{"id":17988,"date":"2012-08-28T11:20:36","date_gmt":"2012-08-28T18:20:36","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=17988"},"modified":"2025-05-27T22:41:50","modified_gmt":"2025-05-28T05:41:50","slug":"autoit-and-malware-whats-the-connection","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/autoit-and-malware-whats-the-connection\/","title":{"rendered":"AutoIt and Malware: What&#8217;s the Connection?"},"content":{"rendered":"<p>During the last couple of weeks I&#8217;ve come across three malware samples packed using compiled AutoIt scripts, so I decided to explore the connection between AutoIt and the malware\u00a0world. I took the latest 50 samples marked as AutoIt that were submitted to the free scanning site <a href=\"https:\/\/www.virustotal.com\/\">VirusTotal<\/a>.<\/p>\n<p>Here are the statistics:<\/p>\n<ul>\n<li>11 wrongly\u00a0classified as malware. Four are RAR executables, two are packed with UPX (Ultimate Packer for eXecutables)<\/li>\n<li>36 AutoIt executables<\/li>\n<li>2 AutoIt scripts<\/li>\n<li>1 too well packed for me to easily see if it is AutoIt related<\/li>\n<\/ul>\n<p>Around 20 of the samples were packed with UPX. (When using AutoIt3Wrapper, UPX\u00a0compression\u00a0is on by default.)<\/p>\n<p>After unpacking the UPX (when needed) and filtering the AutoIt\u00a0executables, I used myAut2Exe, an open-source AutoIt decompiler. One nice thing about\u00a0myAut2Exe is that you can run it with command-line arguments from a script. I found a number of common AutoIt scripts used to pack or drop different malware and a\u00a0couple of full-blown malware programs written\u00a0entirely\u00a0in AutoIt.<\/p>\n<h2><span style=\"text-decoration: underline;\"><strong>Common Types:<\/strong><\/span><\/h2>\n<ul>\n<li>7 samples were packed using an obfuscated script that uses x86 code to decode its payload using a buffer and a password, which are\u00a0passed\u00a0as parameters.
The x86 code is stored as a byte array in the AutoIt script. After decryption, another process of the malware executable is created in a suspended state: The script replaces the segments with the decrypted executable, patches the main thread context, and resumes the thread. The encrypted executable is concatenated to the end of the executable.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-1.png\" rel=\"attachment wp-att-18203\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18203\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-1.png\" alt=\"\" width=\"1024\" height=\"371\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-1.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-1-300x108.png 300w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>The reconstructed C code of the decrypt function can be seen\u00a0<a href=\"http:\/\/pastebin.com\/rHL1Gt4T\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/p>\n<ul>\n<li>5 samples were packed using\u00a0<a href=\"https:\/\/razorsoft.bigcartel.com\/product\/razorcrypt\" target=\"_blank\" rel=\"noopener noreferrer\">RazorCrypt<\/a>, an obfuscated script that uses the Microsoft Cryptography API to encrypt its payload. In this case, too, another process of the malware executable is created in a suspended state: The script replaces the segments with the decrypted executable, patches the main thread context, and resumes the thread.
The encrypted executable is saved as an AutoIt script attachment and is dropped to disk before decryption and deleted after running the process.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-3.png\" rel=\"attachment wp-att-18205\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-18205 alignnone\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-3.png\" alt=\"\" width=\"1024\" height=\"202\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-3.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-3-300x59.png 300w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>The reconstructed C code of the decrypt function can be seen\u00a0<a href=\"http:\/\/pastebin.com\/txxhCK1V\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/p>\n<ul>\n<li>5 samples used the utility BaSupportVNC, a legitimate tool. I&#8217;m not sure whether it was caught by mistake or was part of some hacking activity. The tool was written by Biesbroeck Automation of the\u00a0Netherlands.<\/li>\n<li>2 samples contained AutoIt worms capable of\u00a0spreading through removable media and Windows shares. They can download malware and send instant messages.<\/li>\n<li>1 sample installed itself and a\u00a0Bitcoin miner to make money for the originator.<\/li>\n<li>1 sample was an AutoIt-written malware that\u00a0communicates\u00a0over TCP with a control server. The script is obfuscated using\u00a0Obfuscator.<\/li>\n<li>1 sample was an AutoIt-written malware that\u00a0communicates with a control server using the WinHttp.WinHttpRequest.5.1 object. It is also obfuscated with Obfuscator.<\/li>\n<li>I&#8217;ve saved the best for last: When running myAut2Exe on the final sample, the process creates a very small file containing\u00a0the string\u00a0&#8220;Hacker.
