MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b8d7429294fb18f4c40b1ee6d772a180564c8e18942d879aa4e8a189b053a13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Nitol


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b8d7429294fb18f4c40b1ee6d772a180564c8e18942d879aa4e8a189b053a13
SHA3-384 hash: 7111f07f3cc37192e6a8eadb9e2db696a34bec7886abd87e2c8d9e1442389cb79b41a8e45c233911c204661510e9ee9e
SHA1 hash: 9c255187dcef33128c837fbf74afc6bc59dceb2c
MD5 hash: ed36d70c2f95c1f5cc7c59e5172e0b21
humanhash: stairway-lithium-carpet-september
File name:Server.exe
Download: download sample
Signature Nitol
Create hunting rule
File size:116'736 bytes
First seen:2022-09-30 23:53:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e58ab46f2a279ded0846d81bf0fa21f7 (7 x Nitol, 5 x Gh0stRAT, 3 x ZeuS)
ssdeep 3072:/yIpG2/iDbYN5IGGDtb6pddxCrtMrOUKKCKnXJ29AGC:qIposItwPxmMrLKuXJ2GGC
TLSH T11FB312A757492059C5F89C78FE2F4AC938D32E6D9E432C240D5F784B19BC4BD15886CC
TrID 29.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
28.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
17.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter r3dbU7z
Tags:exe Nitol

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315318/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Win.Packed.Zeus-9942823-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed zeus
Link:
https://www.filescan.io/uploads/6337819b0d3d21420cc98bfb/reports/0df095fa-26ea-4083-be9b-326fba57f3ac/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/540b6e11-9a3d-4ec5-8f80-743e7a67e816
Result
Threat name:
GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1081278
Signature
Antivirus / Scanner detection for submitted sample
Checks if browser processes are running
Contains functionality to capture and log keystrokes
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b8d7429294fb18f4c40b1ee6d772a180564c8e18942d879aa4e8a189b053a13/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2022-09-07 13:01:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=logxikjjj6yy6tcawhxg25zkdacwjshbrfbnq6nkj2fbrgyfhijq._file
Verdict:
malicious
Result
Malware family:
gh0strat
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat persistence rat upx
Link:
https://tria.ge/reports/220930-3xvtqafbd5/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
UPX packed file
Gh0st RAT payload
Gh0strat
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bf80586a-44a9-4a24-a01c-1a49627e2b4b
Unpacked files
SH256 hash:
a6a2f2f4ac7d9e20db53e3ee5d525af1acc4a37102166ccce8092f50b111ac27
MD5 hash:
ea8281ceddb60e7f920098b8c82c600b
SHA1 hash:
b6e6316a44d342bff80f4be808c6a8fd64b829b1
Link:
https://www.unpac.me/results/2e15ee64-8722-49dd-8330-7a062bf0b69b/
SH256 hash:
c67ef77da363cfbde44476f7224f8092d1fe1df7f6acf514d8480fc6a8d5ad40
MD5 hash:
05f00d88c3a33f6d37f5170de2351b40
SHA1 hash:
97aca0dfa67e541d7a6a9653935a3aae18cbcc87
Link:
https://www.unpac.me/results/2e15ee64-8722-49dd-8330-7a062bf0b69b/
SH256 hash:
5b8d7429294fb18f4c40b1ee6d772a180564c8e18942d879aa4e8a189b053a13
MD5 hash:
ed36d70c2f95c1f5cc7c59e5172e0b21
SHA1 hash:
9c255187dcef33128c837fbf74afc6bc59dceb2c
Link:
https://www.unpac.me/results/2e15ee64-8722-49dd-8330-7a062bf0b69b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/5b8d7429294fb18f4c40b1ee6d772a180564c8e18942d879aa4e8a189b053a13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Nitol
Create hunting rule
Author:ditekSHen
Description:Detects Nitol backdoor
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Nitol

Executable exe 5b8d7429294fb18f4c40b1ee6d772a180564c8e18942d879aa4e8a189b053a13

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/315318/

Comments