period@D5DZ5WT2 ~/src/Malware_Scripts/guloader $ apt-cache policy python3-pefile python3-yara
python3-pefile:
Installed: 2021.9.3-1
Candidate: 2021.9.3-1
Version table:
*** 2021.9.3-1 500
500 https://http.kali.org/kali kali-rolling/main amd64 Packages
500 https://http.kali.org/kali kali-rolling/main i386 Packages
100 /var/lib/dpkg/status
python3-yara:
Installed: 4.0.4-1+b1
Candidate: 4.0.4-1+b1
Version table:
*** 4.0.4-1+b1 500
500 https://http.kali.org/kali kali-rolling/main amd64 Packages
100 /var/lib/dpkg/status
$ python3 -V
Python 3.9.2
$ ./unpacker.py New\ Order\ SO0006473\ .exe
Traceback (most recent call last):
File "/home/period/src/Malware_Scripts/guloader/./unpacker.py", line 60, in <module>
data = brute_it(data)
File "/home/period/src/Malware_Scripts/guloader/./unpacker.py", line 37, in brute_it
needle = struct.unpack('<I', '\x81\xec\x00\x02')[0]
TypeError: a bytes-like object is required, not 'str'
For python2 it seemed to work on an older known sample.
Installing collected packages: yara, pefile
Successfully installed pefile-2019.4.18 yara-1.7.7
order ~/malware # python2 -V
Python 2.7.17
order ~/malware # python2 Malware_Scripts/guloader/unpacker.py known.exe
https://drive.google.com/uc?export=download&id=1THD-itP7iOm05w_6SQSb-C3tgd3cLMzO
But on this more recent sample:
# python2 Malware_Scripts/guloader/unpacker.py New\ Order\ SO0006473\ .exe
Traceback (most recent call last):
File "Malware_Scripts/guloader/unpacker.py", line 59, in <module>
data = brute_it(data)
File "Malware_Scripts/guloader/unpacker.py", line 40, in brute_it
key = struct.unpack('<I', key)[0]
struct.error: unpack requires a string argument of length 4
If you cannot download from VT, please reply and I can host it somewhere else for you to fetch for testing purposes, but it appears to be a VB6 exe containing shellcode and behaves closely like GuLoader, if it is not GuLoader outright.
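Both tracebacks above come from the same two pitfalls when `struct.unpack` is used on a sample buffer: under Python 3 a `'\x81\xec\x00\x02'` literal is `str`, not `bytes`, so the needle has to be written as `b'\x81\xec\x00\x02'`; and a 4-byte slice taken near the end of the data (or at an offset the heuristic got wrong) can come back shorter than 4 bytes, which is exactly what the Python 2 `struct.error` about "length 4" means. The following is an added example, not code from the `Malware_Scripts` repository, and it does not reproduce the real `brute_it` logic: the buffer layout (needle, four padding bytes, then a little-endian key) is a constructed, hypothetical layout used only to show how the needle search and the length guard fit together in Python 3.

```python
import struct

# Added example, not the repository's unpacker. The needle bytes are the ones
# from the issue's traceback; written as a bytes literal they unpack fine on
# Python 3 (passing the same characters as a str raises TypeError).
NEEDLE = b'\x81\xec\x00\x02'

# Constructed sample buffer (hypothetical layout, not a real GuLoader sample):
# 8 filler bytes, the needle, 4 padding bytes, a 4-byte key, 1 trailing byte.
SAMPLE = b'\x90' * 8 + NEEDLE + b'\x00' * 4 + b'\xde\xad\xbe\xef' + b'\xcc'


def needle_value():
    """Little-endian u32 view of the needle, as the original script computes it."""
    return struct.unpack('<I', NEEDLE)[0]


def str_literal_fails():
    """Show the Python 3 failure mode from the issue: a str is not a bytes-like object."""
    try:
        struct.unpack('<I', '\x81\xec\x00\x02')
    except TypeError:
        return True
    return False


def read_u32_le(buf, offset):
    """Return the u32 at offset, or None when fewer than 4 bytes remain.

    Slicing never raises, so the length check here is what prevents
    'unpack requires a ... argument of length 4' on a short tail.
    """
    chunk = buf[offset:offset + 4]
    if len(chunk) != 4:
        return None
    return struct.unpack('<I', chunk)[0]


def find_needle_offsets(buf, needle=NEEDLE):
    """All offsets at which the needle occurs in buf (overlaps included)."""
    offsets = []
    pos = buf.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = buf.find(needle, pos + 1)
    return offsets


def brute_it(buf):
    """Return (needle_offset, key) pairs for every hit whose key is fully present.

    Hypothetical layout: the key is assumed to sit 4 bytes after the needle.
    Hits whose key slice is truncated are skipped rather than crashing the run.
    """
    results = []
    for off in find_needle_offsets(buf):
        key = read_u32_le(buf, off + len(NEEDLE) + 4)
        if key is None:
            continue
        results.append((off, key))
    return results


if __name__ == '__main__':
    print('needle as u32: 0x%08x' % needle_value())
    print('str literal raises TypeError on py3:', str_literal_fails())
    print('hits in full sample:', [(o, hex(k)) for o, k in brute_it(SAMPLE)])
    print('hits in truncated sample:', brute_it(SAMPLE[:18]))
```

Running it on the full constructed buffer yields one hit at offset 8 with key `0xefbeadde`; cutting the buffer to 18 bytes leaves only two bytes where the key should be, and `brute_it` returns an empty list instead of raising the `struct.error` seen in the issue.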