MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Nitol


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679
SHA3-384 hash: a1ee7fd7501e7631821d43333db20e0fbc1f7bb80f4774b1d9c304bee5048e129cde907fa0af59ab8d22bbc5c371d082
SHA1 hash: 15764f67963a0e70f2b310510b95021d7e4aa27d
MD5 hash: d156b1ffd7d387927ee88491a26ccae6
humanhash: kansas-kilo-winter-uranus
File name:xzw.exe
Download: download sample
Signature Nitol
Create hunting rule
File size:892'928 bytes
First seen:2022-08-18 13:34:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3a8897c84eb41f36b4bbabcc617408b8 (6 x FatalRAT, 3 x Nitol)
ssdeep 24576:8gC7+maMAjAERQqMHwfVh7OrvgE+FarjUyHWuXki:UihMHwfVhagE3RWuXki
Threatray 14'368 similar samples on MalwareBazaar
TLSH T16F150286CD282137D1B60970682B69DCE5B10DD22BB9C8BB03F573C6BA713F1A139597
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon ece0c4ce968cd8e4 (1 x Nitol)
Reporter r3dbU7z
Tags:exe Nitol

Intelligence

File Origin
# of uploads :
1
# of downloads :
354
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
xzw.exe
Verdict:
Malicious activity
Analysis date:
2022-08-18 13:34:24 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/3dc91fc8-cfd2-4cf6-b7e4-29f0ef15497c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299599/
Detection(s):
SecuriteInfo.com.Trojan.Heur2.2uW@rXZWn2ibC.25902.8516.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/62fe3fd0eb0bf1e2c6e906aa/reports/beb66ff1-c23e-4236-b3e9-28e90356ae00/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/28db82c4-039d-4b44-b0fa-c4f3a0300ac4
Result
Threat name:
GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1053827
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Checks if browser processes are running
Contains functionality to capture and log keystrokes
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2022-08-18 13:35:08 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dbcz5kljxzcjm3fzxxmnmxmt3eo4ey25suxqflxgtvxc5lwcyz4q._file
Verdict:
malicious
Similar samples:
5f9a6c0b4bdd4bf26f9b8907914cbf0e88a3d780275a4e5738bf1f2ef02ce37e
Nitol
7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f
Nitol
8ec16e4c4fd0a80322418ea661e4dd3b427f7369078d85f64069588624752bdc
Nitol
9c7feb98fb5804f1f80dd03db1f84a06b68ea6043d2d34ab53edce82b83827b2
Nitol
9f665e80fd30880ad8a4e5955dcc7159d05d89dbaa691d7e4d162d402952b4e9
Nitol
ac64e343753c2912dedf804bcb0202cf2aee410b77e52dfb6fae9c0ea610ccbc
Nitol
df50e9ae62a46bda93ff03d76b707d574a3803754a782e21e4b9ef547f7ca32e
Nitol
ecf763f4bacb053f371a3c84421af642694013c2a3ed2a451c8269b1ab2d71ca
Nitol
+ 14'358 additional samples on MalwareBazaar
Result
Malware family:
gh0strat
Create hunting rule
Score:
  10/10
Tags:
family:chinese_generic_botnet family:gh0strat botnet persistence rat upx
Link:
https://tria.ge/reports/220818-qt4w1aaba4/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
UPX packed file
Chinese Botnet payload
Generic Chinese Botnet
Gh0st RAT payload
Gh0strat
Unpacked files
SH256 hash:
6e232b5b984dc8a18c6328a1d4f62b6d4283114b01cec3304b86b5307f107492
MD5 hash:
207c700d7856992056cb78a8096ad439
SHA1 hash:
5141eed71856f1a9c5f6cf441343cfc5e491d0a3
Link:
https://www.unpac.me/results/33543926-24ca-4d03-ba36-4d1c6502fdad/
SH256 hash:
18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679
MD5 hash:
d156b1ffd7d387927ee88491a26ccae6
SHA1 hash:
15764f67963a0e70f2b310510b95021d7e4aa27d
Link:
https://www.unpac.me/results/33543926-24ca-4d03-ba36-4d1c6502fdad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Backdoor_Nitol_Jun17
Create hunting rule
Author:Florian Roth
Description:Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader
Reference:https://goo.gl/OOB3mH
Rule name:Backdoor_Nitol_Jun17_RID2E8F
Create hunting rule
Author:Florian Roth
Description:Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader
Reference:https://goo.gl/OOB3mH
Rule name:MALWARE_Win_Nitol
Create hunting rule
Author:ditekSHen
Description:Detects Nitol backdoor
Rule name:MAL_Nitol_Malware_Jan19_1
Create hunting rule
Author:Florian Roth
Description:Detects Nitol Malware
Reference:https://twitter.com/shotgunner101/status/1084602413691166721
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Nitol

Executable exe 18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/299599/

Comments