This blog post was authored by hasherezade.

NSIS (Nullsoft Scriptable Install System) is a framework dedicated to creating software installers. It allows bundling various elements of an application together (i.e. the main executable, used DLLs, configs), along with a script that controls where they are going to be extracted and in what order they are executed. It is a free and powerful tool that makes distribution of software easier. Unfortunately, its qualities are known not only to legitimate developers but also to malware distributors.

For several years we have been observing malware distributed via NSIS-based crypters. The outer layer, made of a popular and legitimate tool, makes for a perfect cover. The flexibility of the installer allows various ideas for obfuscating the malicious elements to be implemented. We wrote about unpacking them in the past, i.e.

With time their internal structure has evolved, so we decided to revisit them and describe the inside again, using samples from some of the Formbook stealer campaigns.

This analysis is based on the following samples:

Like every NSIS-based installer, this executable is an archive that can be unpacked with the help of 7zip. 15.05) were also able to extract the NSIS script. Unfortunately, in the newer releases script extraction is no longer supported.

Once we unpack the file, we can see several elements, as well as directories typical for NSIS:

The System.dll is a DLL typical for any NSIS installer, responsible for executing the commands from the script. It is the first component of the archive to be loaded. What is more interesting are the files in the main directory.
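Before reaching for 7zip, it helps to confirm that a sample really carries an NSIS archive and that the archive is intact. The following is an added triage example, not code from the original post: it locates the NSIS "firstheader" record that the installer stub appends after the PE (layout taken from `fileform.h` in the NSIS sources: flags, the 0xDEADBEEF signature, the "NullsoftInst" marker, then the header and total data lengths), decodes its flags, and rejects candidates whose declared lengths do not fit in the file. The sample input is constructed for the demo; the hypothetical `_build_sample()` helper stands in for a real installer.

```python
import struct

# NSIS firstheader (Source/exehead/fileform.h in the NSIS sources):
#   int flags; int siginfo (0xDEADBEEF); int nsinst[3] ("Null","soft","Inst");
#   int length_of_header; int length_of_all_following_data;
NSIS_MAGIC = b"\xef\xbe\xad\xde" + b"NullsoftInst"
FIRSTHEADER_FMT = "<I4s12sII"  # 28 bytes, little-endian
FIRSTHEADER_SIZE = struct.calcsize(FIRSTHEADER_FMT)
FLAG_NAMES = {1: "uninstall", 2: "silent", 4: "no_crc", 8: "force_crc"}


def find_nsis_firstheader(data: bytes):
    """Return a dict describing the NSIS firstheader in `data`, or None.

    Every occurrence of the magic is tried; a hit is accepted only if its
    declared sizes are consistent with the file, so a stray copy of the
    marker (e.g. a string in the stub) does not count as an archive.
    """
    pos = data.find(NSIS_MAGIC)
    while pos != -1:
        start = pos - 4  # the 'flags' field precedes the magic
        if start >= 0 and start + FIRSTHEADER_SIZE <= len(data):
            flags, _, _, hdr_len, total_len = struct.unpack_from(FIRSTHEADER_FMT, data, start)
            # total_len is the size of the whole embedded archive counted from the
            # firstheader; it must contain the header and must not run past EOF.
            if hdr_len <= total_len and start + total_len <= len(data):
                return {
                    "offset": start,
                    "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
                    "length_of_header": hdr_len,
                    "length_of_all_following_data": total_len,
                }
        pos = data.find(NSIS_MAGIC, pos + 1)
    return None


def _build_sample() -> bytes:
    """Constructed input (hypothetical, not a real sample): a fake PE stub that
    contains a decoy marker with an impossible size, padded to 512 bytes, then a
    genuine-looking firstheader (flags=no_crc) followed by 64 bytes of payload."""
    decoy = struct.pack(FIRSTHEADER_FMT, 0, b"\xef\xbe\xad\xde", b"NullsoftInst", 16, 0x7FFFFFFF)
    stub = (b"MZ" + b"\x90" * 100 + decoy).ljust(512, b"\x00")
    payload = b"\x00" * 64
    first = struct.pack(FIRSTHEADER_FMT, 4, b"\xef\xbe\xad\xde", b"NullsoftInst",
                        40, FIRSTHEADER_SIZE + len(payload))
    return stub + first + payload


if __name__ == "__main__":
    print(find_nsis_firstheader(_build_sample()))
```

On a real file, read it in binary mode and pass the bytes to `find_nsis_firstheader`; a `None` result means 7zip will have nothing to unpack, while a hit with `no_crc` set is a hint that the installer was built without integrity checking.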