MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e12d85aa606d45cdbb85982f5ea17d5c0b6f030dbbb30275ec0803f37c188a5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Nitol


Vendor detections: 13



SHA256 hash: e12d85aa606d45cdbb85982f5ea17d5c0b6f030dbbb30275ec0803f37c188a5b
SHA3-384 hash: 4b8e09968dc8ababcaec1b98af0ee728d88ba2b50d023e1d995de3d4c59524b768553846b761e72c0dd4e9523da0967d
SHA1 hash: 66aef8129896c6e6dd36b2e3abadbbce7b4d51d6
MD5 hash: 7b1f03fb9936f72548c7d006eabfc310
humanhash: iowa-grey-beryllium-october
File name: 7b1f03fb9936f72548c7d006eabfc310.exe
Signature: Nitol
File size: 886'784 bytes
First seen: 2023-02-12 19:23:36 UTC
Last seen: 2023-02-12 20:34:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 320ffb3ead7d13ea9d4a4b7814c6523f (3 x Nitol)
ssdeep: 24576:b2c2oVEmdgUwB4qM742kyxzDL/KHYAmCS:ac2osByEby5DL/Dr
Threatray: 17'880 similar samples on MalwareBazaar
TLSH: T1A41512C5DE7811B6E2BB15B0600760CCDAB41DA10E7CD8BB43E60795BAF13B8B576683
TrID: 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 75757575757592b2 (6 x Nitol, 1 x Nloader, 1 x Gh0stRAT)
Reporter: abuse_ch
Tags: exe Nitol

Intelligence


File Origin
# of uploads: 2
# of downloads: 206
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7b1f03fb9936f72548c7d006eabfc310.exe
Verdict: Malicious activity
Analysis date: 2023-02-12 19:30:06 UTC
Tags: loader trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Running batch commands
Searching for the window
Creating a window
Creating a file
Sending a custom TCP request
Creating synchronization primitives
Creating a process from a recently created file
Searching for synchronization primitives
Enabling the 'hidden' option for recently created files
Moving a recently created file
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Modifying an executable file
DNS request
Sending an HTTP GET request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Infecting executable files
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed sality shell32.dll virus zusy
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: GhostRat, Nitol
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Checks if browser processes are running
Contains functionality to capture and log keystrokes
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to detect virtualization through RDTSC time measurements
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph (ID 805531, sample D77wDrFT4o.exe, start date 12/02/2023, architecture WINDOWS, score 100):
Root signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
Process tree: three instances of D77wDrFT4o.exe are started; each starts cmd.exe, which in turn starts conhost.exe
Network contacts from the first D77wDrFT4o.exe instance: 121.4.98.100 port 10086 (ONQ-AS-APOnQAU, China); 106.52.15.123 port 80 (CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa, China); 47.93.60.63 port 8000 (CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd, China)
Signatures on the first instance: Detected unpacking (changes PE section rights); Checks if browser processes are running; Contains functionality to capture and log keystrokes; Tries to detect virtualization through RDTSC time measurements
Signature on the second instance: Hides threads from debuggers
Threat name: Win32.Backdoor.Farfli
Status: Malicious
First seen: 2023-02-11 12:56:50 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 20 of 26 (76.92%)
Threat level: 5/5

Result
Malware family: chinese_generic_botnet
Score: 10/10
Tags: family:chinese_generic_botnet botnet persistence
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Chinese Botnet payload
Generic Chinese Botnet
Unpacked files
SHA256 hash: 80c844d068746c802f4bb98e212450e3dddbb16d5d91350563b57507eb5d6cb5
MD5 hash: 987277355f1294a69197e15a66568934
SHA1 hash: 9aa32c9923f98fa6756c91f0857c73d5c4c1d06b

SHA256 hash: e12d85aa606d45cdbb85982f5ea17d5c0b6f030dbbb30275ec0803f37c188a5b
MD5 hash: 7b1f03fb9936f72548c7d006eabfc310
SHA1 hash: 66aef8129896c6e6dd36b2e3abadbbce7b4d51d6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Backdoor_Nitol_Jun17
Author: Florian Roth (Nextron Systems)
Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader
Reference: https://goo.gl/OOB3mH

Rule name: Backdoor_Nitol_Jun17_RID2E8F
Author: Florian Roth
Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader
Reference: https://goo.gl/OOB3mH

Rule name: MALWARE_Win_Nitol
Author: ditekSHen
Description: Detects Nitol backdoor

Rule name: MAL_Nitol_Malware_Jan19_1
Author: Florian Roth (Nextron Systems)
Description: Detects Nitol Malware
Reference: https://twitter.com/shotgunner101/status/1084602413691166721

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: Windows_Trojan_Gh0st_ee6de6bc
Author: Elastic Security
Description: Identifies a variant of Gh0st Rat

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Nitol
File: Executable exe e12d85aa606d45cdbb85982f5ea17d5c0b6f030dbbb30275ec0803f37c188a5b (this sample)

Comments