Decrypt antivirus quarantine files with DeXRAY

Useful to access quarantined files of Symantec and McAfee


It can happen that you need to analyze suspicious files on a compromised machine, but if the antivirus has already put them in quarantine (usually encrypted, in a dedicated directory), how do you recover them?
Simple: with DeXRAY by Hexacorn.

DeXRAY is a simple perl script that tries to discover encrypted executables and DLLs (or, more generically — Portable Executables a.k.a. PE) within a given data file e.g. it could be an encrypted PE that is embedded inside a malicious dropper (including non-PE files e.g. PDFs) or network traffic.

DeXRAY attempts to decrypt

  • Any binary file (using X-RAY)
  • Symantec Quarantine files (VBN/QBD)
  • McAfee Quarantine files (BUP)
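To make the generic X-RAY idea concrete, here is an added Python example (not DeXRAY's own Perl code): it tries every single-byte XOR key, looks for the XORed MZ signature, validates it through e_lfanew and the PE signature, and decodes from the hit onward. The fake PE image, the key 0x6A and the surrounding junk are constructed for the demo; the Symantec VBN and McAfee BUP formats are not reproduced here.

```python
import struct

PE_SIG = b"PE\0\0"

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key for b in data)

def find_xored_pe(data: bytes) -> list:
    """Return (offset, key) pairs where a PE image XORed with a single-byte key starts.

    For each candidate key we look for the XORed 'MZ' signature, decode e_lfanew
    (offset 0x3C of the DOS header) and require 'PE\\0\\0' at that position.
    Key 0 matches a plaintext PE, so an unencrypted image is reported too.
    """
    hits = []
    for key in range(256):
        mz = xor_bytes(b"MZ", key)  # what an XORed 'MZ' looks like in the carrier
        start = 0
        while True:
            off = data.find(mz, start)
            if off < 0 or off + 0x40 > len(data):
                break
            start = off + 1
            e_lfanew = struct.unpack_from("<I", xor_bytes(data[off + 0x3C:off + 0x40], key))[0]
            pe_off = off + e_lfanew
            # 0x40..0x1000 is an arbitrary sanity bound on e_lfanew to cut false positives
            if 0x40 <= e_lfanew < 0x1000 and pe_off + 4 <= len(data) \
                    and xor_bytes(data[pe_off:pe_off + 4], key) == PE_SIG:
                hits.append((off, key))
    return hits

def recover(data: bytes, off: int, key: int) -> bytes:
    """Decode from the hit to the end of the buffer (the carver does not know the true size)."""
    return xor_bytes(data[off:], key)

def build_fake_pe() -> bytes:
    """Constructed minimal PE-like image: DOS header with e_lfanew=0x80, PE signature, stub."""
    dos = b"MZ" + b"\x90" * 0x3A + struct.pack("<I", 0x80)
    dos += b"\0" * (0x80 - len(dos))
    return dos + PE_SIG + b"\x4c\x01" + b"\0" * 30  # fake COFF header follows the signature

def demo_blob(key: int = 0x6A) -> bytes:
    """Constructed carrier: junk, then the fake PE XORed with `key`, then more junk."""
    return b"\x00" * 16 + xor_bytes(build_fake_pe(), key) + b"\xff" * 16

if __name__ == "__main__":
    blob = demo_blob()
    for off, key in find_xored_pe(blob):
        print(f"PE found at offset {off:#x} with XOR key {key:#04x}")
        print(recover(blob, off, key)[:2])
```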

Usage:

perl DeXRAY.pl <filename or directory>

What is the output?

If it works, you will get files saved as <original filename.XXXXXXXX.YY.out>


More technical info and downloads: DeXRAY – simple XORcarver
