A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29861  by p1nk
 Mon Jan 16, 2017 12:07 am
Props to @Benkow_ for this find also. Not sure if anyone has another name for it.

https://www.virustotal.com/en/file/15c1 ... /analysis/


Strings are base64 encoded then:
Code:
import base64

def decode(instr, key):
    # instr is the base64 text; the last byte of the decoded blob is an additive constant
    instr = base64.b64decode(instr).decode("latin-1")
    out = ""
    for index, byte in enumerate(instr[:-2]):
        out += chr(ord(byte) - (len(instr) - 1) % len(key) - ord(key[index % len(key)]) + ord(instr[-1]))
    return out
Strings:
Code:
\Google\Chrome\User Data\Default\Login Dat
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
============CoreFTP=============
\Microsoft\Backups
\Microsoft\Backups
\RSBot.d
\Microsoft\Backups\RSBot.d
\Microsoft\Backups\account
\RareBot_Accounts.in
\Microsoft\Backups\RareBot_Accounts.in
\.minecraft\lastlogi
\Microsoft\Backups\lastlogi
\Bitcoin\wallet.da
\Microsoft\Backups\setting
\Microsoft\Backups\FilezillaSites.xm
============Internet Explorer=============
Username:
Password:
============ImVu=============

WindowsLive:name=
Username:
Wscript.Shel
HKEY_CURRENT_USER\Software\Nimbuzz\PCClient\Application\passwor

============NimBuzz=============
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DU
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DU
============No-IP==========
============Opera=============
\Apple Computer\Preferences\keychain.plis
<array
<dict

Attachments
password: infected
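Added example (not from the post above and not the malware's own code): a byte-exact reimplementation of the posted decode routine plus the inverse encoder, so you can generate test vectors and confirm your own port of the routine before running it over the sample's string table. The blob layout it assumes is the one the posted loop implies: shifted plaintext bytes, one byte the loop skips, then the additive constant in the last byte. The `& 0xFF` wraparound, the key `ExampleKey`, and the sample strings are assumptions made for this example. One thing to check against the real binary: the dumped strings above all end one character short (`Login Dat`, `RSBot.d`, `wallet.da`), which is what you would see if the skipped byte at `[:-2]` is actually plaintext; if so, decode with `[:-1]` instead.

```python
import base64
import os


def decode_string(b64_text, key):
    """Reverse the per-byte shift from the posted routine.

    Blob layout (implied by the posted loop):
        [ shifted plaintext ][ one skipped byte ][ additive constant c ]
    plaintext[i] = enc[i] - (len(blob)-1) % len(key) - key[i % len(key)] + c
    The mod-256 wraparound is an assumption: native code does byte arithmetic,
    while the posted Python would raise on a negative chr() argument.
    """
    blob = base64.b64decode(b64_text)
    key = key.encode("latin-1")
    c = blob[-1]
    shift = (len(blob) - 1) % len(key)
    out = bytearray()
    for i, b in enumerate(blob[:-2]):
        out.append((b - shift - key[i % len(key)] + c) & 0xFF)
    return out.decode("latin-1")


def encode_string(plaintext, key, c=None, filler=0x00):
    """Inverse of decode_string, written here to build test vectors.

    This is NOT the malware's encoder; it only produces blobs that the posted
    decoder accepts. c is the per-string additive constant (random if None),
    filler is the byte the decoder skips.
    """
    key = key.encode("latin-1")
    data = plaintext.encode("latin-1")
    if c is None:
        c = os.urandom(1)[0]
    blob_len = len(data) + 2            # plaintext + skipped byte + constant
    shift = (blob_len - 1) % len(key)
    enc = bytearray()
    for i, b in enumerate(data):
        enc.append((b + shift + key[i % len(key)] - c) & 0xFF)
    enc.append(filler)
    enc.append(c)
    return base64.b64encode(bytes(enc)).decode("ascii")


def decode_table(b64_lines, key):
    """Decode a whole string table (one base64 string per line)."""
    return [decode_string(line, key) for line in b64_lines if line.strip()]


# Constructed sample data for a stand-alone run; the key is hypothetical.
EXAMPLE_KEY = "ExampleKey"
SAMPLE_STRINGS = [
    "\\Google\\Chrome\\User Data\\Default\\Login Data",
    "HKEY_CURRENT_USER\\Software\\FTPWare\\COREFTP\\Sites",
    "\\Bitcoin\\wallet.dat",
]


def roundtrip_ok(key=EXAMPLE_KEY, strings=SAMPLE_STRINGS):
    """Encode every sample string with a random constant and check that the
    decoder recovers it exactly."""
    table = [encode_string(s, key) for s in strings]
    return decode_table(table, key) == list(strings)


if __name__ == "__main__":
    for s in SAMPLE_STRINGS:
        enc = encode_string(s, EXAMPLE_KEY, c=0x5A)
        print(enc, "->", decode_string(enc, EXAMPLE_KEY))
    print("roundtrip:", roundtrip_ok())
```

To use this on the real sample, replace `EXAMPLE_KEY` with the key recovered from the binary and feed `decode_table` the base64 strings pulled from the string table; a decoded line that comes out as unreadable bytes usually means the key, the skip count, or the position of the constant is wrong, and the three are easy to vary independently here.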