Decryption of the embedded string table of the latest KLBanker variant: each entry is base64(IV || AES-CBC ciphertext), the AES key is MD5 of the hard-coded passphrase `8521`, and the IV is the first 16 bytes of each blob. The decrypted table (shown at the bottom) holds the sample's dynamic-DNS hostnames, targeted bank window titles and persistence/UI commands — treat the hostnames as IOCs, not as addresses to visit.
import base64
import hashlib

import malduck
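# Encrypted string table carved from the sample. Every entry is
# base64( IV[16] || AES-CBC ciphertext ), ciphertext padded to the AES block
# size. Entries 31/32 are genuine duplicates in the sample (the decrypted
# output repeats the same hostname twice as well).
stringsArr = [
    "l6PjPku2W0NahCbd36HRrMt3OvjY3svw1l1VAr63795ZSuvoliYrT76jhbTr4DE8",
    "4WRsAYF5K2xRj+RDB0sKxkw/o2ydLwGi6hIsHroFCdSiRcRHYtZnvb0vCwvSX/gZZm0XrYdyIRihnH0golgTnw==",
    "kmzDkgXFNZdRuTuEfEqezXxHNC1Rwm0b4ue46PIMCepKi1QIqIq7E2+SGtocFtO8",
    "6R8tAX5y2sTw3n3BbYUlkjyTeUc5Ofw54meqCSi4mH+9ZYfEB2131KxLGdN69eJK",
    "Jr6UMUJ0YhXKRkEIpLCp24bTPyxnJWdtVXhOC7+0AyWQWTSPZjyonsULOO2ZOWF/",
    "xGJJoWLWFMxSxoB8htqGOmYX/TMOIA7Bzko0YYF5Y9EhBvslJyDCKS/rwfro++UP",
    "SC2owWo4MmTJBghMVtfnpRbs8+qH52p4DmwW3eIP6czxHpW5sHkepVpqH6Gbrahj",
    "ZfRqRkS4CHiLOSm7xkYtAOZnOtCJ0PUrE0LtPXqgMk3caiFq5kvaQaEnMn9JJVK2",
    "NEbscDY49aJvF7kL06jKIDFb9jj1YlLzMyWZMl544mrTzoKm+lGEDBWdryGyQrHR",
    "ojKSz0v47RFdKwl9S6O1zHupe7ZenfrEAR/9rgOrwHwmYNOslKo3MjFCDs9DPNuY",
    "Y4HSgrFfpnLhMfKBVsjyPZD0QPwUKKbg6dWnoqwo5G8E2KM+5S+UyNU/P8conXK4",
    "EDZYNxVIULdr5D3RKLvWJwjhhmvR8xT4v0KfwrYiSwA54E+o1hpLK2Wk0BIQbwEb",
    "I0gpZ9ePYvBLfpMhjUvizL3CYp5lh1y9AnM30RW7o0zh4qjMMq0Q/bxLWkR7B7e5",
    "oR9rs61M+SrQkpnQ21S5AnRhHz3eyDk8Sti9cABB8/gkAfaAEWRg/DY9kOcJDuHv",
    "Y2U8u7XAzFit5tRfU6k+J1Tly24fOkdY5AP9h/ZcddjjeWMiCUc0CIx+vT0iThqi",
    "ADRXpeRJ0Go792tm1wFmjzRpjV57GtTCTtFVH5ghhEzs1yg5Xofgus1yuQW0CiWw",
    "cJDOHLCTjf24Jgs5Y1IUCYNi6+lXWkBNpj3ZVvQGD2qyA+2wYC3JjigbYSNfx3hH",
    "0wpj5CyqQFhKEDXNX+JPFeeJGwz/rrnMhyTOxVlrDLKExhNznTMpoweEybQUO/+L",
    "o5WjObAZIsCheDZxCM5K35WxHT7Aq5v6MXvB110PKM4vpQgv9gHVZ01exJGxRJft",
    "an+k0weN81R+ZNwHqbZ638dKvt9uoYHXNei5gCvKgw7U+CspiBymR2iBepMmo43Z",
    "m9osFZaxh+LNeZskFbmY42mj/M9/78dsw0Y09dnlmvQHNsIc7JIoiUUFgKq1+yXp",
    "Q/dZKbn6naMkn2IKZgWOXvQKIH0CSHirW9WBvHaGEB8UoqRisrDVAqX59eTwYgBq",
    "RpN4ffLfJHFKjIhmwSPOZq0RBaVgxL82LFwbNfl0OrhN2EI6I/l+U5jMf3xSzRcO",
    "YSY5tyT3SyHua5uwPAHId5fOcw1DjEYD+s03PaXNtOBddzINvH4y6a4Ccpir8G1I",
    "KgWQNMv3MNumbovOfgAxdEFboi02m/aBOHzDdF6Blp40pCpFfIKccL30WU8cFI0L",
    "j15ZlelHRT7uS9JfkG8JHH2z4EZvGmfIh5/4+eGgwpipK5jxZuVr3IP+EjC2cgtp",
    "/OnWeegeb+wv1a0rA7b0TIir+0Tmh/IPCUpaXH7YXYcSrqZG++h+PQYukhL3Ni0N",
    "GWphNHzF7mPIlfH9469EibgvEOc9Vyiqhsu9iQoE8Lo7MulqpC2UZxO5hAvKPgC/",
    "a99Y9Yl4Lujr9XNMm/9rZGcq91+OxugrEg7yBLEn4dL/hgdwm770b6L97h8k6UMr",
    "AT0b+8rEPXmxDBFm+gHxra4fg+5lOpDgUrrypUFaQQriV03hxNdmBo67PP3kjOUv",
    "aFRO7DMPyARotPBGhVH9QYRtxEkunCUue01BuMHSL8P6KD8zJPT8c9bqCrxpmFVscMcFsp7fFtXvM1+kIdx7Xw==",
    "aFRO7DMPyARotPBGhVH9QYRtxEkunCUue01BuMHSL8P6KD8zJPT8c9bqCrxpmFVscMcFsp7fFtXvM1+kIdx7Xw==",
    "qh7JCRu6U5xLyPrGW510TeZJBdE9sJ1w6ZDiYtlU6xp4x+HCTK53f6HNpbr74MxVlQ/786Lt5lmdyEvbbYEr5yUYC07Fo9gqDf9B53BAMlKtWBD/oXTmWgWq/cwhtKIkmTERTkxr49oJxl+4MQt5E5oH3CYrF0+ixqhxss3QTkccZE6KgVeZdK4jJruk26MXH4csG02e0lIGK0HYsJgKOccjSxNOEdqUqZpVRki2W41Q8PMeekqY3i5cEyj+Meq/75bSLmaMIU0h68cT1CxyIvfqaG3NQOlBYDaNW4XT66skZnHkXXy97P+fHVSx/nl/wZDKLGYjiNsvqTP4M48+yo0qt8RGyY5gTekuDUkm9FYuow+rCxiu0uuS7z1zdgNfJwfctP+VoKU1iKADnQN3OgBSW0pcryYtUAyyl3kPEBZFfg82FJ9qru5UFFAEgSooBVfgCNuN+YwUwnXi2OsBcEaOMaV9f+CSxra8vceXsyrcPC1gD2AT+JGryCu0n21CQ57n6JymD6YyjL/GOEGzpYE06DTt5oHL8HHClxoJU5//P4n6lPnj+wZMq/kyn++vf7de02rHehqrbyGW6jfy/95oviQO759CNctkhpKBvJi9rroKLOPgwT4LRJC0MNCwD+J8QVomwZIl/SSFivvg6w==",
    "aUD356FC9+cSs6VxERHOXMBWdjLteHW8HuZcWd3MC2+ZAfBKw2slICSi9TdnByDgj/A7OWGBTIlP6Ye2A5dH5w==",
    "rb0cc7ak/fHJoPiS0r9GgsrdynsSnlfPpVKOP5uzdlI=",
    "rJjQIQncKN9tQX4eEsGyKsPAl4tImJDyC7TkuJ6Lz6pNse58O6roCStUZ1yYx3b8WtE8OimBW+RsLeB2eKafY6U9e2g5Qg/dpVMuAjo/lkuhCZ7vDE74EFyDu5ZTs1Dx",
    "BcNQagZVZUeYtYn/VsEjRrb5YoR9FRg9NRJ3EmZWZ1Q=",
    "eCJSqGmnWTl3B6lfrqYp3aUUEGg9qp14Iq8cD901w4U=",
    "Ppb1QelPuWzhGKI2gscfvuknm+d9G3VuoDSqNMFzGOM=",
    "+gifE1hJGOWXuUMx7WfH2fYsIGBVqEXw2s9yNaOPNic=",
    "YQZe1w6nnrVpGi8RmMabGcUhoHEXXy72sF7WTTaCZnJhRQqGarwn4cz4aA+8iQy1",
    "a5IsyQAn7MnNwxmaZyZnOuG4cau7JWA6jRui0WhkjqamCOHbObSADJHbgQVde6eJ",
    "NTk54AoZdxy7tGCGVIP8u3GpslrLmAGuBsG7gpIZ12w=",
    "oIgIjiNffKrZVgY4KTQQcHND4asIIjXdv1xSF97j87qXr+Q1IP9JF/nkpbMPDFN4",
    "0Z7ESGlrRVuaAdls6bxPWsWvNhFs7/rdSuQaPqzp1ok=",
    "yc4Dqqhr8uj1oCh6hLV912F7Gj4vE46tYms27AfFhYk=",
    "/I/pzKYqAB+sMGF9VLm5Zhk3XlZpKO76SV6Xyj1Ztu0=",
    "cy7uBB7iUpP8/KE44sOcBMf1GmjXdoF9jNXE5+C/jGTcOzq3y585ZGpIwqj7KPq9",
    "tHLVTcHINsosx3yKKwe+bGz4DGGDIn3hTt2F1FjWHmI=",
    "4ScCY9+Ht9nl5KDVOk/4neJYqRpnVWXtNzTO6sAros0=",
    "d1Y1OeDKCiES1qUzin4E9+8OeHsLxL19eV/qmOap3W6uD8XEUBq+mfLjfwHZTrYMuubTq3WctxGqoCsi6asacw==",
    "HB79ryJdJJRxDPAWzXS13pkYCamkZL6wUHwzaM0oYNU=",
    "/XXgBIcZ9aAn6qvN8pqsW/o/dfux2u/icq5RRNQVa6E=",
    "4paXTCxyykaIbj8qgmVuafQr0P9y85mbc+donIBQl38=",
    "8vVfzbQP6sjI26SU6iwkVq0AypFVHshHBuIR8vyWq5Q=",
    "2VqvsjATuskOfkOEkDpCb5T8NtDItUAmJrF8lTDAPZY=",
    "jvQ1MLWrxohxTZR2LbriPSfrUAtYTaJW6mYyIncBCto=",
    "4UmOpLykR1shvzK+f0I4ShG2Uhoc9ehDebVjFy/iUwQ=",
    "iFjBgxx4VOc0odj+S6y6t0XDfe3ung9JZHsI+UPXMrLYJSYhK5IMmfPHG2rwMWXVc1cL3sldXfWS/7aUxadVTWVIY0uoCM9XLmPxIXYRZTs=",
    "5jFsWYhsxxmVsnMGY55Q5Gk2n22pijzxAdmSKYwTnOIsUhtSkM+lk61YQLCmnUSKdfVED9Dl7dhW4mxM/cEKpTEfghEXW5Bs5k4B+ZlyruTMZmM+EgeoeO/mf9zbIsIAh9Fwz1yio1s+nFp9a4XeN6RiLIM4K9loA5q+nqzWFws=",
    "89JK0eHepVt4puCkH5pt9cojJ4V/ufF+UYUIJBW6yVOgMdQ/IAOgpYLhqfMJGp5zZJkrtweKd4x0D2ttM4MUKvM8Edm2lTVy7GgAGF8VNBsEqmxk8GL2DyXeFPm72zMTYlM8Ic4kVI4UuWulYEYIbg==",
    "uMQV84X1JXovdu5aH692s2t4AghznjZA+RrOm6iZbHU=",
    "FQPSws9gDOtcDBZ4L6NKecj9zYuiAQxfi+sgh2GITJE=",
    "3VGRiK7xFdTMgS4O226ZE20T9KN+Sc4dJQ+A5Bg++Jk=",
    "KASjDQA7FcOTljmC0PVBUJnBNB7cburrVCK3df0fsdk=",
    "j9jnXUDNxG7xO5IHRcE0qcII/7XiJafcpB6xf916dHu98/mp+Rd6OiA8hJFVQs1vliShXAnffiX7z+EVknY8qw==",
    "v+hlJADEjgn9jcpoHkbXUG5mjUJz6hQT+QUHraRJzfw=",
    "r66KVBltXCeaXQ65wc2C4RkPXfGw9+ZT56x7/I6476g=",
    "Dg2GQUw+A4AOnguBvBcTjcjybiZkZWCOeuZoV3pyFdo=",
    "eumjC6OGdvpXm1rLwKuNefOhcv/LE+gNIPx+1c1/xPI=",
    "sC6zp6p0ui2QzFHKcfq6vYl6CZ3U2Vo7yW1LgKFTJ6Q=",
]

# Hard-coded passphrase found in the sample; the AES key is its raw MD5 digest.
# This reproduces the malware's own (weak, static-key) scheme so its strings can
# be recovered — it is not a recommendation for anything. The value is specific
# to this variant; a different build will most likely need a different key.
key = b'8521'

# AES block size: length of the IV prefix and the granularity of the ciphertext.
BLOCK_SIZE = 16


def derive_key(passphrase: bytes = key) -> bytes:
    """Return the 16-byte AES-128 key the sample derives: MD5(passphrase) as raw digest."""
    return hashlib.md5(passphrase).digest()


def split_blob(b64_blob: str) -> tuple[bytes, bytes]:
    """Base64-decode one table entry and split it into (iv, ciphertext).

    The first BLOCK_SIZE bytes are the IV, the remainder the CBC ciphertext.

    Raises:
        ValueError: if the decoded blob holds no ciphertext after the IV, or
            the ciphertext is not a whole number of AES blocks. Both indicate
            a mis-copied entry (e.g. a string broken across lines when pasted)
            rather than a key problem, so fail loudly instead of feeding
            garbage to the cipher.
    """
    raw = base64.b64decode(b64_blob)
    iv, ciphertext = raw[:BLOCK_SIZE], raw[BLOCK_SIZE:]
    if len(iv) < BLOCK_SIZE or not ciphertext:
        raise ValueError(
            f"blob too short ({len(raw)} bytes): need IV plus at least one block"
        )
    if len(ciphertext) % BLOCK_SIZE:
        raise ValueError(
            f"ciphertext length {len(ciphertext)} is not a multiple of {BLOCK_SIZE}"
        )
    return iv, ciphertext


def decrypt_string(b64_blob: str, passphrase: bytes = key) -> bytes:
    """Decrypt one table entry with AES-CBC and strip the block padding.

    Args:
        b64_blob: one element of ``stringsArr`` (base64 of IV || ciphertext).
        passphrase: the sample's hard-coded passphrase; MD5 of it is the key.

    Returns:
        The unpadded plaintext bytes (``malduck.unpad`` removes the trailing
        block padding; UTF-8 is not guaranteed, so decoding is left to the caller).
    """
    iv, ciphertext = split_blob(b64_blob)
    plaintext = malduck.aes.cbc.decrypt(derive_key(passphrase), iv, ciphertext)
    return malduck.unpad(plaintext)


def main() -> None:
    """Decrypt and print every entry of the string table, one per line.

    The output below contains what look like dynamic-DNS C2 hostnames and a
    check-in URL with ``?op=&us=&nm=&vs=`` parameters: treat them as IOCs and
    do not resolve or browse them from an unprotected host.
    """
    for entry in stringsArr:
        plaintext = decrypt_string(entry)
        try:
            print(plaintext.decode())
        except UnicodeDecodeError:
            # Non-UTF-8 payload: show the raw bytes rather than abort the dump.
            print(plaintext)


if __name__ == "__main__":
    main()

'''
OUTPUT:
aigodmoney009.access.ly
freelascdmx979.couchpotatofries.org
439mdxmex.damnserver.com
897midasgold.ddns.me
disrupmoney979.ditchyourip.com
kakarotomx.dnsfor.me
skigoldmex.dvrcam.info
i89bydzi.dynns.com
infintymexbrock.geekgalaxy.com
brockmex57.golffan.us
j1d3c3mex.homesecuritypc.com
myfunbmdablo99.hosthampster.com
irocketxmtm.hopto.me
hotdiamond777.loginto.me
imrpc7987bm.mmafan.biz
dmrpc77bm.myactivedirectory.com
jxjmrpc797bm.mydissent.net
askmrpc747bm.mymediapc.net
myinfintyme09.geekgalaxy.com
infintymex747.geekgalaxy.com
infintymexb.geekgalaxy.com
jinfintymexbr.geekgalaxy.com
minfintymexbr.geekgalaxy.com
cinfintymex.geekgalaxy.com
9mdxmex.damnserver.com
ikmidasgold.ddns.me
rexsrupmoney979.ditchyourip.com
kktkarotomx.dnsfor.me
megaskigoldmex.dvrcam.info
izt89bydzi.dynns.com
zeedinfintymexbrock.geekgalaxy.com
zeedinfintymexbrock.geekgalaxy.com
OFF|NAO|dia06mx.est-a-la-maison.com|8022|BIENVENIDOSALABANCAENLNEABBVAMXICO|BIENVENIDOSALABANCAENLNEABBVAMXICO|INDEXBBVANET|BBVANETCASH|SANTANDERMXICOSPARTEDELABANCAELECTRNICA|SANTANDERM|BANCOSANTANDERSGOO|BANCONACIONALDEMXICOCITIBANAMEX|BANCANETCITIBANAMEXCOM|BANAMEX|BANORTEELBANCOFUERTEDEMXICO|BANORTEELBANCOFUERTEDEMXICO|BINANCECORRETORADECRIPTOMOEDASPARABITCOINETHEREUMEALTCOINS|COMPREEVENDABITCOINRAPIDAMENTEPAXFUL|BITSOMSQUEUNEXCHANGEDECRIPTOUNASOLUCINCOMPLETA
Configurando las actualizaciones de Windows.
/
completado. No apagues el equipo.Para no corromper su sistema operativo.
User
PC
Ligado
IP
Mensagem mostrada
_modal_win_update
_modal_inicial
_modal_Recorte_Tela
_modal_loading
modal_error
modal_tocalm
_blcoqueio_tempo_determinado
/s /t 0
shutdown
mailto:teste@teste.com?subject=teste&body=teste
{DOWN}
{UP}
{TAB}
http://
/16Psyche.txt
/kepler186f.txt
\\1.bat
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %1"
cmd /min /C REG ADD "HKCU\Control Panel\Desktop" /v Win8DpiScaling /t REG_DWORD /d 0x00000001 /f
cmd /min /C REG ADD "HKCU\Control Panel\Desktop" /v LogPixels /t REG_DWORD /d 0x00000060 /f
taskmgr.exe
taskmgr
Magnifier
MagnifierWindow
http://cnt-blackrock.geekgalaxy.com
?op=
&us=
&nm=
&vs=
VisaoAPP
'''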