
AutoIt Compiled Script

Bundling malware inside a compiled AutoIt executable, where the interpreter stub carries the obfuscated script and payload as appended resources.

AutoIt is a legitimate Windows scripting language whose Aut2Exe compiler bundles a script with a copy of the AutoIt interpreter into a standalone .exe. The result is a normal-looking PE whose own code is just the interpreter; the actual logic lives in a compressed, lightly obfuscated script appended inside the file. RAT families such as DarkComet, Remcos, and AsyncRAT are routinely delivered this way because the malicious behaviour never appears in the PE's instructions.

At runtime the interpreter locates the embedded script, decompresses it, and executes it. The script typically allocates memory, decodes a shellcode or PE blob carried as an AutoIt string or FileInstall resource, and runs it — often via process hollowing — so the payload only exists in memory after the script runs.

How it works

A compiled AutoIt file marks the embedded script region with the signature AU3!EA06 (or the older EA05), followed by the compressed and checksum-wrapped script bytes. The interpreter scans for that marker and inflates the script:

```text
Compiled AutoIt (.exe) layout
+----------------------------+ offset 0
| PE headers                 |
+----------------------------+
| AutoIt interpreter (.text) |  generic stub, identical across samples
+----------------------------+
| resources / appended data  |
|   "AU3!EA06" magic         |  marks start of embedded script
|   [compressed script]      |  LZSS/MT-obfuscated AutoIt source
|   [checksum]               |
+----------------------------+
```

The decompressed script usually decodes and runs a binary payload:

```text
; deobfuscated AutoIt script (conceptual)
$payload = BinaryDecode($obfuscated_blob)   ; recover shellcode / PE
$mem     = DllStructCreate("byte[" & ...)    ; allocate executable buffer
DllCall("kernel32.dll", "ptr", "VirtualAlloc", ...)
; copy $payload into RWX memory, then transfer execution (hollowing)
```

Detection & analysis

Static analysis: Search the file for the AU3!EA06/AU3!EA05 magic and the characteristic AutoIt strings (>>>AUTOIT SCRIPT<<<, AutoIt v3); extractors such as Exe2Aut, myAut2Exe, and UN-PACKER recover the original script for review. A large appended region after the interpreter's sections that shows high entropy (~7.7 bits/byte) points to the compressed script and embedded payload.
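A static triage check for the markers described here and under "How it works", added as an example that is not part of this page: it scans a buffer for the AU3!EA06/AU3!EA05 magic and the >>>AUTOIT SCRIPT<<< string and measures the entropy of the bytes following each hit. The sample buffer is constructed rather than a real binary, and the 4 KiB window and 7.0-bit threshold are assumptions.

```python
import hashlib
import math
import re

# Markers named in the text: the script-region magic (two versions) and
# the characteristic string carried by the interpreter stub.
MARKERS = (b"AU3!EA06", b"AU3!EA05", b">>>AUTOIT SCRIPT<<<")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed or encrypted data, low for code/text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan_autoit(data: bytes, window: int = 4096) -> list:
    """One record per marker hit: marker, offset, and the entropy of the
    `window` bytes after it (where the compressed script/payload would sit)."""
    hits = []
    for marker in MARKERS:
        for m in re.finditer(re.escape(marker), data):
            region = data[m.end():m.end() + window]
            hits.append({"marker": marker.decode(), "offset": m.start(),
                         "entropy_after": round(shannon_entropy(region), 2)})
    return sorted(hits, key=lambda h: h["offset"])

def is_suspicious(hits: list, threshold: float = 7.0) -> bool:
    """Flag when a script magic is present AND what follows looks compressed.
    The threshold is an assumption chosen to sit below the ~7.7 cited above."""
    return any(h["marker"].startswith("AU3!") and h["entropy_after"] >= threshold
               for h in hits)

def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for the compressed script."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed sample, not a real binary: low-entropy "stub" bytes, then the
# script magic, then 4 KiB of compressed-looking data.
SAMPLE = (b"MZ" + b"\x00" * 2048 + b"interpreter stub text\x00" * 20
          + b"AU3!EA06" + _pseudo_random(4096))
```

Running `scan_autoit` over a real sample reports each marker's file offset, which is also where an extractor such as Exe2Aut would begin its work.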

Dynamic analysis: Run the sample in a sandbox; some interpreter versions write the decompressed script to a temp file, so monitor %TEMP% and set breakpoints on VirtualAlloc/WriteProcessMemory/CreateProcessW to capture the in-memory payload as the script decodes and injects it. Dump the RWX buffer after the decode routine to obtain the real shellcode or PE.

Detection rule hint: Flag PE files carrying the AU3!EA06 signature or the >>>AUTOIT SCRIPT<<< marker together with runtime memory allocation and process injection calls — a pattern common to AutoIt-wrapped RATs and rare in benign automation scripts, which seldom allocate RWX memory and hollow other processes.