Nice try, but Wrong :).&#8221; When looking in the file with a hex editor, I noticed (as expected) a\u00a0second small compiled AutoIt script concatenated to the end of the executable. By deleting this section and rerunning the decompiler, I got the &#8220;real&#8221; script and a few payloads.\u00a0The\u00a0script\u00a0drops an autoextracting RAR file that contains two executables and a resource directory. One of the executables looks like a patcher\/crack for a game; the other is another AutoIt dropper using the same two-scripts technique. This dropper drops two files; again, one of them is an AutoIt dropper using the same two-scripts technique, and it also drops the same file that was dropped\u00a0previously. The last\u00a0two AutoIt\u00a0scripts\u00a0contain a lot of functionality, including a GUI and x86 shellcode. The scripts&#8217; messages and comments are in Turkish.<\/li>\n<\/ul>\n<h2><strong><span style=\"text-decoration: underline;\">Conclusions<\/span><\/strong><\/h2>\n<div style=\"padding-left: 10px;\"><span style=\"text-decoration: underline;\"><strong>For malware developers:<\/strong><\/span><\/div>\n<div>\n<ul>\n<li>AutoIt is a very convenient\u00a0environment\u00a0for malware and tool development<\/li>\n<li>AutoIt allows both easy\u00a0interface creation for rapid development and full Windows API access for whatever is not supported directly<\/li>\n<li>The output is a single executable, with no\u00a0dependencies, that contains a script and attached binaries<\/li>\n<li>AutoIt is very easy to obfuscate. It supports the Execute() function, which lets a code writer use string manipulations and\u00a0run the resulting string as part of the script.<\/li>\n<\/ul>\n<\/div>\n<div style=\"padding-left: 10px;\"><span style=\"text-decoration: underline;\"><strong>For us:<\/strong><\/span><\/div>\n<div>\n<ul>\n<li>AutoIt is easy to decompile.
Even with the\u00a0multiple scripts example, the open-source decompiler can easily be extended to support\u00a0multiple scripts.<\/li>\n<li>Most obfuscation techniques can be overcome using a short script.<\/li>\n<li>Because AutoIt is a scripting\u00a0language, after deobfuscation we end up with a script with a lot of\u00a0meaningful strings that can be\u00a0reverse-engineered easily (with AutoIt functions and the Windows API in clear text).<\/li>\n<\/ul>\n<\/div>\n<div><span style=\"text-decoration: underline;\"><strong>Python scripts from the research:<\/strong><\/span><\/div>\n<div>\n<ul>\n<li><a href=\"http:\/\/pastebin.com\/d6fQRHum\" target=\"_blank\" rel=\"noopener noreferrer\">Restore Strings<\/a>: A common method of simple AutoIt obfuscation uses a binary hex string instead of clear text. The Execute(BinaryToString(&#8220;0x2030783130303037&#8221;)) script converts them back to strings.<\/li>\n<li><a href=\"http:\/\/pastebin.com\/SpteGQKR\" target=\"_blank\" rel=\"noopener noreferrer\">AutoIt Deobfuscator<\/a>: AutoIt Obfuscator moves the strings from a script to a table in a\u00a0separate\u00a0file. The file&#8217;s content\u00a0is loaded into a table.
Then the script runs and loads strings from the table to variables at each function.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-4.png\" rel=\"attachment wp-att-18206\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18206\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-4.png\" alt=\"\" width=\"1024\" height=\"248\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-4.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-4-300x72.png 300w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>During the last couple of weeks I&#8217;ve come across three malware samples packed using compiled AutoIt scripts, so I decided&#8230;<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[180],"coauthors":[3973],"class_list":["post-17988","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>AutoIt and Malware: What&#039;s the Connection? | McAfee Blog<\/title>\n<meta name=\"description\" content=\"During the last couple of weeks I&#039;ve come across three malware samples packed using compiled AutoIt scripts, so I decided to explore the connection\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"AutoIt and Malware: What&#039;s the Connection? 
| McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"During the last couple of weeks I&#039;ve come across three malware samples packed using compiled AutoIt scripts, so I decided to explore the connection\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/autoit-and-malware-whats-the-connection\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2012-08-28T18:20:36+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-28T05:41:50+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"371\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/autoit-and-malware-whats-the-connection\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/autoit-and-malware-whats-the-connection\/\"},\"author\":{\"name\":\"McAfee\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\"},\"headline\":\"AutoIt and Malware: What&#8217;s the Connection?\",\"datePublished\":\"2012-08-28T18:20:36+00:00\",\"dateModified\":\"2025-05-28T05:41:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/autoit-and-malware-whats-the-connection\/\"},\"wordCount\":852,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/autoit-and-malware-whats-the-connection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-1.png\",\"keywords\":[\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/autoit-and-malware-whats-the-connection\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/autoit-and-malware-whats-the-connection\/\",\"name\":\"AutoIt and Malware: What's the Connection? 
| McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/autoit-and-malware-whats-the-connection\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/autoit-and-malware-whats-the-connection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-1.png\",\"datePublished\":\"2012-08-28T18:20:36+00:00\",\"dateModified\":\"2025-05-28T05:41:50+00:00\",\"description\":\"During the last couple of weeks I've come across three malware samples packed using compiled AutoIt scripts, so I decided to explore the connection\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/autoit-and-malware-whats-the-connection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/autoit-and-malware-whats-the-connection\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/autoit-and-malware-whats-the-connection\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-1.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/08\/AutoIt-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/autoit-and-malware-whats-the-connection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee 
Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"AutoIt and Malware: What&#8217;s the Connection?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\",\"name\":\"McAfee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/w
p-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"caption\":\"McAfee\"},\"description\":\"We're here to make life online safe and enjoyable for everyone.\",\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/x.com\/McAfee\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/17988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=17988"}],"version-history":[{"count":6,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/17988\/revisions"}],"predecessor-version":[{"id":214563,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/17988\/revisions\/214563"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=17988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=17988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=17988"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=17988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}