MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42525e109fc534ac972d74fcb8c628528ddecc7c124ff1c0a5059139444f4165. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Nitol

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	42525e109fc534ac972d74fcb8c628528ddecc7c124ff1c0a5059139444f4165
SHA3-384 hash:	99d93acdb9970e2d631521ffe2d3e6efeb4bea8b386595bb156578d718690c32a7b84ea8471252afcb2a549236417b1d
SHA1 hash:	e03b6b4d0690d66e323868e1243b32e2af947b0a
MD5 hash:	f85b93364a678d47d4b54675dda1abc3
humanhash:	nineteen-early-mobile-coffee
File name:	mixazed_20210816-155711
Download:	download sample
Signature	Nitol Create hunting rule
File size:	289'792 bytes
First seen:	2021-08-16 17:10:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	894d0e2453b674d7fa4cc3ff89ddc063 (3 x DanaBot, 2 x Smoke Loader, 1 x RedLineStealer)
ssdeep	6144:OKrLgPF8Q6JOI8WCjYd2XGSa/oZrUf0c/mH8M:OqkPaQ6JqVY2aAS1C8
Threatray	4'507 similar samples on MalwareBazaar
TLSH	T1B854E01D799FE875C3963230447387AC46799F10EA5305BB2F482AAE6F30FF1522635A
dhash icon	4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter	benkow_
Tags:	exe Nitol

Intelligence

File Origin

# of uploads :

# of downloads :

169

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

mixazed_20210816-155711

Verdict:

Malicious activity

Analysis date:

2021-08-16 17:12:10 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/ec254b65-99b4-49a8-8897-15bb9f5c1c84

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/179635/

Detection(s):

Win.Dropper.Jaik-9886409-0

Win.Malware.Filerepmalware-9886452-0

Win.Malware.Generic-9886453-0

Win.Malware.Filerepmalware-9886465-0

Win.Malware.Filerepmalware-9886466-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Connection attempt

Sending a custom TCP request

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e9c12b4b-cf01-45ae-9029-e0f39c8bd7e0

Result

Threat name:

Unknown

Detection:

malicious

Classification:

bank.spyw.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/833723

Signature

Antivirus detection for URL or domain

Checks if browser processes are running

Contains functionality to capture and log keystrokes

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/42525e109fc534ac972d74fcb8c628528ddecc7c124ff1c0a5059139444f4165/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2021-08-16 17:11:13 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ijjf4ee7yu2kzfznot6lrrrikkg55td4cjh7dqffawitsrcpifsq._file

Verdict:

malicious

Nitol

4486d008b7f67db604b8ed1bb3a5fae6004a9f6b75777c85fdeb5ecde7e63e73

Nitol

69d7973f1002d543c7e1935b95a4493ec29d0c21d3dc5e50d2f477868a914f70

Nitol

7c78c02656d4340d21600a6cba719d2c7cb2d52c7ec4cb02275a350b0e48bfc5

Nitol

7c988c0dc20f342070bd94e6704ddfd05be4cd5c8bf6a2814b0dfa53a36d78ad

Nitol

92a80b053f4276ced8cdd30ef3e2e38026cb69ae081b24faf5a69a909074bb39

Nitol

ab2a7fbeb63227168b92cbff7e4b11e5bfe4d0f4efac6dd818d2c2b62ad0021b

Nitol

aff635f2d8d4ebb7a65f076f9dc1f61e6b8ed7610d5b99170cc305ac1f4537ff

Nitol

c2a2aaca2d8fd293bcaf00fc35be7c828fd2733be3805bfac24e0d6f4c52c3b9

Nitol

+ 4'497 additional samples on MalwareBazaar

Result

Malware family:

chinese_generic_botnet

Score:

10/10

Tags:

family:chinese_generic_botnet botnet persistence

Link:

https://tria.ge/reports/210816-376x7qe32n/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in System32 directory

Adds Run key to start application

Enumerates connected drives

Executes dropped EXE

Chinese Botnet Payload

Generic Chinese Botnet

Unpacked files

SH256 hash:

bbbd06504c3339ebb1c6b4cf369f6dd00fbe6c6b7cc270e031362308a8b597f8

MD5 hash:

b547e4c8efda7f306c48c7a6baf88c9d

SHA1 hash:

dbe10f2357ddd6675cc2d56fcd3c232be1c69e7c

Detections:

win_younglotus_auto

Link:

https://www.unpac.me/results/b3ea85e3-7175-4fe4-a2fc-d03f918df329/

SH256 hash:

399fb8705fa389291ed06cbf56bcc5296a61dce1a107c7e27c9b171c8247cb52

MD5 hash:

c2aca384d6b6a814d0bec7be5280eece

SHA1 hash:

5d1938608147046fd719e55fd7a972a2caee76e5

Link:

https://www.unpac.me/results/b3ea85e3-7175-4fe4-a2fc-d03f918df329/

SH256 hash:

42525e109fc534ac972d74fcb8c628528ddecc7c124ff1c0a5059139444f4165

MD5 hash:

f85b93364a678d47d4b54675dda1abc3

SHA1 hash:

e03b6b4d0690d66e323868e1243b32e2af947b0a

Link:

https://www.unpac.me/results/b3ea85e3-7175-4fe4-a2fc-d03f918df329/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/42525e109fc534ac972d74fcb8c628528ddecc7c124ff1c0a5059139444f4165

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Backdoor_Nitol_Jun17 Create hunting rule
Author:	Florian Roth
Description:	Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader
Reference:	https://goo.gl/OOB3mH

Rule name:	MALWARE_Win_Nitol Create hunting rule
Author:	ditekSHen
Description:	Detects Nitol backdoor

Rule name:	MAL_Nitol_Malware_Jan19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nitol Malware
Reference:	https://twitter.com/shotgunner101/status/1084602413691166721

Rule name:	win_younglotus_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.younglotus.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

GCleaner

Cape

https://www.capesandbox.com/analysis/179635/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample