Analysis of Noblis In-dev Ransomware

Noblis is in-development ransomware built in Python and packed with PyInstaller. You can refer to my previous blog post to learn how to identify and reverse Python-built executables.

We have the following sample:

Hash: 3BEEE8D7F55CD8298FCB009AA6EF6AAE [App.Any]

The sample is UPX packed; after unpacking we get the following sample:

Hash: A886E7FAB4A2F1B1B048C217B4969762

The binary contains many Python reference strings and has a zlib archive appended to it as an overlay. You can use the PyExtractor tool to extract the Python code from the binary. ...
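As an added example (not code from the original post or from the PyExtractor tool), the following Python triage script applies the two-stage check described above: first look for UPX markers, then, on the unpacked file, look for Python reference strings and the PyInstaller archive cookie that closes the appended overlay. The inputs it scans are constructed byte strings, not the Noblis binary; the cookie layout is PyInstaller's 2.1+ format, and the string list is an assumption.

```python
import struct

# PyInstaller writes an 8-byte magic at the start of its archive cookie, which sits
# at the end of the appended overlay: magic, package length, TOC offset, TOC length,
# Python version, Python library name.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8siiii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)

UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")          # UPX section names / header tag
PYTHON_STRINGS = (b"python3", b"_MEIPASS", b"PyInstaller", b"Py_Initialize")  # assumed indicators

def triage(data: bytes) -> dict:
    """Report UPX markers, visible Python strings and a parsed PyInstaller cookie, if any."""
    result = {
        "upx": any(m in data for m in UPX_MARKERS),
        "python_strings": [s.decode() for s in PYTHON_STRINGS if s in data],
        "pyinstaller": None,
    }
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos != -1 and len(data) - pos >= COOKIE_SIZE:
        _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
            COOKIE_FMT, data[pos:pos + COOKIE_SIZE])
        pkg_start = pos + COOKIE_SIZE - pkg_len   # package length includes the cookie
        result["pyinstaller"] = {
            "overlay_offset": pkg_start,
            "package_length": pkg_len,
            "toc_offset": pkg_start + toc_off,
            "toc_length": toc_len,
            "python_version": pyver,
            "python_lib": pylib.rstrip(b"\x00").decode(errors="replace"),
        }
    return result

def build_packed_sample() -> bytes:
    """Constructed stand-in for the UPX-packed stage: markers visible, payload opaque."""
    return b"UPX0" + b"UPX1" + b"\x00" * 16 + b"UPX!" + b"\xff" * 64

def build_unpacked_sample() -> bytes:
    """Constructed stand-in for the unpacked stage: strings plus a PyInstaller overlay."""
    body = b"\x00" * 64 + b"python36.dll\x00_MEIPASS\x00" + b"\x00" * 64
    package_body = b"\x00" * 100   # placeholder for the zlib-compressed entries
    toc = b"\x00" * 32             # placeholder TOC bytes
    total = len(package_body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, total, len(package_body),
                         len(toc), 36, b"python36.dll")
    return body + package_body + toc + cookie

if __name__ == "__main__":
    print(triage(build_packed_sample()))
    print(triage(build_unpacked_sample()))
```

On a real sample the cookie only becomes visible after the UPX layer is removed, which is why the packed stand-in reports no Python strings and no cookie.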

December 13, 2017 · 4 min · 753 words · Melted in Hex