During a recent engagement, the LIFARS DFIR Team discovered a sample of rare malware that uses some uncommon techniques.
It turned out that this malware was written entirely as an AutoIt script, then obfuscated and compiled into an executable.
Usual methods of malware analysis, such as behavioral analysis, did not work very well for this sample. Because knowledge of the malware's capabilities was crucial to answering our client's questions, we proceeded with reverse engineering it. This process included developing a custom AutoIt deobfuscator tailored to this malware, combined with continued manual analysis.
We found that this malware is based on Qulab Stealer and Clipper and refers to itself as QuilClipper, a tool for stealing credentials, browser history, and cookies that can also replace the contents of the clipboard, in particular the addresses of cryptocurrency wallets. In this case, however, the analyzed sample of QuilClipper uses only a small portion of its features and capabilities...
Download Clipper AutoIt v2 – QUILCLIPPER AutoIt Malware Case Study