Decrypting MalwareBytes Quarantine Files with Python
MalwareBytes will rename malicious files found during a virus scan to a GUID (e.g. 403dab27-42d6-40e4-8a8b-f4eb4a3ffe82) with a .quar extension. These files are encrypted using ARC4 (also known as RC4) stream cipher.
Update (2022): MalwareBytes has updated their encryption key. The methods below using the old 68-character key no longer work with current versions. See the Updated Method section below for the current working solution. Thanks to malexmave for reporting this and providing the updated key!
Original Method (Historical)
To decrypt these files, I looked online to see what was already available. I found this blog post, which included a Perl script to decrypt. Not being a fan of Perl, I decided to roll my own using Python. Below is what I came up with:
import sys, os
from arc4 import ARC4
import hashlib
if len(sys.argv) < 2:
print("You must include a .quar file to decrypt!")
sys.exit(1)
with open(sys.argv[1], "rb") as encrypted_file:
arc4 = ARC4( hashlib.md5('XBXM8362QIXD9+637HCB02/VN0JF6Z3)cB9UFZMdF3I.*c.,c5SbO7)WNZ8CY1(XMUDb'.encode('utf-8')).digest() )
decrypted = arc4.decrypt(encrypted_file.read())
with open( sys.argv[1]+".decrypted", "wb") as decrypted_file:
decrypted_file.write(decrypted)
decrypted_file.close()
This script does have a dependency of the arc4 Python library (pip3 install arc4), but it works and produces files with the same hash as the Perl script on the reference blog post.
The blog post also links to a Python file in the Cuckoo sandbox that is capable of decrypting MalwareBytes .quar files. This is great, because we can utilize some of their code as it’s already in Python! You can find the original file here and their GPL license file here. I took snippets of their code, updated them for Python3, and then modified it slightly to work the same as the previous script:
import hashlib
import sys, os
if len(sys.argv) < 2:
print("You must include a .quar file to decrypt!")
sys.exit(1)
def rc4_decrypt(sbox, data):
out = bytearray(len(data))
i = 0
j = 0
for k in range(len(data)):
i = (i + 1) % 256
j = (j + sbox[i]) % 256
tmp = sbox[i]
sbox[i] = sbox[j]
sbox[j] = tmp
val = sbox[(sbox[i] + sbox[j]) % 256]
out[k] = val ^ data[k]
return out
def mbam_ksa():
# hardcoded key obtained from mbamcore.dll
m = hashlib.md5()
m.update("XBXM8362QIXD9+637HCB02/VN0JF6Z3)cB9UFZMdF3I.*c.,c5SbO7)WNZ8CY1(XMUDb".encode('utf-8'))
key = bytearray(m.digest())
sbox = list(range(256))
j = 0
for i in range(256):
j = (j + sbox[i] + key[i % len(key)]) % 256
tmp = sbox[i]
sbox[i] = sbox[j]
sbox[j] = tmp
return sbox
def mbam_unquarantine(f):
with open(f, "rb") as quarfile:
data = bytearray(quarfile.read())
sbox = mbam_ksa()
outdata = rc4_decrypt(sbox, data)
return outdata
def main():
MBAMDequarantineFile = mbam_unquarantine(sys.argv[1])
with open( sys.argv[1]+".decrypted2", "wb") as decrypted_file:
decrypted_file.write(MBAMDequarantineFile)
decrypted_file.close()
main()
While this script is much longer and does the exact same thing as the other one, it does not need the arc4 Python library to run.
Updated Method (2022)
As reported by malexmave in issue #6, MalwareBytes has updated their encryption key. The old 68-character key no longer works with current versions of MalwareBytes.
New Encryption Key
The current working encryption key is a 16-byte array:
bytes([0x03, 0x7a, 0x55, 0xc5, 0xdf, 0x39, 0xd2, 0x89, 0x7f, 0xef, 0x88, 0x3d, 0xc0, 0x47, 0xb3, 0x17])
Updated Python Script
Here’s the updated script using the new key:
import sys
from arc4 import ARC4
if len(sys.argv) < 2:
print("You must include a .quar file to decrypt!")
sys.exit(1)
# Updated encryption key for current MalwareBytes versions
key = bytes([0x03, 0x7a, 0x55, 0xc5, 0xdf, 0x39, 0xd2, 0x89,
0x7f, 0xef, 0x88, 0x3d, 0xc0, 0x47, 0xb3, 0x17])
with open(sys.argv[1], "rb") as encrypted_file:
arc4 = ARC4(key)
decrypted = arc4.decrypt(encrypted_file.read())
with open(sys.argv[1] + ".decrypted", "wb") as decrypted_file:
decrypted_file.write(decrypted)
print(f"Decrypted file saved as: {sys.argv[1]}.decrypted")
This script requires the arc4 Python library: pip3 install arc4
Alternative: No External Dependencies
If you prefer not to use external libraries, here’s a version with the ARC4 implementation included:
import sys
if len(sys.argv) < 2:
print("You must include a .quar file to decrypt!")
sys.exit(1)
def rc4_decrypt(key, data):
"""ARC4 decryption implementation"""
# Key-scheduling algorithm (KSA)
sbox = list(range(256))
j = 0
for i in range(256):
j = (j + sbox[i] + key[i % len(key)]) % 256
sbox[i], sbox[j] = sbox[j], sbox[i]
# Pseudo-random generation algorithm (PRGA)
out = bytearray(len(data))
i = j = 0
for k in range(len(data)):
i = (i + 1) % 256
j = (j + sbox[i]) % 256
sbox[i], sbox[j] = sbox[j], sbox[i]
val = sbox[(sbox[i] + sbox[j]) % 256]
out[k] = val ^ data[k]
return out
# Updated encryption key for current MalwareBytes versions
key = bytes([0x03, 0x7a, 0x55, 0xc5, 0xdf, 0x39, 0xd2, 0x89,
0x7f, 0xef, 0x88, 0x3d, 0xc0, 0x47, 0xb3, 0x17])
with open(sys.argv[1], "rb") as quarfile:
encrypted_data = bytearray(quarfile.read())
decrypted_data = rc4_decrypt(key, encrypted_data)
with open(sys.argv[1] + ".decrypted", "wb") as decrypted_file:
decrypted_file.write(decrypted_data)
print(f"Decrypted file saved as: {sys.argv[1]}.decrypted")
Additional Resources
For more advanced use cases, check out the Maldump project by NUKIB, which also includes updated MalwareBytes quarantine file decryption capabilities.
Credits
- Original research: Hexacorn Blog
- Updated encryption key: malexmave
- Cuckoo Sandbox quarantine module: Cuckoo Modified
Enjoy!