MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64e4c9c434fedb085a6cb79509ba8f40772ac1f62ced2bed1da41c16167a577d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Nitol

Vendor detections: 14



SHA256 hash: 64e4c9c434fedb085a6cb79509ba8f40772ac1f62ced2bed1da41c16167a577d
SHA3-384 hash: 9af0a672e840c38778f9d0c47269b51cab43a6ec4e12f7c32fc07fa3745bb65d1fc07d07a740fd70254a8dbcfc58d323
SHA1 hash: 7f20f8505de4365608ed8da02b34ef11dfbf445b
MD5 hash: 4f12e10d619947731099ede3b8feeaca
humanhash: mountain-item-july-william
File name: 64e4c9c434fedb085a6cb79509ba8f40772ac1f62ced2bed1da41c16167a577d
Signature: Nitol
File size: 49'152 bytes
First seen: 2022-11-05 20:33:29 UTC
Last seen: 2022-11-06 03:32:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: dc5d42e22a726751b4fbc8147791da7f (1 x Nitol)
ssdeep: 768:fGblh20D9cYwvGMELoYwglhNgBMXB40XJyGWU0UBIVTWgP3YJ0vRYLQq4lZpwQGo:fyXavvGpbNlfQ0B/YGWnP3SkMQqijwQ5
Threatray: 48 similar samples on MalwareBazaar
TLSH: T16A23E0522B944EACD082E37044F7EF95AF7EFC70E278DF4D89460C5508A8435FA856A9
TrID: 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      9.1% (.EXE) OS/2 Executable (generic) (2029/13)
      9.0% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: f1f8ece470f0b0b2 (7 x NanoCore, 2 x RemcosRAT, 2 x HawkEye)
Reporter: DesdinovaOsint
Tags: exe Nitol

Intelligence

File Origin
# of uploads: 3
# of downloads: 160
Origin country: PT

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 64e4c9c434fedb085a6cb79509ba8f40772ac1f62ced2bed1da41c16167a577d
Verdict: Suspicious activity
Analysis date: 2022-11-05 20:36:06 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware

Behaviour
Creating a file in the Windows directory
Creating a service
Launching a service
Creating a process from a recently created file
Sending a custom TCP request
Searching for synchronization primitives
Creating synchronization primitives
DNS request
Running batch commands
Creating a process with a hidden window
Enabling autorun for a service
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Tries to detect virtualization through RDTSC time measurements
Threat name: Win32.Trojan.ServStart
Status: Malicious
First seen: 2018-03-30 16:29:50 UTC
File Type: PE (Exe)
Extracted files: 9
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: aspackv2
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Deletes itself
Unexpected DNS network traffic destination
ASPack v2.12-2.42
Executes dropped EXE
Unpacked files
SHA256 hash: ecedbf2976afe744078fa815df9e678f7c2925b72e6407ba673f112c342b0f75
MD5 hash: 53baf2298bc590426a9333dc696b016f
SHA1 hash: 29de9f0c12014bec6ddc1d21cedf3107948ccc40
Detections: win_yoddos_auto win_konni_auto

SHA256 hash: 64e4c9c434fedb085a6cb79509ba8f40772ac1f62ced2bed1da41c16167a577d
MD5 hash: 4f12e10d619947731099ede3b8feeaca
SHA1 hash: 7f20f8505de4365608ed8da02b34ef11dfbf445b
Detections: win_konni_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Backdoor_Nitol_Jun17
Author: Florian Roth
Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader
Reference: https://goo.gl/OOB3mH

Rule name: Backdoor_Nitol_Jun17_RID2E8F
Author: Florian Roth
Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader
Reference: https://goo.gl/OOB3mH

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: win_konni_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.konni.

Rule name: win_yoddos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.yoddos.

File information
The table below shows additional information about this malware sample such as delivery method and external references.