MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 670cbec5ce5da74626a778fcff3bc15b62fc0608750eaa512c5ac8ba4c5d7a87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Nitol


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 670cbec5ce5da74626a778fcff3bc15b62fc0608750eaa512c5ac8ba4c5d7a87
SHA3-384 hash: 1101d2b40c219932b249569f0e8407e509c2eea8bd70cf46328daa61b4d9caf603877545e904fb3ac9d96add9c69838c
SHA1 hash: 431f7cffb31ea416c41e266b728097641b19cba4
MD5 hash: 0a4542a1f003c4a5ebd4e010adf96fb6
humanhash: illinois-hawaii-bacon-uranus
File name:0a4542a1f003c4a5ebd4e010adf96fb6.dll
Download: download sample
Signature Nitol
Create hunting rule
File size:1'714'176 bytes
First seen:2021-04-12 08:02:46 UTC
Last seen:2021-04-12 08:56:09 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 35e5deef8315e036b994d2511693a429 (1 x Nitol)
ssdeep 49152:5FWI+EBuUpxaTeaKs1hTCxeX5birtOj+msBiuVTUxsk40XuruYO:rIUpcdb3TBX5biZU+7o7zpuC
Threatray 3 similar samples on MalwareBazaar
TLSH C4853385A393501AC5F9A3735F0FC0BA95A35039342CEEDF5E3CAA069739115BD089DB
Reporter abuse_ch
Tags:dll Nitol

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Nitol
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133697/
Detection(s):
SecuriteInfo.com.Variant.Bulz.429311.8686.14522.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.spyw.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/672734
Signature
Checks if browser processes are running
Contains functionality to capture and log keystrokes
Creates an autostart registry key pointing to binary in C:\Windows
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 385316 Sample: GfOxIvX4cu.dll Startdate: 12/04/2021 Architecture: WINDOWS Score: 68 25 Multi AV Scanner detection for submitted file 2->25 7 loaddll32.exe 1 2->7         started        9 rundll32.exe 2->9         started        11 rundll32.exe 2->11         started        process3 process4 13 rundll32.exe 4 7->13         started        17 cmd.exe 1 7->17         started        19 rundll32.exe 7->19         started        dnsIp5 23 27.124.10.236, 17472, 49706, 49711 BCPL-SGBGPNETGlobalASNSG Singapore 13->23 27 System process connects to network (likely due to code injection or exploit) 13->27 29 Checks if browser processes are running 13->29 31 Contains functionality to capture and log keystrokes 13->31 33 Creates an autostart registry key pointing to binary in C:\Windows 13->33 21 rundll32.exe 17->21         started        signatures6 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/670cbec5ce5da74626a778fcff3bc15b62fc0608750eaa512c5ac8ba4c5d7a87/
Threat name:
Win32.Packed.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 08:03:11 UTC
AV detection:
10 of 48 (20.83%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m4gl5roolwtumjvhpd6p6o6blnrpybqiouhkuujmllelutc5pkdq._file
Verdict:
malicious
Similar samples:
68a6ab54f77021a6a44b373a321331d2880d575db5727c803b695936f7b4f3a2
Nitol
7523febf9a1f3c596bb1b81044d5deba4c3869eda1e947e08747d18c97858cca
Nitol
9c58a562338701fa9906ea25c07133a0cf4c64868cb543286dbb1afda263b413
Nitol
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210412-zq6aqtx6vn/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Enumerates connected drives
Blocklisted process makes network request
Unpacked files
SH256 hash:
387eae366caa16374527b3940cd7114e5069ab5b105a368b7c018edb96057c85
MD5 hash:
61ea520fe0745f50e731321107943032
SHA1 hash:
05af1074f22a7d90147bfea6f235c73b4d067a9f
Link:
https://www.unpac.me/results/d2408730-0feb-4583-8107-89e56918d8f4/
SH256 hash:
c53dfb075124caf5eb23d10959a48c3536223e5542b7bb1bd91fbb5d87c3b01c
MD5 hash:
470b92cdd3be9a6967393d3d77afc78c
SHA1 hash:
79e35cf53fdc5c960c6c768dc6a3c77f32264985
Link:
https://www.unpac.me/results/d2408730-0feb-4583-8107-89e56918d8f4/
SH256 hash:
670cbec5ce5da74626a778fcff3bc15b62fc0608750eaa512c5ac8ba4c5d7a87
MD5 hash:
0a4542a1f003c4a5ebd4e010adf96fb6
SHA1 hash:
431f7cffb31ea416c41e266b728097641b19cba4
Link:
https://www.unpac.me/results/d2408730-0feb-4583-8107-89e56918d8f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/670cbec5ce5da74626a778fcff3bc15b62fc0608750eaa512c5ac8ba4c5d7a87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Nitol
Create hunting rule
Author:ditekSHen
Description:Detects Nitol backdoor
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Nitol

DLL dll 670cbec5ce5da74626a778fcff3bc15b62fc0608750eaa512c5ac8ba4c5d7a87

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1106100/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133697/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-14 15:45:33 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [F0001.008] Anti-Behavioral Analysis::UPX
2) [C0026.002] Data Micro-objective::XOR::Encode Data