{
	"id": "0dc7923f-4d57-4e3f-a642-64200832265c",
	"created_at": "2026-04-06T00:08:41.086568Z",
	"updated_at": "2026-04-10T03:21:16.762126Z",
	"deleted_at": null,
	"sha1_hash": "9d20c04e72e9f366a7a223198928a33d0f3b61ef",
	"title": "Complex obfuscation? Meh… (1/2)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4853910,
	"plain_text": "Complex obfuscation? Meh… (1/2)\r\nBy Threat Research Team\r\nArchived: 2026-04-05 20:02:26 UTC\r\nFor some time now, we’ve been monitoring a new strain of malicious programs that we are referring to as “Meh” (we will explain why later on). It all started when we came across large numbers of files with randomly generated strings at their beginning, followed by a compiled AutoIt script… and what a ride it has been since. In this blog series, we will describe how we peeled away Meh’s obfuscation and what we found thereafter.\r\nAnalysis\r\nMeh is composed of two main parts. The first part is a crypter, which we named MehCrypter, that consists of multiple stages and is distributed as a compiled AutoIt script prepended with a randomly generated string sequence. This string sequence is skipped by the AutoIt interpreter, which scans for the magic bytes that determine the file format, and so it effectively obfuscates the file without influencing its functionality.\r\nThe second part is a password stealer, called Meh. The stealer is the core of the malware and holds many functionalities. It is capable of stealing clipboard contents, keylogging, stealing cryptocurrency wallets, downloading additional files via torrents, and much more. Nearly all of its functionalities are performed in subthreads, executed from injected processes. We will focus on the password stealer in our next blog post.\r\nMehCrypter\r\nFirst and foremost, Meh is a password stealer/keylogger. But to get there, we need to chew through several layers of the MehCrypter. First, let’s take a look at a snippet of what the actual crypter looks like from a high-level view:\r\nA snippet of the MehCrypter AutoIt script\r\nThe string at the beginning of the file is randomly generated and its length varies as well. We have seen samples with several MB of data prepended in this area to samples with almost no data at all.\r\nUpon a closer look, however, the file also contains code which is actually a compiled AutoIt script which can be interpreted by the AutoIt interpreter. The interpreter is designed in such a way that it searches the entire file\r\nhttps://decoded.avast.io/janrubin/complex-obfuscation-meh/\r\nPage 1 of 6\r\ncontent until it finds the string AU3!EA06. Thus, the whole prepended string is skipped completely and serves only as a confusion technique to avoid detection.\r\nThe decompilation yields a very readable script which serves a single purpose: concatenate hard-coded hexadecimal strings, decode them, and load the resulting PE using reflective loading via a custom AutoIt PE loader.\r\nA snippet of an AutoIt PE loader\r\nNote that up to this point, the crypter is very generic and we have seen at least five different families using it so far, the best known being Agent Tesla and XMRig.\r\nMehCrypter dropper\r\nFrom the script described above, we can manually extract the binary. This binary is a very simple dropper written in Borland Delphi which makes several HTTP POST requests to the C\u0026C server in order to download three additional files:\r\nhttp://83[.]171.237.233/s2/pe.bin\r\nhttp://83[.]171.237.233/s2/base.au3\r\nhttp://83[.]171.237.233/s2/autoit.exe\r\nAfter these files are downloaded, they are saved into the C:\\testintel2\\ directory and the file base.au3 is executed (i.e. interpreted by autoit.exe). pe.bin is an encrypted Meh password stealer binary. But we will get to that later.\r\nFurthermore, the dropper also tries to clean up the environment from previous installations of the Meh password stealer, which we’ll discuss in depth in the next part of this blog series. Specifically, it attempts to terminate several processes:\r\nnotepad.exe\r\nwerfault.exe\r\nvbc.exe\r\nsysteminfo.exe\r\ncalc.exe\r\nThese processes are used by Meh for later PE injections. At this stage it also removes its installation folder C:\\programdata\\intel\\wireless.