MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4170fa0f47ab88e7ffa5529c9e4048f2a19e955ca16953e7a8b445d1e977a97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Nitol


Vendor detections: 13



SHA256 hash: a4170fa0f47ab88e7ffa5529c9e4048f2a19e955ca16953e7a8b445d1e977a97
SHA3-384 hash: a4629eebd38b04eb4586323e4880dcf7bbef27d5dfe27f0cf22198d45fcb043c7a2c5f1b5c7dafca6f4d9062430ee049
SHA1 hash: 2a47e9a17fb32387930e5e47e8e5df58fb23603a
MD5 hash: 147651e9d91cc64967ef278afa9926cd
humanhash: one-hotel-wisconsin-mirror
File name: letslavpnX64.exe
Download: download sample
Signature: Nitol
File size: 19'022'305 bytes
First seen: 2025-05-21 19:56:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep 393216:jFREXpzmzGnkfV8tfGWcSWNKQ/kg/bZzvtMA63NiSA/:jFRqhmSkOtfGWcSWJZzlAiv
Threatray 52 similar samples on MalwareBazaar
TLSH T120173312B39189B1E9AE12B454A6B362D7B4FC6147A0D2C35FC9B93D1F3D3C09A32635
TrID 27.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
27.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
16.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.7% (.EXE) Win64 Executable (generic) (10522/11/4)
5.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon fadadac2a2b8c4e4 (11 x Nitol, 2 x Amadey, 2 x AgentTesla)
Reporter aachum
Tags: exe Nitol


iamaachum
https://www.renhekangda.com/ => https://www.xunyaosoft.com/letslavpnX64.zip

Intelligence


File Origin
# of uploads: 1
# of downloads: 468
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: letslavpnX64.exe
Verdict: Malicious activity
Analysis date: 2025-05-21 19:59:41 UTC
Tags: upx lua auto-reg websocket antivm

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: shellcode dropper virus
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Searching for synchronization primitives
Creating a process from a recently created file
Creating a window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-vm blackhole fingerprint installer invalid-signature microsoft_visual_cc obfuscated overlay overlay packed packed packed signed xor-pe zero
Result
Threat name:
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 90 / 100
Signature
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to modify Windows User Account Control (UAC) settings
Creates multiple autostart registry keys
Detected potential unwanted application
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the DNS server
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via ARP
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample is not signed and drops a device driver
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspect Svchost Activity
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Nitol
Behaviour
Behavior Graph: [rendered graph not recoverable from the page; caption only] Behavior Graph ID: 1696272, Sample: letslavpnX64.exe, Startdate: 21/05/2025, Architecture: WINDOWS, Score: 90
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-05-21 19:57:27 UTC
File Type: PE (Exe)
Extracted files: 855
AV detection: 17 of 24 (70.83%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion discovery execution persistence privilege_escalation trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Gathers network information
Modifies data under HKEY_USERS
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Command and Scripting Interpreter: PowerShell
Indicator Removal: File Deletion
Network Service Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in Drivers directory
Modifies Windows Firewall
UAC bypass
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants
Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: dgaaga
Author: Harshit
Description: Detects suspicious PowerShell or registry activity
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: grakate_stealer_nov_2021
Rule name: INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Author: ditekSHen
Description: Detects executables calling ClearMyTracksByProcess
Rule name: INDICATOR_SUSPICIOUS_References_SecTools
Author: ditekSHen
Description: Detects executables referencing many IR and analysis tools
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: meth_peb_parsing
Author: Willi Ballenthin
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: pe_detect_tls_callbacks
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: UPXProtectorv10x2
Author: malware-lu
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu
Rule name: upx_largefile
Author: k3nr9
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: win_rat_generic
Author: Reedus0
Description: Rule for detecting generic RAT malware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Nitol
Executable exe a4170fa0f47ab88e7ffa5529c9e4048f2a19e955ca16953e7a8b445d1e977a97 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high

Reviews
ID | Capabilities | Evidence
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::GetTokenInformation
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExA
WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetDiskFreeSpaceA, KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::MoveFileExA, KERNEL32.dll::GetFileAttributesA, KERNEL32.dll::RemoveDirectoryA, KERNEL32.dll::GetTempPathA
WIN_USER_API | Performs GUI Actions | USER32.dll::PeekMessageA

Comments