nikzbi[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

nikzbi.exe
Size

5.2MB
MD5

fb699986ee1185bbea9a8783fedabc13
SHA1

67199f7207914d220e18e1799ae6d89a74908cdd
SHA256

70eb843e2b39bacb0b6622b67a69a8488be7182d98b1fe6d41b5275d55f55176
SHA512

33560481d2060e866f68a56bdfd03f268be71a7246d693454847a60f17d252464237aa4ab4adf710e3944c29a9f432299587cecc1b0231d1ba22f2aa56b7596c
SSDEEP

49152:GCCMjpXs+/8C1pz/GYuj0Q8kF7GLnrNOjMQeZoOL7E17zEnakKrdKIOJpBlSihx0:G5epOmFkFML8BkKrxogwqqBQAmzg

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
nikzbi.exe

Files

nikzbi.exe
.exe windows:6 windows x64 arch:x64

fd4dc58fdf7f3e35e38f5b7095df3943

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

rust_stealer_xss.pdb

Imports

api-ms-win-core-synch-l1-2-0

WaitOnAddress
WakeByAddressAll
WakeByAddressSingle

bcryptprimitives

ProcessPrng

ntdll

RtlNtStatusToDosError
NtDeviceIoControlFile
RtlPcToFileHeader
NtCancelIoFileEx
RtlUnwindEx
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtReadFile
NtWriteFile
NtCreateFile

kernel32

GetFileInformationByHandle
GetStdHandle
GetConsoleMode
MultiByteToWideChar
WriteConsoleW
GetModuleHandleA
CreateWaitableTimerExW
SetWaitableTimer
Sleep
QueryPerformanceFrequency
FormatMessageW
lstrlenW
GetEnvironmentVariableW
GetTempPathW
GetFileInformationByHandleEx
GetFullPathNameW
FlushFileBuffers
GetExitCodeProcess
FindNextFileW
CreateDirectoryW
FindFirstFileW
WaitForSingleObject
GetModuleHandleW
SetFileCompletionNotificationModes
CreateIoCompletionPort
SetHandleInformation
GetEnvironmentStringsW
FreeEnvironmentStringsW
CompareStringOrdinal
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
GetCurrentProcess
DuplicateHandle
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
GetCurrentProcessId
CreateNamedPipeW
CreateThread
ReadFileEx
SleepEx
WriteFileEx
WaitForMultipleObjects
GetOverlappedResult
CreateEventW
CancelIo
ReadFile
ExitProcess
GetProcAddress
GetProcessHeap
GetCurrentDirectoryW
WaitForSingleObjectEx
AddVectoredExceptionHandler
CreateMutexA
ReleaseMutex
WideCharToMultiByte
DeleteFileW
CopyFileExW
PostQueuedCompletionStatus
GetQueuedCompletionStatusEx
UnhandledExceptionFilter
GetLastError
GetFinalPathNameByHandleW
SetLastError
GetSystemInfo
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
SwitchToThread
SetFileInformationByHandle
GetModuleFileNameW
GetSystemTimePreciseAsFileTime
GetTickCount
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
GetSystemTimeAsFileTime
FreeLibrary
SystemTimeToFileTime
GetFileSize
LockFileEx
LocalFree
UnlockFile
HeapDestroy
HeapCompact
LoadLibraryW
DeleteFileA
CreateFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapSize
HeapValidate
UnmapViewOfFile
CreateMutexW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
WriteFile
HeapCreate
AreFileApisANSI
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
GetCurrentThreadId
CreateFileW
InitializeSListHead
HeapReAlloc
FindClose
SetThreadStackGuarantee
CloseHandle
IsDebuggerPresent
HeapAlloc
HeapFree
QueryPerformanceCounter
EncodePointer
RaiseException
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryA
GetCurrentThread
SetFilePointerEx
LoadLibraryExW

oleaut32

SafeArrayUnaccessData
SysFreeString
SysAllocStringLen
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
VariantClear
SafeArrayDestroy

user32

EnumDisplaySettingsExW
GetMonitorInfoW
EnumDisplayMonitors

ws2_32

connect
getsockopt
WSAIoctl
bind
ioctlsocket
select
setsockopt
socket
getsockname
WSAGetLastError
getpeername
accept
getaddrinfo
freeaddrinfo
WSAStartup
WSACleanup
recv
send
WSASend
shutdown
WSASocketW
closesocket
listen

bcrypt

BCryptGenRandom

advapi32

SystemFunction036
CheckTokenMembership
RegOpenKeyExW
AllocateAndInitializeSid
RegCloseKey
RegQueryValueExW
FreeSid

secur32

DecryptMessage
DeleteSecurityContext
FreeCredentialsHandle
AcquireCredentialsHandleA
AcceptSecurityContext
ApplyControlToken
EncryptMessage
FreeContextBuffer
QueryContextAttributesW
InitializeSecurityContextW

crypt32

CertDuplicateCertificateContext
CryptUnprotectData
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertDuplicateCertificateChain
CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CertGetCertificateChain
CertOpenStore
CertDuplicateStore
CertFreeCertificateContext
CertCloseStore

ole32

CoInitializeEx
CoSetProxyBlanket
CoCreateInstance
CoInitializeSecurity

gdi32

SelectObject
DeleteDC
GetDeviceCaps
CreateDCW
CreateCompatibleDC
CreateCompatibleBitmap
DeleteObject
SetStretchBltMode
StretchBlt
GetDIBits
GetObjectW

rstrtmgr

RmRegisterResources
RmGetList
RmStartSession

api-ms-win-crt-math-l1-1-0

log
pow
ceil
exp2f
roundf
__setusermatherr
truncf
_dclass

api-ms-win-crt-string-l1-1-0

strlen
strcmp
wcsncmp
strncmp
strcpy_s
strcspn

api-ms-win-crt-heap-l1-1-0

calloc
_msize
realloc
malloc
_set_new_mode
free

api-ms-win-crt-utility-l1-1-0

qsort
_rotl64

api-ms-win-crt-time-l1-1-0

_localtime64_s

api-ms-win-crt-runtime-l1-1-0

_initialize_narrow_environment
_get_initial_narrow_environment
_set_app_type
_endthreadex
_initterm
_initterm_e
exit
terminate
_exit
_beginthreadex
abort
_initialize_onexit_table
__p___argc
__p___argv
_register_onexit_function
_crt_atexit
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
_configure_narrow_argv
_seh_filter_exe

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__p__commode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 3.7MB - Virtual size: 3.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 82KB - Virtual size: 82KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

fd4dc58fdf7f3e35e38f5b7095df3943

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-core-synch-l1-2-0

bcryptprimitives

ntdll

kernel32

oleaut32

user32

ws2_32

bcrypt

advapi32

secur32

crypt32

ole32

gdi32

rstrtmgr

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 3.7MB - Virtual size: 3.7MB

.rdata Size: 1.4MB - Virtual size: 1.4MB

.data Size: 24KB - Virtual size: 28KB

.pdata Size: 82KB - Virtual size: 82KB

.reloc Size: 32KB - Virtual size: 32KB

.text
Size: 3.7MB - Virtual size: 3.7MB

.rdata
Size: 1.4MB - Virtual size: 1.4MB

.data
Size: 24KB - Virtual size: 28KB

.pdata
Size: 82KB - Virtual size: 82KB

.reloc
Size: 32KB - Virtual size: 32KB