Nsis decompiler
3/12/2024

Sample: e850f3849ea82980cf23844ad3caadf73856b2d5b0c4179847d82ce4016e80ee (Bazaar, VT)
Infection chain: Excel stylesheet -> Office equation -> Shellcode (downloader) -> NSIS installer -> Shellcode (stage 1) -> Shellcode (stage 2) -> Lokibot
Tools used: Malcat, Speakeasy emulator
Difficulty: Easy

The Excel document

The sample we are about to dissect today is an OpenXML Excel document which came as an email attachment. The malicious document is very similar to the one we analyzed in our previous blog post: an encrypted OpenXML Excel document embedding an Equation object exploiting CVE-2018-0798. The same author is most likely behind this document as well; they just updated the bait picture:

Figure 1: Excel sheet baiting the user to deactivate safe mode

We won't go through the exploit shellcode extraction and decryption process again, since the procedure is exactly the same (see here; the shellcode offset is also 0x50). The exploit is again a downloader, fetching its payload from the following URL:

hxxp://103.153.79.104/windows10/csrss.exe

At the time of the analysis, the file is still online. But this time, we don't get a DBatLoader instance, but an NSIS installer instead. So let us fetch the file and have a look at the installer.