MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fea51e5f0edc8a339d3c82ad87f4b9a1daa3cdc8e8de7f7195ff56ee89f761f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Nitol


Vendor detections: 13



SHA256 hash: 7fea51e5f0edc8a339d3c82ad87f4b9a1daa3cdc8e8de7f7195ff56ee89f761f
SHA3-384 hash: 1473793cb0ea13846de9dfea88c7cb3eb03ed9f48dc74cf0c9fe1638db90c9bfa93f5ec37d34853020394dcaf079914d
SHA1 hash: 262220313c3212127c82aa28bfe538cfcd944b5e
MD5 hash: 67328bd72a33266e40b7d8d8102b7ef2
humanhash: grey-low-fillet-seventeen
File name: LisectAVT_2403002B_307.exe
Signature: Nitol
File size: 134'144 bytes
First seen: 2024-07-25 01:13:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 589c0bdf42dee20f23c52b00531a1653 (1 x Nitol)
ssdeep: 3072:0K7GqnchCdS2swmYTikFyDbp7mFHsGTayqFyqyCKKAdyAl9aYjyDGCH:JCqcoqFkgDbp0MGT7eySfAjaf6
TLSH: T1F0D312FB4F4089BFC9873B360729348B4E964556FDAA652F49E6CE387C388D08C46D40
TrID: 28.6% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      28.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
      17.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      6.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      5.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: Anonymous
Tags: exe Nitol


Anonymous
This malware sample is very nasty!

Intelligence


File Origin
# of uploads: 1
# of downloads: 216
Origin country: CN
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Creating synchronization primitives
Connection attempt
Modifying an executable file
DNS request
Sending a custom TCP request
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Infecting executable files
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: lolbin microsoft_visual_cc packed packed packed shell32 upx
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Bdaejec, GhostRat, Nitol
Detection: malicious
Classification: spre.bank.troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Virus.Jadtre
Status: Malicious
First seen: 2024-07-25 01:14:05 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 36 of 38 (94.74%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: gh0strat
Score: 10/10
Tags: family:gh0strat aspackv2 discovery persistence rat upx
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Gh0st RAT payload
Gh0strat
Malware Config
C2 Extraction: qq442267767.e1.luyouxia.net
Unpacked files
SHA256 hash: cece1d1a6f4b2482e5174abece4b3761e7ca5c1d9bc8eaa34fa45d4811f1019a
MD5 hash: 07343a310df037511d8684a98c3fb635
SHA1 hash: 0eb314eddabef8c91619ac09a0302fec04ee6e2b
Detections: Gh0stRAT_Variant
SHA256 hash: 2b3805f86b5094a6591a739f064bd3e1e2a0f25fc26c643fe4033262630a5487
MD5 hash: cc0d74de0e770823c45ec9b82a73a0b3
SHA1 hash: 288345bd2ba62b42d7349f27948aaf0529541fb0
SHA256 hash: 0177dffa3ea2528dfeb08b9e678bad024e37be730ea52bf059487bd02cee7b41
MD5 hash: 21a4f55b7e729d00a0dfe31636684a47
SHA1 hash: ca58f1f57dfd331e5ad570eb10467f7c06f12e27
Detections: win_unidentified_045_auto win_unidentified_045_g0
SHA256 hash: 7fea51e5f0edc8a339d3c82ad87f4b9a1daa3cdc8e8de7f7195ff56ee89f761f
MD5 hash: 67328bd72a33266e40b7d8d8102b7ef2
SHA1 hash: 262220313c3212127c82aa28bfe538cfcd944b5e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Nitol
Executable exe 7fea51e5f0edc8a339d3c82ad87f4b9a1daa3cdc8e8de7f7195ff56ee89f761f (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high
Reviews
ID | Capabilities | Evidence
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteA
URL_MONIKERS_API | Can Download & Execute components | urlmon.dll::URLDownloadToFileA
WIN_BASE_API | Uses Win Base API | KERNEL32.DLL::LoadLibraryA

Comments