More and more malware is wrapped with PyInstaller in an attempt to evade detection. On VirusTotal this sample has only 4 positives, so detection is pretty low.
Sample
MD5: badaf975e204d21d74c521a7de7f5939
SHA-1: 3f5f7c0a1a5bf6bfa516e4c1e4d69d5eb06a08be
SHA-256: f5a4c38e147134bd8c98af89686f7ceeff05440eda7974fef43b66af3f4bff32
Analysis
First, take a look at the basic information with Detect It Easy; it shows that this sample was created by PyInstaller, one of the popular tools for compiling Python code into an executable file.
To analyze this kind of binary, we need the following tools:
- pyinstxtractor: PyInstaller Extractor is a Python script to extract the contents of a PyInstaller generated executable file. https://github.com/extremecoders-re/pyinstxtractor
- pycdc: a C++ Python bytecode disassembler and decompiler. https://github.com/zrax/pycdc
We also need a Python 3 environment; in this case I installed Python 3.10 on my machine. Sometimes it depends on which version the malware developer used: if decompilation fails, install another version of Python 3 and try again.
I downloaded pyinstxtractor to my Windows machine and installed pycdc on my Linux machine. Then I used pyinstxtractor to extract the binary.
After running, it creates a folder named [the sample filename]_extracted, and the pyinstxtractor output shows which version of Python the sample uses and which file (.pyc) is probably the main program. In this case, we have a main.pyc.
Next, let's try to recover the .pyc file to Python code with pycdc. Because pycdc is installed on my Linux machine, I archived the whole extracted folder and moved it there.
In the above picture, you might notice that some of the decompiled code is incomplete because some opcodes are unsupported; this usually happens with newer Python 3 versions. Although we can't see the complete code, there is a key point in the last line. Go back to the extracted folder and check whether there is a TelegramRAT.zip.
That's interesting: we can see a main.zip and a TelegramRAT.exe inside. When I try to unzip it, it is password protected, and our decompilation is incomplete. So let's look for something in main.pyc with a hex editor.
That string was the password, and TelegramRAT.exe could be unzipped successfully.
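The hex-editor search above can be done programmatically. This added example (not part of the original write-up) skips the .pyc header, unmarshals the code object, walks every nested code object for string constants, and tries the compact ones as zip passwords; `build_demo_pyc` is a constructed stand-in for main.pyc with a made-up password, and the function names are my own. It has the same constraint as pycdc: the analysis interpreter must match the sample's Python version, because the marshal format is version-specific.

```python
import importlib.util, io, marshal, struct, types, zipfile, zlib

PYC_HEADER_LEN = 16  # Python 3.7+: magic(4) + flags(4) + mtime(4) + source size(4)

def code_strings(code, found=None):
    """Collect every str/bytes constant reachable from a code object, nested functions included."""
    found = set() if found is None else found
    for const in code.co_consts:
        if isinstance(const, bytes):
            found.add(const.decode("ascii", "replace"))
        elif isinstance(const, str):
            found.add(const)
        elif isinstance(const, types.CodeType):
            code_strings(const, found)
    return found

def strings_from_pyc(data):
    """Skip the .pyc header and unmarshal the code object. Needs an interpreter matching
    the sample's Python version (marshal is version-specific), the same constraint pycdc has."""
    return code_strings(marshal.loads(data[PYC_HEADER_LEN:]))

def password_candidates(strings, min_len=6, max_len=64):
    """Keep compact tokens; drop docstrings and messages containing whitespace."""
    return sorted(s for s in strings if min_len <= len(s) <= max_len and not any(c.isspace() for c in s))

def try_zip_passwords(zip_bytes, candidates):
    """Return the first candidate that decrypts every member of the zip, else None."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pwd in candidates:
            try:
                for name in zf.namelist():
                    zf.read(name, pwd=pwd.encode())
                return pwd
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue  # wrong password: zipfile's check byte or inflate failed
    return None

def build_demo_pyc():
    """Constructed stand-in for main.pyc (not the real sample): the zip password sits
    in a nested function, marshalled with the running interpreter's magic number."""
    src = ("import zipfile\n"
           "def unpack():\n"
           "    '''extract the payload'''\n"
           "    zipfile.ZipFile('TelegramRAT.zip').extractall(pwd='Pa55-demo-key'.encode())\n")
    code = compile(src, "main.py", "exec")
    return importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(src)) + marshal.dumps(code)
```

On a real extraction, read main.pyc from the `_extracted` folder and the zip from disk, then pass `password_candidates(strings_from_pyc(pyc))` to `try_zip_passwords`.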
TelegramRAT, also called ToxicEye, is a program for remote control of Windows computers via a Telegram bot, written in C#. You can use the dnSpy debugger to analyze .NET malware.
In the config class there are TelegramToken and ChatID, and the default install path is C:\Users\ToxicEye\rat.exe.
Wrapping the malware with PyInstaller and a password-protected zip seems to be an effective evasion technique.