{"id":2929,"date":"2024-09-25T20:30:14","date_gmt":"2024-09-25T20:30:14","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2929"},"modified":"2025-07-29T06:46:27","modified_gmt":"2025-07-29T06:46:27","slug":"autoit-trojan-the-swiss-army-knife-of-malware","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/autoit-trojan-the-swiss-army-knife-of-malware\/","title":{"rendered":"AutoIT Trojan \u2013 the swiss army knife of malware"},"content":{"rendered":"
\n
\"the<\/figure>\n<\/div>\n\n\n

In its legitimate form, AutoIT is an incredibly handy automation language used for scripting Windows-based applications. In its malicious form, it is used to create malware with a variety of functionality. Once an AutoIT trojan has infected a victim’s PC, it can alter default browser settings and perform ad-injection, copy itself to USB memory sticks, delete anti-virus software, keep track of browsing activities, add unwanted extensions\/plugins, and redirect users to unknown or malicious websites.

All in all, AutoIT trojans are a nasty \u2018jack-of-all-trades\u2019 malware. Variants have been used to download further malicious software on the infected PC and even grant attackers remote access \u2013 effectively operating as a back door.

Distribution<\/strong>

Just as AutoIT trojans have various functionalities, this multi-dexterity extends to distribution techniques.

The latest variant (which we\u2019ll analyse today) has been distributed by spoofed e-mail messages, malicious links in Yahoo Messenger chats, or via malicious Java Script embedded on websites which allow remote code execution. 

As if that weren\u2019t bad enough, AutoIT also has the ability to copy itself to external or removable drives as a file called \u2018system.exe\u2019.

When successfully executed, it checks the currently running processes for the following programs:

\uf0a7    Microsoft Management Console (mmc.exe)

\uf0a7    Microsoft Restore Console (rstrui.exe)

\uf0a7    Registry Editor (regedit.exe)

\uf0a7    System Configuration utility (msconfig.exe)

\uf0a7    Task Manager (taskmgr.exe)

If any of these programs are found running, the Trojan restarts the computer.

Further, if any of the following processes are discovered, they will be terminated:

\uf0a7    cmd.exe

\uf0a7    handydriver.exe

\uf0a7    kerneldrive.exe

\uf0a7    nod32krn.exe

\uf0a7    nod32kui.exe

\uf0a7    winsystem.exe

\uf0a7    Wscript.exe

File Details<\/strong><\/p>\n\n\n\n

File Type<\/strong><\/td>Portable Executable (.exe) file<\/td><\/tr>
Md5 hash<\/strong><\/td>ec721f6f111aae46f2ede8f70e435cc4<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Static analysis\u00a0<\/strong>

The sample we\u2019re analysing has an icon showing it as a document, but when we view its header it was found to be a proper .exe sample:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Static analysis uncovered the following suspicious API calls, all of which indicate malicious properties:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

After opening the file with winrar, we found it was in fact a combination of multiple file types including document, image, and DAT:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Below are more suspicious characteristics we discovered:

<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n


Dynamic analysis\u00a0<\/strong>

After executing the sample in a dedicated malware analysis environment, we found AutoIT initiating various child processes including \u2018vwl.exe\u2019 and \u2018RegSvcs.exe\u2019:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Within a few minutes, all processes except Regsvcs.exe were killed. This process maintains a persistent connection to the IP address “213.183.40.3” over port “2001”:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Trojans commonly access this port to gain backdoor entry into victim PCs:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


Throughout the infection cycle, the following files were dropped:

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\but.xl

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\daa.dat

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\dal.ico

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\dhu.dat

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\ebf.mp4

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\ebn.mp3

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\evk.jpg

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\evk.mp3

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\fip.mp4

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\ftr.dat

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\ghk.ico

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\ghm.ppt

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\gib.dat

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\glt.icm

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\gph.ppt

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\ini

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\ixi=xob

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\jcj.bmp

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\jjb.docx

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\jpi.txt

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\jrj.mp3

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\kma.icm

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\lci.docx

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\mnb.dat

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\mto.docx

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\ngb.mp4

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\omu.bmp

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\ooc.icm

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\pjq.pdf

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\qbc.txt

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\qom.jpg

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\rlc.ppt

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\sdo.mp4

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\sug.txt

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\tnl.icm

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\tte.txt

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\twl.ppt

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\ukj.mp3

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\uko.txt

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\unm.mp3

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\ute.docx

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\vwl.exe (md5: 71d8f6d5dc35517275bc38ebcc815f9f)

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\wux.bmp

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\wxl.pdf

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\xxh.ppt

The following folders were created:

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Roaming\\remcos

And the following registries were added in order to maintain persistence:

\u2022\u00a0\u00a0 \u00a0HKU\\S-1-5-21-3006570754-2424674848-4088610848-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\f: “C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\\\1”

\u2022\u00a0\u00a0 \u00a0HKU\\S-1-5-21-3006570754-2424674848-4088610848-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate: “C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\vwl.exe C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\IXI_XO~1”

Command and control<\/strong>

External connection to \u201c213.183.40.3:2001\u201d.

Indicators of compromise<\/strong>

Malware executable: ec721f6f111aae46f2ede8f70e435cc4

Vwl.exe: 71d8f6d5dc35517275bc38ebcc815f9f

IP address: 213.183.40.3

Registry values added:

\u2022\u00a0\u00a0 \u00a0HKU\\S-1-5-21-3006570754-2424674848-4088610848-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\f: “C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\\\1”

\u2022\u00a0\u00a0 \u00a0HKU\\S-1-5-21-3006570754-2424674848-4088610848-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate: “C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\vwl.exe C:\\Users\\<user-name>\\AppData\\Local\\Temp\\77923311\\IXI_XO~1”

Mitigation\/protection<\/strong>

If you\u2019re unlucky enough to fall victim to AutoIT trojan, the below steps will remove the malware:

\u2022\u00a0\u00a0 \u00a0Reboot your system into Safe Mode with Networking;

\u2022\u00a0\u00a0 \u00a0Enter the following registry areas;

o\u00a0\u00a0 \u00a0[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\

o\u00a0\u00a0 \u00a0[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\

o\u00a0\u00a0 \u00a0[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\

\u2022\u00a0\u00a0 \u00a0Check for the display name “backgroundcontainer” and delete it

\u2022\u00a0\u00a0 \u00a0Go to the location: C:\\Users\\{username}\\AppData\\Local and delete the folder “uqgtmedia”\u00a0

\u2022\u00a0\u00a0 \u00a0Open the file C:\\Windows\\System32\\drivers\\etc\\hosts and remove any suspicious IP or domain belonging to some malware or ransomware

\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"

In its legitimate form, AutoIT is an incredibly handy automation language used for scripting Windows-based applications. In its malicious form, it is used to create malware with a variety of functionality. Once an AutoIT trojan has infected a victim’s PC, it can alter default browser settings and perform ad-injection, copy itself to USB memory sticks, […]<\/p>\n","protected":false},"author":1,"featured_media":2941,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2929","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2929","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2929"}],"version-history":[{"count":5,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2929\/revisions"}],"predecessor-version":[{"id":4343,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2929\/revisions\/4343"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2941"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2929"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2929"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2929"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}