Introduction to AutoIt Malware Analysis

In the world of malware analysis, encountering different scripting languages used for malicious purposes is an essential part of expanding our understanding of malware behavior. One scripting language that is often employed by malware authors is AutoIt, a powerful tool designed for automating tasks on Windows systems. However, its versatility and ease of use make it an attractive choice for malware creators as well.

In this post, I’ll walk through my first-ever analysis of an AutoIt-based malware sample. We will explore its structure, techniques, and the potential risks it poses to systems. Through this analysis, we’ll gain insights into how AutoIt scripts are designed, how they can be disguised, and the challenges involved in detecting and mitigating such threats.

Technical Details

During my initial analysis of an AutoIt-based malware sample, I started by treating it like a typical Windows executable. I loaded it into IDA Pro for static analysis but quickly realized that standard disassembly approaches weren’t yielding clear insights. AutoIt executables are not compiled like traditional PE binaries; instead, they contain an embedded AutoIt script that is interpreted at runtime. This makes traditional reverse engineering techniques less effective, as most of the malicious logic resides in the script rather than in native machine code.

Realizing this, I shifted my focus to decompiling and extracting the script instead of analyzing the binary in IDA. Through my research, I found that compiled AutoIt scripts can be extracted and deobfuscated for further analysis. By using tools designed for AutoIt script extraction, such as Exe2Aut and MyAutToExe, I was able to retrieve the original script from the executable. However, the extracted script was heavily obfuscated, employing techniques such as string encoding, function indirection, and dynamic execution via Execute(). To fully understand its behavior, I had to deobfuscate the script step by step, removing layers of encoding and reconstructing the original logic. So now, let’s analyze this implant in detail.

  • NAME -> New order BPD-003666.exe (32 bit)
  • MD5 -> c7888e10961fc8155b336a6b79fd04ff
  • SHA1 -> 47b0a24bfffaa1ecb1880f96792cf9676ddcb4cc
  • SHA256 -> 11879678130b28ce4f2c4e2645929559b712dadc21974d9107bd7d2afe2cd80a
  • Compiler -> Visual Studio 2013, Packer -> UPX (www.upx.sourceforge.net)
  • File size -> 713216 bytes
  • Entropy -> 7.949

Recognizing AutoIt-Based Malware

One of the first steps in analyzing any malware sample is identifying the technology or scripting language used. In this case, I started by inspecting the strings within the executable. A quick check revealed multiple indicators pointing to AutoIt, a popular scripting language for Windows automation.

Additionally, I noticed that the binary was packed using UPX. This is quite common because when compiling an AutoIt script into an executable, the AutoIt compiler by default suggests using UPX for compression. Malware authors often take advantage of this feature to reduce the file size and obscure the underlying script. Let’s look at these indicators in the strings output:

  • “AutoIt”
  • “AU3!” – This is the AutoIt signature found in compiled executables.
  • “AutoIt script” – Commonly appears in error messages or logs.
  • “AutoIt v3” – References to the AutoIt version.
  • References to AutoIt functions such as Run, FileInstall, RegRead, InetRead, or ProcessClose

But wait—when we run the unpacked executable, it crashes. I think this is because AutoIt scripts are compiled into executables using a custom runtime and packing mechanism designed to protect the script’s contents. These executables often utilize a modified version of UPX or a similar packing technique to compress and obscure the script.

Additionally, I checked its .rsrc section and found the AutoIt script embedded within it.

Extract the Script

There are several tools available, such as Exe2Aut, AutoIt Extractor, and others. I used Exe2Aut to extract the code, and fortunately, I was able to retrieve it. After copying and pasting the code into Notepad++, I noticed that it was heavily obfuscated. But who’s going to stop us? Let’s take a look:

The script consisted of 1,408 lines of code. As this was my first time analyzing an AutoIt script, I took the time to research and understand key functions like DllCall, DllStructCreate, FileInstall, DllStructSetData, and DllCallAddress.

From my research, I recognized that invoking WinAPI functions requires a specific structure and parameter setup. However, the arguments in the script were obfuscated. After carefully analyzing the script, I identified that the decryptor function was positioned at the top, which was crucial for deobfuscating the rest of the code.

Func decrypt_str($inputString)
    Local $outputString = ""
    Local $xorValue = 28          ; single-byte XOR key shared by every obfuscated string
    Local $stringLength = StringLen($inputString)

    ; AutoIt strings are 1-indexed: XOR each character with the key and append it
    For $i = 1 To $stringLength
        $outputString &= Chr(BitXOR(Asc(StringMid($inputString, $i, 1)), $xorValue))
    Next

    Return $outputString
EndFunc

To decrypt each obfuscated string, I commented out the rest of the code and used the FileWrite function to save the decrypted output to a file. For example, I used the following line to decrypt and log each string:

FileWrite("debug_output.txt", "Decrypted Output: " & decrypt_str("wynryp/.") & @CRLF)

This allowed me to systematically decrypt each string and save the results to debug_output.txt. Once all strings were decrypted, I replaced the obfuscated strings in the script with their corresponding decrypted values, ensuring the functions would operate correctly with the plaintext data.
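The decrypt-and-replace step can be automated. The Python below is an added example, not the post’s own tooling: it ports decrypt_str() and rewrites every decrypt_str("...") call in a script into its plaintext literal; the sample script lines are constructed (only "wynryp/." is a literal quoted in the post).

```python
import re

XOR_KEY = 28  # the $xorValue hard-coded in the sample's decrypt_str()


def decrypt_str(obfuscated: str) -> str:
    """Python port of the sample's decrypt_str(): XOR every character with 28."""
    return "".join(chr(ord(c) ^ XOR_KEY) for c in obfuscated)


def au3_literal(text: str) -> str:
    """Render text as an AutoIt double-quoted literal; an embedded quote is doubled."""
    return '"' + text.replace('"', '""') + '"'


# decrypt_str("...") where the argument is an AutoIt double-quoted literal
# ("" inside it is an escaped quote, which the XOR can both produce and consume)
CALL_RE = re.compile(r'decrypt_str\("((?:[^"]|"")*)"\)')


def deobfuscate_script(script: str) -> tuple[str, dict[str, str]]:
    """Replace every decrypt_str("...") call with its plaintext literal.

    Returns the rewritten script plus an obfuscated -> plaintext table, the
    same mapping the post builds by hand with FileWrite() one string at a time.
    """
    table: dict[str, str] = {}

    def repl(m: re.Match) -> str:
        encoded = m.group(1).replace('""', '"')
        plain = decrypt_str(encoded)
        table[encoded] = plain
        return au3_literal(plain)

    return CALL_RE.sub(repl, script), table


# Constructed sample in the style of the extracted script (not the real file).
# "wynryp/." is the literal quoted in the post; the other two are made up here.
SAMPLE_SCRIPT = '''$h = DllCall(decrypt_str("wynryp/.") & ".dll", "ptr", "VirtualAlloc", "ptr", 0)
FileInstall("tilths", @TempDir & decrypt_str("@huphto"), 1)
$q = decrypt_str("x>")
'''

if __name__ == "__main__":
    rewritten, strings = deobfuscate_script(SAMPLE_SCRIPT)
    for enc, plain in strings.items():
        print(f"{enc!r} -> {plain!r}")   # e.g. 'wynryp/.' -> 'kernel32'
    print(rewritten)
```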

Afterward, I cleaned up and refactored the code to enhance readability and deobfuscated the strings. It became evident that the majority of the code was non-functional “junk,” designed solely to obscure the actual logic. The only functionally relevant section that executed was the one involving the large $data variable.

$data =xxxxxxxx

$allocated_mem = DllCall("kernel32.dll", "ptr", "VirtualAlloc", "ptr", 0, "dword", 14336, "dword", 0x3000, "dword", 0x40)[0]

$MapTo_Autoit = DllStructCreate("byte[14336]", $allocated_mem)

FileInstall("tilths", @TempDir & "\tilths", 1)

DllStructSetData($MapTo_Autoit, 1, $data)

DllCallAddress("none", $allocated_mem + 9136)

Debugging Process

I executed the script using both PowerShell and AutoIt3.exe. To monitor its behavior, I inserted two MsgBox calls:

  1. The first MsgBox displayed the memory address allocated by the script.

  2. The second MsgBox paused the program, allowing me to attach the process to x64dbg for further analysis.

After attaching the process in x64dbg, I set a breakpoint at the allocated memory address and triggered execution by clicking the MsgBox. After analyzing the script, I observed that it executed the decrypted payload 10 times (tilths). During the first iteration, it created a suspended instance of SVCHost.exe and injected an MZ file into it. After resuming the suspended SVCHost.exe, the script proceeded to inject the payload into Explorer.exe, which subsequently executed it—potentially leveraging PowerShell for further operations.
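The four loader statements quoted earlier and the breakpoint step above can be checked statically. The Python below is an added example, not the post’s own tooling: it extracts the region size, page protection, DllCallAddress offset and dropped file name from a deobfuscated AU3 script, and entry_address() adds that offset to the base the first MsgBox reports (the 0x00A00000 base in the usage is a hypothetical value).

```python
import re

# Win32 constants used by the loader's VirtualAlloc call
MEM_COMMIT_RESERVE = 0x3000
PAGE_EXECUTE_READWRITE = 0x40

# Patterns for the loader's statements (whitespace-tolerant).
ALLOC_RE = re.compile(
    r'(\$\w+)\s*=\s*DllCall\("kernel32\.dll",\s*"ptr",\s*"VirtualAlloc",\s*"ptr",\s*\w+,'
    r'\s*"dword",\s*(\d+),\s*"dword",\s*(0x[0-9a-fA-F]+|\d+),\s*"dword",\s*(0x[0-9a-fA-F]+|\d+)\)\[0\]')
STRUCT_RE = re.compile(r'DllStructCreate\("byte\[(\d+)\]",\s*(\$\w+)\)')
JUMP_RE = re.compile(r'DllCallAddress\("\w+",\s*(\$\w+)\s*\+\s*(\d+)\)')
DROP_RE = re.compile(r'FileInstall\("([^"]+)",\s*@TempDir\s*&\s*"([^"]+)",')


def triage_loader(script: str) -> dict:
    """Statically extract the in-memory loader's parameters from an AU3 script."""
    info: dict = {}
    m = ALLOC_RE.search(script)
    if m is None:
        return info  # no VirtualAlloc via DllCall: not this loader pattern
    region, size = m.group(1), int(m.group(2))
    alloc_type, protect = int(m.group(3), 0), int(m.group(4), 0)
    info.update(region=region, region_size=size,
                rwx=(protect == PAGE_EXECUTE_READWRITE),
                commit_reserve=bool(alloc_type & MEM_COMMIT_RESERVE))
    s = STRUCT_RE.search(script)
    # the byte[] struct is the window through which $data is copied into the region
    info["struct_covers_region"] = bool(s and s.group(2) == region and int(s.group(1)) <= size)
    j = JUMP_RE.search(script)
    if j and j.group(1) == region:
        off = int(j.group(2))
        info["entry_offset"] = off
        info["entry_inside_region"] = off < size
    d = DROP_RE.search(script)
    if d:
        info["dropped_file"] = d.group(2).lstrip("\\")
    return info


def entry_address(base: int, offset: int) -> int:
    """Breakpoint address: the base shown by the MsgBox plus the DllCallAddress offset."""
    return base + offset


# Constructed sample: the deobfuscated loader lines quoted in the post.
SAMPLE = r'''
$allocated_mem = DllCall("kernel32.dll", "ptr", "VirtualAlloc", "ptr", 0, "dword", 14336, "dword", 0x3000, "dword", 0x40)[0]
$MapTo_Autoit = DllStructCreate("byte[14336]", $allocated_mem)
FileInstall("tilths", @TempDir & "\tilths", 1)
DllStructSetData($MapTo_Autoit, 1, $data)
DllCallAddress("none", $allocated_mem + 9136)
'''

if __name__ == "__main__":
    report = triage_loader(SAMPLE)
    print(report)
    # hypothetical base address, standing in for what the first MsgBox shows
    print(hex(entry_address(0x00A00000, report["entry_offset"])))
```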

Initially, the malware resolves API functions using a specific method, as illustrated below:

Subsequently, it spawns a suspended instance of svchost.exe, as shown in the following image (it maps the real svchost.exe and reads it from memory):

Additionally, the malware drops an encrypted payload (tilths) into the %TEMP% directory. It then decrypts the payload, loads it into memory, and injects it into the previously created svchost.exe process.

At this stage, we can observe the decrypted tilths payload residing in the memory of svchost.exe:

After dumping the payload, Windows Defender successfully detects it, indicating the presence of known malicious signatures or behavioral heuristics.

So what is FormBook malware? We can refer to Check Point’s explanation: FormBook is an infostealer malware that was first discovered in 2016. It steals various types of data from infected systems, including credentials cached in web browsers, screenshots, and keystrokes.

Now that we understand the nature of this threat, we are dealing with a highly evasive infostealer. 🩻

tilths.exe Analysis

  • Hash: B35EC9BABE885EA6D6341B13FA9349695666BD08498B4C8392205607FAB23953

The executable is packed, as indicated by its high entropy value of 7.95. Upon loading it into IDA, we can observe encrypted code, suggesting obfuscation or runtime unpacking behavior.

Additionally, the binary contains only a single section (.text), and the compilation tool is identified as Visual Studio 2005. No useful strings are present, further reinforcing the likelihood of packing or encryption mechanisms. This suggests that the payload is heavily obfuscated to hinder static analysis and reverse engineering efforts.

However, instead of diving into the complexities of decrypting and dumping the binary, let’s take a simpler approach by leveraging dynamic analysis tools like Process Monitor (ProcMon). Before proceeding, it’s important to note that the malware employs anti-analysis techniques to detect monitoring tools like ProcMon. To bypass these checks, I renamed ProcMon.exe to a less suspicious name, ensuring that the malware does not recognize it as a monitoring tool.

The malware actively checks for the presence of monitoring tools by querying the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMON24. This key is associated with ProcMon’s driver, and its presence indicates that the system is being monitored. By renaming ProcMon.exe and the registry value, we can evade the malware’s detection check and proceed with our analysis.

Observing the Malware Behavior with ProcMon

The attacker leverages svchost.exe to drop the final-stage payload, Hostname.exe, onto the compromised system. This payload is typically encrypted or obfuscated to evade detection by security software.

Once the payload (Hostname.exe) is dropped, the malware employs an impersonation technique to escalate privileges. Specifically, it targets the TrustedInstaller service, a high-integrity Windows process responsible for managing system files and updates. By acquiring the token of the TrustedInstaller process, the malware gains elevated privileges, allowing it to operate with system-level access.

With the TrustedInstaller token, the malware ensures its persistence on the system. By operating under the guise of a trusted system process, it can evade traditional security measures and maintain a foothold on the compromised machine. This step is critical for the attacker, as it ensures that the payload remains active even after reboots or attempts to terminate the malicious process.

After svchost.exe loads aut35CA.tmp, the malware proceeds with decrypting its payload before injecting it into a legitimate process, typically explorer.exe or winrar.exe. This stealthy process injection serves as a key mechanism for executing the final-stage payload, hostname.exe, while evading detection. It also drops a copy of svchost into C:\Program Files (x86)\Office Depot under randomized names:

C:\Program Files (x86)\Office Depot\qwyx.dll
C:\Program Files (x86)\Office Depot\zxtv.exe
C:\Program Files (x86)\Office Depot\rsla.dat

And it doesn’t stop there either. It makes sure that even if the system reboots, it will still run: it adds itself to the Run registry key, so every time the system starts, so does the malware.

To counter dynamic analysis and sandbox environments, the malware employs an anti-analysis technique by monitoring for specific processes such as vmtools.exe, powershell.exe, and procexp.exe. If any of these are detected, the malware enters an infinite loop, effectively halting execution and preventing further analysis. Once executed, hostname.exe encrypts harvested data and exfiltrates it to a predefined set of domains.

Once hostname.exe is running, its primary mission is to harvest sensitive data. It scours the system for any valuable information—like system credentials, personal data, or configuration details. Once gathered, it encrypts the stolen data and exfiltrates it to a set of predefined remote domains, giving the attacker direct access to the sensitive information. This shows that the malware’s purpose isn’t just to infect the system—it’s after valuable intelligence.

Further analysis reveals more about the malware’s behavior. It drops a file at the path:

C:\Windows\Registration\R000000000006.clb

This file is mapped into memory, and it contains information that could prove dangerous. Specifically, it holds the Security Identifiers (SIDs) for high-privilege system accounts:

S-1-5-32-544 (Administrators group SID)
S-1-5-18 (LocalSystem SID)
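To pull SIDs like these out of a mapped file or a memory dump, here is a small carver, added as an example and not taken from the post; the buffer it scans is constructed to contain the two SIDs above plus one of the ETW-related strings mentioned below.

```python
import struct

# Well-known SIDs, labelled from their documented meaning
WELL_KNOWN = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM (LocalSystem)",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}


def decode_sid(buf: bytes, pos: int):
    """Decode a binary SID at buf[pos]: revision, sub-authority count,
    6-byte big-endian identifier authority, then little-endian 32-bit
    sub-authorities. Returns (sid_string, byte_length) or None."""
    if pos + 8 > len(buf):
        return None
    revision, count = buf[pos], buf[pos + 1]
    if revision != 1 or not 1 <= count <= 15:
        return None
    length = 8 + 4 * count
    if pos + length > len(buf):
        return None
    authority = int.from_bytes(buf[pos + 2:pos + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, pos + 8)
    return "S-1-%d-%s" % (authority, "-".join(map(str, subs))), length


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid; used here to build the constructed sample."""
    parts = sid.split("-")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def carve_sids(buf: bytes, max_authority: int = 16) -> list[tuple[int, str]]:
    """Scan every offset for SID structures. Real identifier authorities are
    tiny (the NT authority is 5), so a 6-byte value above max_authority is noise."""
    found, pos = [], 0
    while pos < len(buf):
        hit = decode_sid(buf, pos)
        if hit and 0 < int(hit[0].split("-")[2]) <= max_authority:
            found.append((pos, hit[0]))
            pos += hit[1]
        else:
            pos += 1
    return found


def describe(sid: str) -> str:
    return WELL_KNOWN.get(sid, "not a well-known SID")


# Constructed stand-in for the mapped file: padding, the two SIDs and one of the
# ETW-related strings the post mentions, so the carver has to skip over text.
SAMPLE_CLB = (b"\x00" * 5 + encode_sid("S-1-5-32-544") + b"RegisterModule2\x00"
              + encode_sid("S-1-5-18") + b"\x01\x02\xff")

if __name__ == "__main__":
    for offset, sid in carve_sids(SAMPLE_CLB):
        print(f"offset {offset}: {sid} ({describe(sid)})")
```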

It also contains event-tracing and service-manipulation strings such as RegisterModule2, StartTraceGuid, and StopTraceGuid, which appear to be related to Event Tracing for Windows (ETW).

  • RegisterModule2, StartTraceGuid, StopTraceGuid → possible manipulation of ETW (Event Tracing for Windows).
  • IsServiceRunning, CreateApplicationService, DeleteApplicationService → possible service manipulation.
  • IsVolumeSnapshotted, NeedWaitForSnapshotCompleted → possible interaction with Volume Shadow Copies.

It also checks for \Device\CdRom0:$VMCB$ to determine whether it is running in a VM; this check is related to AMD processors (it is looking for a hypervisor).

Finally, it drops these two files; when I checked them, I saw that they contain queries and data about browsers, along with other data:

C:\Users\lockbit\AppData\Local\Temp\U7-5I27 -> SQLite 3

The second, C:\Users\lockbit\AppData\Local\Temp\TS_72BF.tmp (Apple HFS/HFS+), holds the same kind of data.

I’ll add them to the IoC section.

Network Traffic Analysis

During our analysis, we observed that the malware communicates with multiple domains. Some of these domains are shown below:

One of the key indicators of malicious activity is the exfiltration of data to a specific domain. Below is an example of how the malware attempts to send stolen information to its command-and-control (C2) server:

Indicators of Compromise (IoCs)

Domain & IP Addresses


Suspicious File & Registry Paths

File Paths:

Registry Keys:

Yara Rules

  • New order BPD-003666.exe : 11879678130b28ce4f2c4e2645929559b712dadc21974d9107bd7d2afe2cd80a
    rule autoit_malware
    {
      meta:
          author = "Alireza Hosseini"
          description = "Detects AutoIt malware scripts and compiled binaries"
          date = "2025-03-06"
          reference = "Common AutoIt signature detection"

      strings:
          $signature = "AU3!"          // marker of a compiled AutoIt script
          $upx = "UPX!"                // UPX packer marker
          $autoit_func1 = "AutoItSetOption"
          $autoit_func2 = "Run"
          $autoit_func3 = "ShellExecute"
          $autoit_func4 = "RegWrite"
          $autoit_func5 = "RegRead"
          $autoit_func6 = "FileWrite"
          $autoit_func7 = "FileRead"
          $autoit_func8 = "InetGet"
          $autoit_func9 = "DllCall"
          $autoit_func10 = "HttpOpenRequest"

      condition:
          // "UPX!" alone, or a short name like "Run" on its own, matches far
          // too many benign files; require the AU3 marker, or UPX together
          // with several AutoIt API names
          $signature or ($upx and 4 of ($autoit_func*))
    }
    
  • HOSTNAME.EXE - 379CBA8D0A1288E316126AC75A354C03BE76A61EAD6BD5EC6C72ED7DA3DC49D9
    rule Hostname_EXE_Detection
    {
      meta:
          description = "Detects hostname.exe based on specific PDB, EXE, and related string indicators"
          author = "Alireza Hosseini"
          date = "2025-03-06"

      strings:
          $pdb    = "hostname.pdb" nocase
          $exe    = "hostname.exe" nocase
          $app    = "Hostname APP" nocase
          $dllname   = "040904B0"   // StringFileInfo block name (lang 0x0409, codepage 0x04B0) in the version resource
          $ext    = "TG4"

      condition:
          // MZ header plus every indicator present
          uint16(0) == 0x5A4D and all of ($pdb, $exe, $app, $dllname, $ext)
    }
    

Thank you for your interest and support of my blog!


