if (-not ('TokenInformation.ProcessNativeMethods' -as [type])){
$TypeDef = @'
using System;
using System.Runtime.InteropServices;
namespace TokenInformation {
[Flags]
public enum ProcessAccess {
All = 0x001FFFFF,
Terminate = 0x00000001,
pinksawtooth / VT_found.txt
Created December 2, 2019 03:40
84fef099ce23dc8bff13baa279e3ecb66131f255f0e5590c8eee8afb86d51da5 Backdoor.Win64.LILITH.B
80ffaea12a5ffb502d6ce110e251024e7ac517025bf95daa49e6ea6ddd0c7d5b Trojan.Win32.BROLER.F
901210a6fb308926bb5b4374aaa0f662dbd235d829068a854606126f276dc2fa TROJ_AVNGR.ZLGI
fb0d86dd4ed621b67dced1665b5db576247a10d43b40752c1236be783ac11049 Trojan.Win32.DLOADR.AUSUPV
cf035b3ddf1072ab414d82b6540ec8d06703d281a2f606d1e42c771d9391dfac HKTL_SCRENCAP.ZYGD
2411d1810ac1a146a366b109e4c55afe9ef2a297afd04d38bc71589ce8d9aee3 Trojan.Win32.DOWNNW.AA
5e4a190f8f4fc8800cf348cdc0e1ddc674215b02d1ef9b9a9e12605a3e0315cf Backdoor.Win64.LILITH.B
7924cb540d8fd0bcad6207e9386f60b1b1091a2ced52c127cac1a0f5465b42df Backdoor.Win32.LILITH.A
1fdd9bd494776e72837b76da13021ad4c1b3a47c8a49ca06b41dab0982a47c7e TrojanSpy.Win32.BROLER.A
f3ff180ec14ddcd38f438ea3a968c1558d5eabac596fb920d2eddd043c5a4122 Backdoor.Win32.LILITH.A
pinksawtooth / sub_401090.c
Created May 20, 2019 06:01
sub_401090@<eax>(const char *a1@<ecx>, _DWORD *a2@<edi>)
int __usercall sub_401090@<eax>(const char *a1@<ecx>, _DWORD *a2@<edi>)
{
const char *v2; // esi
int v3; // edx
signed int v4; // esi
unsigned int v5; // eax
double v6; // st7
double v7; // st7
void *v8; // eax
void *v9; // ebx
_Z10aBypassUACv
_Z10aCharToIntPc
_Z10aGetOsArchv
_Z10aIntToChari
_Z11aAutoRunSetPc
_Z11aCheckAdminv
_Z11aCreateFilePc
_Z11aFileExistsPKc
_Z11aGetTempDirv
_Z11aProcessDllPcS_
checkip.amazonaws.com
ipecho.net
ipinfo.io
api.ipify.org
icanhazip.com
myexternalip.com
wtfismyip.com
ip.anysrc.net
api.ipify.org
api.ip.sb
pinksawtooth / GlobeImposter_pptx_READ_ME.txt
Created November 12, 2018 15:07
Your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. Open this link In the "Tor Browser"
http://huhighwfn4jihtlz.onion/sdlsgdewwbhr
pinksawtooth / Nocturnal_Stealer_information.txt
Last active November 12, 2018 14:36
Date: Sat Nov 10 14:59:11 2018
MachineID: 90059c37-1320-41a4-b58d-2b75a9850d2f
GUID: {e29ac6c0-7037-11de-816d-806e6f6e6963}
Path: C:\Users\admin\AppData\Local\Temp\2018-11-10_23-45-01.exe
Work Dir: C:\ProgramData\BEJ9QK4EIV6EK30NDC91
Windows: Windows 7 Professional [x86]
Computer Name: PC
User Name: admin
pinksawtooth / decode_payload.py
Last active February 19, 2024 00:47
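import struct

# Repeating XOR key used by this sample; each key character is applied as one byte.
key = "APyfhCxJ"
decoded_payload = b""


def xor_decode(data: bytes, xor_key: str) -> bytes:
    """Return ``data`` XORed with ``xor_key`` repeated cyclically.

    Each key character contributes ``ord(c)`` as a single byte, matching the
    original per-byte ``struct.pack('B', ...)`` packing; a key character above
    0xFF therefore raises, as the original packing did.

    Args:
        data: Encoded bytes (may be empty).
        xor_key: Key string; must be non-empty when ``data`` is non-empty.

    Returns:
        Decoded bytes of the same length as ``data``.

    Raises:
        ValueError: if ``xor_key`` is empty and ``data`` is non-empty.
        UnicodeEncodeError: if ``xor_key`` contains a character above 0xFF.
    """
    if not data:
        return b""
    if not xor_key:
        # The original computed i % len(key) and would fail with ZeroDivisionError.
        raise ValueError("xor key must not be empty")
    key_bytes = xor_key.encode("latin-1")  # same value as ord(c) for c <= 0xFF
    klen = len(key_bytes)
    # Build the result once: repeated b"" += concatenation is quadratic in the
    # payload size, and struct.pack per byte is unnecessary for single bytes.
    return bytes(b ^ key_bytes[i % klen] for i, b in enumerate(data))


if __name__ == "__main__":
    # Read the encoded blob from the working directory and decode it in place.
    with open("encoded_payload.bin", "rb") as f:
        encoded_payload = f.read()
    decoded_payload = xor_decode(encoded_payload, key)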
ShellcodeHashSearcher: 0x00000043: hash_ror13AddUpperDllnameHash32:0x4b6f1152 kernel32.dll!lstrlenA
ShellcodeHashSearcher: 0x00000083: hash_ror13AddUpperDllnameHash32:0x399f1068 kernel32.dll!lstrcatW
ShellcodeHashSearcher: 0x00000091: hash_ror13AddUpperDllnameHash32:0x7e296212 kernel32.dll!CloseHandle
ShellcodeHashSearcher: 0x0000009f: hash_ror13AddUpperDllnameHash32:0x7131fdc3 kernel32.dll!VirtualFree
ShellcodeHashSearcher: 0x000000ad: hash_ror13AddUpperDllnameHash32:0xffdb946b kernel32.dll!VirtualAlloc
ShellcodeHashSearcher: 0x000000bb: hash_ror13AddUpperDllnameHash32:0xe7729032 kernel32.dll!VirtualProtect
ShellcodeHashSearcher: 0x000000c9: hash_ror13AddUpperDllnameHash32:0x5a3a18a5 kernel32.dll!LoadLibraryA
ShellcodeHashSearcher: 0x000000d9: hash_ror13AddUpperDllnameHash32:0x415e131b kernel32.dll!GetModuleHandleA
ShellcodeHashSearcher: 0x000000e7: hash_ror13AddUpperDllnameHash32:0xea39c6c1 kernel32.dll!GetProcAddress
ShellcodeHashSearcher: 0x000000f5: hash_ror13AddUpperDllnameHash32:0x163ab6c5 kernel32.dll
pinksawtooth / ror13AddUpperDllnameHash32.go
Created September 1, 2018 05:51
ror13AddUpperDllnameHash32
// Pseudocode sketch of the ror13AddUpperDllnameHash32 API-name hash (the name
// matches the hash_ror13AddUpperDllnameHash32 entries in the ShellcodeHashSearcher
// output above): a rotate-right-by-13 accumulator with each upper-cased character
// added in, "32" in the name suggesting 32-bit arithmetic.
// NOTE(review): this reads as pseudocode rather than compilable Go — both loops
// bind `i` but add `toupper(c)`, `:=` re-declares inside the loop bodies, and
// ROR/toupper are not defined here.
acc := 0
dllhash := 0
// DLL-name pass. NOTE(review): `ROR(acc, 13)` presumably should rotate `dllhash`
// (mirroring the second loop) — confirm against the original source.
for i in dllname {
dllhash := ROR(acc, 13);
dllhash := dllhash + toupper(c);
}
// Function-name pass: the same rotate-and-add over input_string.
for i in input_string {
acc := ROR(acc, 13);
acc := acc + toupper(c);
}
// NOTE(review): the preview ends here; how dllhash and acc are combined into the
// final hash value is not shown.