Analysis of vzlom_vk (Failed)

Malware obtained from It’s an unknown executable which unpacks itself, fails to run update.exe and prints out some Russian.

File Type: Portable Executable 32
File Info: Microsoft Visual C++ 8

First run

When run, it prints out the following text:

The system cannot find the file update.exe
Вас приветствует программа взлома ВК аккаунтов!
Благодарим за приобретение лицензии нашей программы!
Вы уверенны, что хотите начать? (да/нет):

Using the trusty google translator, that turns into:

You are welcomed by the program for hacking VK accounts!
Thank you for purchasing our software license!
Are you sure you want to start? (yes / no):

This appears to be a tool for hacking VK accounts, which is “the largest social network in Russia and the CIS”. This is also a cracked version, seeing how I definitely don’t own a license.

When I enter y, the following shows up:

Введите id жертвы:

Translated, that means:

Enter victim id:

So, here is a hacking tool for VK accounts and it asks for a victim ID, now who do I not like in Russia… I’ll just put 0.

Now it prints out


which means


Next is a progress bar, which gets up to 25%, followed by a python error:

Traceback (most recent call last):
  File "", line 21, in <module>
FileNotFoundError: [WinError 2] The system cannot find the file specified 'update.exe'
[1548] Failed to execute script vzlom_vk

Later I’ll focus on trying to extract this Python script.


Detect It Easy provides very useful information about how the executable is packed:

Protector: ENIGMA(4.0 build 2020.5.17 10:10:13)[-]
Linker: Microsoft Linker(8.0*)[Console32,console]
Overlay: zlib archive(-)[-]

To dump this, I will quite simply run the malware and use Process Dump, pointing it to the process ID of the child of the malware.

Dumped executable initial analysis

Just from looking at strings, there are multiple things we can infer:

Py_*: Python C API used
inflate 1.2.11 Copyright 1995-2017 Mark Adler: Zlib compression used
Fls*: Fiber Local Storage (FLS) used
Software\Borland\Delphi\RTL: Delphi (Locales) used
RIJNDAEL: AES encryption used
Yarrow has not been reseeded: Yarrow pseudorandom number generator used
EP_*: Enigma Protector keys are validated
9iCCPPhotoshop ICC profile: Photoshop colour profiles are referenced
IEUser MSEDGEWIN10: Dumps are fingerprinted

It’s very likely that most of these details are related to the ENIGMA packer.

Files dynamically written

The unpacked exe extracts resources into C:\Users\IEUser\AppData\Local\Temp\_MEI5562, where there are: python extension modules, library dlls, locale files and tkinter. However, the script is missing.

Near the end of the procmon log, I find the following entry:

vzlom_vk.exe 994 CreateFile C:\Users\IEUser\AppData\Local\Temp\_MEI5562\

However, this file is never written to, so this is not actually the location of the Python script; it is only where the Python process thinks it is, because in reality the script was loaded dynamically through the Python C API.

Python extraction

Based on the Python C API documentation, the following methods used by the binary are of interest for finding the code which is dynamically executed:

All of these imports are referenced at least once in the same function.


         |  |
+------+ |  | +-------+
| Fail <-+  +-+>Import|
+------+      +--+--+-+
                 |  |
        +------+ |  | +------+
        | Fail <-+  +->Import|
        +------+      +-+--+-+
                        |  |
               +------+ |  | +------+
               | Fail <-+  +->Import|
               +------+      +-+--+-+
                               |  |
                      +------+ |  | +------+
                      | Fail <-+  +->Import|
                      +------+      +-+--+-+
                                      |  |
                             +------+ |  | +------+
                             | Fail <-+  +->Import|
                             +------+      +-+--+-+
                                             |  |
                                    +------+ |  | +-------+
                                    | Fail <-+  +-+>Import|
                                    +------+      +--+--+-+
                                                     |  |
                                            +------+ |  |
                                            | Fail <-+  +->.......

This function simply populates all of the python imports.

Here are the xrefs to PyEval_EvalCode:

r  python_executor+160      call ds:PyEval_EvalCode
w  get_python_imports+4DB   mov ds:PyEval_EvalCode, eax
o  .nicuew:013F3420         dd rva PyEval_EvalCode ; Import Address Table

Based on this, we can identify that python_executor is at least partially responsible for invoking Python code.


I spotted the string _MEIPASS2, which after some googling turns out to be an environment variable used by PyInstaller. Therefore, let’s see if this can be extracted using the PyInstaller Extractor:

struct.error: unpack requires a buffer of 4 bytes

It is always worth trying pre-existing tools, even if they often don’t work out.
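A struct.error like the one above usually means the extractor trusted the cookie’s TOC offset and read past the end of the file, which is what a raw memory dump produces when it is not laid out like the on-disk overlay. The following is an added example (my code, not the page’s or PyInstaller’s) that finds the cookie anywhere in a dump and bounds-checks the cookie and TOC before unpacking; the cookie and TOC layouts are PyInstaller’s CArchive format as I know it for versions 2.1 and later, and the one-entry archive is constructed for illustration.

```python
"""Locate a PyInstaller CArchive cookie in a file or memory dump and parse its TOC safely."""
import struct

MAGIC = b"MEI\014\013\012\013\016"     # CArchive cookie magic
COOKIE = struct.Struct("!8siiii64s")   # PyInstaller >= 2.1: magic, pkg_len, toc_off, toc_len, pyver, pylib
ENTRY_HDR = struct.Struct("!iIIIBc")   # TOC entry header: size, pos, csize, usize, cflag, type; name follows


def find_cookie(data):
    """Offset of the last cookie magic in `data`, or -1 (a dump can hold stray copies; take the last)."""
    return data.rfind(MAGIC)


def parse_toc(data):
    """Return {python, lib, entries} for the archive whose cookie is in `data`.
    Every cookie-derived offset is bounds-checked, so a truncated or relocated dump
    raises ValueError with a reason instead of a bare struct.error."""
    pos = find_cookie(data)
    if pos < 0 or pos + COOKIE.size > len(data):
        raise ValueError("no complete PyInstaller cookie in buffer")
    _, pkg_len, toc_off, toc_len, pyver, pylib = COOKIE.unpack_from(data, pos)
    archive_start = pos + COOKIE.size - pkg_len      # pkg_len includes the cookie itself
    toc_start, toc_end = archive_start + toc_off, archive_start + toc_off + toc_len
    if archive_start < 0 or toc_start < archive_start or toc_end > pos:
        raise ValueError(f"TOC {toc_start:#x}..{toc_end:#x} lies outside the archive: bad or partial dump")
    entries, cur = [], toc_start
    while cur < toc_end:
        if cur + ENTRY_HDR.size > toc_end:
            raise ValueError("truncated TOC entry")
        size, off, csize, usize, cflag, kind = ENTRY_HDR.unpack_from(data, cur)
        if size < ENTRY_HDR.size or cur + size > toc_end:
            raise ValueError("corrupt TOC entry size")
        name = data[cur + ENTRY_HDR.size:cur + size].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": kind.decode(), "offset": archive_start + off,
                        "compressed": csize, "uncompressed": usize, "zlib": bool(cflag)})
        cur += size
    maj, mino = divmod(pyver, 100 if pyver >= 100 else 10)   # 307 (newer) or 37 (older) -> (3, 7)
    return {"python": (maj, mino), "lib": pylib.rstrip(b"\0").decode(), "entries": entries}


def build_sample(script=b"vzlom_vk", body=b"# constructed script body\n"):
    """Constructed one-entry archive [body][TOC][cookie] for testing; not taken from the real sample."""
    name = script + b"\0"
    toc = ENTRY_HDR.pack(ENTRY_HDR.size + len(name), 0, len(body), len(body), 0, b"s") + name
    pkg_len = len(body) + len(toc) + COOKIE.size
    cookie = COOKIE.pack(MAGIC, pkg_len, len(body), len(toc), 307, b"python37.dll")
    return body + toc + cookie
```

Run `parse_toc(open("dump.bin", "rb").read())` on a dumped file; an entry of type "s" is a top-level script such as the vzlom_vk entry point, and a ValueError tells you the dump is not a complete overlay rather than crashing mid-unpack.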

PyInstaller files

Let’s take a look again at the files which were dynamically written.

The .pyd files are simply dlls.


I ran strings to try to find where __main__ could possibly be. Debugging didn’t reveal what the script actually is. Python dumpers don’t seem to exist.

Therefore, until I learn more about python reverse engineering through more reverse engineering, this project will be put on hold.