{
	"id": "d6b59a12-ffcd-4ae4-80b8-3251bd3fe1f8",
	"created_at": "2026-04-06T00:21:14.238465Z",
	"updated_at": "2026-04-10T03:20:40.149547Z",
	"deleted_at": null,
	"sha1_hash": "437ec791cff4e9b1e643247f7fea12c44ce0332f",
	"title": "Automating The Analysis Of An AutoIT Script That Wraps A Remcos RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6184010,
	"plain_text": "Automating The Analysis Of An AutoIT Script That Wraps A Remcos RAT\r\nBy Amged Wageh\r\nPublished: 2022-01-03 · Archived: 2026-04-05 21:50:52 UTC\r\nJan 2, 2022\r\nThreat actors usually depend on some sort of first stager to drop their malware, and AutoIT scripts are a good candidate for that job because they can interact with COM objects, call functions exported by DLLs, and simulate user interaction.\r\nIn this story, we discuss some important tips for analyzing AutoIT malware and apply them to a real-world sample from the wild. We also write a couple of Python scripts to automate the analysis and to extract and decrypt the config of the Remcos agent.\r\nDelivery\r\nAutoIT scripts can be delivered in two ways:\r\n1. As an .au3 script, which requires AutoIT to be either installed on the system or shipped alongside the script.\r\n2. Compiled together with the interpreter into a standalone executable. 
In this case, we need to extract the script from the executable with a decompiler such as Exe2Aut or MyAut2Exe.\r\nImportant Functions\r\nLike any other scripting language, AutoIT has specific functions and macros that malware authors can use to perform their nefarious tasks. The following functions are the ones most prone to abuse by malware authors:\r\nDllCall()\r\nDllStructCreate()\r\nDllStructGetPtr()\r\nDllCallAddress()\r\nIsAdmin()\r\nObjCreate()\r\nObjGet()\r\nBinaryToString()\r\nStringToBinary()\r\nBinary()\r\nBinaryLen()\r\nAutoItSetOption()\r\nEnvGet()\r\nEval()\r\nExecute()\r\nInetGet()\r\nProcessList()\r\nRegRead()\r\nRegWrite()\r\nFileRead()\r\nFileWrite()\r\nShellExecute()\r\nShellExecuteWait()\r\nRun()\r\nRunAs()\r\nSleep()\r\nStringReverse()\r\nTCPSend()\r\nTCPRecv()\r\nUDPSend()\r\nUDPRecv()\r\nAnd here is a list of macros that malware authors can abuse:\r\n@AppDataCommonDir\r\n@AppDataDir\r\n@AutoItExe\r\n@AutoItPID\r\n@AutoItX64\r\n@CommonFilesDir\r\n@ComputerName\r\n@ComSpec\r\n@CPUArch\r\n@DesktopCommonDir\r\n@DesktopDir\r\n@DocumentsCommonDir\r\n@FavoritesCommonDir\r\n@FavoritesDir\r\n@HomeDrive\r\n@HomePath\r\n@HomeShare\r\n@LocalAppDataDir\r\n@OSArch\r\n@ProgramFilesDir\r\n@ProgramsCommonDir\r\n@ProgramsDir\r\n@ScriptDir\r\n@ScriptFullPath\r\n@ScriptName\r\n@StartMenuCommonDir\r\n@StartMenuDir\r\n@StartupCommonDir\r\n@StartupDir\r\n@SystemDir\r\n@TempDir\r\n@UserName\r\n@UserProfileDir\r\n@WindowsDir\r\nRefer to the AutoIT documentation to understand what each function and macro does; the links are in the references section.\r\nExample From The Wild\r\nDuring one of the incidents I was engaged in, I found a Remcos agent delivered as a UPX-packed binary wrapped inside 
an AutoIT script. The script was delivered separately from the interpreter, together with a batch script that glues everything together and runs the script.\r\nSogni.tmp\r\nThe batch script starts by writing the two bytes MZ into a file named Mia.exe.com, then appends the contents of another file, Dai.tmp, to it. Dai.tmp holds the AutoIT interpreter with its MZ header stripped. This trick is commonly used to slip past security controls that only inspect files starting with an MZ header, since neither dropped file is a valid PE until the batch script reassembles it.\r\nSogni.tmp Contents\r\nThen a file named Arteria.tmp is passed to the rebuilt interpreter to be run; Arteria.tmp is the file that contains the malicious AutoIT script.\r\nArteria.tmp\r\nExamining that script shows that it is obfuscated with four techniques:\r\n1. A custom-written string obfuscator.\r\n2. Switch cases declared inside a loop that only ever executes once.\r\n3. Weird variable and function names.\r\n4. 
Declaring functions and variables that are never used.\r\nIdentifying the De-obfuscation Function\r\nDe-obfuscating the malware is crucial for a successful analysis. Usually the de-obfuscation routine is the function that is called most often; here a function called faBwnHc is the one called the most, and it is not a built-in AutoIT function (it is custom written), so it is the prime suspect.\r\nTo make things harder for analysts, the function itself applies obfuscation techniques 2, 3, and 4 from the list above, so we have to defeat those first in order to understand how the rest of the script is de-obfuscated.\r\nDefeating unnecessary loops and switch cases:\r\nThe loops and switch cases always follow the same pattern:\r\n\u003cvariable1\u003e = number1 ; a number that selects the switch case\r\n\u003cvariable2\u003e = number2 ; an unused variable\r\nDo ; the start of the loop\r\nswitch \u003cvariable1\u003e ; start of the switch\r\ncase numberX\r\n statements\r\ncase numberY\r\n statements\r\n...\r\ncase number1 ; the case that holds the statements\r\n statements ; that actually get executed\r\n ExitLoop ; leaves the loop, so the body runs only once\r\ncase numberZ\r\n statements\r\nEndSwitch\r\nUntil numberW\r\nNext\r\nOnly the case matching variable1 ever runs, and its ExitLoop guarantees the loop body executes exactly once, so defeating this technique means removing everything else. 
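As an added example (not the author's script), the following Python does both this step and the string decoding the post describes next: it collapses each Do/Switch/.../ExitLoop/EndSwitch/Until wrapper to the body of the case that contains ExitLoop, repeating until nested wrappers are gone, then replaces every call to the decoding function (named faBwnHc here, as in the sample) with its decoded literal by splitting the first argument on dots and subtracting the second argument from each number. The AutoIt fragment at the top is constructed for the example; the encoded values are made up and not taken from the real script.

```python
import re

NL = chr(10)

# Constructed AutoIt fragment in the shape the post describes: a Do/Switch
# wrapper whose loop runs exactly once, and string literals hidden behind
# faBwnHc(<dot-separated numbers>, <key>) calls. The encoded values are made
# up for this example and are not taken from the real script.
SAMPLE = '''$iSel = 3
$iJunk = 1337
Do
Switch $iSel
Case 1
$a = 0
Case 2
$b = 1
Case 3
$hLib = faBwnHc('114.108.121.117.108.115.58.57.53.107.115.115', 7)
$r = DllCall($hLib, 'none', faBwnHc('88.113.106.106.117', 5), 'dword', 1000)
ExitLoop
Case 4
$c = 2
EndSwitch
Until 1
Next
'''


def _norm(line):
    return line.strip().lower()


def _flatten_once(lines):
    '''Collapse one level of Do/Switch/.../EndSwitch/Until wrappers. Only the
    case that contains ExitLoop ever runs, so its statements replace the whole
    construct. Returns (new_lines, changed).'''
    out, i, changed = [], 0, False
    while i < len(lines):
        if _norm(lines[i]) == 'do' and i + 1 < len(lines) and _norm(lines[i + 1]).startswith('switch '):
            cases, cur, depth, end = [], None, 0, None
            j = i + 2
            while j < len(lines):
                s = _norm(lines[j])
                if depth == 0 and s == 'endswitch':
                    end = j
                    break
                if depth == 0 and s.startswith('case '):
                    cur = []
                    cases.append(cur)
                else:
                    if s.startswith('switch '):
                        depth += 1      # nested Switch: copy it through untouched for now
                    elif s == 'endswitch':
                        depth -= 1
                    if cur is not None:
                        cur.append(lines[j])
                j += 1
            live = [c for c in cases if any(_norm(l) == 'exitloop' for l in c)]
            if end is not None and end + 1 < len(lines) and _norm(lines[end + 1]).startswith('until') and len(live) == 1:
                out.extend(l for l in live[0] if _norm(l) != 'exitloop')
                i = end + 2
                if i < len(lines) and _norm(lines[i]) == 'next':
                    i += 1              # the stray Next that closes the pattern in the post
                changed = True
                continue
        out.append(lines[i])
        i += 1
    return out, changed


def flatten_switches(script):
    '''Apply _flatten_once until nothing changes, so nested wrappers collapse too.'''
    lines, changed = script.splitlines(), True
    while changed:
        lines, changed = _flatten_once(lines)
    return NL.join(lines) + NL


def decode_string(encoded, key):
    '''Reverse the custom encoding: split on dots, subtract the key, map to chars.'''
    return ''.join(chr(int(n) - key) for n in encoded.split('.'))


QUOTES = chr(39) + chr(34)   # AutoIt accepts single- or double-quoted strings


def decode_calls(script, name='faBwnHc'):
    '''Replace every name(<encoded>, <key>) call with a single-quoted AutoIt literal.'''
    pat = re.compile(re.escape(name) + '[(][' + QUOTES + ']([0-9.]+)[' + QUOTES + '],[ ]*([0-9]+)[)]')

    def repl(m):
        text = decode_string(m.group(1), int(m.group(2)))
        return chr(39) + text.replace(chr(39), chr(39) * 2) + chr(39)   # AutoIt doubles a quote to escape it

    return pat.sub(repl, script)


def deobfuscate(script, name='faBwnHc'):
    return decode_calls(flatten_switches(script), name)


if __name__ == '__main__':
    print(deobfuscate(SAMPLE))
```

Run it as-is to print the de-obfuscated sample; for a real script, read the file, pass it to deobfuscate() with the name of the most-called custom function, and then run the unused-declaration pass the post describes afterwards. The flattening keys on ExitLoop rather than on evaluating the selector variable, so a wrapper with no ExitLoop (or several) is left untouched for manual review instead of being guessed at.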
A Python function was written for that purpose; the scripts from this post are published in the AutoIT-Remcos repository listed in the references.\r\nAfter running that function and saving the returned semi de-obfuscated script, we get a clearer view of the script's de-obfuscation function.\r\nDeobfuscation function\r\nDefeating a custom-written obfuscator:\r\nGoing through the function manually to understand what it does shows the following:\r\nThe deobfuscation function deobfuscated\r\nIt accepts two arguments: the first is a string of numbers separated by dots, the second is just a number. The function splits the first string on the dots, loops over the resulting numbers, subtracts the second argument from each one, converts each result to a character, and concatenates those characters; the resulting string is the de-obfuscated string.\r\nA Python function was written to follow the same de-obfuscation technique, and another function automates the de-obfuscation by looping over all calls to faBwnHc and replacing each call with its decoded string.\r\nOnce the script is de-obfuscated, we get a clearer idea of what is going on.\r\nSemi de-obfuscated script\r\nDefeating the unnecessary declared variables and functions:\r\nThe malware author stuffed the script with many unused functions and variables. To defeat this technique, a Python script was written to tokenize the script, collect every declared function and variable, and remove the ones that are never referenced anywhere else.\r\nDefeating the weird-named variables and functions:\r\nNow we need to manually go through the script to understand what it does, so we can rename the variables and functions with meaningful 
names.\r\nBuffer Decompression\r\nThe function originally called ZsMuinqqKkZyNasdzfRZygWqdvdbo is responsible for decompressing a buffer that was compressed with a deflate-style algorithm (the function inflates it back).\r\nBuffer decompression\r\nKill Switches\r\nTo evade AV sandboxes, the malware checks the computer name and halts if it is one of the names known to be used by AV products, for example tz (used by Bitdefender), NfZtFbPfH (used by Kaspersky), and ELICZ (used by AVG). It also halts if it finds a file named aaa_TouchMeNot_.txt under the C:\\ directory; this trick is mostly used to avoid self-infection and to evade the Defender AV emulator.\r\nKill Switches\r\nAnti Analysis\r\nThe function originally named YlNhpDElbjgxIsNhKUV applies a timing check: it reads the number of milliseconds elapsed since the system started, sleeps for a chosen number of milliseconds, reads the elapsed time again, and computes the difference. It exits if the measured difference is more than 500 ms above or below the requested sleep time, which catches sandboxes that fast-forward Sleep as well as an analyst stepping through the call.\r\nAnti Analysis\r\nProcess Hollowing\r\nThe function originally called wJKkYYrSKDWGKUxnJpLSngpYQJY takes a binary buffer and a command line that points to the path of the current process, and spawns a new copy of that process by passing the command line to CreateProcessW.\r\nSpawning itself\r\nIt calls the function originally named iIGEjbvuSPKbstetiETZTXUzxISkJG, which calls NtUnmapViewOfSection to hollow out the contents of the spawned process, then it calls the functions 
that were originally named oRnvqSVbsowWGStGmLJnlz and YRZhNmLxfZ to call VirtualAllocExNuma and allocate a new memory region inside the hollowed process.\r\nHollowing\r\nThen it calls WriteProcessMemory to write the binary buffer into that region.\r\nWriting the buffer\r\nIt calls VirtualProtectEx to add execute permission to the newly created region.\r\nAdding execution permissions\r\nThen it calls SetThreadContext to point the suspended thread's entry point at the newly written image, and finally it calls NtAlertResumeThread to resume the thread.\r\nResume thread\r\nDynamically dumping the injected buffer\r\nNow that we understand how the buffer is injected, let's dump it dynamically to continue the analysis.\r\nFirst, empty out the body of the anti-analysis function so it does not get in the way.\r\nDefeating the anti-analysis function\r\nNow open the AutoIT interpreter in x32dbg, adjust the command line to pass the script as an argument, and reload.\r\nx32dbg command line\r\nSet breakpoints on IsDebuggerPresent, WriteProcessMemory, and NtAlertResumeThread (the steps below also rely on breakpoints on CreateProcessW and VirtualAllocExNuma).\r\nSince it is an AutoIT script, the interpreter calls IsDebuggerPresent to check whether it is being debugged. Once that breakpoint hits, step through the instructions until you reach the memory location of the BeingDebugged flag in the PEB, then change the 
flag to 0 so that any other check that reads it also fails.\r\nBeingDebugged flag\r\nOnce the CreateProcessW breakpoint hits, change the function's arguments so that the creation flag is 4 (CREATE_SUSPENDED) and the process starts suspended.\r\nCreate in suspended mode\r\nThen attach another debugger to the newly created process, make sure the same breakpoints are set, and resume the process.\r\nOnce resumed, it hits CreateProcessW with a creation flag of 4.\r\nSuspended process creation\r\nAfter letting the debugger run again, it hits VirtualAllocExNuma; checking the first parameter, the handle to the process in which the region is allocated, shows that it is a handle to the process created last.\r\nProcess handle\r\nThe second parameter reveals that the memory is allocated at base address 0x400000.\r\nBase Address\r\nInspecting the allocated memory with Process Hacker shows that it is empty at this point.\r\nAllocated memory\r\nOnce we let WriteProcessMemory run, it writes the buffer into that region, and the buffer turns out to be an executable.\r\nWritten buffer\r\nNow we can hit the save button to dump the buffer to disk.\r\nChecking the dumped file in PE-bear shows that it is a UPX-packed binary whose section headers need to be fixed, because the image was written in its virtual layout rather than its file layout.\r\n
PE-Bear inspection\r\nTo fix the headers, we make each section's raw address point to the same location as its virtual address and recalculate the raw size accordingly.\r\nFixing the section headers\r\nWe also need to make sure that the ImageBase in the optional header matches the address at which the dumped buffer was written (0x400000), which is already correct in this case.\r\nChecking the Image Base\r\nOnce the headers are fixed, the import table resolves and populates automatically, because PE-bear can now map the import directory's RVAs to file offsets.\r\nThe import table\r\nAs an anti-unpacking measure, the author set the optional header's CheckSum to 0, so the UPX tool refuses to unpack it; in any case, upx -d expects the exact on-disk layout it produced, and an image rebuilt from a memory dump rarely satisfies that, so manual unpacking is the dependable route.\r\nChecksum set to 0\r\n
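The header fix described above, as an added example that is not part of the original post: a stdlib-only Python routine that walks the section table of a dumped image, sets each section's PointerToRawData to its VirtualAddress, recomputes SizeOfRawData as the span to the next section (VirtualSize rounded up to SectionAlignment for the last one), and refuses to proceed when ImageBase does not match the address the buffer was written to. The two-section PE it operates on is constructed inline to stand in for the dump; using the next-section span as the new raw size is one common convention and is an assumption here, not necessarily what PE-bear does internally.

```python
import struct


def build_sample_dump(image_base=0x400000):
    '''Constructed stand-in for the buffer written into the hollowed process: a
    minimal 32-bit PE laid out at its virtual addresses (SectionAlignment
    0x1000) whose two section headers still carry the on-disk raw offsets and
    sizes. Made up for this example; not bytes from the sample.'''
    e_lfanew = 0x80
    hdr = bytearray(0x400)                                  # SizeOfHeaders
    hdr[0:2] = bytes.fromhex('4d5a')                        # MZ
    struct.pack_into('<I', hdr, 0x3c, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = bytes.fromhex('50450000')  # PE signature
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into('<HHIIIHH', hdr, e_lfanew + 4, 0x14c, 2, 0, 0, 0, 0xe0, 0x102)
    opt = e_lfanew + 24
    struct.pack_into('<H', hdr, opt, 0x10b)             # PE32 magic
    struct.pack_into('<I', hdr, opt + 28, image_base)   # ImageBase
    struct.pack_into('<I', hdr, opt + 32, 0x1000)       # SectionAlignment
    struct.pack_into('<I', hdr, opt + 36, 0x200)        # FileAlignment
    struct.pack_into('<I', hdr, opt + 56, 0x3000)       # SizeOfImage
    struct.pack_into('<I', hdr, opt + 60, 0x400)        # SizeOfHeaders
    sec = opt + 0xe0
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (file-layout values)
    for k, row in enumerate([(b'UPX0', 0x1000, 0x1000, 0, 0x400), (b'UPX1', 0x800, 0x2000, 0x600, 0x400)]):
        struct.pack_into('<8sIIII', hdr, sec + 40 * k, *row)
    image = bytearray(0x3000)
    image[:0x400] = hdr
    image[0x2000:0x2600] = bytes([0x60]) + bytes(0x5ff)   # stand-in UPX1 stub bytes
    return bytes(image)


def section_headers(pe):
    '''Return (header_offset, name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section.'''
    e_lfanew = struct.unpack_from('<I', pe, 0x3c)[0]
    nsec = struct.unpack_from('<H', pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', pe, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size
    return [(first + 40 * k,) + struct.unpack_from('<8sIIII', pe, first + 40 * k) for k in range(nsec)]


def fix_section_headers(dump, dumped_at=None):
    '''Rewrite a memory dump's section table for on-disk use: raw pointer := VA,
    raw size := span to the next section (the last one gets VirtualSize rounded
    up to SectionAlignment). Refuses to touch a dump whose ImageBase does not
    match the address it was taken from, since every RVA would then be off.'''
    pe = bytearray(dump)
    e_lfanew = struct.unpack_from('<I', pe, 0x3c)[0]
    opt = e_lfanew + 24
    image_base = struct.unpack_from('<I', pe, opt + 28)[0]
    salign = struct.unpack_from('<I', pe, opt + 32)[0] or 0x1000   # assume the usual page alignment if unset
    if dumped_at is not None and image_base != dumped_at:
        raise ValueError('ImageBase 0x%x does not match the dump address 0x%x' % (image_base, dumped_at))
    hdrs = section_headers(pe)
    for k, (off, _name, vsize, va, _rsize, _rptr) in enumerate(hdrs):
        if k + 1 < len(hdrs):
            new_size = hdrs[k + 1][3] - va
        else:
            new_size = -(-vsize // salign) * salign
        struct.pack_into('<II', pe, off + 16, new_size, va)   # SizeOfRawData, PointerToRawData
    return bytes(pe)


if __name__ == '__main__':
    fixed = fix_section_headers(build_sample_dump(), dumped_at=0x400000)
    for _off, name, vsize, va, rsize, rptr in section_headers(fixed):
        print(name.rstrip(bytes(1)).decode(), hex(va), hex(rsize), hex(rptr))
```

For a real dump, read the file into bytes, call fix_section_headers() with the allocation address observed at VirtualAllocExNuma, and write the result back; the ImageBase check is the same test the post performs by hand in PE-bear, and failing it loudly is preferable to producing a file whose imports silently resolve to the wrong places.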
A UPX-packed binary has two sections, UPX0 and UPX1. UPX1 holds the compressed data and the unpacking stub; when the stub runs it writes the unpacked binary into UPX0 and then jumps into it, so an execute breakpoint on the UPX0 section fires the moment unpacking is complete and control has been transferred to the original entry point. Note that a hardware breakpoint covers at most a few bytes at one address, so to watch the whole section use x32dbg's memory breakpoint on execute from the memory map; either way the first instruction executed inside UPX0 is the original entry point.\r\nUPX0 is empty\r\nOpen the UPX-packed binary in x32dbg, go to the UPX0 section in the memory map, and follow that section in the dump.\r\nFollowing UPX0 in the dump\r\nThen set an execute breakpoint on that section.\r\nSetting an execution hardware breakpoint\r\nOnce the breakpoint hits, we can check the strings and see that it is a Remcos RAT agent, version 3.3.2 Light.\r\nRemcos strings\r\nLet's use the Scylla plugin to dump the unpacked binary.\r\nDumping with Scylla\r\nThen use the Scylla plugin again to fix the dumped binary's imports.\r\nFixing the dump\r\nIt shows a dialog to select the dumped file and creates another file with the same name and _SCY appended.\r\nRemcos agents store their configuration in the resources, in a resource named SETTINGS, and that blob is encrypted with RC4, so let's open the Remcos agent in PEStudio and dump out the config.\r\nDumping the config file\r\n
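The SETTINGS layout the post describes next (key length byte, key, RC4 ciphertext), as an added example that is not part of the original post: a stdlib-only RC4 routine and a parser that reads the length byte, takes that many key bytes, and decrypts the remainder, rejecting blobs whose length byte does not fit. The blob it runs on is constructed inline by encrypting a made-up configuration string under a 14-byte key (the key length seen in the post), so the host 192.0.2.10 and the field layout are placeholders, not values from the sample.

```python
def rc4(key, data):
    '''Plain RC4 (key scheduling + keystream); the same call encrypts and decrypts.'''
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xff])
    return bytes(out)


def parse_settings(blob):
    '''Split a dumped SETTINGS resource into (key, plaintext): byte 0 is the key
    length, the key follows, and everything after the key is RC4 ciphertext.'''
    if len(blob) < 2:
        raise ValueError('SETTINGS resource too short')
    klen = blob[0]
    if klen == 0 or len(blob) < 1 + klen + 1:
        raise ValueError('key length %d does not fit in a %d byte blob' % (klen, len(blob)))
    key = blob[1:1 + klen]
    return key, rc4(key, blob[1 + klen:])


# Constructed stand-in for the dumped resource: a made-up configuration string
# encrypted under a 14-byte key, built in the layout parse_settings() expects.
# 192.0.2.10 is a documentation address, not the sample's C2.
SAMPLE_KEY = b'pass14bytesKEY'
SAMPLE_CONFIG = b'192.0.2.10:2404:1|example-config|CONSTRUCTED'
SAMPLE_SETTINGS = bytes([len(SAMPLE_KEY)]) + SAMPLE_KEY + rc4(SAMPLE_KEY, SAMPLE_CONFIG)


def settings_to_text(blob, encoding='latin-1'):
    '''Decrypt and decode a SETTINGS blob, returning (key_hex, plaintext).'''
    key, plain = parse_settings(blob)
    return key.hex(), plain.decode(encoding, errors='replace')


if __name__ == '__main__':
    key_hex, text = settings_to_text(SAMPLE_SETTINGS)
    print('key   :', key_hex)
    print('config:', text)
```

Feed parse_settings() the raw bytes of the SETTINGS resource as dumped from PEStudio (or any resource extractor) and it returns the key and the decrypted configuration; the length check catches a truncated or mis-extracted resource before RC4 turns it into plausible-looking garbage.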
\r\nRemcos configs follow a fixed pattern: the first byte is the key length, followed by the key itself, followed by the RC4-encrypted data, which is the agent's configuration.\r\nOpening the configuration file in a hex editor shows that the key length here is 14 bytes (0x0E).\r\nRC4 Key length\r\nFinally, we can decrypt the configuration with CyberChef (RC4 with the extracted key) and read the C2 address.\r\nThe config file\r\nA Python script has been written to automate the config extraction and decryption.\r\nThanks for reading, I’d appreciate your comments and feedback. 😊\r\nReferences\r\nhttps://github.com/AmgdGocha/AutoIT-Remcos\r\nhttps://github.com/fossabot/myAut2Exe\r\nhttp://domoticx.com/autoit3-decompiler-exe2aut/\r\nhttp://www.thefoolonthehill.net/drupal/AutoIt%20Debugger\r\nhttps://www.autoitscript.com/forum/topic/192960-isn-autoit-studio/\r\nhttps://www.autoitscript.com/autoit3/docs/macros.htm\r\nhttps://www.autoitscript.com/autoit3/docs/functions.htm\r\nhttps://www.autoitscript.com/autoit3/docs/keywords.htm\r\nhttps://malshare.com/sample.php?action=detail\u0026hash=d7fc2b593eac64ff4a46ba9f5864d875be3cb13ec8ef0327d781c5cd1e29b4ac\r\nSource: https://medium.com/@amgedwageh/analysis-of-an-autoit-script-that-wraps-a-remcos-rat-6b5b66075b87",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@amgedwageh/analysis-of-an-autoit-script-that-wraps-a-remcos-rat-6b5b66075b87"
	],
	"report_names": [
		"analysis-of-an-autoit-script-that-wraps-a-remcos-rat-6b5b66075b87"
	],
	"threat_actors": [],
	"ts_created_at": 1775434874,
	"ts_updated_at": 1775791240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/437ec791cff4e9b1e643247f7fea12c44ce0332f.pdf",
		"text": "https://archive.orkl.eu/437ec791cff4e9b1e643247f7fea12c44ce0332f.txt",
		"img": "https://archive.orkl.eu/437ec791cff4e9b1e643247f7fea12c44ce0332f.jpg"
	}
}