
Sunday, April 15, 2018

RETouch installer and download

Although the RETouch source code is hosted on GitHub, the RETouch binaries are not, because of the size limit of the free GitHub account. The latest binary, with a Windows installer, is now on Dropbox. The download link for RETouch is https://www.dropbox.com/sh/hvttkwkt4ovk5r7/AAAn4xqQgjqU0UiD1hVoQv9aa?dl=0

Monday, April 9, 2018

A sample analysis walkthrough with RETouch: Testing a new feature

Here is another example of how to analyze malware with RETouch. I picked Zahlung_03_04_2018_658348.doc from hybrid-analysis.com. This sample was suitable for testing the new script deobfuscation feature, which tries to make an obfuscated script more human-readable. The feature is not yet available in the GitHub code and will be released with RETouch version 1.1.

Below is the image of the original code.

First I select the correct script language, VBScript in this case. I also select inserting line breaks after VBScript keywords, renaming functions and variables, and unescaping escape sequences.

The final result is _almost_ readable. At this point the easiest way to proceed is to copy/paste the code into a Word document and do the final fixing by hand.

Copying the code into the VBA editor enables syntax checking and highlighting, which is very handy for the final steps. Below is the start of the fixed VBA code. It also shows the "mysterious" procA function.

After fixing the latter part of the code, it starts to make sense. The "mysterious" procA converts Base64 to text. The strings the script needs have been split into shorter pieces, each obfuscated by Base64-encoding it.

The VBA code uses MSXML2.XMLHTTP to download an exe file from https://tous1site.name/axctogh.exe. The final lines start WScript.Shell to execute the downloaded file.

The executable is no longer available, and what it does would be outside RETouch's scope anyway.
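The three transformations used in this post (splitting ':'-joined statements onto separate lines, folding chains of Base64-decoding helper calls into the decoded string literal, and renaming declared procedures and variables) as an added Python example. This is not RETouch's code; it runs on a constructed obfuscated VBA fragment whose helper is named aB3 (standing in for the post's procA), uses an example.invalid URL, and contains no execution step.

```python
import base64
import re

# Constructed obfuscated VBA/VBScript fragment (not the page's real macro):
# statements joined with ':' on one line, random identifiers, and strings
# split into short Base64 chunks that a helper function (aB3) decodes.
SAMPLE = (
    "Function aB3(s)\n"
    "' Base64-to-text helper; body omitted in this constructed sample\n"
    "End Function\n"
    'Sub qW9():Set zR=CreateObject(aB3("TVNYTUwy")&aB3("LlhNTEhUVFA=")):'
    'zR.Open aB3("R0VU"),aB3("aHR0cDovL2V4YW1wbGUuaW52YWxpZC94LmJpbg=="),False:'
    "End Sub\n"
)


def split_statements(code):
    """Turn ':' statement separators outside string literals into line breaks."""
    out, in_str = [], False
    for ch in code:
        if ch == '"':
            in_str = not in_str          # "" inside a literal toggles twice, net no-op
        out.append("\n" if ch == ":" and not in_str else ch)
    lines = [ln.strip() for ln in "".join(out).splitlines()]
    return "\n".join(ln for ln in lines if ln) + "\n"


def fold_base64_chains(code, helper):
    """Replace helper("b64") & helper("b64") ... with one decoded string literal."""
    call = r'%s\("([A-Za-z0-9+/=]*)"\)' % re.escape(helper)
    chain = re.compile(r"%s(?:\s*&\s*%s)*" % (call, call))

    def decoded(m):
        chunks = re.findall(call, m.group(0))
        text = "".join(base64.b64decode(c).decode("latin-1") for c in chunks)
        return '"%s"' % text.replace('"', '""')   # VBScript escapes " as ""

    return chain.sub(decoded, code)


# Declarations at the start of a statement: Function/Sub names and Set/Dim variables.
DECL = re.compile(r"^(Function|Sub|Set|Dim)\s+([A-Za-z_]\w*)",
                  re.IGNORECASE | re.MULTILINE)


def rename_identifiers(code):
    """Map declared procedures to proc1, proc2, ... and variables to var1, var2, ..."""
    mapping, procs, vars_ = {}, 0, 0
    for kw, name in DECL.findall(code):
        if name in mapping:
            continue
        if kw.lower() in ("function", "sub"):
            procs += 1
            mapping[name] = "proc%d" % procs
        else:
            vars_ += 1
            mapping[name] = "var%d" % vars_
    if not mapping:
        return code
    # One pass with alternation so a fresh name is never renamed again. This is a
    # plain-text rename, so an identical word inside a string literal changes too.
    pat = re.compile(r"\b(%s)\b" % "|".join(map(re.escape, mapping)))
    return pat.sub(lambda m: mapping[m.group(1)], code)


def deobfuscate(code, base64_helper):
    """The passes in the order the walkthrough applies them."""
    code = split_statements(code)
    code = fold_base64_chains(code, base64_helper)
    return rename_identifiers(code)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE, "aB3"))
```

Running it prints the fragment with one statement per line, `CreateObject("MSXML2.XMLHTTP")` and the URL as plain literals, and the helper renamed to proc1. Identifying which function is the Base64 decoder is left to the analyst, exactly as the post does with procA; the folding pass is only applied once that name is known.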

Saturday, April 7, 2018

A sample analysis walkthrough with RETouch

Here is an example of how to analyze malware with RETouch. The malware's SHA256 hash is 63eaddbbe91031cb1d8f38cdbc679adacd232f97bbc061f02073d909c11c1594 and it can be found on VirusTotal. First I open the data file 63eaddbbe91031cb1d8f38cdbc679adacd232f97bbc061f02073d909c11c1594.bin (a Word document). If I didn't know the SHA256, I would get the checksums first.
RETouch can calculate the most commonly used hashes: MD5, SHA1 and SHA256.
Next, I check the strings that this binary file contains.
One string catches the eye: "powershell". The strings following it look a lot like Base64-encoded data.
To extract the Base64 data, I open the binary file in hex view mode. After locating the string "powershell", I select the text that follows it up to the '=' character.
I paste the text copied from the hex view and convert the Base64 to binary data.
The hex dump of the converted data has a zero in almost every second byte. This indicates that the data could be Unicode (UTF-16) encoded text.
The text really was Unicode encoded. Now I have PowerShell code which builds a string from numeric character values. I select only the string-building part of the code and execute it as PowerShell.
This yields the final deobfuscated code.
What the code actually does is not relevant here. The relevant thing is that RETouch has done its job.
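The same pipeline in Python, as an added example rather than RETouch's own code: hashes, printable strings, the Base64 run after "powershell", the zero-byte check that reveals UTF-16LE, and a static fold of the `-join ([char[]](...))` string building so the script never has to be executed. It runs on a constructed byte string standing in for the Word document; the assumption that the command is embedded in PowerShell's `-EncodedCommand` form (Base64 of UTF-16LE text) is mine, since the post only shows "powershell" followed by Base64. All function names are the example's own.

```python
import base64
import hashlib
import re

# Constructed stand-in for the document bytes (not the page's real sample):
# a few binary bytes, then a PowerShell launch whose -Enc argument is Base64
# of UTF-16LE text, which is what -EncodedCommand expects. The embedded
# script only builds a string from character codes; it is never executed here.
INNER = "$c = -join ([char[]](72,101,108,108,111,32,87,111,114,108,100)); $c"
ENCODED = base64.b64encode(INNER.encode("utf-16-le")).decode("ascii")
DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x00\x00" + b"powershell -NoP -W Hidden -Enc "
       + ENCODED.encode("ascii") + b" \x00\x00\x00")


def hashes(data):
    """The three hashes the walkthrough mentions, for looking the file up."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def strings(data, min_len=6):
    """Printable-ASCII runs, like the strings view."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def base64_after(data, marker=b"powershell"):
    """The Base64 run following the marker, read up to its '=' padding (the hex-view step)."""
    i = data.find(marker)
    if i < 0:
        return None
    m = re.search(rb"[A-Za-z0-9+/]{16,}={0,2}", data[i + len(marker):])
    return m.group() if m else None


def looks_utf16le(raw):
    """A zero in almost every second byte means UTF-16LE text, not binary."""
    high = raw[1::2]
    return len(high) > 0 and high.count(0) / len(high) > 0.8


def decode_stage(data):
    """Base64 -> bytes -> text, choosing UTF-16LE when the zero-byte pattern shows."""
    raw = base64.b64decode(base64_after(data))
    return raw.decode("utf-16-le") if looks_utf16le(raw) else raw.decode("latin-1")


# -join ([char[]](n, n, ...)) : the string-building idiom, evaluated statically.
CHARLIST = re.compile(r"-join\s*\(\s*\[char\[\]\]\s*\(\s*([\d\s,]+?)\s*\)\s*\)")


def fold_char_lists(ps):
    """Replace each char-code list with the string it builds, without running PowerShell."""
    def build(m):
        text = "".join(chr(int(n)) for n in m.group(1).split(","))
        return "'" + text.replace("'", "''") + "'"   # PowerShell single-quoted literal
    return CHARLIST.sub(build, ps)


if __name__ == "__main__":
    print(hashes(DOC)["sha256"])
    print(strings(DOC))
    stage = decode_stage(DOC)
    print(stage)
    print(fold_char_lists(stage))
```

Evaluating the character list statically instead of running the selected PowerShell gives the same string without touching the interpreter, which matters when the sample is live; a real stage may use other idioms (`[string]::Join`, `[char]` additions), each of which needs its own fold.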

Thursday, April 5, 2018

RETouch 1.0 released

RETouch is a Windows application for deobfuscating and analyzing malicious scripts. Malicious scripts are commonly the first step of a malware infection. Since script files are text-based, RETouch has functionality for handling text and strings. For binary analysis there are plenty of excellent applications available. RETouch aims to be:
• extendible with scripting
• an "umbrella" for external applications
Because malware and malicious scripts evolve quickly, the core functionality alone is not enough. That is why RETouch provides easy scripting to extend its core functions.
Like any software with version number 1.0, this is far from perfect. I have started programming the next version with some features I left out of version 1.0.