Decrypting MalwareBytes .quar files

November 8, 2015 in Forensic Analysis

A few years ago I developed a script to decrypt .quar files created by MalwareBytes. Since the decryption routine was different from a typical XOR, I was not sure how MalwareBytes would react – I asked them for permission to release the code publicly for the benefit of the DFIR/RCE community, but unfortunately they refused at that time.

Since I posted info about my script on one of the DFIR forums, I have been asked many times by many researchers to share the script with them privately.

Today I noticed that the cat is out of the bag: the code for decrypting .quar files has already been made public by someone else here.

The script actually covers many other quarantine file formats as well, which is awesome.

Great work by the Optiv guys.

Let’s hope that code for all types of quarantine files will eventually be made public.

Update

Since some people asked, here is a short Perl script for decrypting .quar files:

use strict;
use warnings;
use Crypt::RC4;
use Digest::MD5 qw(md5);

# Read the whole .quar file as raw bytes
my $f = shift || die("Gimme a file name!\n");
open(my $in, '<', $f) or die("Cannot open $f: $!\n");
binmode $in;
read($in, my $data, -s $f);
close $in;

# The RC4 key is the raw MD5 digest of a fixed string; RC4 is symmetric,
# so the same call decrypts the quarantined content
my $rc4 = Crypt::RC4->new( md5('XBXM8362QIXD9+637HCB02/VN0JF6Z3)cB9UFZMdF3I.*c.,c5SbO7)WNZ8CY1(XMUDb') );
my $newdata = $rc4->RC4( $data );

# Write the decrypted file next to the original with a .out suffix
open(my $out, '>', "$f.out") or die("Cannot write $f.out: $!\n");
binmode $out;
print $out $newdata;
close $out;
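As an added example (not the author's script), the same scheme in Python with RC4 written out so the key schedule and keystream steps are visible; only the key seed is taken from the page, the sample data used for checking is constructed, and the `.out` output name mirrors the Perl script.

```python
import hashlib
import sys

# Fixed key seed used by MalwareBytes .quar files (taken from the page's Perl script)
QUAR_KEY_SEED = b'XBXM8362QIXD9+637HCB02/VN0JF6Z3)cB9UFZMdF3I.*c.,c5SbO7)WNZ8CY1(XMUDb'


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 implemented inline (the stdlib has none). The same call encrypts and decrypts."""
    # Key-scheduling algorithm: permute S using the key bytes
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation: XOR each input byte with the next keystream byte
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def quar_key() -> bytes:
    """The RC4 key is the raw 16-byte MD5 digest of the fixed seed, as in the Perl script."""
    return hashlib.md5(QUAR_KEY_SEED).digest()


def decrypt_quar(blob: bytes) -> bytes:
    """Recover the original quarantined file contents from a .quar blob."""
    return rc4(quar_key(), blob)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check for the common case: most quarantined samples are PE files ('MZ' header)."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    # Usage: python quar_decrypt.py sample.quar  -> writes sample.quar.out
    path = sys.argv[1]
    with open(path, "rb") as fh:
        plain = decrypt_quar(fh.read())
    with open(path + ".out", "wb") as fh:
        fh.write(plain)
    print(f"{path}: {len(plain)} bytes written, PE header: {looks_like_pe(plain)}")
```

Because RC4 is symmetric, encrypting a known plaintext with `quar_key()` and decrypting it again is a quick self-check of the implementation before running it on real quarantine files.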
