eee8a68511bd00ff98425cf9e9bd12873a5e742548fe7e2b72add7ff8dbabb24

Metadata

SHA256: eee8a68511bd00ff98425cf9e9bd12873a5e742548fe7e2b72add7ff8dbabb24
Difficulty: advanced
Platform: Windows
Tags: autoit cypherit packed
Likes: 1
Views: 41
Submitter: struppigel

Analysis

Goal

Unpack the payload and obtain the C2, bonus points for deobfuscating the AutoIt script

Description

This sample is packed with a crypter named CypherIt. This crypter uses a combination of NSIS and batch scripts to decrypt various extracted files and build an AutoIt interpreter and an AutoIt script. It then executes the AutoIt script with the interpreter. The AutoIt script is obfuscated and unpacks the payload.

Recommended Tools

binary refinery

Solutions

The Wolf in AutoIt’s Clothing - How Vidar Hides in Plain Sight by para0x0dise

Sample