MalwareBytes will rename malicious files found during a virus scan to a GUID (e.g. 403dab27-42d6-40e4-8a8b-f4eb4a3ffe82) with a .quar extension. These files are encrypted using RC4 and a long 68 character key.
To decrypt these files, I looked online to see what was already available. I found this blog post, which included a Perl script to decrypt. Not being a fan of Perl, I decided to roll my own using Python. Below is what I came up with:
import sys, os from arc4 import ARC4 import hashlib if len(sys.argv) < 2: print("You must include a .quar file to decrypt!") sys.exit(1) with open(sys.argv, "rb") as encrypted_file: arc4 = ARC4( hashlib.md5('XBXM8362QIXD9+637HCB02/VN0JF6Z3)cB9UFZMdF3I.*c.,c5SbO7)WNZ8CY1(XMUDb'.encode('utf-8')).digest() ) decrypted = arc4.decrypt(encrypted_file.read()) with open( sys.argv+".decrypted", "wb") as decrypted_file: decrypted_file.write(decrypted) decrypted_file.close()
This script does have a dependency of the arc4 Python library (pip3 install arc4), but it works and produces files with the same hash as the Perl script on the reference blog post.
The blog post also links to a Python file in the Cuckoo sandbox that is capable of decrypting MalwareBytes .quar files. This is great, because we can utilize some of their code as it’s already in Python! You can find the original file here and their GPL license file here. I took snippets of their code, updated them for Python3, and then modified it slightly to work the same as the previous script:
import hashlib import sys, os if len(sys.argv) < 2: print("You must include a .quar file to decrypt!") sys.exit(1) def rc4_decrypt(sbox, data): out = bytearray(len(data)) i = 0 j = 0 for k in range(len(data)): i = (i + 1) % 256 j = (j + sbox[i]) % 256 tmp = sbox[i] sbox[i] = sbox[j] sbox[j] = tmp val = sbox[(sbox[i] + sbox[j]) % 256] out[k] = val ^ data[k] return out def mbam_ksa(): # hardcoded key obtained from mbamcore.dll m = hashlib.md5() m.update("XBXM8362QIXD9+637HCB02/VN0JF6Z3)cB9UFZMdF3I.*c.,c5SbO7)WNZ8CY1(XMUDb".encode('utf-8')) key = bytearray(m.digest()) sbox = list(range(256)) j = 0 for i in range(256): j = (j + sbox[i] + key[i % len(key)]) % 256 tmp = sbox[i] sbox[i] = sbox[j] sbox[j] = tmp return sbox def mbam_unquarantine(f): with open(f, "rb") as quarfile: data = bytearray(quarfile.read()) sbox = mbam_ksa() outdata = rc4_decrypt(sbox, data) return outdata def main(): MBAMDequarantineFile = mbam_unquarantine(sys.argv) with open( sys.argv+".decrypted2", "wb") as decrypted_file: decrypted_file.write(MBAMDequarantineFile) decrypted_file.close() main()
While this script is much longer and does the exact same thing as the other one, it does not need the arc4 Python library to run.