MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87930e435af99eda9ad298493193b5ca78d4c3aeba7747158f2e983e8ee4445f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Nitol

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	87930e435af99eda9ad298493193b5ca78d4c3aeba7747158f2e983e8ee4445f
SHA3-384 hash:	48309e7cb9fc4a9cc22e2c8830514a332b72408ca4a3bf165fc26155549f79f6ca78dc53c124a8c483378125fe02763d
SHA1 hash:	59469daf99f9fbc0b83d9fc1128af4e313f89b1b
MD5 hash:	9ae32ad159d126278d9f7fc94f96adfa
humanhash:	sad-fillet-hot-lamp
File name:	“赌博就像溺水，让你喊不出救命。”专盯年轻女性下手！.cmd
Download:	download sample
Signature	Nitol Create hunting rule
File size:	3'428'352 bytes
First seen:	2021-07-27 20:22:32 UTC
Last seen:	2021-07-27 20:24:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	35c2f642097f5b6e1cfa60f847ecb5f0 (1 x Nitol)
ssdeep	49152:2jH5mJX9IvGtO0j8DlojeoQcXiG7e26q/+M:2jH5mJywKyZLF
Threatray	22 similar samples on MalwareBazaar
TLSH	T11BF57C1BF594C175FDB214F4D82D66F6546E6F60CBBA80E39740FEAD38302E2813661A
dhash icon	15998b0553134d4c (1 x Nitol)
Reporter	ActorExpose
Tags:	exe Nitol

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

“赌博就像溺水，让你喊不出救命。”专盯年轻女性下手！.cmd

Verdict:

No threats detected

Analysis date:

2021-07-27 20:26:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/20e1e444-4dcf-448c-9d66-3f5aca5f5293

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Nitol

Link:

https://www.capesandbox.com/analysis/174512/

Detection(s):

Win.Malware.Deepscan-6824107-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/56773cb8-3ac0-46ee-81cf-57b6116f7d91

Result

Threat name:

Unknown

Detection:

malicious

Classification:

bank.spyw.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/822737

Signature

Checks if browser processes are running

Contains functionality to capture and log keystrokes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to evade analysis by execution special instruction which cause usermode exception

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.Graftor

Status:

Malicious

First seen:

2021-07-26 10:16:00 UTC

AV detection:

10 of 27 (37.04%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q6jq4q227gpnvgwstbetde5vzj4njq5oxj3uofmpf2md5dxeirpq._file

Verdict:

malicious

Nitol

1cebb1153264ff7d706895a8a17411f4f037ee4854756ce90ee0506af73d5fe7

Nitol

1f7ec9ca2d023ebd99e86693932bf90d24efae626bc7510f1751a2b7c4599af1

Nitol

231994c79a1fafe117deeb111a6ba3c026afa18a1e89522b8f81cc2f68dfd10a

Nitol

5e4b70fa595cb17cba9e674ec3fa574d830b43d3a4b6b3417d8c8c243880e93c

Nitol

afa039970dda1afcdacd878f5fd125dd6ed37b80e8d7cbe37ec91871f4ab8eb0

Nitol

c44ad28fc848a4ce9345b127f0bf84909539fb8cfaf14091190a46417107be76

Nitol

c8605992ffb507e5f35424921c2efb8a3234005e559398637fd8104f6f0373c5

Nitol

ce10ba646288c5d971b29dea47dddf38a2ed848ffd9e734c02e17a9cc5fc6055

Nitol

+ 12 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/210727-9gkq9wybye/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Drops file in Program Files directory

Adds Run key to start application

Enumerates connected drives

Unpacked files

SH256 hash:

241f752b8482bd7003eb7da00d918734671b8d7930f4c346d2510cd911ca1928

MD5 hash:

0b1b69ab83e85a8e86e00c4bbc2c4ae2

SHA1 hash:

bac962e9929a4e857d0d84227765c3f888d3d1ce

Detections:

win_younglotus_auto

Link:

https://www.unpac.me/results/fa769b44-b7ca-4e2a-93b5-e240d4fbba79/

SH256 hash:

87930e435af99eda9ad298493193b5ca78d4c3aeba7747158f2e983e8ee4445f

MD5 hash:

9ae32ad159d126278d9f7fc94f96adfa

SHA1 hash:

59469daf99f9fbc0b83d9fc1128af4e313f89b1b

Link:

https://www.unpac.me/results/fa769b44-b7ca-4e2a-93b5-e240d4fbba79/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/87930e435af99eda9ad298493193b5ca78d4c3aeba7747158f2e983e8ee4445f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Backdoor_Nitol_Jun17 Create hunting rule
Author:	Florian Roth
Description:	Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader
Reference:	https://goo.gl/OOB3mH

Rule name:	MALWARE_Win_Nitol Create hunting rule
Author:	ditekSHen
Description:	Detects Nitol backdoor

Rule name:	MAL_Nitol_Malware_Jan19_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nitol Malware
Reference:	https://twitter.com/shotgunner101/status/1084602413691166721

Rule name:	win_younglotus_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.younglotus.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/174512/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample