As usual, the Excel document contains a macro which downloads and executes another payload. In this case, the second payload was a VBS file stored at
(One thing to note here is that the attackers blocked IP addresses from countries outside their current target area: for example, the download worked from Germany but did not work from several other European countries.)
The VBS looks pretty simple and has only one job to do, namely to download and store the final payload:
The final payload is quite large (13-14 MB), and after looking at its strings it became clear that it is malware written in Python with lots of different external modules.
When running PyInstaller Extractor, you will see quite a lot of useful information in the log, for example the PyInstaller version used, the Python version used and, most important, the possible entry point.
As also described on the PyInstaller Extractor GitHub page, we can now try to decompile the pyc files. Since tx.pyc is the suggested entry point, we will start with that. Before decompiling the pyc file we need to fix its header, because PyInstaller removed those bytes. In order to do so, we just add the following bytes at the beginning of the file: 42 0d 0d 0a 00 00 00 00 e4 b9 18 5d 00 00 00 00.
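The header repair described above, as an added example that is not part of the original write-up: the 16 bytes quoted on the page are the CPython 3.7 pyc layout (magic number 3394 followed by \r\n, four flag bytes, the source mtime, the source size), so the functions below prepend exactly those bytes to a header-less pyc, parse a header back into its fields for sanity-checking, and (as a generalisation the page does not show) build the matching header for whatever interpreter is running the script. The round-trip demo compiles a constructed module, strips the header the way PyInstaller does, repairs it and inspects the code object statically; it never executes anything from a sample.

```python
import importlib.util
import marshal
import struct
import time

# The 16 header bytes quoted in the write-up: magic 42 0d 0d 0a (CPython 3.7's
# magic number 3394 followed by \r\n), four zero flag bytes, the source mtime
# e4 b9 18 5d (little-endian) and four zero bytes for the source size.
PAGE_HEADER = bytes.fromhex("420d0d0a" "00000000" "e4b9185d" "00000000")
PYC_HEADER_LEN = 16  # CPython 3.7+ layout: magic(4) flags(4) mtime(4) size(4)


def has_pyc_header(data: bytes) -> bool:
    """Heuristic: every CPython magic number carries b'\\r\\n' at offset 2."""
    return len(data) >= PYC_HEADER_LEN and data[2:4] == b"\r\n"


def parse_pyc_header(data: bytes) -> dict:
    """Split a 3.7+ pyc header into its fields so an analyst can check it."""
    if not has_pyc_header(data):
        raise ValueError("no pyc header present (PyInstaller strips it)")
    magic, flags, mtime, size = struct.unpack("<4sIII", data[:PYC_HEADER_LEN])
    return {
        "magic": magic,
        "magic_version": struct.unpack("<H", magic[:2])[0],  # 3394 == CPython 3.7
        "flags": flags,
        "mtime": mtime,
        "source_size": size,
    }


def fix_pyc_header(body: bytes, header: bytes = PAGE_HEADER) -> bytes:
    """Prepend the stripped header; a file that already has one is returned as-is."""
    if len(header) != PYC_HEADER_LEN:
        raise ValueError("header must be exactly 16 bytes")
    if has_pyc_header(body):
        return body
    return header + body


def header_for_running_interpreter(mtime: int = 0, source_size: int = 0) -> bytes:
    """Build the equivalent header for the interpreter running this script.

    The magic must match the Python version the decompiler expects, so this
    generalises the fixed 3.7 bytes from the page (an assumption of this
    example, not something the write-up shows).
    """
    return importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, mtime, source_size)


def roundtrip_demo() -> dict:
    """Strip the header from a constructed module (what PyInstaller does),
    repair it, then inspect the code object statically (no execution)."""
    code = compile("x = 1\ny = x + 41\n", "<constructed>", "exec")
    stripped = marshal.dumps(code)  # roughly what pyinstxtractor hands you
    repaired = fix_pyc_header(stripped, header_for_running_interpreter(int(time.time())))
    loaded = marshal.loads(repaired[PYC_HEADER_LEN:])
    return {
        "names": sorted(loaded.co_names),
        "header_len": len(repaired) - len(stripped),
        "magic_matches": repaired[:4] == importlib.util.MAGIC_NUMBER,
    }


if __name__ == "__main__":
    print(parse_pyc_header(PAGE_HEADER + b"\xe3"))
    print(roundtrip_demo())
```

To repair an extracted file, read it as bytes, pass it through fix_pyc_header with the header for the Python version PyInstaller Extractor reported, and write the result to a new file; parse_pyc_header on the output is a quick way to confirm the magic you prepended is the version the decompiler is going to be asked to handle.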
For decompiling Python bytecode, there are different tools available, like Uncompyle6 or decompyle3. However, none of them in the latest version worked for me, for whatever reason. Maybe it's because I used the latest version, because Uncompyle6 version 2.7 seems to work (thanks @bbaskin for the hint). I ended up using unpyc3 to decompile the pyc file, which gave me beautiful, roughly 12,000 lines of Python code.
I just analyzed a small portion of the sample because, when scrolling through the code, it was quite obvious that this must be a stealer. There are tons of functions searching for credentials for different tools/services; even KeeThief is included.
My interest was in how the data is exfiltrated. After searching around a little bit, I could spot a list containing two dictionaries with SMTP credentials (I renamed the variable for better readability).
Following this list, I could spot the function that sends the emails, which takes the harvested credentials as input. Similar to AgentTesla, this stealer exfiltrates stolen data by sending emails to specific hard-coded accounts.
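Once a decompiled source tree of this size is on disk, finding the exfiltration configuration by scrolling is slow. The triage helper below is an added example, not code from the post or from the sample: it parses decompiled Python with the ast module and reports two things the text above points at, mail-related imports and dictionary literals that carry both a mail host and credential-looking keys. The SAMPLE_SOURCE is a constructed stand-in with placeholder values; the key-name sets are assumptions about how such configs are typically written, not something taken from the sample.

```python
import ast

# Constructed stand-in for a decompiled stealer module (placeholder values,
# not the sample's real accounts): two SMTP account dicts and one unrelated dict.
SAMPLE_SOURCE = '''\
import smtplib
import base64

EXFIL_ACCOUNTS = [
    {"host": "smtp.example.invalid", "port": 587,
     "user": "sender@example.invalid", "password": "PLACEHOLDER"},
    {"host": "mail.example.invalid", "port": 465,
     "user": "backup@example.invalid", "password": "PLACEHOLDER"},
]
SETTINGS = {"retries": 3, "timeout": 30}
'''

# Assumed key names; extend these for the naming style of the sample at hand.
CRED_KEYS = {"user", "username", "login", "password", "pass", "pwd"}
HOST_KEYS = {"host", "server", "smtp", "smtp_server", "smtp_host"}
MAIL_MODULES = {"smtplib", "email", "imaplib"}


def _const(node):
    """Return the literal value of a constant node, else None (also for ** keys)."""
    return node.value if isinstance(node, ast.Constant) else None


def find_mail_imports(tree: ast.AST) -> list:
    """Top-level module names imported anywhere in the tree that belong to MAIL_MODULES."""
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            found.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.add(node.module.split(".")[0])
    return sorted(found & MAIL_MODULES)


def find_credential_dicts(tree: ast.AST) -> list:
    """Dict literals with a string host value and at least one credential-like key.

    Only the host and the key names are reported, never the secret values,
    so the output can go into a ticket without leaking the attacker's accounts.
    """
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Dict):
            continue
        pairs = {}
        for key, value in zip(node.keys, node.values):
            name = _const(key)
            if isinstance(name, str):
                pairs[name.lower()] = _const(value)
        host = next((v for k, v in pairs.items()
                     if k in HOST_KEYS and isinstance(v, str)), None)
        if host and any(k in CRED_KEYS for k in pairs):
            hits.append({"line": node.lineno, "host": host, "keys": sorted(pairs)})
    return hits


def triage(source: str) -> dict:
    """Run both checks over one decompiled source file."""
    tree = ast.parse(source)
    return {
        "mail_imports": find_mail_imports(tree),
        "credential_dicts": find_credential_dicts(tree),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SOURCE))
```

Running triage over each decompiled file gives the line numbers of candidate exfiltration configs and tells you which files import mail modules at all, which narrows the 12,000 lines down to the handful of functions worth reading by hand; the reported hosts are also the first indicators to hand to the mail gateway or proxy team.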
There is currently no official name for the malware and it does not appear to be widespread. James flagged it as Eightaliuim because of some strings inside the sample.
If anyone has more samples or more details about this campaign, please let me know.