While most malware is written in C/C++ or Assembly, there is a growing trend of authors using Python and converting it to standalone executables. Today, we triage Vbucks.exe to see how these "compiled" Python threats operate.
MD5: c8506405462fe678a64ba3d346138cd8
Sample: Download via Hybrid Analysis
Initial Inspection
The sample, Vbucks.exe, masquerades as a "free currency" generator for Fortnite. Clocking in at 9MB, it initially raises eyebrows. In the malware world, large file sizes are often used to:
- Bypass AV: Many scanners ignore files over a specific size (e.g., 50MB+) to save resources.
- Evade Sandboxes: Upload limits on free analysis platforms often block large binaries.
However, 9MB is relatively small for "junk padding." A quick check of the imports shows only 3 DLLs—strikingly low for a file of this size. This tells us the program is likely either packed or a bundled runtime carrying its own dependencies.
Why Python for Malware?
Python is an interpreted language, meaning the target machine usually needs Python installed to run it. Tools like PyInstaller or Py2Exe solve this by bundling the Python interpreter, necessary DLLs, and the script into a single EXE.
This explains our 9MB file size—you aren't just looking at malware; you're looking at an entire Python environment wrapped in a Windows executable "wrapper."
Extraction: Reversing the Bundle
To see the actual code, we must peel back the wrapper. The workflow for triaging these files follows a specific path:
Py2Exe / PyInstaller bundle → python-exe-unpacker → uncompyle6
Running pyinstxtractor.py (the PyInstaller extractor shipped with python-exe-unpacker) on Vbucks.exe dumps the internal files, including several compiled Python files (.pyc). One stands out: token_grabber.pyc.
Decompiling to Source
Using uncompyle6, we can attempt to turn the .pyc back into human-readable Python code. While malware authors sometimes sabotage this process (and decompiler support for the newest Python bytecode versions lags behind), we often get enough to identify the family.
In this case, we've uncovered a variant of AnarchyGrabber. This malware is designed to steal Discord credentials and billing info, then exfiltrate them via a Discord Webhook.
Anti-Analysis Techniques
Despite being written in a high-level language, this sample employs basic anti-analysis. It performs DNS lookups for pastebin.com, api.ipify.org, and discordapp.com.
If these resolve to localhost or loopback (common in isolated malware labs using tools like FakeNet-NG), the malware simply exits to avoid being monitored.
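As an added example (not code from the original post, and not the sample's own code), a small triage helper that scans decompiled sources for the two indicators described above: the resolve-to-loopback exit check and a Discord webhook exfiltration URL. The embedded source is a constructed stand-in for decompiler output, not the real token_grabber.pyc.

```python
import re
from typing import Dict, List

# Constructed stand-in for decompiled output (NOT the real token_grabber.pyc).
SAMPLE_SOURCE = '''
import socket, sys
for host in ("pastebin.com", "api.ipify.org", "discordapp.com"):
    if socket.gethostbyname(host) in ("127.0.0.1", "0.0.0.0"):
        sys.exit(0)
WEBHOOK = "https://discordapp.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"
'''

# Constructed benign control: resolves a host but has no exit check or webhook.
BENIGN_SOURCE = '''
import socket
print(socket.gethostbyname("example.com"))
'''

# Domains the post says the sample resolves before deciding whether to run.
CHECKED_HOSTS = ("pastebin.com", "api.ipify.org", "discordapp.com")
WEBHOOK_RE = re.compile(r"https?://discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
RESOLVE_RE = re.compile(r"gethostbyname(?:_ex)?\(|getaddrinfo\(")
LOOPBACK_RE = re.compile(r"127\.0\.0\.1|0\.0\.0\.0|\blocalhost\b")
EXIT_RE = re.compile(r"\b(?:sys\.)?exit\(|os\._exit\(")


def triage_source(src: str) -> Dict[str, object]:
    """Return indicators found in one decompiled Python source file."""
    # Heuristic: a resolver call, a loopback literal and an exit call in the
    # same file is the "exit if the lab resolves everything locally" pattern.
    loopback_check = bool(RESOLVE_RE.search(src) and LOOPBACK_RE.search(src)
                          and EXIT_RE.search(src))
    return {
        "webhooks": sorted(set(WEBHOOK_RE.findall(src))),
        "resolved_hosts": [h for h in CHECKED_HOSTS if h in src],
        "loopback_exit_check": loopback_check,
    }


def triage_bundle(files: Dict[str, str]) -> List[str]:
    """Name every file (e.g. from a pyinstxtractor dump) that shows an indicator."""
    flagged = []
    for name, src in files.items():
        r = triage_source(src)
        if r["webhooks"] or r["loopback_exit_check"]:
            flagged.append(name)
    return flagged
```

Point triage_bundle at a dict of filename to decompiled text to find which extracted modules carry the exfiltration channel or the sandbox check.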
Conclusion
The era of tiny, 10KB Assembly malware is giving way to 10MB Python bundles. For analysts, this means shifting focus from registers and stacks to extraction scripts and bytecode decompilers. Development speed is now the malware author's greatest asset—and Python is their tool of choice.
Happy Hunting.