Friday, April 6, 2018

nymaim sample

found by My Online Security @dvk01uk
https://twitter.com/dvk01uk/status/981918736729899009
Fake HSBC “Action needed: Activity confirmation” delivers Nymaim 
https://myonlinesecurity.co.uk/fake-hsbc-action-needed-activity-confirmation-delivers-nymaim/

https://www.hybrid-analysis.com/sample/49bdb07f05725b4de83c08c42100a5d9ce505685e5d040821de2cefe66d3fee6?environmentId=100

The sample terminates quickly.

----------
interesting api calls
----------
RPCRT4.dll RegOpenKeyExA ( HKEY_LOCAL_MACHINE, "Software\Microsoft\Rpc", 0, KEY_READ, 0x0012f574 ) 
SspiCli.dll RtlInitUnicodeString ( 0x0012f4d4, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED" )
SspiCli.dll RpcBindingFromStringBindingW ( "ncalrpc:[lsasspirpc]", 0x0012f444 )


PDB: c:\Cold\Property\Best\key\Stood\Wide\SecondEarly.pdb
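
The PDB path above sits in the PE's CodeView debug record (signature "RSDS", then a 16-byte GUID, a 4-byte age and a NUL-terminated path), so it can be used as a triage indicator. The following is an added example, not code from the original post: it scans a byte buffer for RSDS records and compares the path against the one listed here. The function names, the GUID, the age value and the sample buffer are constructed for illustration.

```python
import struct
import uuid

# PDB path reported for this sample on the page.
KNOWN_PDB = r"c:\Cold\Property\Best\key\Stood\Wide\SecondEarly.pdb"

def extract_pdb_records(data: bytes):
    """Return (guid, age, pdb_path) for each CodeView RSDS record found in data."""
    records = []
    pos = data.find(b"RSDS")
    while pos != -1:
        body = pos + 4                       # GUID starts right after the signature
        end = data.find(b"\x00", body + 20)  # path follows 16-byte GUID + 4-byte age
        # Skip truncated records and implausibly long "paths" (false RSDS hits).
        if end != -1 and 0 < end - (body + 20) <= 260:
            guid = uuid.UUID(bytes_le=data[body:body + 16])
            (age,) = struct.unpack_from("<I", data, body + 16)
            path = data[body + 20:end].decode("utf-8", errors="replace")
            if path.lower().endswith(".pdb"):
                records.append((str(guid), age, path))
        pos = data.find(b"RSDS", pos + 4)
    return records

def matches_known_pdb(data: bytes, known: str = KNOWN_PDB) -> bool:
    """True if any RSDS record in data carries the known PDB path (case-insensitive)."""
    return any(p.lower() == known.lower() for _, _, p in extract_pdb_records(data))

def build_constructed_sample(pdb_path: str) -> bytes:
    """Constructed test buffer: fake header bytes plus one RSDS record (not a real PE)."""
    guid = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")  # constructed value
    record = b"RSDS" + guid.bytes_le + struct.pack("<I", 1) + pdb_path.encode() + b"\x00"
    return b"MZ" + b"\x00" * 62 + record + b"\x00" * 16

if __name__ == "__main__":
    sample = build_constructed_sample(KNOWN_PDB)
    for guid, age, path in extract_pdb_records(sample):
        print(f"guid={guid} age={age} pdb={path}")
    print("matches known PDB path:", matches_known_pdb(sample))
```

A PDB path is set at build time and is easy for an author to change, so treat a match as a lead for further analysis rather than an identification.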
