Neonprimetime

2018-04-05 My Online Security @dvk01uk Nymaim

Apr 5th, 2018
found by My Online Security @dvk01uk
https://twitter.com/dvk01uk/status/981918736729899009
Fake HSBC “Action needed: Activity confirmation” delivers Nymaim
https://myonlinesecurity.co.uk/fake-hsbc-action-needed-activity-confirmation-delivers-nymaim/

https://www.hybrid-analysis.com/sample/49bdb07f05725b4de83c08c42100a5d9ce505685e5d040821de2cefe66d3fee6?environmentId=100

terminates quickly

----------

----------
interesting api calls
----------
RPCRT4.dll RegOpenKeyExA ( HKEY_LOCAL_MACHINE, "Software\Microsoft\Rpc", 0, KEY_READ, 0x0012f574 )
SspiCli.dll RtlInitUnicodeString ( 0x0012f4d4, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED" )
SspiCli.dll RpcBindingFromStringBindingW ( "ncalrpc:[lsasspirpc]", 0x0012f444 )


PDB: c:\Cold\Property\Best\key\Stood\Wide\SecondEarly.pdb