Static Unpacking for the Widespread NSIS-based Malicious Packer

May 28, 2024, 1:59 p.m.

Description

This article examines a malicious packer family built on the Nullsoft Scriptable Install System (NSIS) that cybercriminals use to shield various malware from detection. It describes the structure of packed samples and presents an approach for building a tool that automatically unpacks the encrypted payloads so they can be analyzed further. The packer is widespread, delivering loaders, stealers, and Remote Access Trojans (RATs), which suggests it is likely sold as a commodity on dark web markets. Automated unpacking tools simplify analysis by giving access to the unencrypted malware.

Date

  • Created: May 28, 2024, 1:32 p.m.
  • Published: May 28, 2024, 1:32 p.m.
  • Modified: May 28, 2024, 1:59 p.m.

Indicators

Attack Patterns

  • WarzoneRAT - S0670
  • 404 Keylogger
  • Ave Maria
  • Remcos
  • Xloader
  • Azorult
  • LokiBot
  • Agent Tesla
  • FormBook