Tuts 4 You

[DecompileMe] Virus found in my PC [.NET]


bomblader

Looks like I was infected by some virus, no idea where I got it.
It's .NET
 
You have to run it like this in order to run:
adobe_flash_player.exe /00000017

Can anyone decompile this and find out what it's doing? Looks like a custom obfuscator was used. De4Dot is cleaning it up but strings and other data are still encrypted.

Thanks!

adobe_flash_player.rar

Edited by bomblader

Pretty boring and ordinary malware, calls home, downloads commands, does some downloads (pay-per-click scam?), uploads stuff and other boring crap.

Deobfuscate only inside VMware using this command-line:

de4dot adobe_flash_player.exe --strtyp delegate --strtok 06000195
  • Like 1

I think it's some kind of shitty thing that visits webpages.

The problem is, I have absolutely no idea where I got this. I always run executables sandboxed and it also added itself to HKLM startup (I ran the infected .exe as administrator, wtf)

Also, what decompiler are you using? (Sweden)

Edited by bomblader