(internal) autoit file limitation

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: (internal) autoit file limitation
    # capa will detect dozens of capabilities for AutoIt samples,
    # but these are due to the AutoIt runtime, not the payload script.
    # so, don't confuse the user with FP matches - bail instead
    namespace: internal/limitation/file
    authors:
      - william.ballenthin@mandiant.com
    description: |
      This sample appears to be compiled with AutoIt.

      AutoIt is a freeware BASIC-like scripting language designed for automating the Windows GUI.
      capa cannot handle AutoIt scripts. This means that the results will be misleading or incomplete.
      You may have to analyze the file manually, using a tool like the AutoIt decompiler MyAut2Exe.
    scopes:
      static: file
      dynamic: file
    examples:
      - 55D77AB16377A8A314982F723FCC6FAE
  features:
    - or:
      - match: compiler/autoit

last edited: 2023-11-24 10:34:28