I have been using my YARA rule PE_File_pyinstaller to scan for Python malware for some time now, and came across some interesting samples (after discarding false positives; PyInstaller is of course also used for benign software).
I use pyinstxtractor.py to extract the Python code from the EXE created by PyInstaller.
This creates a folder (sample filename + _extracted):
File implant contains the malicious Python code:
This turns out to be a Remote Access Tool (RAT) that uses Gmail as C
Armed with this information and with the help of Google, I found the code for this sample back on Github.
If you come across a malicious PE file created with PyInstaller, don't use a disassembler like IDA Pro, but extract the Python code.
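To show what the extraction step actually does, here is an added example (not pyinstxtractor.py's code and not the YARA rule above): it locates the cookie PyInstaller appends at the end of the EXE, walks the table of contents, and returns each embedded entry with its decompressed payload, so the entry-point script (type `s`, like the `implant` file above) can be read directly. The archive it parses is a constructed in-memory fixture built by `build_sample_archive`; the Python version value and `python37.dll` name in it are made up.

```python
import struct
import zlib

# Magic that opens the cookie PyInstaller appends at the very end of the archive.
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIII64s"  # magic, package length, TOC offset, TOC length, Python version, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes (PyInstaller 2.1 and later)
ENTRY_FMT = "!IIIIBc"  # entry length, data offset, compressed size, uncompressed size, compressed flag, type
ENTRY_HDR = struct.calcsize(ENTRY_FMT)  # 18 bytes, followed by the NUL-padded entry name


def list_pyinstaller_entries(data: bytes):
    """Return (python_version, entries) for a PyInstaller-packed file, or None if no cookie is found.

    Each entry is a dict with name, type ('s' = entry-point script, 'z' = PYZ, 'b' = binary, ...)
    and the decompressed payload, which is what you inspect instead of disassembling the PE.
    """
    pos = data.rfind(MAGIC)
    if pos == -1 or len(data) < pos + COOKIE_SIZE:
        return None
    _, pkg_len, toc_off, toc_len, pyver, _ = struct.unpack(COOKIE_FMT, data[pos:pos + COOKIE_SIZE])
    # Offsets in the cookie and TOC are relative to the start of the appended package,
    # and the package length counts the cookie itself.
    pkg_start = pos + COOKIE_SIZE - pkg_len
    if pkg_start < 0:
        return None
    toc = data[pkg_start + toc_off:pkg_start + toc_off + toc_len]
    entries, i = [], 0
    while i + ENTRY_HDR <= len(toc):
        entry_len, off, clen, ulen, flag, typ = struct.unpack(ENTRY_FMT, toc[i:i + ENTRY_HDR])
        name = toc[i + ENTRY_HDR:i + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        blob = data[pkg_start + off:pkg_start + off + clen]
        if flag:  # PyInstaller zlib-compresses most entries
            blob = zlib.decompress(blob)
        entries.append({"name": name, "type": typ.decode(), "data": blob})
        i += entry_len
    return pyver, entries


def build_sample_archive(scripts):
    """Constructed fixture: a fake PE prefix plus a PyInstaller-style package (not a real EXE)."""
    body, toc = b"", b""
    for name, code in scripts:
        packed = zlib.compress(code)
        name_b = name.encode("utf-8") + b"\x00"
        toc += struct.pack(ENTRY_FMT, ENTRY_HDR + len(name_b), len(body), len(packed), len(code), 1, b"s") + name_b
        body += packed
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(body), len(toc), 37, b"python37.dll")
    return b"MZ" + b"\x00" * 62 + body + toc + cookie


if __name__ == "__main__":
    sample = build_sample_archive([("implant", b"print('constructed sample script')")])
    pyver, entries = list_pyinstaller_entries(sample)
    for e in entries:
        print(pyver, e["type"], e["name"], len(e["data"]), "bytes")
```

On a real sample, replace the fixture with `open(path, "rb").read()`; entries of type `s` hold the plain scripts, while `z` entries are PYZ archives of compiled modules that need a further unpacking step.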