{
	"id": "2da8136b-6a85-4bb6-96b2-9e317e7bcb11",
	"created_at": "2026-04-06T00:16:41.160777Z",
	"updated_at": "2026-04-10T13:13:02.790038Z",
	"deleted_at": null,
	"sha1_hash": "035976cfbe9161e84896c038ca11adf7345a9b41",
	"title": "Unpacking NanoCore Sample Using AutoIT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2820562,
	"plain_text": "Unpacking NanoCore Sample Using AutoIT\r\nBy Jacob Pimental\r\nPublished: 2019-05-05 · Archived: 2026-04-05 14:55:12 UTC\r\nIn this article I want to take a look at a NanoCore sample that I found on HybridAnalysis that is using a compiled AutoIT script as a packing technique. This article will go over how to detect if a sample is using AutoIT and how to analyze it. The hash for this sample is ad9f99ad687a8ae71a40fd589b028ef6194e35c7.\r\nAs usual, one of the first things I do when analyzing a new sample is to run the “strings” command on the binary to see if there are any clues as to what it does. When running this command on the sample we will find the string “This is a third-party compiled AutoIt script.”, which is very self-explanatory. In order to decompile the sample we will need to download the program exe2aut. Last I checked, the site to download exe2aut is down, so you can grab it from my GitHub in the meantime.\r\nWhen running exe2aut you will be presented with a blank screen. To decompile our program you need to drag the file onto the screen, which will then display the decompiled AutoIT script. It will also create a file in your working directory that also contains the script.\r\nhttps://goggleheadedhacker.com/blog/post/11\r\nPage 1 of 4\r\nIt looks like the script is lightly obfuscated. The function thksczjzrvh seems to be the string deobfuscation function, taking the obfuscated string and the symbol to remove from the string as parameters. For example, the first variable, nthituvhcf, becomes the string “Execute”.\r\nAt the end of the script we can see a call to multiple functions. The application grabs the resources MSIEXEC1, AUTOPLAY2, and PRINTFILTERPIPELINESVC3. These resources contain very large hex strings that the script then concatenates together to create one extremely large hex string. The script will take this newly created string and decrypt it using the Windows advapi.dll library. I used a Python script to deobfuscate the decryption function the script is using.\r\nThe decryption function first uses CryptCreateHash with the key “akzejgkkukeebssbhftrhvxwizaftqlblnpvsogcvifsnyzpcs” to create a hash of the key. It then uses the function CryptDeriveKey to create a key from the created hash. Then the data is decrypted using the key from the previous function using CryptDecrypt. With the ctypes library in Python I managed to create a tool that will decrypt the final payload of the AutoIT script. You can find it on my GitHub here. The decrypted file is a .NET executable. Loading this file into dnSpy confirms that this is NanoCore.\r\nI am not going to go in depth into the NanoCore payload, as this article was meant to demonstrate the extraction process and provide insight into how to RE a compiled AutoIT program. I have noticed this specific packing method used in multiple samples, not just NanoCore either. My script was able to unpack each sample successfully; my hope is that it proves useful to other researchers. Feel free to add commits to improve functionality. Also, feel free to reach out to me on my Twitter and LinkedIn with any questions or comments you have on this article or any of my other articles.\r\nThanks for reading and happy reversing!\r\nMalware Analysis, Malware, Unpacking, Scripting, Automation, DotNET, DnSpy, AutoIT\r\nSource: https://goggleheadedhacker.com/blog/post/11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://goggleheadedhacker.com/blog/post/11"
	],
	"report_names": [
		"11"
	],
	"threat_actors": [],
	"ts_created_at": 1775434601,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/035976cfbe9161e84896c038ca11adf7345a9b41.pdf",
		"text": "https://archive.orkl.eu/035976cfbe9161e84896c038ca11adf7345a9b41.txt",
		"img": "https://archive.orkl.eu/035976cfbe9161e84896c038ca11adf7345a9b41.jpg"
	}
}