Sample
- SHA256: ee69b74d0f0dd59fcd87304863626efb727ad6255bc29a7d48b7a441390dff1a
- Difficulty: medium
- Platform: Windows
- Tags: autoit, cypherit, obfuscated, packed
- Submitter: struppigel
Analysis
Goal
This sample is packed with the CypherIt crypter. Unpack the malware.
Bonus: Extract the config of the payload.
Description
CypherIt is an AutoIt-based crypter. The unpacking stub is a large, obfuscated AutoIt script with a lot of junk code.
Tip: There is an easier way to unpack this than deobfuscating the AutoIt script. Do proper triage and identify obvious encryption algorithms.
Sidenote: There is another CypherIt sample here with a different difficulty. The reason is that this sample uses an earlier version of CypherIt, which was easier to unpack.
Recommended Tools
- autoitripper
- binary refinery
Video
Solution by struppigel: Unpacking AutoIt Stub with Large Obfuscated Script