4ada609d908afd3bb171ab8287cd2ada2cf112c80c9786e10441d68d979caa4c
|
struppigel
|
medium
|
|
Deobfuscate the sample.
How does the domain name generation work?
How does this sample receive and execute code from the attacker?
|
—
|
|
0
|
19 Jun 2026
|
361f20f5843a9d609d42fc17f164eb44ed4f86ae3062e66e978c2c93890f65fd
|
struppigel
|
medium
|
|
LICENSE.txt was run via > %ALLUSERSPROFILE%\Microsoft\AppUpdate\SystemInfo\UsbService86.exe LICENSE.txt
UsbService86.exe has the signer **Python Software Foundation**
Decompile the code, then create a binary refinery pipeline to unpack the next layers.
(CyberChef might be an alternative, but I did not check if it has all necessary algorithms)
|
1
|
|
1
|
23 Jan 2026
|
94237eac80fd2a20880180cab19b94e8760f0d1f06715ff42a6f60aef84f4adf
|
humpty_tony
|
medium
|
|
This post’s goal is to show how you reverse a “boring” stealer by treating the loader chain as the real specimen.
Peel multi-stage Python loaders safely:
- Identify and undo container transforms (reverse bytes + zlib).
- Recognize when crypto code is “almost right” but relies on a modified library (the PyAES GCM mismatch), then swap in a compatible implementation to decrypt without executing.
- Deal with Python marshalled bytecode.
- Reduce obfuscation to primitives (base64 aliasing, rot13, marshal.loads, LZMA/XZ payloads, BlankOBF patterns), so you can turn “giant blob soup” into discrete stages you can write to disk, identify with file, and decompile.
So the analysis goal is basically: build a repeatable methodology for unpacking + staging + version-correct decompilation of Python malware—because that workflow applies to tons of commodity stealers and loaders.
|
1
|
|
1
|
04 Jan 2026
|
3c086e76942fb9fd3d1e4384e9c1228c227c00c78dc29fca512ed95ee919ee5e
|
struppigel
|
medium
|
|
This application consists of almost 3000 files. Find proof that the sample is malicious by finding the malicious code. A weird filename with homoglyphs is not enough, nor is behavioral analysis in a sandbox.
|
1
|
|
0
|
26 Dec 2025
|