[patriq]

more chinese food
hxxp://222.186.42.36:8080/

4c21b42198d6af8c704430a3bddc4a1d yy999.exe
https://www.virustotal.com/en-gb/file/8 ... 386130658/

downloader was hosted with some ELF files.

ELF files

Code: Select all

dos32 
dos64 

UPX packed ELF files

Code: Select all

linux1 
xudp 
(linux1.unpacked xudp.unpacked)

WTF?

Anyway...

02fc2a862c1c90728c33285da0d1a9c2 dos32
531d447787de34493f28c547c2fce3d5 dos64
6ceff396ac1e3f10d7e610c25869a26a linux1
5c2c95b96299d84ce14b70150a72dcdc linux1.unpacked
136b47ca78c4b02069fe1ffa581ba6ae xudp
f07feb1a736ea92d01d9e9d61355634b xudp.unpacked

[Xylitol]

DDoS:Win32/Nitol.B
https://www.virustotal.com/en/file/8073 ... 432479794/
dumped: https://www.virustotal.com/en/file/428f ... 432480126/

[ikolor]

next ..


https://www.virustotal.com/en/file/aa7c ... 439320290/

[EP_X0FF]

next ..


https://www.virustotal.com/en/file/aa7c ... 439320290/

It is muldrop trojans with DDoS:Win32/Nitol.B as one of payloads. You can actually figure it yourself and add comment to your post instead of just posting unknown files.

[ikolor]

next
https://www.virustotal.com/en/file/f411 ... 443206047/

[ikolor]

next

https://www.virustotal.com/en/file/c366 ... 446393067/

[nullptr]

next
https://www.virustotal.com/en/file/c366 ... 446393067/

Another Muldrop, this time with the usual Nitol + some Waledac variant.
Both attached.

[EP_X0FF]

Nitol.B recovered from disk with winhex (it was deleted) in attach with unpacked.



Machine was fucked up by various malware (including ransom encoder) and adware.

unpacked vt
https://www.virustotal.com/en/file/dc2f ... /analysis/

Payload entry point at .00404946
Attempt to connect d.googlex.me:30

[MalwareTech]

Is Nitol associated with Kelihos in any way?

Sample I found was a UPX'd exe appended to another UPX'd exe then crypted. The main exe was a downloader for Kelihos, other was Nitol.B.

[EP_X0FF]

I often saw them together in one muldrop.