\r\nWe would like to mention one file that is also created by the Meh dropper:\r\nC:\\testintel2\\a.txt\r\nThis file contains only three bytes: meh. This was so hilarious at first glance that we decided to name the whole family Meh, including its crypter, MehCrypter.\r\nbase.au3 uses the same crypter (MehCrypter) as the original sample. However, it contains only shellcode instead of a whole PE binary. Thus, it omits the PE loader part and the shellcode is executed using the CallWindowProc API function.\r\nbase.au3 shellcode\r\nThe base.au3 shellcode has two parts. In the first part, the shellcode constructs yet another shellcode on the stack. We can see its beginning at the address 0x00000025. The second shellcode is executed later via an indirect jump.\r\nAssembly of the base.au3 shellcode with the beginning of the second shellcode\r\nThe second part is an unencrypted binary file. The MZ header starts at the address 0x0000168A.\r\nAssembly of the base.au3 shellcode with the beginning of the binary\r\nAs we might guess, the second (constructed) shellcode is in fact another PE loader that just loads and executes the hardcoded binary file. This binary is the last stage of the crypter’s envelope and is a stager for the Meh password stealer.\r\nMeh stager\r\nAfter the long journey of peeling away MehCrypter’s layers, we finally reach the Meh stager, written in Borland Delphi. This stager is the third (and final) PE loader, which decrypts the aforementioned pe.bin file using a very simple XOR cipher.\r\npe.bin decryption\r\nThe decryption function takes two inputs – a base64-encoded ciphertext and a key. Fortunately, both of these are contained in pe.bin.\r\nThe contents of the pe.bin file can look like this:\r\nThe contents of the pe.bin file with the highlighted XOR key\r\nAs can be seen in the screenshot above, there is a randomly generated string at the beginning of the file, similarly to the initial AutoIt script. After a series of random letters, however, we can see a string delimited by pipes, followed by a base64 string. These are exactly the parameters the decryption function needs. A corresponding decryptor written in Python can be found below.\r\nThe key, as shown above, is not used in this exact form. The malware replaces the first character of the key string with “a” and omits the last letter. Thus, the actual key is asUzmbiYd.\r\nAfter that, the base64 string is decoded and a one-byte key is derived from the XOR key string:\r\nThe bit-negated version of this one-byte key is then used to decrypt the content of the file. As mentioned before, the cipher is a simple XOR cipher:\r\nDue to a bad key-derivation procedure, the actual size of the key space is just 256 keys. Therefore, an analyst can brute-force the decryption key, e.g. by trying to decrypt the PE file header and looking for the MZ magic bytes.\r\nThe whole decryptor written in Python can be found here.\r\nCampaign overview\r\nThe surge of Meh and MehCrypter infections started mid-June, when we were counting several thousand infections per day. The malware is most prevalent in Spain, where Avast blocked infection attempts on more than 80,000 of our users. The second most targeted country is Argentina with more than 2,000 attacked users.\r\nMap illustrating the countries Meh has targeted from June to September 2020\r\nGraph illustrating Meh’s spread in time (hits)\r\nSummary\r\nIn this post, we looked into the MehCrypter family that is used to obfuscate many malware families circulating in the wild. One of these families is the Meh password stealer, which we will describe in detail in the next part of the series, so stay tuned!\r\nIoCs\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/janrubin/complex-obfuscation-meh/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://decoded.avast.io/janrubin/complex-obfuscation-meh/"
	],
	"report_names": [
		"complex-obfuscation-meh"
	],
	"threat_actors": [],
	"ts_created_at": 1775434121,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d20c04e72e9f366a7a223198928a33d0f3b61ef.pdf",
		"text": "https://archive.orkl.eu/9d20c04e72e9f366a7a223198928a33d0f3b61ef.txt",
		"img": "https://archive.orkl.eu/9d20c04e72e9f366a7a223198928a33d0f3b61ef.jpg"
	}
}