I found a Python script that implements a funny anti-analysis trick. The script has a low score on VT (4/59) (SHA256:d716c2edbcdb76c6a6d31b21f154fee7e0f8613617078b69da69c8f4867c9534)[1]. This sample attracted my attention because it uses the tkinter[2] library. This library is used to create graphical user interfaces (GUIs). It provides tools to create windows, dialogs, buttons, labels, text fields, and other interactive elements, allowing developers to build desktop applications with visual interfaces in Python. Most Python scripts are intended to be executed from a command line. That's why I consider this library as a good sign of suspicious behavior (It does not mean that all Python scripts using this library are malicious!)
Fake BSOD Delivered by Malicious Python Script, (Fri, Feb 14th)
This article has been indexed from SANS Internet Storm Center, InfoCON: green