Static Unpacking for the Widespread NSIS-based Malicious Packer

May 28, 2024, 1:59 p.m.

Description

This article examines a malicious packer family based on the Nullsoft Scriptable Install System (NSIS) that cybercriminals use to protect various malware from detection. It describes the structure of packed samples and presents an approach for building a tool that automatically unpacks the encrypted payloads, enabling further analysis. The packer is widespread, used to deliver loaders, stealers, and Remote Access Trojans (RATs), suggesting it is likely sold as a commodity on dark web markets. Developing automated unpacking tools facilitates analysis by providing access to the unencrypted malware.

Date

Published: May 28, 2024, 1:32 p.m.
Created: May 28, 2024, 1:32 p.m.
Modified: May 28, 2024, 1:59 p.m.

Indicators


Attack Patterns

WarzoneRAT - S0670

404 Keylogger

Ave Maria

Remcos

Xloader

Azorult

LokiBot

Agent Tesla

FormBook

T1574.002

T1059.003

T1059.001

T1497

T1573

T1574

T1105

T1083

T1055

T1134

T1204

T1027

T1059