXHrdCYJeLmjtSgBamjxOmOxeu003Au007DQu002Bu003EIu007Du0023u007C6u005DmdBWu002Fu007DIRHu0025;

private static GCHandle ѢﬣﬥﬢשׁѣﬠﬨﬨשׁѠﬣﬦﬣﬥﬧﬥשׁﬦѢﬤѥѥﬠﬣﬤѥﬧѤﬣﬨﬣѢﬦѡﬢשׁѤﬦnJUXgIvjdASdQQDhYLNjwiuNcIPou003FDu007E6u0025aK0u0040jtZaBfu002Du007D9u0028kNfVd(
[In] uint[] obj0,
[In] uint obj1)
{
// ISSUE: unable to decompile the method.
}

// NOTE(review): a private static method taking string[] and returning int, marked
// [STAThread], has the shape of a program entry point. Presumably this is Main;
// confirm against the entry-point token in the assembly's CLI header.
// [STAThread] is printed twice here, exactly as the decompiler emitted it.
[STAThread]
[STAThread]
private static int ѡﬥﬧѠﬨѥѤﬥﬢﬨﬦѡﬨﬣѥﬢѢﬠﬡﬥѠѣשׁﬣѠﬤﬥﬤﬥuFB29ѠѢﬢﬦѠﬣﬥﬥﬡISKzKEdGfUOmdKDGJGVocSUOHPLBu005Ctu003Bu0022Tiu007Cu0020u0023u003Eu0028u005E6u005Ccu007EnanE2vu003Au0040(
[In] string[] obj0)
{
// ISSUE: unable to decompile the method.
// The decompiler recovered no body, so this listing says nothing about what the method does.
}

// The (object, ResolveEventArgs) -> Assembly signature matches the
// System.ResolveEventHandler delegate, the handler type for events such as
// AppDomain.AssemblyResolve.
// NOTE(review): together with the static Assembly and byte[] fields declared above,
// this is consistent with a loader that supplies an assembly from memory instead of
// from disk. That is an inference from the signature only; the body was not recovered.
private static Assembly ѡѣﬦﬢשׁﬨﬠﬠѤѤѤѠשׁﬡuFB29ﬨѢﬦﬠﬢﬢﬡѥﬣשׁѡﬦﬣѥﬡѢﬢﬨﬡﬦѢﬧﬣѥzxSugbwvptbiOFZLTdkkVWBgTCTTijtu0022u002A5u007Dqu003BMJEt6pu005DGu003Btu0025Iu005Cu0040u005Eu0025(
[In] object obj0,
[In] ResolveEventArgs obj1)
{
// ISSUE: unable to decompile the method.
}

// Takes a byte[] and returns a byte[].
// NOTE(review): presumably a buffer transform (decode, decompress or decrypt), but the
// body was not recovered, so the actual operation cannot be read from this listing.
internal static byte[] ѡﬥѣﬤﬧuFB29ﬣﬠﬤѤѤѡﬥѡﬢﬤﬤﬠﬨﬢﬦuFB29ﬨﬠﬥﬠѠﬦﬣѡשׁѠﬦﬠѥѡuFB29ѢZyEhQghovjVWbJgGDnrmotBOZdVA2u005Ds8u005Cu002Aqmu0027u003Au003F8ELqHu003BKq2u0027tu003Fu0026(
[In] byte[] obj0)
{
// ISSUE: unable to decompile the method.
}

