MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11540a90f1dc6bad4ec1bfa3433253d0a89da35b1195a8284ac262af99046ccf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Nitol


Vendor detections: 12



SHA256 hash: 11540a90f1dc6bad4ec1bfa3433253d0a89da35b1195a8284ac262af99046ccf
SHA3-384 hash: 4f3fcdf5076153ec8fb9359cecb300a9a3a9d63b8a36a56878dd4ec0f93f0eed94880ba0e2424632cd465bbc2092defa
SHA1 hash: 04feb77d8166599d360df1302e39b3c16ac71b8b
MD5 hash: da64883698fbc3d8c8ab60a7386e8058
humanhash: don-idaho-sixteen-lithium
File name: letspro-5.2.9.zip.exe
Download: download sample
Signature: Nitol
File size: 19'022'305 bytes
First seen: 2025-05-31 20:14:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep 393216:jFREXpzmzGnkfV8tfGWcSWNKQ/kg/bZzvtMA63NiSAa:jFRqhmSkOtfGWcSWJZzlAiK
Threatray 59 similar samples on MalwareBazaar
TLSH T1BB173312B39189B1E9AE12B454A6B362D7B4FC6147A0D2C35FC9B93D1F3D3C09A32635
TrID 27.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
27.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
16.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.7% (.EXE) Win64 Executable (generic) (10522/11/4)
5.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon fadadac2a2b8c4e4 (11 x Nitol, 2 x Amadey, 2 x AgentTesla)
Reporter aachum
Tags: exe jjiiee-com Nitol


iamaachum
https://www.kuaimevpn.com/download/letspro-5.2.9.zip

C2: jjiiee.com

Intelligence


File Origin
# of uploads: 1
# of downloads: 421
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: letspro-5.2.9.zip.exe
Verdict: Malicious activity
Analysis date: 2025-05-31 20:16:29 UTC
Tags: upx lua auto-reg antivm

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: dropper virus shell
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Searching for synchronization primitives
Creating a process from a recently created file
Creating a window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Running batch commands
Unauthorized injection to a system process
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 88 / 100
Signature
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to modify Windows User Account Control (UAC) settings
Creates multiple autostart registry keys
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the DNS server
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample is not signed and drops a device driver
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspect Svchost Activity
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses threadpools to delay analysis
Writes to foreign memory regions
Yara detected Nitol
Behaviour
Behavior Graph: ID 1703076, Sample: letspro-5.2.9.zip.exe, Startdate: 31/05/2025, Architecture: WINDOWS, Score: 88 (the rendered process/network graph is not reproduced here)
Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2025-05-18 18:41:37 UTC
File Type: PE (Exe)
Extracted files: 855
AV detection: 18 of 36 (50.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion discovery execution persistence privilege_escalation spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Gathers network information
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Command and Scripting Interpreter: PowerShell
Indicator Removal: File Deletion
Network Service Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in Drivers directory
Modifies Windows Firewall
UAC bypass
Verdict: Malicious
Tags: Win.Dropper.Gh0stRAT-7696262-0
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: dgaaga
Author: Harshit
Description: Detects suspicious PowerShell or registry activity
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: grakate_stealer_nov_2021
Rule name: INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Author: ditekSHen
Description: Detects executables calling ClearMyTracksByProcess
Rule name: INDICATOR_SUSPICIOUS_References_SecTools
Author: ditekSHen
Description: Detects executables referencing many IR and analysis tools
Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_peb_parsing
Author: Willi Ballenthin
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: pe_detect_tls_callbacks
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: UPXProtectorv10x2
Author: malware-lu
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu
Rule name: upx_largefile
Author: k3nr9
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Nitol

Executable exe 11540a90f1dc6bad4ec1bfa3433253d0a89da35b1195a8284ac262af99046ccf (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high

Reviews

ID | Capabilities | Evidence
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::GetTokenInformation
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExA
WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetDiskFreeSpaceA, KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::MoveFileExA, KERNEL32.dll::GetFileAttributesA, KERNEL32.dll::RemoveDirectoryA, KERNEL32.dll::GetTempPathA
WIN_USER_API | Performs GUI Actions | USER32.dll::PeekMessageA

Comments