
AutoIt Downloads - AutoIt



The AutoIt installer and executables have been digitally signed by AutoIt Consulting Ltd. If you get a Microsoft SmartScreen warning after downloading the installer please see the SmartScreen and AutoIt page for more details.




Autoit Decompiler 33 Download




During the analysis of an AutoIT compiled malware sample, a message box popped up indicating the possible execution of the sample when using Exe2Aut decompiler. This triggered my interest in how this decompiler works and how AutoIt scripts are compiled in the first place. In this writeup, I will explain how the two most common AutoIT decompilers (Exe2Aut and myAut2Exe) work and how they can be tricked into decompiling a decoy script instead of the real script.


Unlike Exe2Aut, MyAut2Exe extracts the bytecode resource and unpacks and decodes it without the help of the embedded interpreter, making it a full static decompiler. Because of this, there is no risk of accidentally executing anything.


MyAut2Exe is more advanced than Exe2Aut. It supports multiple versions of AutoIT and AutoHotkey compiled scripts. Therefore, it has more settings to adjust the extraction and unpacking of the compiled script code. To take the hassle out of correctly configuring it, it comes with a feature called "automate". This brute forces the decompiler settings until a script is successfully decompiled. When the "automate" functionality is used, MyAut2Exe parses the executable for AutoIT magic bytecode signatures. Once found, it extracts and decompiles the code. As the parsing and decompilation stops on the first occurrence of the magic bytecode sequence, MyAut2Exe can be easily tricked into decompiling a decoy script as long as it's placed at a lower offset than the real compiled script resource.


What we can learn from this POC is that we shouldn't always blindly trust the output of our tools. Reverse engineers should be aware of how their tools work and how they can possibly be tricked into returning a misleading output. While the tricks presented here might mislead two decompilers, they don't affect the results of a dynamic analysis in a sandbox.


LodaRAT is written in AutoIt, a well known scripting language typically used to automate administrative tasks in Windows. AutoIt scripts can be compiled into standalone binaries, allowing them to be executed on a Windows machine whether or not AutoIt is installed on the host. The original source code can be easily retrieved from these compiled binaries by using an AutoIt decompiler.


Why is it forbidden to ask about decompilation and decompilers for AutoIt? The answer is simple. It's a known weakness of the AutoIt system that the script source code is stored in the executable file. They try as hard as possible to keep this weakness hidden, to sweep it under the rug. As a professional I find this practice very dishonest towards the AutoIt community.


All files downloaded from C&C server are stored in the %TEMP% folder as Trojan.exe. It uses the string 5cd8f17f4086744065eb0992a09e05a2 as its mutex as well as its registry hive in the affected machine. It uses the value tcpClient_0 as its HTTP server, where it will receive all stolen information from the infected machine. However, since the value was set to null, all stolen information will be sent to the same C&C server.


When the victim clicks the malicious .LNK file, it opens a CMD window and creates an .HTA file, which downloads an XML file containing a JS script, which in turn downloads several other files from 1 out of 39 possible locations using BITSAdmin (Microsoft Background Intelligent Transfer Service).


The .LNK file launches a CMD instance using the V/D/c switches. A randomly named .HTA file containing a download link is created in the C:\Users\Public\Videos\ folder and then executed via PowerShell > MSHTA.


If one of the files can't be located in the code above, the JS will proceed downloading the necessary files using BITSAdmin. The URL path after the "?" is also a randomly generated number.


The C&C server also contained a .NET controller for an AutoIt RAT called HoudRat. Looking at samples of HoudRat, it is clear that HoudRat is just a more feature-rich and less prevalent variant of Retadup. HoudRat is capable of executing arbitrary commands, logging keystrokes, taking screenshots, stealing passwords, downloading arbitrary files and more.


The team at Avast has developed a decryptor for the BianLian ransomware and released it for public download. The BianLian ransomware emerged in August 2022, performing targeted attacks in various industries, such as the media and entertainment...


In this blog, we reviewed a campaign that shows how Brazilian cybercriminals target the customers of financial institutions. While abusing legitimate binaries with code injection, DLL hijacking, RTF exploits and PowerShell downloaders are not new techniques, using them together along with elaborate social engineering creates a very effective multi-stage infection chain.

