Skip to content

Instantly share code, notes, and snippets.

@Plazmaz Plazmaz/decode.vbs
Last active Oct 17, 2019

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
A tool for decoding IcedID arrays
Raw
decode.vbs
' Usage: cscript decode.vbs <array>
' Example:
' cscript decode.vbs "Array(g6,u7,s8,d4,z3,u7,b6,l5,j4,e9,k7,z1,k7)"
' returns qMUuDMFaZ.txt
conST r2=27
CONsT rr2=38
coNSt C5=42
cOnST D4=130
ConST t=132
coNst g2=146
COnst A3=203
const L9=60
const S5=63
consT ss5=213
cONsT p5=72
cOnST j3=64
coNST E=228
cONST T3=257
cONst Tt3=295
ConSt j2=191
conST h6=78
CONSt hH6=227
CoNST i8=200
cONsT l4=157
CoNst G1=94
cONsT gg1=261
CONST f5=39
cOnst D3=109
ConST T4=247
cOnsT N2=166
COnst U7=90
const M2=234
conST q9=57
cONST n3=235
coNsT nN3=392
COnSt x2=255
cOnsT V5=221
COnst O6=74
CoNSt C6=70
CONST g7=111
CONsT B9=240
ConST Bb9=471
cONSt s8=98
CONst N4=246
consT w3=219
CONST o7=61
coNSt OO7=241
consT A7=152
conST z6=205
conSt t5=25
cOnST tT5=29
cOnst a9=85
CoNsT Aa9=133
cOnSt p2=46
cOnSt i6=131
COnst D7=265
ConST j8=77
cOnsT F2=163
CoNst V4=261
COnSt vv4=417
const g4=108
CoNSt V=96
coNST z5=187
cOnst H2=122
consT R4=207
ConSt m3=144
CoNst z=43
conSt o=123
CoNsT Q6=35
Const Qq6=145
conST J5=188
conST Jj5=441
conSt w7=88
cOnSt Ww7=122
CoNSt F8=101
COnSt G=30
cONsT f1=223
CONst ff1=406
cONSt C9=104
ConST X1=67
cONSt XX1=133
cOnST Y6=143
consT d1=22
conSt O4=214
ConSt q3=14
CoNST A2=75
ConSt n1=220
CoNst V2=148
coNSt vV2=171
CoNSt f=227
coNst u3=226
CONsT a6=179
CONsT k5=177
COnST m6=190
CoNst U=53
conSt UU=109
cOnSt L7=206
coNst ll7=383
conST p4=93
CoNST a1=140
CONSt t2=183
cONST K7=129
COnsT kK7=325
ConST b2=258
cOnsT K2=16
CoNSt K9=233
CoNst y1=58
coNSt YY1=234
ConSt v8=244
COnST C4=263
cOnsT D=161
ConSt T9=139
coNsT s7=216
cONsT M8=114
ConSt H=50
conST hh=248
CoNSt S=13
conSt c7=106
consT Cc7=328
cONST l=15
cOnST G9=196
const h4=262
Const F3=44
COnSt a8=164
cOnsT x=151
COnsT y7=230
cOnsT i3=245
consT n6=125
coNst i9=86
cOnsT l5=110
Const C8=38
ConsT S3=66
CoNst S6=160
cONst S4=185
COnST D9=17
ConsT X4=134
coNsT W8=267
cOnST y3=170
COnSt h3=33
ConST hh3=162
coNSt s1=116
ConsT b1=167
cONSt BB1=400
Const E7=194
cONST v1=21
CONSt I4=91
Const II4=327
COnSt M4=197
COnST e8=264
CONST U4=84
CoNST R1=256
CONSt R7=250
CoNst RR7=403
ConSt J7=76
cOnst j4=103
cOnsT b5=184
COnsT p3=171
consT L2=224
CoNst B3=20
ConsT N7=213
cOnsT z9=73
const zz9=123
conST a=182
CONsT F6=249
CoNsT U6=19
ConSt e3=242
cONSt x8=172
Const Z3=81
COnST k1=173
CoNst F9=239
cONst H1=89
conST m5=232
COnST X6=45
coNst z8=48
cOnSt H8=169
coNsT z4=69
CoNst i1=113
coNst C2=80
coNsT I=229
coNsT E2=193
const V7=55
conST s2=127
CONst E4=222
CONsT A5=202
CoNst p1=54
const i2=145
cOnST B=210
ConsT C=248
const cc=317
cONST Q7=105
CoNst r6=141
COnST Q2=201
CONsT N8=217
cOnsT u5=238
CoNst m=243
cONst i5=211
CoNST K3=142
CoNsT c1=100
CONST l1=115
ConST y9=251
Const l6=62
ConsT f4=178
cOnst x3=236
cONST Y2=147
cOnSt l8=266
CoNsT b8=215
ConSt bb8=397
const I7=37
cONST H9=99
conST HH9=297
ConST o5=128
coNST V6=92
cONST U1=107
coNSt m9=204
COnsT o1=149
COnST oO1=355
ConST s9=31
CONsT r=241
conSt N=208
coNST nn=368
cONsT y5=41
cONST E5=218
coNSt Ee5=251
cONST Q5=18
const b7=65
CoNst x9=252
CoNST j=181
coNst y4=32
consT V3=136
CONST e9=59
conSt j6=212
ConST U2=79
COnSt M1=97
coNsT Q4=118
CoNST r9=209
COnSt o9=176
CONsT x7=189
const a4=28
COnst v9=195
cONSt E1=254
cONst u9=117
CONst K6=154
ConsT j9=51
cOnsT W4=47
CONsT u8=95
coNsT o8=155
CoNST y=268
cOnsT yY=435
CONsT z1=133
COnst q8=162
cOnsT QQ8=349
CONsT y8=119
cOnSt YY8=336
CONsT B6=83
coNSt T6=52
CoNSt t8=56
CoNsT w2=68
CoNsT K=159
COnsT Kk=310
coNST R8=87
CoNsT k4=165
coNsT Kk4=408
CoNsT o3=174
conST Q1=120
cOnST G8=26
COnSt T7=71
conST Tt7=309
CoNsT n9=180
COnST k8=23
CONsT t1=225
conST w5=192
CoNsT O2=112
consT d2=231
ConsT g6=126
ConsT p=40
cONsT c3=102
ConsT R5=24
coNST G5=124
coNSt gg5=142
CoNSt f7=138
cOnsT X5=199
cOnst W1=168
coNST B4=237
coNST h5=259
ConSt e6=150
cONsT ee6=189
COnSt D6=49
ConST r3=137
ConSt RR3=236
COnst w9=260
coNST z7=156
consT g3=36
cOnST GG3=235
COnst n5=153
CONSt d5=253
const z2=29
conST q=34
conSt qQ=122
CoNsT D8=186
cOnst w6=158
cONSt h7=82
cOnST L3=135
conST J1=198
conSt M7=175
coNsT w=121
CONsT Ww=274
' Decode array -> str (val - 13)
Function GeRSvfK(ins)
idx=0
outs=""
do while idx <= ubound(ins)
outs=outs+ChrW(ins(idx)-13)
idx=idx+1
loop
GeRSvfK = outs
End Function
Set objStdOut = WScript.StdOut
Function Base64Encode(sText)
Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
oNode.dataType = "bin.base64"
oNode.nodeTypedValue =sText
Base64Encode = oNode.text
Set oNode = Nothing
End Function
objStdOut.Write(GeRSvfK(Eval(WScript.Arguments.Item(0))))
' Useful for binary:
' objStdOut.Write(Base64Encode(GeRSvfK(Eval(WScript.Arguments.Item(0)))))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.