shotgunner101

Untitled

Jan 13th, 2019
Virustotal Link:
https://www.virustotal.com/#/file/fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e/details

Sandbox Sessions:
https://app.any.run/tasks/050e2570-c079-4258-8906-e642ec34a790
https://cape.contextis.com/analysis/29783/
https://sandbox.pikker.ee/analysis/884371/summary/
https://www.hybrid-analysis.com/sample/fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e
https://www.joesandbox.com/analysis/103265/0/html
https://app.sndbox.com/sample/1a8c812f-a596-4565-870e-1f3260364bcc/static

Intezer Analysis:
https://analyze.intezer.com/#/analyses/89e5ccce-9e50-4fe8-a1c7-ef94ca3cff50

Potential Packer:
Armadillo v1.71

YARA Hits:
CN_disclosed_20180208_Mal1 - Detects malware from disclosed CN malware set
ZxShell_Related_Malware_CN_Group_Jul17_2 - Detects a ZxShell related sample from a CN threat group
Backdoor_Nitol_Jun17 - Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader

Additional YARA hits:
BASE64_table - Look for Base64 table
network_tcp_listen - Listen for incoming communication
network_tcp_socket - Communications over RAW socket
network_dns - Communications use DNS
win_mutex - Create or check mutex
win_registry - Affect system registries
win_files_operation - Affect private profile
Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration

Suricata Alerts:
ET TROJAN [PTsecurity] Botnet Nitol.B Checkin

Example service that gets created (binary name changes each time):
service_start_name =>
start_type => 2
password =>
display_name => Microsoft .Net Frameworek COMi+ Suppoot
filepath => C:\Windows\debug\lkghost.exe
service_name => Serpiei
filepath_r => C:\Windows\Debug\lkghost.exe
service_handle => 0x004bce10
desired_access => 983551
service_type => 272
error_control => 1
service_manager_handle => 0x004bcf50
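The service record above is a CreateService call captured by the sandbox, with the Win32 constants shown as plain integers: service_type 272 = 0x110 = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS, start_type 2 = SERVICE_AUTO_START, error_control 1 = SERVICE_ERROR_NORMAL, and desired_access 983551 = 0xF01FF = SERVICE_ALL_ACCESS. The Python below is an added example, not part of the original paste or of any sandbox named in it: it parses a record in this key => value layout, decodes the constants, and reports the traits a triage analyst would flag (auto-start persistence, an interactive service claiming to be a Microsoft component, an image dropped under C:\Windows\debug). The benign comparison record and the "image outside the system directories" heuristic are assumptions made for illustration.

```python
import re

# The CreateService parameters captured in the sandbox record above,
# reproduced verbatim as the sample input for the checker.
SERVICE_RECORD = r"""service_start_name =>
start_type => 2
password =>
display_name => Microsoft .Net Frameworek COMi+ Suppoot
filepath => C:\Windows\debug\lkghost.exe
service_name => Serpiei
filepath_r => C:\Windows\Debug\lkghost.exe
service_handle => 0x004bce10
desired_access => 983551
service_type => 272
error_control => 1
service_manager_handle => 0x004bcf50
"""

# A constructed benign record (hypothetical values) to show the checker stays quiet.
BENIGN_RECORD = r"""start_type => 3
display_name => Example Update Service
filepath => C:\Windows\System32\svchost.exe -k netsvcs
service_name => ExampleSvc
desired_access => 983551
service_type => 32
error_control => 1
"""

# Win32 service constants (winsvc.h).
SERVICE_TYPE_FLAGS = {
    0x001: "SERVICE_KERNEL_DRIVER",
    0x002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x010: "SERVICE_WIN32_OWN_PROCESS",
    0x020: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
               2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
               4: "SERVICE_DISABLED"}
ERROR_CONTROL = {0: "SERVICE_ERROR_IGNORE", 1: "SERVICE_ERROR_NORMAL",
                 2: "SERVICE_ERROR_SEVERE", 3: "SERVICE_ERROR_CRITICAL"}
SERVICE_ALL_ACCESS = 0xF01FF  # decimal 983551

# Directories Windows itself installs service images into (assumption used by the heuristic).
SYSTEM_IMAGE_PREFIXES = (r"c:\windows\system32", r"c:\windows\microsoft.net")


def parse_record(text):
    """Parse 'key => value' lines into a dict; keys with no value map to ''."""
    record = {}
    for line in text.splitlines():
        if "=>" not in line:
            continue
        key, _, value = line.partition("=>")
        record[key.strip()] = value.strip()
    return record


def decode_service_type(value):
    """Expand the SERVICE_* bit mask into its named flags, lowest bit first."""
    return [name for bit, name in sorted(SERVICE_TYPE_FLAGS.items()) if value & bit]


def assess_service(text):
    """Decode one captured CreateService record and list the suspicious traits."""
    rec = parse_record(text)
    types = decode_service_type(int(rec.get("service_type", "0")))
    start = int(rec.get("start_type", "3"))
    access = int(rec.get("desired_access", "0"))
    image_path = rec.get("filepath", "")
    image = image_path.lower()
    display = rec.get("display_name", "").lower()

    findings = []
    if start == 2:
        findings.append("auto-start service: persists across reboots")
    if "SERVICE_INTERACTIVE_PROCESS" in types:
        findings.append("interactive service type, unusual for a background component")
    if image.startswith(r"c:\windows\debug"):
        findings.append("image lives in C:\\Windows\\debug, not a directory Windows installs service binaries into")
    claims_microsoft = "microsoft" in display or ".net" in display
    if claims_microsoft and not image.startswith(SYSTEM_IMAGE_PREFIXES):
        findings.append("display name imitates a Microsoft component but the image is outside the system directories")

    return {
        "service_name": rec.get("service_name", ""),
        "image": image_path,
        "service_type": types,
        "start_type": START_TYPES.get(start, str(start)),
        "error_control": ERROR_CONTROL.get(int(rec.get("error_control", "1")), "?"),
        "all_access": access == SERVICE_ALL_ACCESS,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, rec in (("sample", SERVICE_RECORD), ("benign", BENIGN_RECORD)):
        result = assess_service(rec)
        print(name, result["service_name"], result["service_type"], result["start_type"])
        for f in result["findings"]:
            print("  -", f)
```

Because the dropped binary name changes on every run, the check keys on the directory, the service flags and the lookalike display name rather than on lkghost.exe or Serpiei; those two strings are still worth keeping as IOCs for this particular session.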
  49.  
Potential DGA DNS Requests:
llgddg5h.nnnn.eu.org
y5z2yev2.nnnn.eu.org
1xnhwm1js.nnnn.eu.org
otksqvgzn.nnnn.eu.org
y913wupojb.nnnn.eu.org
ev8af4pklj.nnnn.eu.org
eticshy9xk.nnnn.eu.org
ehxb3oihl.nnnn.eu.org
vdec1jtct0.nnnn.eu.org
lcp6mr2ksi.nnnn.eu.org
ogpvdon4cn.nnnn.eu.org
omtke6uey.nnnn.eu.org
yo1dzkj0qs.nnnn.eu.org
8x2mgaddoe.nnnn.eu.org
e1mpmuiax3.nnnn.eu.org
4mfm9znoqh.nnnn.eu.org
1d7cphje41.nnnn.eu.org
ip4znstixl.nnnn.eu.org
idjyyyhk7m.nnnn.eu.org
hkz9rhw7sh.nnnn.eu.org
y2gckqw3up.nnnn.eu.org
inox9eunlt.nnnn.eu.org
4zfdgcw0on.nnnn.eu.org
by9rswrd8.nnnn.eu.org
ronxjwmomc.nnnn.eu.org
e2wrqxhvv.nnnn.eu.org
ymv0ts3rg.nnnn.eu.org
lsxidpvscw.nnnn.eu.org
egmzuk6mvk.nnnn.eu.org
llzh3zvov.nnnn.eu.org
rkmugrcep.nnnn.eu.org
rpaj57qjzy.nnnn.eu.org
ow9q1imhnw.nnnn.eu.org
8kyp92zaq4.nnnn.eu.org
yof27acqxc.nnnn.eu.org
vtadqxgdjt.nnnn.eu.org
offtzkieqm.nnnn.eu.org
vzetotztme.nnnn.eu.org
ug4ao6kggz.nnnn.eu.org
r46scrlvxk.nnnn.eu.org
bedoq5vned.nnnn.eu.org
ls7loiih.nnnn.eu.org
u0np68q8xl.nnnn.eu.org
h4sugn3zit.nnnn.eu.org
1wdfifbb7r.nnnn.eu.org
bqzpftil0g.nnnn.eu.org
lg2k5rnffq.nnnn.eu.org
llmgzhwwpy.nnnn.eu.org
rilrnd24gm.nnnn.eu.org
hczwkqcvvv.nnnn.eu.org
yw06omgcm1.nnnn.eu.org
8jnnvo0e7.nnnn.eu.org
jy3vqzu.nnnn.eu.org
lzl9ott7vi.nnnn.eu.org
e8cxgcxnit.nnnn.eu.org
o2fwscz2yg.nnnn.eu.org
rkwt1l7tnd.nnnn.eu.org
uft3kyfqub.nnnn.eu.org
lesisjijsz.nnnn.eu.org
oa8jmunwsz.nnnn.eu.org
vk3udhhrcc.nnnn.eu.org
vxxrkfq49m.nnnn.eu.org
ohyrmc8jju.nnnn.eu.org
yck1igpt7.nnnn.eu.org
ustbcp6ex2.nnnn.eu.org
muwphlav3.nnnn.eu.org
y4neoy5ygq.nnnn.eu.org
1kietvodgs.nnnn.eu.org
6g0wnlnku.nnnn.eu.org
btonbljpof.nnnn.eu.org
v6ov214pyf.nnnn.eu.org
rdlignel9v.nnnn.eu.org
eohyfr4x0y.nnnn.eu.org
uliqvwd6jk.nnnn.eu.org
o3yhimexc8.nnnn.eu.org
etbn8mdlc.nnnn.eu.org
oncgtsrzqf.nnnn.eu.org
yvw6jrdox.nnnn.eu.org
onemplfjrz.nnnn.eu.org
enbqbduyow.nnnn.eu.org
eegnjsqdvd.nnnn.eu.org
5zzsjcxxt.nnnn.eu.org
bckq3d5dqf.nnnn.eu.org
rxgljf0jcp.nnnn.eu.org
hve8cxk9ci.nnnn.eu.org
luhjh3ahox.nnnn.eu.org
oojixa1u26.nnnn.eu.org
hqdvv7px5s.nnnn.eu.org
yvq4lig94.nnnn.eu.org
yhrv6ebeq.nnnn.eu.org
rdrwuctrwd.nnnn.eu.org
rrcvfphtz.nnnn.eu.org
r5huq5urjc.nnnn.eu.org
br8lx7eqbn.nnnn.eu.org
ypxeb7ylv.nnnn.eu.org
euxy5wkkfr.nnnn.eu.org
lx2s1sx79.nnnn.eu.org
4l4evwesep.nnnn.eu.org
1j9hlgtyfr.nnnn.eu.org
vnsszzc2zl.nnnn.eu.org
8uiokim8a5.nnnn.eu.org
8vrk3x8nd.nnnn.eu.org
bdtmmrqoxg.nnnn.eu.org
vfpefryb5s.nnnn.eu.org
h35iuiouv7.nnnn.eu.org
rvkuvdhqw.nnnn.eu.org
4uwojhnndi.nnnn.eu.org
rc6mxymh2o.nnnn.eu.org
8dlsgvlxf.nnnn.eu.org
yqcfdssq3j.nnnn.eu.org
iuaccgkkj.nnnn.eu.org
ipqjjwsra.nnnn.eu.org
48anynalgg.nnnn.eu.org
ybxg2cfoti.nnnn.eu.org
lew8zzb95j.nnnn.eu.org
ocjl0yss51.nnnn.eu.org
hwugg4jzi.nnnn.eu.org
ryrtmm5eon.nnnn.eu.org
1lyg73o3tq.nnnn.eu.org
uuj4zmxiqa.nnnn.eu.org
hikh5obxf9.nnnn.eu.org
efqox6pcb5.nnnn.eu.org
l7ho5jugx.nnnn.eu.org
lr05x7fm2j.nnnn.eu.org
1ysdeb2fqz.nnnn.eu.org
ovuuo4u6mo.nnnn.eu.org
46qfkg1q4o.nnnn.eu.org
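Every name in the list above is a 7-to-10 character lowercase alphanumeric label under the same parent zone, nnnn.eu.org, which is the pattern a DNS-log hunt can key on even though the individual labels never repeat. The Python below is an added example, not part of the original paste: it groups queried hostnames by parent zone and flags a zone once it has received many distinct, high-entropy, long child labels. Input is the first 20 names from the list plus constructed benign lookups; the thresholds and the rule that the parent zone is everything after the first label are assumptions (a production detector should use the Public Suffix List, and eu.org sub-zones are delegated to individuals, so nnnn.eu.org is the right unit here).

```python
import math
from collections import defaultdict

# Sample input: the first 20 names from the DGA list above, followed by
# constructed benign lookups so the detector has ordinary traffic to ignore.
SAMPLE_QUERIES = [
    "llgddg5h.nnnn.eu.org", "y5z2yev2.nnnn.eu.org", "1xnhwm1js.nnnn.eu.org",
    "otksqvgzn.nnnn.eu.org", "y913wupojb.nnnn.eu.org", "ev8af4pklj.nnnn.eu.org",
    "eticshy9xk.nnnn.eu.org", "ehxb3oihl.nnnn.eu.org", "vdec1jtct0.nnnn.eu.org",
    "lcp6mr2ksi.nnnn.eu.org", "ogpvdon4cn.nnnn.eu.org", "omtke6uey.nnnn.eu.org",
    "yo1dzkj0qs.nnnn.eu.org", "8x2mgaddoe.nnnn.eu.org", "e1mpmuiax3.nnnn.eu.org",
    "4mfm9znoqh.nnnn.eu.org", "1d7cphje41.nnnn.eu.org", "ip4znstixl.nnnn.eu.org",
    "idjyyyhk7m.nnnn.eu.org", "hkz9rhw7sh.nnnn.eu.org",
    # constructed benign traffic (repeats included, as in a real resolver log)
    "www.google.com", "mail.google.com", "docs.google.com", "drive.google.com",
    "www.google.com", "www.microsoft.com", "update.microsoft.com",
    "login.microsoftonline.com", "www.microsoft.com",
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_host(host):
    """Return (leftmost label, parent zone).

    Assumption: the parent zone is everything after the first label.  A real
    deployment should consult the Public Suffix List so that names such as
    a.b.example.co.uk are grouped under example.co.uk.
    """
    label, _, parent = host.lower().strip(".").partition(".")
    return label, parent


def find_dga_parents(queries, min_unique=10, min_entropy=2.0, min_length=7):
    """Flag parent zones that received many distinct, random-looking child labels.

    Returns {parent: stats} for each zone crossing all thresholds.  The threshold
    values are tuning assumptions, not figures taken from the sample.
    """
    labels_by_parent = defaultdict(set)
    for host in queries:
        label, parent = split_host(host)
        if label and parent:
            labels_by_parent[parent].add(label)

    hits = {}
    for parent, labels in labels_by_parent.items():
        if len(labels) < min_unique:
            continue  # too few distinct children to judge
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        mean_length = sum(len(l) for l in labels) / len(labels)
        digit_fraction = sum(any(c.isdigit() for c in l) for l in labels) / len(labels)
        if mean_entropy >= min_entropy and mean_length >= min_length:
            hits[parent] = {
                "unique_labels": len(labels),
                "mean_entropy": round(mean_entropy, 2),
                "mean_length": round(mean_length, 1),
                "digit_fraction": round(digit_fraction, 2),
            }
    return hits


if __name__ == "__main__":
    for parent, stats in find_dga_parents(SAMPLE_QUERIES).items():
        print(parent, stats)
```

Treat a hit as a triage signal rather than a verdict: CDN and cloud front-ends also fan out many opaque labels under one zone, so corroborate with the Suricata check-in alert above and with the host that made the queries before blocking the zone.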