crypto

DarkRATv2/README.md

@@ -327,6 +327,46 @@ It's clearly a trend: up and coming malware dev take an existing malware as a re
 ![git1](https://raw.githubusercontent.com/albertzsigovits/malware-writeups/master/DarkRATv2/img/git1.png)  
 ![git2](https://raw.githubusercontent.com/albertzsigovits/malware-writeups/master/DarkRATv2/img/git2.png)  
 
+#### Cryptography
+There's a distinct string in the disassembly of the builder:  
+
+![cryptob](https://raw.githubusercontent.com/albertzsigovits/malware-writeups/master/DarkRATv2/img/cryptob.png)  
+
+It is also found in the following project: hCrypt, which is an AES encrypted PE Loader:  
+https://github.com/Include-sys/hCrypt/blob/master/Stub/main.cpp  
+
+```c
+#include <fstream>
+#include "VirtualAES\VirtualAES.h"
+#include <Windows.h>
+#include <TlHelp32.h>
+
+/*
+*	AES Encrypted and AntiVM PE Loader (Crypter Stub)
+*	
+*	https://www.github.com/Include-sys/hCrypt
+*
+*	Coded by Include-sys for Educational Purposes
+*/
+
+/*		Virtual Machine Detection Functions			*/
+```
+
+```c
+/*		  AES-256 Bit Decryption Function			*/	
+void AESDecrypt(char* toDecrypt, int size)
+{
+	//Explanation exist in Builder
+	unsigned char key[KEY_256] = "S#q-}=6{)BuEV[GDeZy>~M5D/P&Q}6>";
+
+	unsigned char ciphertext[BLOCK_SIZE];
+	unsigned char decrypted[BLOCK_SIZE];
+
+	aes_ctx_t* ctx;
+	virtualAES::initialize();
+	ctx = virtualAES::allocatectx(key, sizeof(key));
+```
+
 ## Panel
 ![menu](https://raw.githubusercontent.com/albertzsigovits/malware-writeups/master/DarkRATv2/img/panel_menu.png)