[QuickNote] Retrieve unknown python stealer from PyInstaller

kienmanowar.wordpress.com · m4n0w4r and Tran Trung Kien · 1 year ago · research
Posted: August 10, 2024 in My Tutorials, [QuickNote] Retrieve unknown python stealer from PyInstaller
Tags: Malware Analysis, pycdas, pycdc, PyInstaller, pyinstxtractor-ng, Stealer

1. Context

While participating in a Discord community, I noticed a member making the following offer of assistance:

2. Sample hash

Zip: b66d615fa0288229f8cc514bb01b29e6d5e9d05f41099974b9dd117b2a6f9a68 (MalShare)
Exe: 2a19ba63e85ce75d5f2d884011dfc94f616b176ed89a67c1acc0fe2179e8b591 (Triage) (VT)

3. Analysis

3.1. Extract contents of PyInstaller generated executable

Analysis with DiE shows that the file is packaged with PyInstaller, and the Strings data suggests that Python 3.11 was used to build this sample:

Using that information, I ran pyinstxtractor-ng to extract all of its contents. The result is as follows:

3.2. Retrieve the python source code

Based on the log produced by pyinstxtractor-ng above, we know that the main entry point is mPSCzi.pyc.
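How pyinstxtractor-ng arrives at that list and at the entry point is worth seeing once in code. The following is an added example, not code from the post or from pyinstxtractor-ng: a minimal parser for the PyInstaller CArchive that sits in the overlay of the executable. A fixed-size "cookie" at the end of the file carries the magic, the package length, the position and size of the table of contents and the Python version; each TOC entry carries the offset, sizes, compression flag and type code of one embedded file, and entries of type `s` are the scripts run at startup, i.e. the candidate entry points. The structure layout follows the pyinstxtractor-ng source; `build_carchive` only assembles a constructed in-memory archive (fake "MZ" header, made-up entry names and a `python311.dll` library name) so the parser can be exercised offline.

```python
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"         # magic, package length, TOC offset, TOC length, pyver, python lib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes (PyInstaller 2.1+ layout)
ENTRY_HDR_FMT = "!iIIIBc"         # entry length, data offset, compressed size, raw size, flag, type code
ENTRY_HDR_SIZE = struct.calcsize(ENTRY_HDR_FMT)


def build_carchive(entries, pyver):
    """Assemble a constructed CArchive (test data only, not a real sample)."""
    blob, toc = b"", b""
    for name, type_code, payload in entries:
        comp = zlib.compress(payload)
        name_b = name.encode() + b"\0"
        name_b += b"\0" * (-(ENTRY_HDR_SIZE + len(name_b)) % 16)   # entries are padded to 16 bytes
        entry_len = ENTRY_HDR_SIZE + len(name_b)
        toc += struct.pack(ENTRY_HDR_FMT, entry_len, len(blob), len(comp), len(payload), 1, type_code) + name_b
        blob += comp
    pkg_len = len(blob) + len(toc) + COOKIE_SIZE            # package length includes the cookie
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(blob), len(toc), pyver, b"python311.dll")
    return blob + toc + cookie


def parse_carchive(data):
    """Locate the cookie, decode it and walk the TOC; raises ValueError if not PyInstaller."""
    cookie_pos = data.rfind(MAGIC)
    if cookie_pos == -1:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[cookie_pos:cookie_pos + COOKIE_SIZE])
    # anything appended after the cookie still belongs to the overlay (same rule as pyinstxtractor)
    tail = len(data) - cookie_pos - COOKIE_SIZE
    overlay_pos = len(data) - (pkg_len + tail)
    # pyver is stored as e.g. 311 for 3.11 (or 27 for 2.7 in old bundles)
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    entries, pos, end = [], overlay_pos + toc_off, overlay_pos + toc_off + toc_len
    while pos < end:
        entry_len, off, csize, usize, flag, type_code = struct.unpack(
            ENTRY_HDR_FMT, data[pos:pos + ENTRY_HDR_SIZE])
        name = data[pos + ENTRY_HDR_SIZE:pos + entry_len].rstrip(b"\0").decode()
        entries.append({"name": name, "type": type_code.decode(), "offset": overlay_pos + off,
                        "compressed": csize, "size": usize, "zlib": bool(flag)})
        pos += entry_len
    return {"python": (major, minor), "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


def entry_points(archive):
    """Type-'s' entries are the startup scripts (mPSCzi in the post)."""
    return [e["name"] for e in archive["entries"] if e["type"] == "s"]


def extract_entry(data, archive, name):
    """Return the raw bytes of one entry, inflating it if the flag says it is zlib-compressed."""
    e = next(x for x in archive["entries"] if x["name"] == name)
    raw = data[e["offset"]:e["offset"] + e["compressed"]]
    return zlib.decompress(raw) if e["zlib"] else raw


# Constructed sample: a fake PE stub followed by a three-entry archive for "Python 3.11".
EXAMPLE = b"MZ" + b"\0" * 100 + build_carchive(
    [("mPSCzi", b"s", b"print('entry')"), ("PYZ-00.pyz", b"z", bytes(range(40))), ("struct", b"m", b"bytecode")],
    311)

if __name__ == "__main__":
    arc = parse_carchive(EXAMPLE)
    print("Python %d.%d, lib %s" % (*arc["python"], arc["pylib"]))
    for e in arc["entries"]:
        print(f"  {e['type']}  {e['name']:<14} {e['size']:>6} bytes")
    print("Possible entry point(s):", entry_points(arc))
```

On a real bundle the type-`s` entry is stored without the 16-byte `.pyc` header, which is why pyinstxtractor-ng prepends the matching magic before you can feed the file to pycdc or pycdas.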
Since a .pyc is the pre-compiled bytecode of a .py file, I tried the pycdc and pycdas tools to decompile and disassemble mPSCzi.pyc and see whether that works. pycdc crashed during decompilation, which suggests that the code in mPSCzi.pyc has been heavily obfuscated to hinder analysis:

pycdas can recover the bytecode, but the resulting listing is very long and extremely time-consuming to reverse engineer. Following the tips on this page and, after some discussion, the advice of @struppigel, I used the PyLingual website to try to recover the source code from the .pyc file. The website produced mPSCzi.pyc_Source_Patcher.py, shown below:

3.3. Source code analysis and retrieve the second stage

At the very beginning of mPSCzi.pyc_Source_Patcher.py, a base64-encoded string is decoded. Decoding it reveals:

Continuing to decode each Base64 string as shown in the figure, we obtain the following results:

So the only purpose of that initial base64-encoded string is to import Python modules. To recap, here is what I have:

```python
from random import randint as lzsootuwkf
from cryptography.hazmat.primitives.ciphers import algorithms as vchanbrisf, modes as gldfnxjjmq, Cipher as vbkqsedciq
from cryptography.hazmat.backends import default_backend as nbpulimqtg
from cryptography.hazmat.primitives import padding as thtgizfsfm
from base64 import b64decode as bmurybzixs
from sys import exit as yoyjlhcnqi
```

Further analysis of mPSCzi.pyc_Source_Patcher.py reveals numerous junk functions. These functions have randomly generated names, perform calculations internally, and are invoked immediately after they are defined; their only purpose is to obstruct analysis. Upon closer inspection, I noted the following variable:

Starting from this variable, aukqdqsxsj, I tracked down the relevant code parts and cleaned up the unnecessary bits.
The resulting code snippet decrypts the second stage of the data, and it looks like this:

```python
from random import randint as lzsootuwkf
from cryptography.hazmat.primitives.ciphers import algorithms as vchanbrisf, modes as gldfnxjjmq, Cipher as vbkqsedciq
from cryptography.hazmat.backends import default_backend as nbpulimqtg
from cryptography.hazmat.primitives import padding as thtgizfsfm
from base64 import b64decode as bmurybzixs
from sys import exit as yoyjlhcnqi

try:
    # 16-byte AES key (base64) and a 48-byte blob laid out as IV || ciphertext
    zxrtirbpom = bmurybzixs(b'l6i7wclE+B6Yhr8JJ3vffQ==')
    njaxetfshn = b'\x93\xf9\xd3\n\xf4\x1b4l\xaa\xba\xbf\xc1\xb3\x05\xa1i\x8e\x8fI`?Y\xb2\xd6O\x0ed\xb5\xd2\x02u\x1e\xba\x0ehH\x8c\xf2\xdf#+a\x14\xba,\x0e\x03w'
except Exception:
    pass

def omtlsfxpwx(mtszwudwam, tuhebphwuf):
    # AES-CBC decrypt: the first 16 bytes of the blob are the IV, the rest is ciphertext
    try:
        xffgufhvvi = vbkqsedciq(vchanbrisf.AES(tuhebphwuf), gldfnxjjmq.CBC(mtszwudwam[:16]), backend=nbpulimqtg())
        ioiymamfcp = xffgufhvvi.decryptor()
        uzuyzymspb = ioiymamfcp.update(mtszwudwam[16:]) + ioiymamfcp.finalize()
        return jmhshdpgdy(uzuyzymspb)
    except Exception:
        return None

def jmhshdpgdy(fapayormxp):
    # strip PKCS7 padding from the decrypted block
    try:
        lgowebtzvy = thtgizfsfm.PKCS7(128).unpadder()
        mtszwudwam = lgowebtzvy.update(fapayormxp)
        mtszwudwam += lgowebtzvy.finalize()
        return mtszwudwam
    except Exception:
        return None

try:
    # layer 1: decrypt a second AES key; layer 2 (below): use it to decrypt the XOR key
    dpvkmmjzlv = omtlsfxpwx(njaxetfshn, zxrtirbpom)
    ptrnyfhyex = b"\xed8f\xd3q\x0f'>\x15\x08ntK4u\xf7\x99X\xdcNS\x86\xabn\x045\xff\xde\x11b\xe7\xcb"
except Exception:
    pass

try:
    viwoyxfprz = omtlsfxpwx(ptrnyfhyex, dpvkmmjzlv)
except Exception:
    pass

def quwsvtaara(mtszwudwam, tuhebphwuf):
    # single-byte XOR over the whole blob
    return bytes((b ^ tuhebphwuf for b in mtszwudwam))

iltzxihvvr = int.from_bytes(viwoyxfprz, "big")
#iltzxihvvr = 4

try:
    aukqdqsxsj = b'mitkvp$fewa20\t\x0ea|ag,fewa20*f20`agk`a,f#^jNrfWFngjhs`C=jgiBseLoqeCB2fSB4HjF}eS5t`Ch6^\\Iq]6hseCR}g}Ftf\\FrgjUc]S|jf7Nt`Clpg}Flg}FFUiB|fLBofj^lHGFpf6Vhg}Flg}FmeiRUSjB|PQV4HGF@e\\Fk^\\Mc]\\IcPQRMPQ^mVi1oeUtigi=pMCJ}a\\F4f6`}]\\FkaW1k]\\tp]\\Uq]iBne6Rq^LIceS5sf7N4MCVh^iB5fLVb]iBne6Rq^GFlg}FkWABWgQJ}gi=PGi^}f64cg7h~MChpgC=}`GFhaCh4MCB~MA=u`C=jeohQVoMO^jNrfWFrg}Ftf\\FrgjUc`\\NlfiVrfWFlg}FiQL^5Wot^VQtuGi^}f64cai|t]mFtf\\FrgjUc^CRnf65sgiR~g}Flg}FjPC5Ieil1SS56Gi^}...redacted...gatp$A|gatpmkj>\t\x0e$$$$$$$$teww\t\x0e\t\x0ea||jpwbueoh`wg,-\t\x0e$$$$\t\x0e'
    txkehbuplc = bytes(aukqdqsxsj)
except:
    pass

# instead of exec'ing the decoded blob, write it to disk for analysis
xored_blob = quwsvtaara(txkehbuplc, iltzxihvvr)
with open('dumped_stage2.py', "wb") as f:
    f.write(xored_blob)
print("OK!")
```

After running the script, I obtained the following dumped_stage2.py:

3.4. 2nd stage analysis and retrieve the final stage

As in the previous stage, I decoded the base64 string that imports the Python libraries. Analyzing the code, we encounter another variable, bwUUvaBGuq, which stores a large blob of data. Using this variable as a starting point, I reverse-engineered the code to find the section that decodes the final stage.
This is the code snippet I extracted:

```python
from cryptography.hazmat.primitives.ciphers import algorithms as ABaqlqdnva, modes as bjePZqqMDt, Cipher as MEHMFbFndi
from cryptography.hazmat.backends import default_backend as hHARqCrroS
from sys import exit as OjtogjITFB
from os import urandom as fPvuJJYEJj
from zlib import decompress as gLmLjhyYmv
from base64 import b64decode as OAZCpnHWlb, b64encode as dJnAfRTmEv

def bmfZuPhAUd(JTsYycfBQh):
    # manual PKCS7 unpad: the last byte is the padding length
    try:
        return JTsYycfBQh[:-ord(JTsYycfBQh[-1:])]
    except Exception:
        pass

def nsmYLYUczz(JTsYycfBQh):
    # manual PKCS7 pad to a 16-byte boundary
    try:
        rlqheWzXxT = 16 - (len(JTsYycfBQh) % 16)
        return JTsYycfBQh + (chr(rlqheWzXxT) * rlqheWzXxT).encode()
    except Exception:
        pass

def hXPMlIWQCn(vvTHHCEOGs, QZwvIGUeVD):
    # base64 -> IV (16 bytes) || ciphertext -> AES-CBC decrypt -> unpad -> utf-8 text
    try:
        EIrzLuQRsS = hHARqCrroS()
        QZwvIGUeVD = OAZCpnHWlb(QZwvIGUeVD.encode('utf-8'))
        pbLqTHrOyv = QZwvIGUeVD[:16]
        fjfiiNMXUq = QZwvIGUeVD[16:]
        DPACsoxRPA = ABaqlqdnva.AES(vvTHHCEOGs)
        nNLBqunLLV = MEHMFbFndi(DPACsoxRPA, bjePZqqMDt.CBC(pbLqTHrOyv), backend=EIrzLuQRsS)
        SsIadmZVoR = nNLBqunLLV.decryptor()
        return bmfZuPhAUd(SsIadmZVoR.update(fjfiiNMXUq) + SsIadmZVoR.finalize()).decode('utf-8')
    except Exception:
        pass

def eARiHgOnvx(vvTHHCEOGs, JTsYycfBQh):
    # the inverse: pad -> AES-CBC encrypt with a random IV -> base64(IV || ciphertext)
    try:
        EIrzLuQRsS = hHARqCrroS()
        DPACsoxRPA = ABaqlqdnva.AES(vvTHHCEOGs)
        pbLqTHrOyv = fPvuJJYEJj(16)
        nNLBqunLLV = MEHMFbFndi(DPACsoxRPA, bjePZqqMDt.CBC(pbLqTHrOyv), backend=EIrzLuQRsS)
        fMKENYcOTF = nNLBqunLLV.encryptor()
        fjfiiNMXUq = fMKENYcOTF.update(nsmYLYUczz(JTsYycfBQh)) + fMKENYcOTF.finalize()
        return dJnAfRTmEv(pbLqTHrOyv + fjfiiNMXUq).decode('utf-8')
    except Exception:
        pass

try:
    # the 16-byte AES key is split into two base64-encoded 8-byte halves
    LvXmVMzoGq = "/aWwTzKHi08="
    KUoYacjxpH = "UR/2CNnzXG0="
    kHwYAPSzre = OAZCpnHWlb(LvXmVMzoGq.encode('utf-8')) #b64decode
    PZHzhrfrSM = OAZCpnHWlb(KUoYacjxpH.encode('utf-8')) #b64decode
    UCNnmcZiYq = kHwYAPSzre + PZHzhrfrSM
except Exception:
    pass

try:
    bwUUvaBGuq = "MQOCLE3tioNVF0gHD0/vGbWKW7i/HXgIcWkuzqdxSlrGnbSTp/0LnWiLgi4JgwCN/ZACl+O/9BHLDWEut+7bjnvGUinNIHs4WsaINV4p1xli1uKn3MguRZsL7rOvkD/BQk4gYI//j1qgJbTKEz4zJay+Tq3dNUHt5OzyxT3U9d0G9gbYyHV31fo97e8V3kMAZv+6btmCUi9qt5is8Q6fIG7ZodBYmew/Zn+wenPuzWtJUdQhv0nA0jLaUM5KjIJpu5w+JZv9jgLa4b3e7sv8E+GHIJzLGvdZOQeShW1VVoP50S11P0MQ9h3DBLefC0VVAfh6+DPsj+Y/sZP17Z3vYNTMX42aHg3JcFHpf+CeuoYxuqJ2xxtaxrioDIu6l4rNhOiNoKYY9/r373TKpS9z+fg8MzU0CyoPYqnpqCestcNeSfL/EX8sGq8tyDPPEcdCXQv9MejeKIPo/taS/ewc+ …redacted… HGMMtNZ1nxVUgecA/Ih651+Rpo67HROrw4/p+A7r9+vTes5iTKC81kHbpqAdZRvjG/Oy+TpxzU5LCQ0RArkx2qn67+7SxBZ3NvKOYfoU4do/CRQwo+Y9Ws23FnOO49AC8WXXmprDBKkBbbkn9qtrAJ9QCBbPniah82EprE="
    # decrypt -> base64-decode -> zlib-inflate the final stage
    nQrQVmqDVm = hXPMlIWQCn(UCNnmcZiYq, bwUUvaBGuq)
    nQrQVmqDVm = OAZCpnHWlb(nQrQVmqDVm)
    nQrQVmqDVm = gLmLjhyYmv(nQrQVmqDVm)
    # pointless round trip with a random key, then decrypt again to get the source text
    zmkEwHDgbQ = fPvuJJYEJj(16)
    bwUUvaBGuq = eARiHgOnvx(zmkEwHDgbQ, nQrQVmqDVm)
    nQrQVmqDVm = hXPMlIWQCn(zmkEwHDgbQ, bwUUvaBGuq)
except Exception:
    pass

try:
    wexsLJswss = OAZCpnHWlb('ZXhlYyhuUXJRVm1xRFZtKQ==').decode() #'exec(nQrQVmqDVm)'
except Exception:
    pass

# the original loader would eval the string above; it is disabled here and the
# decrypted source is written to disk instead
#try:
#    eval(wexsLJswss)
#except Exception:
#    pass

with open('dumped_final_stage.py', "wb") as f:
    f.write(nQrQVmqDVm.encode())
print("OK!")
```

Upon execution of the script, the output file dumped_final_stage.py was generated. Its contents are as follows:

By searching for uses of the “requests” library, we can find the exact URL to which the stolen data is posted. The related code decodes the domain:

```python
ZWHmjDkfVvkVdclV = 'bWdzdHN0dWRpby5zaG9w'
RYBTeAeZbiUOxeloi = base64.b64decode(ZWHmjDkfVvkVdclV).decode()
```

Decoding it gives this domain:

4. Refs

Python Malware Triage – Creal Stealer | OALABS Research (openanalysis.net)
CPython Bytecode

End!
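Returning to the XOR step of section 3.3: the two AES layers there exist only to hand the loader a single key byte (the commented `#iltzxihvvr = 4`), and for a blob this size that key can be recovered without the AES material at all. The block below is an added example (not code from the post): it takes the visible prefix of the aukqdqsxsj blob exactly as printed in the script above, with the redacted tail left out, tries all 256 key bytes, and keeps the one whose output starts with a Python statement (falling back to the most-printable candidate when no known prefix matches). The decoded stub is the same `import base64` / `exec(base64.b64decode(b'...'))` pattern as the first stage, so the function also decodes as much of the inner base64 as the truncated prefix contains, which is where the stage-2 imports from section 3.4 come from.

```python
import base64
import string

# Visible prefix of the aukqdqsxsj blob as printed in the post (the
# "...redacted..." tail is omitted), constructed here as the test input.
STAGE2_PREFIX = (
    b"mitkvp$fewa20\t\x0ea|ag,fewa20*f20`agk`a,f#^jNrfWFngjhs`C=jgiBseLoqeCB2fSB4HjF}"
    b"eS5t`Ch6^\\Iq]6hseCR}g}Ftf\\FrgjUc]S|jf7Nt`Clpg}Flg}F"
    b"FUiB|fLBofj^lHGFpf6Vhg}Flg}FmeiRUSjB|PQV4HGF@e\\Fk^\\Mc]\\IcPQRMPQ^mVi1oeUtigi=pMCJ}"
    b"a\\F4f6`}]\\FkaW1k]\\tp]\\Uq]"
    b"iBne6Rq^LIceS5sf7N4MCVh^iB5fLVb]iBne6Rq^GFlg}FkWABWgQJ}gi=PGi^}f64cg7h~MChpgC=}"
    b"`GFhaCh4MCB~MA=u`C=jeohQVoMO^jNrfWFrg}Ftf\\FrgjUc`\\Nlfi"
    b"VrfWFlg}FiQL^5Wot^VQtuGi^}f64cai|t]mFtf\\FrgjUc^CRnf65sgiR~g}Flg}FjPC5Ieil1SS56Gi^}"
)

# statements an obfuscated Python stub is likely to begin with
PYTHON_PREFIXES = (b"import ", b"from ", b"exec(", b"#")


def xor_single(data, key):
    """XOR every byte with one key byte (what the sample's quwsvtaara does)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob):
    """Brute-force the single-byte key: prefer a candidate that yields a Python
    statement at offset 0, otherwise the one with the most printable ASCII."""
    for key in range(256):
        if xor_single(blob, key).startswith(PYTHON_PREFIXES):
            return key
    printable = set(string.printable.encode())
    return max(range(256), key=lambda k: sum(b in printable for b in xor_single(blob, k)))


def decode_stage2_prefix(blob=STAGE2_PREFIX):
    """Return (key, decoded stub, decoded inner payload as far as the prefix allows)."""
    key = recover_xor_key(blob)
    plain = xor_single(blob, key)
    # the stub has the shape  import base64\r\nexec(base64.b64decode(b'<base64>'))
    marker = b"b64decode(b'"
    start = plain.index(marker) + len(marker)
    inner = plain[start:]
    if b"'" in inner:
        inner = inner[: inner.index(b"'")]
    inner = inner[: len(inner) // 4 * 4]   # prefix is truncated: drop a partial base64 group
    return key, plain, base64.b64decode(inner)


if __name__ == "__main__":
    key, plain, inner = decode_stage2_prefix()
    print("XOR key:", key)
    print(plain[:40])
    print(inner[:120].decode())
```

The same brute force works on any blob of this family as long as the plaintext is source text; if a later variant XORs something that is itself base64 or zlib data, the prefix check fails and the printable-ratio fallback is what picks the key.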
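Both the stage-1 import stub in section 3.3 and the domain in the final stage are hidden the same way: a base64 literal assigned to a random-looking name and passed to `base64.b64decode` at run time. Rather than decoding each string by hand, an analyst can resolve them statically. The block below is an added example, not code from the post: it parses the recovered source with Python's `ast` module, collects string constants, finds every `b64decode(...)` call whose argument is such a constant (or a literal), decodes it without executing anything, and filters the results for bare hostnames. The input is constructed from the two domain-decoding lines quoted above plus a hypothetical `exec(base64.b64decode(...))` line in the style of the stage-1 stub; it is not the sample's full source.

```python
import ast
import base64
import re

# Constructed input: the two lines quoted in the post plus one hypothetical
# exec stub of the kind seen in stage 1 (its payload here is just "import os").
SAMPLE_SOURCE = """
import base64
ZWHmjDkfVvkVdclV = 'bWdzdHN0dWRpby5zaG9w'
RYBTeAeZbiUOxeloi = base64.b64decode(ZWHmjDkfVvkVdclV).decode()
exec(base64.b64decode(b'aW1wb3J0IG9z'))
"""

DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def _is_b64decode(call):
    f = call.func
    return (isinstance(f, ast.Attribute) and f.attr == "b64decode") or \
           (isinstance(f, ast.Name) and f.id == "b64decode")


def _as_bytes(value):
    return value.encode() if isinstance(value, str) else value


def resolve_b64decode_calls(source):
    """Map each b64decode(...) argument (variable name or literal) to its decoded text."""
    tree = ast.parse(source)
    # pass 1: simple `NAME = 'literal'` / `NAME = b'literal'` assignments
    consts = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, (str, bytes))):
            consts[node.targets[0].id] = _as_bytes(node.value.value)
    # pass 2: b64decode calls whose argument we can resolve statically
    found = {}
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _is_b64decode(node) and node.args):
            continue
        arg = node.args[0]
        if isinstance(arg, ast.Name) and arg.id in consts:
            label, raw = arg.id, consts[arg.id]
        elif isinstance(arg, ast.Constant) and isinstance(arg.value, (str, bytes)):
            raw = _as_bytes(arg.value)
            label = "<literal:%s>" % raw[:12].decode(errors="replace")
        else:
            continue   # argument is computed at run time; leave it for dynamic analysis
        try:
            found[label] = base64.b64decode(raw, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue   # not base64, or not text: skip rather than guess
    return found


def extract_domains(source):
    """Decoded strings that look like bare hostnames: candidate network indicators."""
    return sorted(v for v in resolve_b64decode_calls(source).values() if DOMAIN_RE.match(v))


if __name__ == "__main__":
    for name, text in resolve_b64decode_calls(SAMPLE_SOURCE).items():
        print(f"{name} -> {text!r}")
    print("hostnames:", extract_domains(SAMPLE_SOURCE))
```

Because nothing is executed, the same function can be pointed at mPSCzi.pyc_Source_Patcher.py, dumped_stage2.py and dumped_final_stage.py in turn; strings built by concatenation or decrypted with AES, like bwUUvaBGuq above, are deliberately skipped rather than guessed.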