// Static constructor of the <Module> pseudo-type. "u003CModuleu003E" is the decompiler's
// escaped spelling of <Module> (\u003C and \u003E) with the backslashes lost on this page.
// The same applies to the other uXXXX runs inside the identifiers.
// As the module initializer, this code runs before anything else in the module.
//
// The loop has the shape of control-flow flattening. num1 is a state value, and
// (num1 ^ -271784619) % 4 picks the next case, so the call order is hidden behind
// arithmetic instead of being written top to bottom.
// NOTE(review): following only the low two bits of num1 by hand gives the order
// case 1 -> case 0 -> case 2 (return); case 3 and default look unreachable.
// Confirm in a debugger or with a deobfuscator before relying on this.
static u003CModuleu003E()
{
// Unconditional first call, made before the state machine starts.
u003CModuleu003E.ﬢﬦﬦﬠѢuFB29ѣﬠѥﬢﬠﬡѠѢѥѢﬤuFB29ѣﬦuFB29ѠﬠﬠﬥﬢѡﬧﬣﬧﬣѠﬢuFB29uFB29ѥѡﬥﬦSkDHyitoJRLTycHqdmhEdmaaAyLkHu0029u005CA1u0020u002F6u007Cu003Au003DGOSu0020SSX7su003Bacu002Du0023();
label_1:
// Initial state value.
int num1 = -1875365012;
while (true)
{
uint num2;
// Dispatcher: XOR the state with a constant and reduce modulo 4 to select a case.
switch ((num2 = (uint) (num1 ^ -271784619)) % 4U)
{
case 0:
// Three parameterless calls on <Module>; the last one has the name of the
// method declared right after this constructor.
u003CModuleu003E.ﬦשׁﬢﬢѣѠﬦﬧﬦשׁﬢѥﬥѠѣﬨѡѤשׁﬣﬤuFB29ѢﬢﬤﬡѥuFB29ﬦﬨﬢѡѣﬢﬤﬧﬧѥwPLLzcwMdVwcfrvCmppXFPiMoZABMx0u0024m1D7u002Cu0022u0028u002C7u002FWgyPpsXoh9();
u003CModuleu003E.ѢﬡﬢѡѢuFB29ﬨשׁѢﬨѥﬤuFB29ѣuFB29ﬦѥѥﬨﬦﬡﬨﬨѣﬨuFB29ﬨﬤѢѤﬤﬠѠﬨѠѠuFB29ѡﬡﬡApKPgUUOKblqtEevuuZlgtayWSpuru00262qu003Cf8u0026u005Du005DFFWu003Fu002DPgaaKu007EOEu0023(); u003CModuleu003E.ﬧѣѢѥﬦﬡﬦѢﬣѡѤﬣuFB29ﬡѠﬢﬣuFB29ﬥשׁﬢѡѥﬦﬤﬡﬦѡﬧѢѠﬦﬨuFB29שׁѢשׁﬡﬢﬢuQPwBFIkAaoMtcDDQDtlidqOtQWjA7u0021u00234XKzXu005DKIu003FHu003E_u005D1eu005BDu0029Dbu002F();
// Next state: multiply the dispatcher value by a constant, then XOR with another.
num1 = (int) num2 * -1151438799 ^ 62872991;
continue;
case 1:
// One parameterless call on <Module>, then the next state is computed.
u003CModuleu003E.ﬧﬥﬣѡﬢuFB29ѤѤﬧѠѤﬨѥﬧﬤѠשׁﬡѥﬦﬧﬢﬠﬣѠﬧﬣѢשׁﬠѥѣﬦﬥѤﬥѡשׁשׁtIuygSaoMqiAuyaSuniGYsAaloiwu002C6u005BMJAyv7xu0021u007BUu003E9u003D5u0029u003Eu0025Ofu003Bu005Bu002D();
num1 = (int) num2 * 1706151344 ^ 1056318149;
continue;
case 2:
// Exit state: leaves the loop and returns.
goto label_3;
case 3:
// Jumps back to the state reset at label_1.
goto label_1;
default:
goto label_6;
}
}
label_3:
return;
label_6:;
}

private static void ﬧѣѢѥﬦﬡﬦѢﬣѡѤﬣuFB29ﬡѠﬢﬣuFB29ﬥשׁﬢѡѥﬦﬤﬡﬦѡﬧѢѠﬦﬨuFB29שׁѢשׁﬡﬢﬢuQPwBFIkAaoMtcDDQDtlidqOtQWjA7u0021u00234XKzXu005D`KIu003FHu003E_u005D1eu005BDu0029Dbu002F()
{
// ISSUE: unable to decompile the method.
}

private static void uFB29uFB29שׁѠﬢשׁﬠѤﬨﬤѢѤﬡѥѡѢѢﬧѠﬨשׁﬦѤﬤѣﬣﬤѢשׁﬠﬦѡѡѢﬠשׁﬦﬦuFB29mygDmwCKLtFLrCGPNtsYZSTckkAIb_u0021aCoZ4bu002Cu003Cu0028MFTu002BQgu0023nXu002Fu003D9u0023u0027(
[In] object obj0)
{
// ISSUE: unable to decompile the method.
}

Most of the rest of the code has this same "// ISSUE: unable to decompile the method." comment, along with more of the unreadable names.
Here is where I found the module-level SuppressIldasmAttribute:

using System.Diagnostics;

using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Runtime.Versioning;

// Assembly rgdfgdfg, Version=1.9.2.1, Culture=neutral, PublicKeyToken=null
// MVID: 59450446-F2C7-4225-B831-8B4909494F7E
// Assembly references:
// mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
// Module references:
// kernel32.dll

// Assembly-level and module-level attributes as printed by the decompiler.
[assembly: CompilationRelaxations(8)]
[assembly: RuntimeCompatibility(WrapNonExceptionThrows = true)]
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]
[assembly: AssemblyTitle("SuperSoft")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("")]
[assembly: AssemblyCopyright("")]
[assembly: AssemblyTrademark("")]
[assembly: ComVisible(true)]
[assembly: AssemblyFileVersion("1.9.2.1")]
[assembly: TargetFramework(".NETFramework,Version=v4.0", FrameworkDisplayName = ".NET Framework 4")]
[assembly: AssemblyVersion("1.9.2.1")]

// SuppressIldasmAttribute only asks Microsoft's ildasm.exe to refuse to disassemble the
// module. It does not encrypt or change the IL, and dotPeek still produced the listing
// on this page with the attribute present. It therefore does not explain the unreadable
// names; those come from the identifier renaming and the switch-driven state machine
// visible in the <Module> listing.
// NOTE(review): the "unable to decompile the method" bodies more likely come from the
// same obfuscation or protection layer than from this attribute. Confirm by inspecting
// the raw IL of one of those methods.
[module: SuppressIldasm]


thank you anyone who takes the time to help. sorry if this hurt to read.
