MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6e7072f1cafe3fc7ddc0e2dbb1e40b997b3824d606572ead26c33fefb20f153. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Nitro


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6e7072f1cafe3fc7ddc0e2dbb1e40b997b3824d606572ead26c33fefb20f153
SHA3-384 hash: 259f3e1f39310c4f570b937665dac0b53ee81651c9cb71170cf0827612c0ad39d083b921d9205c07070d11f93c3729ff
SHA1 hash: dd1e73f1d4539abf7f70c6cae16d8466093cf99b
MD5 hash: 101b558457868065952e67ed8db39e07
humanhash: stream-thirteen-lamp-artist
File name:101b558457868065952e67ed8db39e07
Download: download sample
Signature Nitro
Create hunting rule
File size:204'288 bytes
First seen:2021-08-12 11:20:41 UTC
Last seen:2021-08-12 11:52:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 3072:FJsyAT6sLPy3bY3ylNpFCJKZMlrREFwazl1V/ILnElcbTytIFuqlyyCfPH6Zxs/5:gyAT/D2Y3y/uSMxR4pbEA2ixpIf
Threatray 1'173 similar samples on MalwareBazaar
TLSH T1A814487E36D58F11D65828B5C2E7A57403E7A987B732D7863F0812DA1E023E8CD9A7C4
Reporter JAMESWT_WT
Tags:exe Nitro NitroRansomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
101b558457868065952e67ed8db39e07
Verdict:
Suspicious activity
Analysis date:
2021-08-12 13:08:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/65266563-d1ec-43e0-8750-64bed64e05d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178649/
Detection(s):
SecuriteInfo.com.Heur.Ransom.MSIL.1.359.8264.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fef90e54-454e-43a5-9840-6c27afea5d51
Result
Threat name:
NitroRansomware
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
63 / 100
Link:
https://www.joesandbox.com/analysis/831916
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Nitro Ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6e7072f1cafe3fc7ddc0e2dbb1e40b997b3824d606572ead26c33fefb20f153/
Threat name:
ByteCode-MSIL.Ransomware.Nitro
Create hunting rule
Status:
Malicious
First seen:
2021-06-06 11:15:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
29 of 46 (63.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3tqoly4v7r7y7o4byw3whsaxgl3hasnmbsxf2wsnqz756za6fjq._file
Verdict:
unknown
Similar samples:
45d8a91be1d071837969fc7801a224b06e918bdc813e7ec14348abf8d0810312
Nitro
4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b
Nitro
596a1c5715dc377f51c2f905f8d80302f1c6e3ea9352da6f1760061b09361d2b
Nitro
71f5bb7d9ace05cfb89e95843499c1c19ca1d6c8b1cd66561d24ceb9ffa94862
Nitro
8506352e60dea0ee05bff79a9408f910850735939399bdf040c40ffdead19d61
Nitro
9165b9f24866c71b77654ac1c7667d93c30bbc29905e9469eb7e48f08104720c
Nitro
972d8fcd3083eb6c81e2dc704d8e0ec1b097e43b7ef5576cf8cccc4e8fc85925
Nitro
9b67caf9dccb8672273f6b0715292e69f323510f09dbfd7dbf3bca8522bcdfe0
Nitro
bc311f3c19e407e05cc082c71c5b5691a3eeb553338906b6d2dce9dc5b8f4be7
Nitro
bc7cbed34a28008fed6c5c7d7fea8658d4abeb1eff5b06e06a917680d5091fcf
Nitro
+ 1'163 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence ransomware
Link:
https://tria.ge/reports/210812-kr6pa6wvhs/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Sets desktop wallpaper using registry
Adds Run key to start application
Drops desktop.ini file(s)
Looks up external IP address via web service
Modifies extensions of user files
Unpacked files
SH256 hash:
b6e7072f1cafe3fc7ddc0e2dbb1e40b997b3824d606572ead26c33fefb20f153
MD5 hash:
101b558457868065952e67ed8db39e07
SHA1 hash:
dd1e73f1d4539abf7f70c6cae16d8466093cf99b
Link:
https://www.unpac.me/results/2c64b5f6-4c7f-425c-b1f9-d868032e5f5e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6e7072f1cafe3fc7ddc0e2dbb1e40b997b3824d606572ead26c33fefb20f153

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/178649/

Comments