MalwareBytes renames malicious files found during a scan to a GUID (e.g. 403dab27-42d6-40e4-8a8b-f4eb4a3ffe82) with a .quar extension. These files are encrypted with RC4; the RC4 key is derived from a long, hard-coded 68-character string (the scripts below take its MD5 digest as the key).

To decrypt these files, I looked online to see what was already available. I found this blog post, which included a Perl script to decrypt. Not being a fan of Perl, I decided to roll my own using Python. Below is what I came up with:

import sys
import hashlib
from arc4 import ARC4

if len(sys.argv) < 2:
    print("You must include a .quar file to decrypt!")
    sys.exit(1)

# Hard-coded key string; the actual RC4 key is its 16-byte MD5 digest
KEY_STRING = 'XBXM8362QIXD9+637HCB02/VN0JF6Z3)cB9UFZMdF3I.*c.,c5SbO7)WNZ8CY1(XMUDb'

with open(sys.argv[1], "rb") as encrypted_file:
    arc4 = ARC4(hashlib.md5(KEY_STRING.encode('utf-8')).digest())
    decrypted = arc4.decrypt(encrypted_file.read())

# The with-block closes the file, so no explicit close() is needed
with open(sys.argv[1] + ".decrypted", "wb") as decrypted_file:
    decrypted_file.write(decrypted)

This script depends on the arc4 Python library (pip3 install arc4), but it works and produces output files with the same hash as the Perl script from the referenced blog post.

The blog post also links to a Python file in the Cuckoo sandbox that is capable of decrypting MalwareBytes .quar files. This is great, because we can reuse some of their code, since it's already in Python! You can find the original file here and their GPL license file here. I took snippets of their code, updated them for Python 3, and then modified them slightly to work the same way as the previous script:

import hashlib
import sys

if len(sys.argv) < 2:
    print("You must include a .quar file to decrypt!")
    sys.exit(1)

def rc4_decrypt(sbox, data):
    # RC4 pseudo-random generation: walk the S-box and XOR the keystream into the data
    out = bytearray(len(data))
    i = 0
    j = 0
    for k in range(len(data)):
        i = (i + 1) % 256
        j = (j + sbox[i]) % 256
        tmp = sbox[i]
        sbox[i] = sbox[j]
        sbox[j] = tmp
        val = sbox[(sbox[i] + sbox[j]) % 256]
        out[k] = val ^ data[k]

    return out

def mbam_ksa():
    # hardcoded key obtained from mbamcore.dll; the RC4 key is its MD5 digest
    m = hashlib.md5()
    m.update("XBXM8362QIXD9+637HCB02/VN0JF6Z3)cB9UFZMdF3I.*c.,c5SbO7)WNZ8CY1(XMUDb".encode('utf-8'))
    key = bytearray(m.digest())
    # RC4 key-scheduling algorithm: permute the S-box using the key bytes
    sbox = list(range(256))
    j = 0
    for i in range(256):
        j = (j + sbox[i] + key[i % len(key)]) % 256
        tmp = sbox[i]
        sbox[i] = sbox[j]
        sbox[j] = tmp

    return sbox

def mbam_unquarantine(f):
    with open(f, "rb") as quarfile:
        data = bytearray(quarfile.read())

    sbox = mbam_ksa()
    outdata = rc4_decrypt(sbox, data)

    return outdata

def main():
    MBAMDequarantineFile = mbam_unquarantine(sys.argv[1])
    # The with-block closes the file, so no explicit close() is needed
    with open(sys.argv[1] + ".decrypted2", "wb") as decrypted_file:
        decrypted_file.write(MBAMDequarantineFile)

main()

While this script is much longer and does exactly the same thing as the first one, it does not need the arc4 Python library to run.
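As an added example (not code from the original post or from Cuckoo), the same RC4 routine packaged so it can be checked against a published RC4 known-answer vector and then applied in memory, reporting the SHA-256 and whether the recovered file starts with a PE (MZ) header, instead of writing the plaintext back to disk beside the quarantine file. The .quar sample it decrypts is constructed inline by encrypting a harmless blob with the same key, so it runs offline; pass a real .quar path as the first argument to inspect that instead.

```python
import hashlib
import sys

# Hard-coded key string from the post; the RC4 key is its MD5 digest.
MBAM_KEY_STRING = b"XBXM8362QIXD9+637HCB02/VN0JF6Z3)cB9UFZMdF3I.*c.,c5SbO7)WNZ8CY1(XMUDb"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream XOR; encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(len(data))
    i = j = 0
    for k, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[k] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def unquarantine(quar_bytes: bytes) -> bytes:
    """Decrypt the contents of a MalwareBytes .quar file in memory."""
    return rc4(hashlib.md5(MBAM_KEY_STRING).digest(), quar_bytes)


def inspect(plaintext: bytes) -> dict:
    """Summarise the recovered file without writing the plaintext to disk."""
    return {
        "sha256": hashlib.sha256(plaintext).hexdigest(),
        "size": len(plaintext),
        "is_pe": plaintext[:2] == b"MZ",  # MZ header as a quick sanity check that the key worked
    }


# Published RC4 known-answer vector: key "Key", plaintext "Plaintext".
assert rc4(b"Key", b"Plaintext") == bytes.fromhex("bbf316e8d940af0ad3")

# Constructed sample: a harmless PE-like blob encrypted with the same key, standing
# in for a real .quar file so the example runs offline.
SAMPLE_PLAINTEXT = b"MZ" + b"\x90" * 62 + b"constructed sample, not malware"
SAMPLE_QUAR = rc4(hashlib.md5(MBAM_KEY_STRING).digest(), SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_QUAR
    print(inspect(unquarantine(data)))
```

The SHA-256 printed here is what you would compare against the Perl script's output to confirm both tools recover the same bytes.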

Enjoy!


Brandon Hinkel

I work in the Cyber Security field and love being outdoors in my free time