AutoIt Malware: From Compiled Binary to Plain-Text Script

AutoIt is yet another development language that malware authors leverage to create and obfuscate their malware. As a matter of fact, AutoIt is so closely associated with malware that AutoIt's website has a wiki article that "addresses" the fact that the legitimate AutoIt binary is often detected as malicious by antivirus software. In this post, I will not be going into an end-to-end analysis of any one sample. Unfortunately, there are far too many different ways that malware authors have leveraged AutoIt for me to write a one-analysis-fits-all post. I will, however, attempt to provide you with a starting point by showing you how to get from a compiled AutoIt binary to a plain-text script.

Defeating the VB5 Packer

In this post, I provide step-by-step instructions on how to unpack an executable that has been packed with a VB5 packer. I will also cover bypassing the multiple anti-analysis controls that were implemented by the packer. The result is a fully functional unpacked executable.