A few years ago I developed script to decrypt .quar files created by MalwareBytes. Since the decryption routine was different from a typical xor I was not sure how the MalwareBytes will react – I asked them for a permission to release the code publicly for the benefit of the DFIR\/RCE community, but unfortunately, they refused at that time.<\/p>\n
Since I posted info about my script on one of the DFIR forums I have been asked many times by many researchers to share the script with them privately.<\/p>\n
Today I noticed that the cat is out of the bag and the code for decrypting .quar files was already made public by someone else here<\/a>.<\/p>\n The script is actually covering many other quarantine files as well which is awesome.<\/p>\n Great work by the Optiv guys.<\/p>\n Let’s hope that code for all types of Quarantine files will eventually be made public.<\/p>\n Update<\/strong><\/p>\n Since some people asked, here is a short perl script for decrypting .quar files:<\/p>\n A few years ago I developed script to decrypt .quar files created by MalwareBytes. Since the decryption routine was different from a typical xor I was not sure how the MalwareBytes will react – I asked them for a permission … Continue reading use strict;\r\nuse warnings;\r\nuse Crypt::RC4;\r\nuse Digest::MD5 qw (md5 );\r\n\r\nmy $f=shift || die (\"Gimme a file name!\\n\");\r\nopen F,\"<$f\";\r\nbinmode F;\r\nread F,my $data,-s $f;\r\nclose F;\r\n\r\nmy $rc4 = Crypt::RC4->new( md5 ('XBXM8362QIXD9+637HCB02\/VN0JF6Z3)cB9UFZMdF3I.*c.,c5SbO7)WNZ8CY1(XMUDb') );\r\nmy $newdata = $rc4->RC4( $data );\r\n\r\nopen F,\">$f.out\";\r\nbinmode F;\r\nprint F $newdata;\r\nclose F;<\/pre>\n","protected":false},"excerpt":{"rendered":"