Static Unpacking for the Widespread NSIS-based Malicious Packer
May 28, 2024, 1:59 p.m.
Description
This article examines a malicious packer family based on the Nullsoft Scriptable Install System (NSIS) that cybercriminals use to shield various malware from detection. It describes the structure of packed samples and presents an approach for building a tool that automatically unpacks the encrypted payloads, enabling further analysis. The packer is widespread and is used to deliver loaders, stealers, and Remote Access Trojans (RATs), suggesting it is likely a commodity sold on dark web markets. Developing automated unpacking tools facilitates analysis by providing access to the unencrypted versions of the malware.
Date
Published: May 28, 2024, 1:32 p.m.
Created: May 28, 2024, 1:32 p.m.
Modified: May 28, 2024, 1:59 p.m.
Indicators
Attack Patterns
WarzoneRAT - S0670
404 Keylogger
Ave Maria
Remcos
Xloader
Azorult
LokiBot
Agent Tesla
FormBook
T1574.002
T1059.003
T1059.001
T1497
T1573
T1574
T1105
T1083
T1055
T1134
T1204
T1027
T1059