type: concept
confidence: high
created: 2026-05-27
updated: 2026-05-27
tags: obfuscation, evasion, script, malware-family

AutoIt Compiled Script Dropper

Malware delivered as a compiled AutoIt3 script (a .a3x file, or an .exe produced by the AutoIt compiler). The script is executed by the AutoIt3 interpreter, which provides a Turing-complete scripting environment with direct Win32 API access while evading traditional static analysis.

Pattern Definition

  1. Interpreter: AutoIt3.exe (legitimate, signed by AutoIt Consulting Ltd).
  2. Script: .a3x file — a compiled AutoIt script, not plain text.
  3. Execution: AutoIt3.exe script.a3x
  4. Obfuscation: The .a3x format is binary and does not yield readable strings with standard tools. Decompilation requires Exe2Aut, MyAut2Exe, or similar tools.

Variants

  • Single-file dropper: SFX bundles AutoIt3.exe + .a3x. Seen in asgardprotector.
  • Standalone compiled .exe: AutoIt script compiled to a single PE with the interpreter embedded. This variant does not need an external AutoIt3.exe.

Defensive Detection

  • AutoIt3.exe spawning from unusual parent paths (%TEMP%, Downloads).
  • .a3x files written to disk followed by AutoIt3.exe execution.
  • AutoIt scripts performing suspicious API calls (file write to startup, registry Run key, network connect).
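
The first two detection bullets, turned into a small correlation over constructed Sysmon-style process-create and file-create events. This is an added example, not part of the original note; the Event field names, directory list and sample paths are assumptions made for the illustration.

```python
# Added example (not from the original note): detect AutoIt3.exe launched from a
# staging path, and a .a3x written to disk then executed. Fields/paths are made up.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories the note calls unusual for an AutoIt3.exe launch (%TEMP%, Downloads).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")

@dataclass
class Event:
    kind: str            # "process" (process create) or "file" (file create)
    image: str           # image path of the acting process
    parent: str = ""     # parent image path (process events)
    cmdline: str = ""    # command line (process events)
    target: str = ""     # file path written (file events)

def in_staging_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in STAGING_DIRS)

def is_autoit3(image: str) -> bool:
    # Match on the image name: the binary is legitimate and signed, so a valid
    # signature is not a reason to exclude it from the rule.
    return PureWindowsPath(image).name.lower() == "autoit3.exe"

def detect(events: list[Event]) -> list[tuple[str, str]]:
    """Return (rule, evidence) pairs for the two indicators in the note."""
    alerts = []
    dropped_a3x = set()  # basenames of .a3x files seen written so far
    for ev in events:
        if ev.kind == "file" and ev.target.lower().endswith(".a3x"):
            dropped_a3x.add(PureWindowsPath(ev.target).name.lower())
        elif ev.kind == "process" and is_autoit3(ev.image):
            if in_staging_dir(ev.image) or in_staging_dir(ev.parent):
                alerts.append(("autoit3_from_staging_path", ev.image))
            cmd = ev.cmdline.lower()
            for name in dropped_a3x:
                if name in cmd:
                    alerts.append(("a3x_written_then_executed", name))
    return alerts

# Constructed sample: one benign developer run, then an SFX-style drop-and-run.
SAMPLE_EVENTS = [
    Event("process", r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
          parent=r"C:\Windows\explorer.exe", cmdline=r"AutoIt3.exe C:\dev\tool.au3"),
    Event("file", r"C:\Users\u\Downloads\invoice.exe",
          target=r"C:\Users\u\AppData\Local\Temp\sfx\script.a3x"),
    Event("process", r"C:\Users\u\AppData\Local\Temp\sfx\AutoIt3.exe",
          parent=r"C:\Users\u\Downloads\invoice.exe", cmdline=r"AutoIt3.exe script.a3x"),
]
```

Running `detect(SAMPLE_EVENTS)` yields no alert for the developer run and both alerts for the Temp-staged interpreter executing the dropped script.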

Cross-References