MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb10d1876255ac5c7beb971b9c3f748976eef78067690392f36e698939331ac1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Nitol


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb10d1876255ac5c7beb971b9c3f748976eef78067690392f36e698939331ac1
SHA3-384 hash: e2e8afa9ee5839f96f98effaf8f9ef4b426ea80f52a3ae849c472140afbe6d2e9e9a431bc9c420bd47f74d375400de0c
SHA1 hash: f32dd3e711e5fc24c3e525ab835c83588cbc1558
MD5 hash: 53460de37325b4979177f832ae51f9de
humanhash: edward-fanta-kentucky-paris
File name:53460de37325b4979177f832ae51f9de.exe
Download: download sample
Signature Nitol
Create hunting rule
File size:901'632 bytes
First seen:2022-10-10 07:24:28 UTC
Last seen:2022-10-10 08:21:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 320ffb3ead7d13ea9d4a4b7814c6523f (3 x Nitol)
ssdeep 24576:7stUx5NK+HjoSIIJ2thqogNSNOKt5apf7xesN7:gtIS+dJgRkSNO0Qpow
Threatray 15'323 similar samples on MalwareBazaar
TLSH T1E21502C1ED79127AE0B70970641796CDEAF148F21E3CC4BA03F607D9BA722796576283
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 75757575757592b2 (6 x Nitol, 1 x Nloader, 1 x Gh0stRAT)
Reporter abuse_ch
Tags:exe Nitol

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318223/
Detection(s):
SecuriteInfo.com.BackDoor.Siggen2.3334.17340.18460.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Searching for the window
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/6343c8d01ddf36bcc3f43098/reports/3774b355-1217-45ba-9809-6b0cb59781b9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8166fde4-adf7-459e-9a99-cf30c4bdd383
Result
Threat name:
GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1086729
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Checks if browser processes are running
Contains functionality to capture and log keystrokes
Detected unpacking (changes PE section rights)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Uses known network protocols on non-standard ports
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 719286 Sample: qtnz4M2BZx.exe Startdate: 10/10/2022 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic 2->33 35 Multi AV Scanner detection for domain / URL 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 8 other signatures 2->39 7 qtnz4M2BZx.exe 3 13 2->7         started        11 qtnz4M2BZx.exe 13 2->11         started        13 qtnz4M2BZx.exe 13 2->13         started        process3 dnsIp4 27 121.4.98.100, 10086, 49712 ONQ-AS-APOnQAU China 7->27 29 106.52.15.123, 49711, 49718, 49721 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa China 7->29 31 47.93.60.63, 49710, 49716, 49720 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 7->31 41 Detected unpacking (changes PE section rights) 7->41 43 Found stalling execution ending in API Sleep call 7->43 45 Checks if browser processes are running 7->45 49 2 other signatures 7->49 15 cmd.exe 2 7->15         started        47 Hides threads from debuggers 11->47 17 cmd.exe 2 11->17         started        19 cmd.exe 2 13->19         started        signatures5 process6 process7 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb10d1876255ac5c7beb971b9c3f748976eef78067690392f36e698939331ac1/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 04:24:34 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xmindb3ckwwfy67ls4nzyp3urf3o554am5uqhextnzuysojtdlaq._file
Verdict:
malicious
Similar samples:
06b2f4503ff44aeb98aefb8f65f5392c7b90f1ca8dc618a249b866914590a40f
Nitol
37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402
Nitol
7e0bd7043b674f37a6c086fcd8aa5ddb0ec4ba675e4860e30f88abe3cfe4b879
Nitol
a2c0021ab33c99034a3783dbbf6cf4aa92311bfdfbbf38cea06aee1e0f9f1f86
Nitol
a7e29a0a274f353c1472741fb4db1881989011ae3d76a9904c78ab42ffa2a82d
Nitol
df7cfb28f642a2341b0cf3d5626ec787a7afb0aacd3e6806b7a0caa3a6dd73ee
Nitol
eddbfe52ba633950c388e0303d5a04453f9ba9e3a3cdc60f9a1355707cd209e6
Nitol
ef95c0b829c2aad4eca365fb9b37719b51f5d8ab518a2ccac920ef65852982d1
Nitol
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
Nitol
+ 15'313 additional samples on MalwareBazaar
Result
Malware family:
chinese_generic_botnet
Create hunting rule
Score:
  10/10
Tags:
family:chinese_generic_botnet botnet
Link:
https://tria.ge/reports/221010-h8za3abab6/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Executes dropped EXE
Chinese Botnet payload
Generic Chinese Botnet
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5f200cfd-b4fd-4509-9ac0-d78136741483
Unpacked files
SH256 hash:
984a1a647bfcfdc59ea5a84efea4e35375fe72226aeb05540048912dd3dc9987
MD5 hash:
6531687a306d488c38d3475a73049282
SHA1 hash:
e0bbebf1431dae011f3ec5dfd007bb135f96331e
Link:
https://www.unpac.me/results/c031c565-7bec-4683-89ef-a2491673e1fa/
SH256 hash:
bb10d1876255ac5c7beb971b9c3f748976eef78067690392f36e698939331ac1
MD5 hash:
53460de37325b4979177f832ae51f9de
SHA1 hash:
f32dd3e711e5fc24c3e525ab835c83588cbc1558
Link:
https://www.unpac.me/results/c031c565-7bec-4683-89ef-a2491673e1fa/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bb10d1876255/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb10d1876255ac5c7beb971b9c3f748976eef78067690392f36e698939331ac1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Nitol

Executable exe bb10d1876255ac5c7beb971b9c3f748976eef78067690392f36e698939331ac1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2354969/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/318223/

Comments