type: technique | created: 2026-05-26 | updated: 2026-05-26 | tags: obfuscation, defense-evasion, pe, python-pyinstaller, mitre-attck

Python-Packed Payload

Malware logic authored in Python, compiled to .pyc/.pyo bytecode, and bundled inside a Windows PE by PyInstaller, py2exe, or cx_Freeze. The outer PE is a stock bootloader that unpacks and runs the bundle; the actual IOCs, C2 logic, and evasion routines live in the compressed overlay and never appear in the outer binary's strings or imports.

Detection / fingerprint

  • strings output contains _MEIPASS, PyInstaller, base_library.zip, Py_Initialize, PyMarshal_ReadObjectFromString
  • Overlay entropy is high (zlib-compressed Python packages)
  • Import table is benign (KERNEL32 + Python DLL imports only)
  • No suspicious APIs in the outer binary despite malicious inner payload
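Added example, not code from this page or from the PyInstaller project: a Python triage script that applies the three fingerprints above to a raw sample buffer. It looks for the marker strings, locates PyInstaller's CArchive cookie (the trailer that pyinstxtractor and pyi-archive_viewer also search for; the cookie layout used here is the PyInstaller 3+ format and is stated as an assumption) to find where the embedded archive starts, and measures that archive's Shannon entropy. The sample it scans is constructed inside the script (a low-entropy stub carrying the marker strings plus a compressed pseudo-random archive), not a real binary; on a real file, read the PE from disk and, if the cookie is missing, take the overlay offset from pefile instead.

```python
import math
import struct
import zlib
from collections import Counter
from random import Random

# Strings the PyInstaller bootloader and the bundled CPython runtime leave in the outer PE.
MARKER_STRINGS = (b"_MEIPASS", b"PyInstaller", b"base_library.zip",
                  b"Py_Initialize", b"PyMarshal_ReadObjectFromString")
# Magic at the start of the CArchive cookie that PyInstaller appends after its archive.
COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout for PyInstaller 3+ (assumption): magic, package length, TOC offset,
# TOC length, Python version, 64-byte Python library name; all big-endian.
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: zlib-compressed archives sit near 8, plain code and text far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_markers(data: bytes) -> list:
    """Return the bootloader/runtime strings present, in the order listed above."""
    return [m for m in MARKER_STRINGS if m in data]


def find_pyinstaller_cookie(data: bytes):
    """Locate the trailing cookie and compute where the embedded archive begins."""
    pos = data.rfind(COOKIE_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE])
    # pkg_len covers the archive body, its TOC and the cookie itself.
    archive_start = pos + COOKIE_SIZE - pkg_len
    return {"archive_start": archive_start, "pkg_len": pkg_len,
            "toc_offset": toc_off, "toc_len": toc_len, "pyver": pyver,
            "pylib": pylib.rstrip(b"\0").decode(errors="replace")}


def triage(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Combine marker strings, cookie presence and overlay entropy into one verdict."""
    markers = find_markers(data)
    cookie = find_pyinstaller_cookie(data)
    overlay = data[cookie["archive_start"]:] if cookie else b""
    overlay_entropy = shannon_entropy(overlay)
    return {
        "markers": markers,
        "cookie": cookie,
        "overlay_entropy": round(overlay_entropy, 2),
        "python_packed": bool(markers) and cookie is not None
        and overlay_entropy >= entropy_threshold,
    }


# Constructed stand-in for the outer bootloader: low-entropy text plus the marker strings.
STUB = (b"This program cannot be run in DOS mode.\r\n" * 40
        + b"KERNEL32.dll\0python311.dll\0_MEIPASS\0Py_Initialize\0"
        + b"PyMarshal_ReadObjectFromString\0base_library.zip\0PyInstaller\0"
        + b"\0" * 512)


def build_sample() -> bytes:
    """Constructed sample (not a real binary): STUB followed by a PyInstaller-style archive."""
    rng = Random(1234)
    body = zlib.compress(bytes(rng.getrandbits(8) for _ in range(8192)))
    toc = b"\x00" * 32  # placeholder TOC bytes, not PyInstaller's real TOC layout
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FORMAT, COOKIE_MAGIC, pkg_len, len(body),
                         len(toc), 311, b"python311.dll")
    return STUB + body + toc + cookie


if __name__ == "__main__":
    print(triage(build_sample()))
```

The 7.0 bits-per-byte threshold is a starting point, not a calibrated cut-off. A positive verdict only confirms that the binary is a Python bundle: legitimate PyInstaller applications produce exactly the same markers, cookie and entropy, so the next step is extraction and inspection of the bundled bytecode, not a malicious verdict.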

Defensive countermeasures

  • Run PyInstaller extraction tools (pyinstxtractor.py, pyi-archive_viewer) on suspect samples before concluding the binary is harmless.
  • Endpoint telemetry: monitor %TEMP%\_MEI* directories (the bootloader's runtime extraction location) for processes spawned from them, whether python.exe or a renamed payload.
  • Sigma: alert on Image paths matching %TEMP%\_MEI*\*.exe with parent cmd.exe or explorer.exe.
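As an added example that is not part of this page or of any Sigma rule it refers to: Python that applies the selection logic above to constructed Sysmon-style process-creation events (JSON lines, EventID 1), flagging an Image under %TEMP%\_MEI*\ that ends in .exe whose parent is cmd.exe or explorer.exe. The field names follow Sysmon's Image/ParentImage convention, %TEMP% is matched by its usual on-disk "\Temp\" suffix so the check works for any user profile, and every sample event is made up.

```python
import json
import re

# An .exe under a PyInstaller runtime directory: ...\Temp\_MEI<anything>\<name>.exe
MEI_IMAGE_RE = re.compile(r"\\Temp\\_MEI[^\\]*\\[^\\]+\.exe$", re.IGNORECASE)
# Parent processes named in the page's Sigma logic.
SUSPICIOUS_PARENTS = {"cmd.exe", "explorer.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, so parent matching is case-insensitive."""
    return path.rsplit("\\", 1)[-1].lower()


def matches_rule(event: dict) -> bool:
    """Sigma-style selection: Image under %TEMP%\\_MEI*\\ AND ParentImage is cmd/explorer."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    return bool(MEI_IMAGE_RE.search(image)) and basename(parent) in SUSPICIOUS_PARENTS


def scan(lines) -> list:
    """Return (ProcessId, Image) for each process-creation event that matches the rule."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the whole scan
        if event.get("EventID") == 1 and matches_rule(event):
            hits.append((event.get("ProcessId"), event["Image"]))
    return hits


# Constructed Sysmon-style events (JSON lines), not real telemetry.
SAMPLE_EVENTS = [
    # Hit: bundle extracted to _MEI dir, launched from explorer.exe
    r'{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\_MEI48122\\updater.exe", "ParentImage": "C:\\Windows\\explorer.exe"}',
    # Miss: ordinary installed application
    r'{"EventID": 1, "ProcessId": 4130, "Image": "C:\\Program Files\\Tool\\tool.exe", "ParentImage": "C:\\Windows\\explorer.exe"}',
    # Miss: _MEI path but parent is neither cmd.exe nor explorer.exe
    r'{"EventID": 1, "ProcessId": 4140, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\_MEI48122\\helper.exe", "ParentImage": "C:\\Program Files\\Tool\\tool.exe"}',
    # Hit: renamed payload launched from cmd.exe
    r'{"EventID": 1, "ProcessId": 4150, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\_MEI77001\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    # Malformed line: must be skipped, not crash the scan
    r'{not json',
    # Miss: matching path but a network event, not process creation
    r'{"EventID": 3, "ProcessId": 4160, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\_MEI77001\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
]


if __name__ == "__main__":
    for pid, image in scan(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={image}")
```

Legitimate PyInstaller-built tools launched from Explorer trip the same selection, so in production this logic needs an allow-list of known bundles (by hash or signer) or a correlation with the _MEI* extraction itself, as the telemetry bullet above describes, before it is used to page anyone.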

Pages where observed

  • /intel/analyses/801fbba19b4d4828191e87e7311480deaf81e84482dab70adf38d61afd01c1fa.html