MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e016ae7a6e986c9c57284c8677d455ca29d71c01e9e9bb2c9d99f6b8ef97a2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Nitol


Vendor detections: 11



SHA256 hash: 8e016ae7a6e986c9c57284c8677d455ca29d71c01e9e9bb2c9d99f6b8ef97a2a
SHA3-384 hash: c8c2baabdefbc8b39824582275ae102290942be0bb1db813853939a6695b9741923e09c7b280831d8bf95fd5d2d1aaac
SHA1 hash: 85fe30dda2bffc4cee09112039a62aa213c45ea7
MD5 hash: f8679f43fd59185c80ed2a33c578bfdc
humanhash: alanine-wisconsin-coffee-seventeen
File name: Server.zp.exe
Signature: Nitol
File size: 651'264 bytes
First seen: 2022-08-18 13:51:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 55edea4682d9a85fd0ebd7309f56b3de (1 x Nitol)
ssdeep: 12288:qQ9ge7xEIov+RLhJXCdCg22r/HoFN6WtljaElIaY:qk7GI0+R95Cgg5/HoFN6WtljaEyaY
Threatray: 309 similar samples on MalwareBazaar
TLSH: T16ED46CDB7F375A08D694653235699B4B17613EBE0A3101D931F9BE060ABBDD02D3AC0D
TrID:
  28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  25.6% (.EXE) Win32 Executable (generic) (4505/5/1)
  11.5% (.EXE) OS/2 Executable (generic) (2029/13)
  11.4% (.EXE) Clipper DOS Executable (2018/12)
  11.3% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 00a2be9082828200 (4 x Nitol)
Reporter: r3dbU7z
Tags: exe Nitol

Intelligence


File Origin
# of uploads: 1
# of downloads: 333
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Server.zp.exe
Verdict: Malicious activity
Analysis date: 2022-08-18 13:52:54 UTC
Tags: trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Creating synchronization primitives
  Sending a custom TCP request

Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: GhostRat, Nitol
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature:
  Antivirus / Scanner detection for submitted sample
  Antivirus detection for URL or domain
  Checks if browser processes are running
  Contains functionality to capture and log keystrokes
  Detected unpacking (changes PE section rights)
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for domain / URL
  Multi AV Scanner detection for submitted file
  Yara detected GhostRat
  Yara detected Nitol
Threat name: Win32.Backdoor.Zegost
Status: Malicious
First seen: 2022-08-18 13:52:09 UTC
File Type: PE (Exe)
Extracted files: 16
AV detection: 24 of 26 (92.31%)
Threat level: 5/5

Result
Malware family: chinese_generic_botnet
Score: 10/10
Tags: family:chinese_generic_botnet botnet
Behaviour:
  Checks processor information in registry
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of SetWindowsHookEx
  Enumerates physical storage devices
  Enumerates connected drives
  Chinese Botnet payload
  Generic Chinese Botnet

Unpacked files
  SHA256 hash: c8fde48134f811c48c4da21779b0d697c2ee492b45242160039da62b33f5129b
  MD5 hash: e4512ebe7aa8ebaa8cd91210c20b09f9
  SHA1 hash: ced56f5fcec88ec75237e29854b8ee3fa67af849

  SHA256 hash: aadb6551b3866c4eea05960d813a232e07389fa4c6a36e1a38639c03107a4b1c
  MD5 hash: 1d3d3598b55d0692a04d24832d001617
  SHA1 hash: 64f9d950e046267d9494b1ff2d87ba46d413fd0a

  SHA256 hash: cdd6359957c7420a2b282c44e229f03260b70fef222bb8679e0b6b2715c0b8a5
  MD5 hash: 319b509e33ae6df2dc8c7147bdd87c19
  SHA1 hash: 20b99231d8dbe0d5ef3489e8ce53c259895a4ec8

  SHA256 hash: 8e016ae7a6e986c9c57284c8677d455ca29d71c01e9e9bb2c9d99f6b8ef97a2a
  MD5 hash: f8679f43fd59185c80ed2a33c578bfdc
  SHA1 hash: 85fe30dda2bffc4cee09112039a62aa213c45ea7

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Backdoor_Nitol_Jun17
Author: Florian Roth
Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader
Reference: https://goo.gl/OOB3mH

Rule name: Backdoor_Nitol_Jun17_RID2E8F
Author: Florian Roth
Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader
Reference: https://goo.gl/OOB3mH

Rule name: MALWARE_Win_Nitol
Author: ditekSHen
Description: Detects Nitol backdoor

Rule name: MAL_Nitol_Malware_Jan19_1
Author: Florian Roth
Description: Detects Nitol Malware
Reference: https://twitter.com/shotgunner101/status/1084602413691166721

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Nitol
File type: Executable exe
SHA256: 8e016ae7a6e986c9c57284c8677d455ca29d71c01e9e9bb2c9d99f6b8ef97a2a (this sample)

Delivery method: Distributed via web download

Comments