lowlevel01/deAutoIt
deAutoIt

A handy tool that automatically extracts the next stage of malware delivered through AutoIt, for the cases where the AutoIt script decodes that next stage using known patterns encountered repeatedly during analyses.

Note: the RC4 and LZNT1 patterns are actually related to the CypherIt crypter (I didn't know this information when I wrote this tool), as mentioned by Unit42 here.

usage: deautoit.py [-h] [-s SCRIPT] [-a AUTOIT]

A tool to automate extraction of stage 2 of some cases of malware using AutoIt.

options:
  -h, --help           show this help message and exit
  -s, --script SCRIPT  Work directly on the script (deobfuscate strings before using it)
  -a, --autoit AUTOIT  extract the script and embedded files then work on them
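The two decoding steps the note above ties to the CypherIt pattern, RC4 followed by LZNT1, as an added example in Python that is not part of this repository: the order of the two steps, the key, the function names and the sample blob are all assumptions constructed for the demonstration.

```python
import struct

def rc4(key: bytes, data: bytes) -> bytes:  # plain RC4; symmetric, so it decrypts too
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def lznt1_decompress(buf: bytes) -> bytes:  # LZNT1 chunk format as specified in MS-XCA
    out, i = bytearray(), 0
    while i + 2 <= len(buf):
        header, i = struct.unpack_from("<H", buf, i)[0], i + 2
        chunk_end = i + (header & 0xFFF) + 1   # low 12 bits: chunk data size minus 1
        if not header & 0x8000:                # bit 15 clear: chunk stored uncompressed
            out += buf[i:chunk_end]; i = chunk_end
            continue
        base = len(out)                        # back-references are chunk-relative
        while i < chunk_end:
            flags, i = buf[i], i + 1           # one flag byte describes up to 8 tokens
            for bit in range(8):
                if i >= chunk_end: break
                if not flags & (1 << bit):     # flag bit clear: literal byte
                    out.append(buf[i]); i += 1
                    continue
                token, i = struct.unpack_from("<H", buf, i)[0], i + 2
                # length/displacement bit split shifts as chunk output grows (MS-XCA)
                pos, l_mask, o_shift = len(out) - base - 1, 0xFFF, 12
                while pos >= 0x10:
                    pos, l_mask, o_shift = pos >> 1, l_mask >> 1, o_shift - 1
                length, offset = (token & l_mask) + 3, (token >> o_shift) + 1
                if offset > len(out) - base: raise ValueError("bad back-reference")
                for _ in range(length):        # byte-wise copy so overlapping matches work
                    out.append(out[-offset])
    return bytes(out)

def decode_stage(key: bytes, blob: bytes) -> bytes:
    return lznt1_decompress(rc4(key, blob))    # assumed order: RC4 first, then LZNT1

# Constructed sample, one compressed chunk: header 0xB006 (compressed, 7 data bytes), flags
# 0x10 (tokens 0-3 literal, token 4 a match), literals "MZ\x90\x00", then token 0x3009 =
# displacement 4, length 12, which repeats "MZ\x90\x00" to 16 bytes in total.
COMPRESSED_STAGE = bytes.fromhex("06b0 10 4d5a9000 0930")
KEY = b"demo-key"                              # constructed key, not from any real sample
ENCRYPTED_STAGE = rc4(KEY, COMPRESSED_STAGE)   # stands in for the script's embedded blob
```

A decoded blob that starts with "MZ" is the quick sanity check that the pipeline and key were right; a malformed back-reference raises instead of silently producing garbage.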

Real World Examples:

1- Probably Purelog Stealer:

sha256:1c78b60b0ea5b53fd95bc16b6d9a4421d8e9dc0e2e1b0eb4bcb9951afae45774

This sample uses AutoIt to deliver the next stage; the tool extracts that stage automatically. sample_exe

2- Lumma Stealer:

sha256:05a0e74cac490fe2e0e36aac9f1e439945ee024b08cfea7e779e358599a71398

This sample uses an AutoIt script at a later stage; the tool extracts the next stage automatically. sample_script

About

Automatic extraction of the next stage in certain patterns of malware using AutoIt (e.g. the CypherIt crypter)
