@0xToxin
Created February 11, 2023 11:15
Decrypts the loader from the batch script
from malduck import aes
from base64 import b64decode

BATCH_FILE_PATH = '/Users/igal/malwares/Asyncrat/OneNote/one.bat'
AES_KEY = 'I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc='
AES_IV = 'mehcJXqMnXZUmnmrBD1Eeg=='
OUTPUT_ARCHIVE_PATH = '/Users/igal/malwares/Asyncrat/OneNote/one.gz'

# The encrypted loader is stored base64-encoded in a batch comment line (':: ...').
with open(BATCH_FILE_PATH, 'r') as f:
    batchFile = f.readlines()

encFile = ''
for line in batchFile:
    if ':: ' in line:
        encFile = line[3:]   # drop the ':: ' comment marker, keep the base64 blob
        break

key = b64decode(AES_KEY)
iv = b64decode(AES_IV)
data = b64decode(encFile)

# AES-CBC decryption with the key/IV recovered from the loader
plainData = aes.cbc.decrypt(key, iv, data)

with open(OUTPUT_ARCHIVE_PATH, 'wb') as f:
    f.write(plainData)
print(f'[+] gz archive was created in: {OUTPUT_ARCHIVE_PATH}')
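The same recovery as an added example that is not the gist's code: done with the openssl CLI (assumes openssl, gzip and od are on the PATH) so it runs where malduck is not installed, and generalized a little, since it tolerates CRLF and indented comment lines and checks for the gzip magic before keeping the output. The key, IV and batch file it builds are constructed for the demo, not the sample's real values.

```shell
#!/bin/sh
# Added example, not code from the gist: the same recovery with the openssl CLI.
# Key (32 bytes, AES-256) and IV (16 bytes) are passed base64-encoded as in the
# gist; the key, IV and batch file built below are constructed for this demo.
set -eu

b64_to_hex() { printf '%s' "$1" | openssl base64 -d -A | od -An -v -tx1 | tr -d ' \n'; }

# decrypt_batch_loader <batch file> <key b64> <iv b64> <output .gz>
# Takes the first "::" comment line carrying the blob (CRLF and indentation tolerated),
# base64-decodes and AES-256-CBC decrypts it, and only keeps output with gzip magic 1f 8b.
decrypt_batch_loader() {
    bat=$1 key_b64=$2 iv_b64=$3 out=$4
    blob=$(sed -n 's/^[[:space:]]*:: //p' "$bat" | head -n 1 | tr -d '\r')
    [ -n "$blob" ] || { echo "[-] no ':: ' payload line in $bat" >&2; return 1; }
    printf '%s' "$blob" | openssl base64 -d -A \
        | openssl enc -d -aes-256-cbc -K "$(b64_to_hex "$key_b64")" -iv "$(b64_to_hex "$iv_b64")" \
        > "$out.tmp" 2>/dev/null || true   # a wrong key usually fails the padding check; verified below
    magic=$(od -An -v -tx1 -N2 "$out.tmp" | tr -d ' \n')
    if [ "$magic" != "1f8b" ]; then
        rm -f "$out.tmp"
        echo "[-] output is not gzip (magic '$magic'): wrong key/IV, or not this loader" >&2
        return 1
    fi
    mv "$out.tmp" "$out"
    echo "[+] gz archive was created in: $out"
}

# Constructed stand-in for one.bat: a gzip'd text, encrypted and hidden in a comment line.
work=$(mktemp -d)
demo_key=$(openssl rand -base64 32)
demo_iv=$(openssl rand -base64 16)
printf 'demo loader payload\n' | gzip -c \
    | openssl enc -aes-256-cbc -K "$(b64_to_hex "$demo_key")" -iv "$(b64_to_hex "$demo_iv")" \
    | openssl base64 -A > "$work/blob.b64"
printf '@echo off\r\n:: %s\r\necho done\r\n' "$(cat "$work/blob.b64")" > "$work/one.bat"

demo_roundtrip() {   # decrypt, then gunzip to prove the archive is intact
    decrypt_batch_loader "$work/one.bat" "$demo_key" "$demo_iv" "$work/one.gz" >/dev/null || return 1
    gzip -dc "$work/one.gz"
}
demo_wrong_key() {   # a wrong key must be refused and leave no output file behind
    if decrypt_batch_loader "$work/one.bat" "$(openssl rand -base64 32)" "$demo_iv" "$work/bad.gz" 2>/dev/null; then
        return 1
    fi
    [ ! -e "$work/bad.gz" ]
}

demo_roundtrip   # prints: demo loader payload
```

The gzip-magic check is the cheap sanity test that tells a wrong key or IV apart from a real recovery before anything is written to disk.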