Hello. For today's analysis I came across this file, which has a low detection rate on VirusTotal and seems to be fresh. Let's get started.
Here is our sample.


DIE (Detect It Easy) identifies the file as a Nullsoft Scriptable Install System (NSIS) installer.
Next, I used 7-Zip to extract the contents of the exe.

With that done, I opened [NSIS].nsi, the installer script 7-Zip reconstructs, in Notepad++.
We have a ton of code. Static analysis of the script confirms that the NSIS file is just a loader for the embedded payload. You can find the script **here**.
Now we go to the $PLUGINSDIR folder.

I extracted app-64.7z

Now we know exactly what we are dealing with: Electron malware. So I opened the resources folder.

We see app.asar. Since 7-Zip does not understand the asar format, I ran a quick command to unpack it.
Inside unpacked_app, I inspected package.json.

From the dependency list alone we can already say that this is an info stealer.
@primno/dpapi : DPAPI (Data Protection API) is Windows' built-in, per-user encryption service. Chromium-based browsers protect the key that encrypts saved passwords and cookies with DPAPI, so anything running as the logged-in user can call CryptUnprotectData and recover it. This Node binding gives the malware that capability from JavaScript.
sqlite3 : Browsers store history, autofill data, cookies and saved logins in SQLite databases (Login Data, Cookies, History and Web Data in a Chromium profile). This package lets the malware query those databases and pull the data out; since the browser keeps them locked while it runs, stealers typically copy the files first.
node-telegram-bot-api, telegraf : These tell us where the stolen data is going. Both are Telegram Bot API clients, so the author is using a Telegram bot as the command-and-control and exfiltration channel. A hardcoded bot token and chat ID in the JavaScript would be the indicators to pull next.
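To make the two steps above concrete (unpacking app.asar and reading package.json for tell-tale dependencies), here is an added example; it is not part of the original analysis and not the malware's code. The usual tool for the unpack step is `npx @electron/asar extract app.asar unpacked_app`; the script below instead parses the asar header itself, following the layout documented by the electron/asar project (two 4-byte size fields, a Pickle-framed JSON header, then the raw file bytes), so it runs offline. The archive and package.json it inspects are constructed here to mirror the dependency set from this post, and the SUSPICIOUS_DEPS list is my own triage heuristic, not a vendor signature.

```python
import json
import struct

# Dependencies this post singles out, with why each matters to a stealer.
# Assumption: this is my own triage heuristic, not a vendor signature.
SUSPICIOUS_DEPS = {
    "@primno/dpapi": "Windows DPAPI binding: decrypts browser master keys",
    "sqlite3": "reads browser SQLite stores (Login Data, Cookies, History)",
    "node-telegram-bot-api": "Telegram bot client: likely exfiltration channel",
    "telegraf": "Telegram bot framework: likely exfiltration channel",
}


def build_asar(files):
    """Serialize {name: bytes} into a flat asar archive (constructed test data).

    Layout, per electron/asar: [uint32 4][uint32 header_pickle_len]
    [uint32 payload_len][uint32 json_len][json][pad to 4][file bytes...].
    """
    header = {"files": {}}
    blob = b""
    for name, content in files.items():
        # asar stores offsets as decimal strings, relative to the data start.
        header["files"][name] = {"size": len(content), "offset": str(len(blob))}
        blob += content
    header_json = json.dumps(header).encode()
    pad = (-len(header_json)) % 4
    payload = struct.pack("<I", len(header_json)) + header_json + b"\0" * pad
    header_pickle = struct.pack("<I", len(payload)) + payload
    size_pickle = struct.pack("<II", 4, len(header_pickle))
    return size_pickle + header_pickle + blob


def read_asar(data):
    """Return (header dict, offset where the file data begins)."""
    size_field, header_pickle_len = struct.unpack_from("<II", data, 0)
    if size_field != 4:
        raise ValueError("not an asar archive: leading size field is not 4")
    json_len = struct.unpack_from("<I", data, 12)[0]
    header = json.loads(data[16:16 + json_len])
    return header, 8 + header_pickle_len


def extract_file(data, path):
    """Return the bytes of one in-archive file given a slash-separated path."""
    header, base = read_asar(data)
    node = header
    for part in path.split("/"):
        node = node["files"][part]          # directories nest under "files"
    if node.get("unpacked"):
        raise ValueError(f"{path} lives in app.asar.unpacked, not in the archive")
    start = base + int(node["offset"])
    return data[start:start + node["size"]]


def triage_package_json(text):
    """Return {dependency: reason} for every suspicious dependency declared."""
    pkg = json.loads(text)
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    return {name: SUSPICIOUS_DEPS[name] for name in deps if name in SUSPICIOUS_DEPS}


def analyze_asar(data):
    """End to end: pull package.json out of an asar blob and triage it."""
    return triage_package_json(extract_file(data, "package.json").decode())


# Constructed sample: a package.json with the dependency set seen in this post
# plus one benign dependency, packed into an in-memory asar.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "sample-app",
    "main": "main.js",
    "dependencies": {
        "@primno/dpapi": "*",
        "sqlite3": "*",
        "node-telegram-bot-api": "*",
        "telegraf": "*",
        "electron-updater": "*",
    },
}).encode()
SAMPLE_ASAR = build_asar({"package.json": SAMPLE_PACKAGE_JSON, "main.js": b"// stub\n"})

if __name__ == "__main__":
    for dep, why in analyze_asar(SAMPLE_ASAR).items():
        print(f"{dep:24} {why}")
```

Point `analyze_asar` at the bytes of a real app.asar and it will walk the same header structure; nested paths such as `dist/package.json` work because directory nodes nest under `files`. Entries marked `unpacked` are stored beside the archive in app.asar.unpacked rather than inside it, which is why the extractor refuses them instead of returning garbage.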
Next, I went here.