Malware Analysis: TelegramRAT wrapped by pyinstaller

Sample

MD5: badaf975e204d21d74c521a7de7f5939
SHA-1: 3f5f7c0a1a5bf6bfa516e4c1e4d69d5eb06a08be
SHA-256: f5a4c38e147134bd8c98af89686f7ceeff05440eda7974fef43b66af3f4bff32
VirusTotal information

Analysis

First, open the sample in Detect It Easy to look at its basic information: it shows that the sample was built with PyInstaller, one of the popular tools for packaging Python code into a standalone executable.

DetectItEasy shows the Packer is PyInstaller
pyinstxtractor information
Using pycdc to recover the python code
main.zip contains a TelegramRAT.exe
Find a string that is a possible password in main.pyc
Basic information of TelegramRAT.exe
ToxicEye config information
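The detection step above (Detect It Easy flagging the packer) and the extraction step (pyinstxtractor locating the bundled scripts) both rest on the same PyInstaller trailer: an 8-byte magic followed by a CArchive cookie that points at a table of contents. The script below, an added example that is not part of the article and not pyinstxtractor's code, parses that cookie and TOC from a constructed in-memory sample so the entries (such as a script named main) can be listed during triage; the archive layout it builds is an assumption modelled on PyInstaller's format, not bytes from this sample.

```python
import struct

# PyInstaller CArchive trailer: 8-byte magic + cookie (PyInstaller >= 2.1 layout).
MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIII64s"   # magic, package length, TOC offset, TOC length, python version, pylib name
ENTRY_FMT = "!iIIIBc"       # entry size, data offset, compressed size, uncompressed size, flag, type code


def build_fake_archive(entries):
    """Construct a minimal PyInstaller-style overlay (assumption: data, then TOC, then cookie)."""
    blob, toc = b"", b""
    for name, typecode, data in entries:
        off = len(blob)
        blob += data
        nm = name.encode() + b"\0"
        nm += b"\0" * ((-(18 + len(nm))) % 16)          # pad entry to a 16-byte boundary
        toc += struct.pack(ENTRY_FMT, 18 + len(nm), off, len(data), len(data), 0, typecode) + nm
    pkg_len = len(blob) + len(toc) + struct.calcsize(COOKIE_FMT)  # package length includes the cookie
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(blob), len(toc), 310,
                         b"python310.dll".ljust(64, b"\0"))
    return blob + toc + cookie


def parse_carchive(data):
    """Return Python version, pylib name and TOC entries if `data` ends in a PyInstaller archive."""
    pos = data.rfind(MAGIC)                   # search from the end, as extractors do
    if pos < 0 or pos + struct.calcsize(COOKIE_FMT) > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + struct.calcsize(COOKIE_FMT)])
    base = pos + struct.calcsize(COOKIE_FMT) - pkg_len   # start of the overlay
    if base < 0:
        return None
    # Newer PyInstaller stores e.g. 310 for 3.10, older stored two digits such as 27.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    toc, entries, p = data[base + toc_off:base + toc_off + toc_len], [], 0
    while p + 18 <= len(toc):
        esize, off, csize, usize, flag, typecode = struct.unpack(ENTRY_FMT, toc[p:p + 18])
        if esize < 18:
            break
        name = toc[p + 18:p + esize].rstrip(b"\0").decode(errors="replace")
        # Type 's' entries are the bundled scripts; 'z' is the PYZ module archive.
        entries.append({"name": name, "type": typecode.decode(), "offset": off, "size": usize})
        p += esize
    return {"python": f"{major}.{minor}", "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


if __name__ == "__main__":
    sample = b"MZ" + b"\0" * 62 + build_fake_archive(
        [("main", b"s", b"constructed pyc bytes"), ("PYZ-00.pyz", b"z", b"zzz")])
    print(parse_carchive(sample))
```

On a real file the same parser reveals whether a binary carries a PyInstaller archive and which script entries to pull for decompilation with pycdc.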
