/MSIL-Ransom-Part-01

Source Code of MSIL Ransom

GNU General Public License v3.0GPL-3.0

MSIL-Ransom

Source Code of MSIL Ransom. Continue on https://github.com/petikvx/MSIL-Ransom

Tools

You can also use this decompilers : https://github.com/icsharpcode/ILSpy https://github.com/dnSpyEx

And this deobfuscator : https://github.com/ViRb3/de4dot-cex

Script

_1_Deobfuscate.cmd

for /r %%G in ("*.exe";"*.dll") do de4dot.exe "%%G"

_2_Decompile.cmd

for /r %%G in ("*.exe";"*-cleaned.dll") do (
mkdir "%%G-dir"
dotnet ilspycmd "%%G" -p -o "%%G-dir"
)

Under Linux

function decompiledotnet {

	# https://dotnet.microsoft.com/en-us/download/dotnet/thank-you/sdk-6.0.400-linux-x64-binaries
	# mkdir -p $HOME/dotnet && tar zxf dotnet-sdk-6.0.400-linux-x64.tar.gz -C $HOME/dotnet
	# export DOTNET_ROOT=$HOME/dotnet
	# export PATH=$PATH:$HOME/dotnet
	# 
	#
	# dotnet new tool-manifest # if you are setting up this repo
	# dotnet tool install --local ilspycmd --version 7.2.1.6856
	# 

	for directorytoscan in ${@}
	do

		cd $directorytoscan

		for t in *-cleaned.exe
		do
			newname=$(echo $t|sed s/'-cleaned.exe'/'.exe'/g)
			mv $t $newname
		done

		for t in *exe
		do
			newdirectory=$(echo $t|sed s/'.exe'/''/g)
			mkdir -p $newdirectory
			echo "Create $newdirectory"

			dotnet ilspycmd $t -p -o $newdirectory
			echo "$t is now decompile"

			rm $t


		done

		# Delete empty directories
		rm $(find . -name "*" -type d -empty)

		cd ..

	done

}
  • Thu 15 Sep 2022 10:07:27 AM UTC : 3661 samples
  • Thu 15 Sep 2022 01:07:40 PM UTC : 3667 samples
  • Thu 15 Sep 2022 01:22:58 PM UTC : 3671 samples
  • Fri 16 Sep 2022 03:23:02 AM UTC : 3710 samples
  • Fri 16 Sep 2022 05:47:07 PM UTC : 3750 samples
  • Sat 17 Sep 2022 02:42:44 PM UTC : 3761 samples
  • Sat 17 Sep 2022 06:51:54 PM UTC : 3811 samples
  • Mon 19 Sep 2022 09:59:48 AM UTC : 3883 samples
  • Wed 21 Sep 2022 04:17:18 AM UTC : 3946 samples
  • Thu 22 Sep 2022 08:13:21 AM UTC : 3994 samples
  • Fri 23 Sep 2022 03:50:55 AM UTC : 4023 samples
  • Sat 24 Sep 2022 09:47:54 AM UTC : 4044 samples
  • Sun 25 Sep 2022 08:15:06 AM UTC : 4179 samples
  • Sun 25 Sep 2022 05:04:04 PM UTC : 4198 samples
  • Tue 27 Sep 2022 04:42:46 PM UTC : 4224 samples
  • Wed 28 Sep 2022 04:28:16 AM UTC : 4267 samples
  • Thu 29 Sep 2022 12:21:17 PM UTC : 4328 samples
  • Sun 02 Oct 2022 04:32:12 AM UTC : 4383 samples
  • Sun 02 Oct 2022 04:44:16 AM UTC : 4400 samples
  • Wed 05 Oct 2022 09:32:56 AM UTC : 4458 samples
  • Thu 06 Oct 2022 05:42:30 PM UTC : 4491 samples
  • Sat 15 Oct 2022 04:38:44 AM UTC : 4523 samples
  • Sun 16 Oct 2022 01:54:00 PM UTC : 4555 samples
  • Tue 18 Oct 2022 04:40:27 AM UTC : 4564 samples
  • Thu 27 Oct 2022 11:51:00 AM UTC : 4565 samples
  • Fri 28 Oct 2022 04:58:07 AM UTC : 4566 samples
  • Fri 28 Oct 2022 04:59:07 AM UTC : 4590 samples
  • Tue 01 Nov 2022 05:32:55 PM UTC : 5008 samples
  • Thu 03 Nov 2022 05:51:37 AM UTC : 5065 samples
  • Wed 09 Nov 2022 04:54:43 AM UTC : 5086 samples
  • Sat 12 Nov 2022 08:46:58 AM UTC : 5103 samples
  • Thu 09 Feb 2023 06:54:14 PM UTC : 5104 samples
  • Thu 09 Feb 2023 08:17:16 PM UTC : 5114 samples
  • Fri 10 Feb 2023 05:17:45 AM UTC : 5137 samples
  • Fri 10 Feb 2023 04:19:20 PM UTC : 5205 samples
  • Fri 10 Feb 2023 06:35:45 PM UTC : 5215 samples