PYC malware analysis fun

 Hello World!

I've been looking at some PYC samples lately, and decided to do a deep dive into the sample from this X post: https://x.com/malmoeb/status/1853723915723350526

Specifically, I'm looking at sample SHA256: de195ebb0f1cf3762d73f956b9d21b63de1a5bbe9626a78af623ed9f59ed760f

The first thing I did when looking at this sample was run pycdas. We get a look at the disassembled code here.


The first few bytes "\xfd7zXZ" suggest an LZMA (XZ) compressed stream. Using the following simple script you can write this out to a file:
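As an added example (not the post's own script), here is one way to carve that stream: scan the raw .pyc for the six-byte XZ header magic, feed everything from each hit into an `LZMADecompressor`, and keep only candidates that reach a clean end of stream (so trailing marshal data after the blob is ignored). The `build_sample()` blob is constructed here as a stand-in for the real file, and the output file names are my own choice.

```python
"""Carve and decompress an XZ stream embedded in a .pyc (added example).

Assumes only that the XZ stream sits verbatim somewhere in the file
(e.g. as a large bytes constant), which is what the "\xfd7zXZ" prefix
seen in the disassembly indicates.
"""
import lzma
import os
import tempfile

XZ_MAGIC = b"\xfd7zXZ\x00"  # XZ stream header magic (6 bytes)


def find_xz_offsets(data: bytes) -> list:
    """Return every offset at which the XZ magic appears."""
    offsets = []
    pos = data.find(XZ_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(XZ_MAGIC, pos + 1)
    return offsets


def carve_xz_streams(data: bytes) -> list:
    """Decompress each complete XZ stream found in data.

    Candidates that are not valid streams, or that are truncated (the
    decompressor never reports eof), are skipped rather than raising.
    """
    streams = []
    for off in find_xz_offsets(data):
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
        try:
            out = dec.decompress(data[off:])  # trailing bytes land in dec.unused_data
        except lzma.LZMAError:
            continue  # magic present but not a usable stream
        if dec.eof:
            streams.append(out)
    return streams


def build_sample() -> bytes:
    """Constructed stand-in for the malicious pyc: junk, XZ blob, trailer."""
    hidden = b"print('constructed decoded stage')\n"
    return b"\x00" * 16 + b"JUNK" + lzma.compress(hidden) + b"\x00tail"


def dump_streams(data: bytes, out_dir: str) -> list:
    """Write each carved stream to out_dir and return the paths written."""
    paths = []
    for i, blob in enumerate(carve_xz_streams(data)):
        path = os.path.join(out_dir, f"decodedfile_{i}.bin")
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


if __name__ == "__main__":
    import sys
    # Usage: python carve_xz.py sample.pyc   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for p in dump_streams(data, tempfile.mkdtemp()):
        print("wrote", p)
```

Using the decompressor object rather than `lzma.decompress()` matters here: the one-shot call raises on any bytes after the stream, while the object stops at the stream footer and leaves the rest in `unused_data`, which is exactly the situation when the blob is a constant inside a marshalled code object.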



I wrote the output to decodedfile.txt here. Analyzing this file we can see variables with names like "___", "_____", etc. We can also see some of the decode logic, such as the character codes 98, 54, 52, 100, 101, 99, 111, 100, 101 (spelling b64decode), b64decode("cm90MTM=") (which yields rot13), and [::-1] for string reversal.

We can also see that it concatenates the decoded variables into one final output. Following this guide, we can decode this further using the script pycstealer-decode.py. This gets us yet another PYC file, a large one with a lot of readable text.
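To make the loader's pattern concrete, here is an added example (mine, not pycstealer-decode.py or the sample's code) that resolves helper names hidden as chr-code lists or base64 strings, applies the three layers (base64, rot13, reversal) to each chunk, and joins the results. The layer order `ORDER` and the chunk contents are constructed for the demonstration; the real loader's order has to be read from its disassembly.

```python
"""Emulate the layered decode chain used by the stealer loader (added example).

Helper names arrive as chr-code lists ([98, 54, 52, ...] -> "b64decode") or as
base64 strings ("cm90MTM=" -> "rot13"); each chunk is then unwrapped layer by
layer and the chunks are concatenated. Chunk contents here are constructed.
"""
import base64
import codecs


def name_from_charcodes(codes) -> str:
    """Turn a chr-code list back into an identifier."""
    return "".join(chr(c) for c in codes)


def resolve_name(obfuscated) -> str:
    """Resolve a hidden helper name given as a base64 str or a chr-code list."""
    if isinstance(obfuscated, str):
        return base64.b64decode(obfuscated).decode()
    return name_from_charcodes(obfuscated)


# Decode primitives keyed by the name the loader resolves at runtime.
# "reverse" is the [::-1] slice, which has no name in the sample; the label is mine.
LAYERS = {
    "b64decode": lambda s: base64.b64decode(s).decode(),
    "rot13": lambda s: codecs.decode(s, "rot13"),
    "reverse": lambda s: s[::-1],
}


def decode_chunk(chunk: str, order) -> str:
    """Apply the named layers, in order, to one obfuscated chunk."""
    for name in order:
        chunk = LAYERS[name](chunk)
    return chunk


def decode_payload(chunks, order) -> str:
    """Decode every chunk and concatenate, as the loader does with its
    '___', '_____' variables."""
    return "".join(decode_chunk(c, order) for c in chunks)


def encode_chunk(plain: str, order) -> str:
    """Inverse of decode_chunk; used only to build the constructed fixture."""
    inverse = {
        "b64decode": lambda s: base64.b64encode(s.encode()).decode(),
        "rot13": lambda s: codecs.encode(s, "rot13"),
        "reverse": lambda s: s[::-1],
    }
    for name in reversed(order):
        plain = inverse[name](plain)
    return plain


# Constructed fixture: the two literal forms seen in the sample resolve to the
# first two layer names; the order and plaintext parts are made up.
ORDER = [
    "reverse",
    resolve_name("cm90MTM="),
    resolve_name([98, 54, 52, 100, 101, 99, 111, 100, 101]),
]
PLAIN_PARTS = ["import os", "; print('constructed stage')"]
SAMPLE_CHUNKS = [encode_chunk(p, ORDER) for p in PLAIN_PARTS]

if __name__ == "__main__":
    print("layer order:", ORDER)
    print("chunks:", SAMPLE_CHUNKS)
    print("decoded:", decode_payload(SAMPLE_CHUNKS, ORDER))
```

When working on a real dump, `ORDER` is the part worth checking by hand: a chunk that base64-decodes to garbage usually means rot13 or the reversal was applied in the wrong place, not that the chunk is corrupt.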

Example:


Running strings gives an easier view:



We can again run a PYC disassembler on this to break down further details.





At this point we know we're dealing with BlankGrabber: we can extract multiple URLs, we can infer a password for a RAR file, and we can see that wallets, Minecraft data, and other data are being read for theft. There is a lot to unpack and understand here.

The goal of this post isn't to provide an exhaustive list of IOCs, but rather to demonstrate the steps to reasonably extract further information from this malware.

On a final note, I've been working on a PYC analyzer tool, something to extract interesting bits of information from a PYC file and attempt to show some decoding steps. It needs a lot of work still, but it does give plenty of output for this final PYC file.

The tool can be found here: pyc-analyer

Adding base64 decode of one interesting part:
