Malware Analysis and Triage : DeathNote Infostealer

1. Executive Summary

A. Fingerprinting

MD5: 459aad8cc95d9fe2bd1d3199966289f7
SHA256: eb22d542b3b6e69a98801ff7843fa6981b13ca8628a5382cfdc0f713cdb72cba
VirusTotal Report: https://www.virustotal.com/gui/file/eb22d542b3b6e69a98801ff7843fa6981b13ca8628a5382cfdc0f713cdb72cba

B. Classification

Infostealer, used to harvest stored credentials and session objects from the browsers installed on the machine.

C. Behavioral Summary

The malware is a PyInstaller-packed executable with slight obfuscation. When the sample is executed, it extracts the packed Python bytecode and the required libraries into a temporary folder. It then spawns a child process by executing itself again, adds the temporary folder to its DLL search directories, and unpacks and unmarshals the Python bytecode in memory on the fly.
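Triage of a PyInstaller-packed sample like this one starts by confirming the packing and listing what the overlay will drop into the temporary folder before the bytecode is unmarshalled in memory. The following is an added example, not code from the original report: a minimal parser for PyInstaller's CArchive trailer ("cookie") and table of contents, run against a constructed two-entry archive; the entry names, the stub bytes and the Python version used in build_sample are assumptions.

```python
import struct
import zlib

# Layout of PyInstaller's CArchive cookie and TOC entries (big-endian), as used by its own reader.
MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"   # magic, package length, TOC offset, TOC length, pyver, pylib name
TOC_ENTRY_FMT = "!iIIIBB"   # entry length, data offset, compressed len, uncompressed len, compressed?, type
COOKIE_LEN = struct.calcsize(COOKIE_FMT)
TOC_ENTRY_LEN = struct.calcsize(TOC_ENTRY_FMT)

def parse_carchive(data: bytes) -> dict:
    """Locate the trailing cookie and list the embedded entries (what gets dropped to the temp folder)."""
    pos = data.rfind(MAGIC)
    if pos < 0:
        raise ValueError("no PyInstaller CArchive cookie found")
    _, pkg_len, toc_off, toc_len, pyver, _ = struct.unpack(COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    start = pos + COOKIE_LEN - pkg_len          # archive start; TOC offsets are relative to it
    toc = data[start + toc_off:start + toc_off + toc_len]
    entries, i = [], 0
    while i + TOC_ENTRY_LEN <= len(toc):
        ent_len, off, clen, ulen, comp, typ = struct.unpack(TOC_ENTRY_FMT, toc[i:i + TOC_ENTRY_LEN])
        name = toc[i + TOC_ENTRY_LEN:i + ent_len].rstrip(b"\0").decode("utf-8", "replace")
        raw = data[start + off:start + off + clen]
        entries.append({"name": name, "type": chr(typ), "size": ulen,
                        "data": zlib.decompress(raw) if comp else raw})
        i += ent_len
    return {"python": "{}.{}".format(*divmod(pyver, 100)), "entries": entries}

def build_sample() -> bytes:
    """Constructed stand-in for a packed sample: a stub 'PE' followed by a two-entry CArchive overlay."""
    stub = b"MZ" + b"\0" * 62                   # not a real PE, only a carrier for the overlay
    script = zlib.compress(b"print('constructed entry-point script')\n")
    pyz = b"PYZ\0" + b"\0" * 12                 # constructed placeholder for the PYZ module archive
    blobs = [("entrypoint", script, ord("s"), 1), ("PYZ-00.pyz", pyz, ord("z"), 0)]
    body, toc, off = b"", b"", 0
    for name, blob, typ, comp in blobs:
        nm = name.encode() + b"\0"
        ulen = len(zlib.decompress(blob)) if comp else len(blob)
        toc += struct.pack(TOC_ENTRY_FMT, TOC_ENTRY_LEN + len(nm), off, len(blob), ulen, comp, typ) + nm
        body += blob
        off += len(blob)
    pkg_len = len(body) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(body), len(toc), 311, b"python311.dll")
    return stub + body + toc + cookie

if __name__ == "__main__":
    for e in parse_carchive(build_sample())["entries"]:
        print(e["type"], e["name"], e["size"], "bytes")
```

On a real sample the same parser tells you the Python version to match a decompiler against and which entry is the script to decompile.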