MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79a72a4ecd40dc06db04c402f2c5881af3918bb42236922f5838f820acea64cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Nitol

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	79a72a4ecd40dc06db04c402f2c5881af3918bb42236922f5838f820acea64cf
SHA3-384 hash:	849a460a64aa73703ea3c20eb316fc04da85466df2f90a9d059e2d959a934a5f0021ff58ae3c0f13a2c28c28ee72051c
SHA1 hash:	7bdfc9a2fbf9d9641042b4e73531e6d1a59ba7c6
MD5 hash:	1ddd311d15ec27748af56e1af037e878
humanhash:	victor-romeo-white-golf
File name:	Server.exe
Download:	download sample
Signature	Nitol Create hunting rule
File size:	372'224 bytes
First seen:	2021-02-11 09:19:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c5fbb0f5ebba6cd0b3a0281d9b81784b (1 x Nitol)
ssdeep	6144:KEUu2DSB42meMYUDE1SPpH8IFsheERD/5uaxzLQJwjwuANHlA:KY2DU42UDE1SP5XFshND/5uaxzLQJwjt
Threatray	2 similar samples on MalwareBazaar
TLSH	97840802D7415098E2AEB276CCE63266171C6D159770C9FF338BEDCF293A5E2A53D209
Reporter	r3dbU7z
Tags:	exe Nitol

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Server.exe

Verdict:

No threats detected

Analysis date:

2021-02-11 09:24:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d334abdc-a5bc-422d-b3b3-049a6a988305

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Nitol

Link:

https://www.capesandbox.com/analysis/116744/

Detection(s):

Win.Trojan.Gh0stRAT-7603864-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

GhostRat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/605562

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to capture and log keystrokes

Contains functionality to detect sleep reduction / modifications

Contains functionality to modify windows services which are used for security filtering and protection

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Yara detected GhostRat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/79a72a4ecd40dc06db04c402f2c5881af3918bb42236922f5838f820acea64cf/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-07-10 15:26:57 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pgtsutwnidoanwyeyqbpfrmidlzzdc5uei3jel2yhd4cblhkmthq._file

Verdict:

malicious

Nitol

a848fa16033d9227dc16aae2e3a96b13c8f53f9c898dd316ef541ac86ec22b1d

Nitol

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210211-a2eafjr7me/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

ca7752df2543e64468c443612853b444d16d1433bee0d8b9213d51910ffdbee1

MD5 hash:

3c8b4f6fd52150b33ef1a1a8055ceb56

SHA1 hash:

91047109e525a9f9773c22b0fba6dd39e46d6a36

Detections:

win_rincux_auto

Link:

https://www.unpac.me/results/51868edf-b6e9-42ee-9e7a-af1a9dc9397b/

SH256 hash:

92c452a7bd9f6d6e962885c4277471da5a57db49a97a281d07c7a48b49e8aef6

MD5 hash:

bc7857ec48111aa02c9e4235abdf183c

SHA1 hash:

c8326b3ba3fde00c20fe2a5b8a7825b070123c8c

Detections:

win_rincux_auto

Link:

https://www.unpac.me/results/51868edf-b6e9-42ee-9e7a-af1a9dc9397b/

SH256 hash:

79a72a4ecd40dc06db04c402f2c5881af3918bb42236922f5838f820acea64cf

MD5 hash:

1ddd311d15ec27748af56e1af037e878

SHA1 hash:

7bdfc9a2fbf9d9641042b4e73531e6d1a59ba7c6

Link:

https://www.unpac.me/results/51868edf-b6e9-42ee-9e7a-af1a9dc9397b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.19

Link:

https://yomi.yoroi.company/submissions/79a72a4ecd40dc06db04c402f2c5881af3918bb42236922f5838f820acea64cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Backdoor_Nitol_Jun17 Create hunting rule
Author:	Florian Roth
Description:	Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader
Reference:	https://goo.gl/OOB3mH

Rule name:	GhostDragon_Gh0stRAT Create hunting rule
Author:	Florian Roth
Description:	Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report
Reference:	https://blog.cylance.com/the-ghost-dragon

Rule name:	MALWARE_Win_Nitol Create hunting rule
Author:	ditekSHen
Description:	Detects Nitol backdoor

Rule name:	MAL_Nitol_Malware_Jan19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nitol Malware
Reference:	https://twitter.com/shotgunner101/status/1084602413691166721

Rule name:	win_rincux_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/116744/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample