MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 036a1add9895a7554cefaeb07d48cd9e2af856aaf42c5901ba99f45717008f34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Nymaim


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 036a1add9895a7554cefaeb07d48cd9e2af856aaf42c5901ba99f45717008f34
SHA3-384 hash: a8464067977a404020ff5a656c4c83f6c632f58456a293f47cfc58588b70d603b11077bfaeaedd555139c6d33c1246bb
SHA1 hash: 42956010017a96a0745f5cf8aaf4a9359e6528d2
MD5 hash: 83e921d6368baade50bb2a1031efd6bc
humanhash: fruit-tennessee-pennsylvania-connecticut
File name:83e921d6368baade50bb2a1031efd6bc.exe
Download: download sample
Signature Nymaim
Create hunting rule
File size:1'795'364 bytes
First seen:2023-06-19 13:08:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/N1lOR/IRKic6QL3E2vVsjECUAQT45deRV9RJ:sBuZrEU7q/IRKIy029s4C1eH9z
Threatray 22 similar samples on MalwareBazaar
TLSH T1BF85CF3FF268A13EC56A1B3245738320997BBA51B81A8C1E47FC384DCF765601E3B656
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe NyMaim

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
83e921d6368baade50bb2a1031efd6bc.exe
Verdict:
Suspicious activity
Analysis date:
2023-06-19 13:10:09 UTC
Tags:
installer
Link:
https://app.any.run/tasks/c0d2f21f-e26f-4651-abb2-17fae39c52aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/400489/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.30446.19144.30290.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91596/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer lolbin overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/649053705f4ad0cf05685185/reports/cb24f8f9-45eb-4fea-a7e6-a5ca1629eb5c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/036a1add9895a7554cefaeb07d48cd9e2af856aaf42c5901ba99f45717008f34
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b7dfe1c7-b932-4ed8-a841-03e382f87581
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
70 / 100
Link:
https://www.joesandbox.com/analysis/1257400
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 890420 Sample: WCYoS776qm.exe Startdate: 19/06/2023 Architecture: WINDOWS Score: 70 104 45.12.253.98 CMCSUS Germany 2->104 130 Snort IDS alert for network traffic 2->130 132 Found malware configuration 2->132 134 Malicious sample detected (through community Yara rule) 2->134 136 7 other signatures 2->136 12 WCYoS776qm.exe 2 2->12         started        signatures3 process4 file5 88 C:\Users\user\AppData\...\WCYoS776qm.tmp, PE32 12->88 dropped 15 WCYoS776qm.tmp 3 26 12->15         started        process6 dnsIp7 116 www.mimmo.pw 23.106.59.46, 49717, 80 LEASEWEB-UK-LON-11GB United Kingdom 15->116 118 www.crafterlimbcar.com 194.213.18.185, 443, 49692, 49693 HA-SDCGB United Kingdom 15->118 120 3 other IPs or domains 15->120 68 C:\Users\user\AppData\Local\Temp\...\s2.exe, PE32 15->68 dropped 70 C:\Users\user\AppData\Local\Temp\...\s1.exe, PE32 15->70 dropped 72 C:\Users\user\AppData\Local\Temp\...\s0.exe, PE32 15->72 dropped 74 3 other files (2 malicious) 15->74 dropped 128 Performs DNS queries to domains with low reputation 15->128 20 s0.exe 2 15->20         started        23 s2.exe 19 15->23         started        27 s1.exe 1 20 15->27         started        file8 signatures9 process10 dnsIp11 84 C:\Users\user\AppData\Local\Temp\...\s0.tmp, PE32 20->84 dropped 29 s0.tmp 26 22 20->29         started        106 45.12.253.56, 49884, 80 CMCSUS Germany 23->106 108 45.12.253.72, 49886, 80 CMCSUS Germany 23->108 110 45.12.253.75, 49887, 80 CMCSUS Germany 23->110 86 C:\Users\user\AppData\Local\...\US[1].file, PE32 23->86 dropped 140 Multi AV Scanner detection for dropped file 23->140 142 Detected unpacking (changes PE section rights) 23->142 144 Detected unpacking (overwrites its own PE header) 23->144 33 WerFault.exe 23->33         started        35 WerFault.exe 23->35         started        37 WerFault.exe 23->37         started        39 5 other processes 23->39 file12 signatures13 process14 file15 90 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 29->90 dropped 92 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 29->92 dropped 94 C:\...\unins000.exe (copy), PE32 29->94 dropped 96 9 other files (none is malicious) 29->96 dropped 146 Obfuscated command line found 29->146 41 cmd.exe 1 29->41         started        43 cmd.exe 1 29->43         started        45 cmd.exe 13 29->45         started        47 wmiprvse.exe 18 29->47         started        signatures16 process17 dnsIp18 50 expand.exe 21 41->50         started        53 conhost.exe 41->53         started        55 reg.exe 1 1 43->55         started        58 conhost.exe 43->58         started        60 chrome.exe 1 45->60         started        63 conhost.exe 45->63         started        122 westcoalbin.top 185.9.147.202, 1203, 49694 DHUBRU Russian Federation 47->122 124 geography.netsupportsoftware.com 62.172.138.67, 49718, 80 BTGB United Kingdom 47->124 126 geo.netsupportsoftware.com 47->126 process19 dnsIp20 76 C:\ProgramData\...\wmiprvse.exe (copy), PE32 50->76 dropped 78 C:\ProgramData\...\remcmdstub.exe (copy), PE32 50->78 dropped 80 C:\ProgramData\...\pcicapi.dll (copy), PE32 50->80 dropped 82 15 other files (9 malicious) 50->82 dropped 138 Creates an undocumented autostart registry key 55->138 112 192.168.2.1 unknown unknown 60->112 114 239.255.255.250 unknown Reserved 60->114 65 chrome.exe 60->65         started        file21 signatures22 process23 dnsIp24 98 www.google.com 142.250.203.100, 443, 49701, 49928 GOOGLEUS United States 65->98 100 accounts.google.com 142.250.203.109, 443, 49696 GOOGLEUS United States 65->100 102 8 other IPs or domains 65->102
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/036a1add9895a7554cefaeb07d48cd9e2af856aaf42c5901ba99f45717008f34/
Threat name:
Win32.Trojan.OffLoader
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 13:09:08 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=anvbvxmyswtvkthpv2yh2sgntyvpqvvk6qwfsan2th2fofyar42a._file
Verdict:
malicious
Similar samples:
361ed549476b6ec80f9c95564cc7e3979a8e5d31f8f95eb4c71c46800f0bf327
Nymaim
3b40418879968636695bcf99fdf5565346c7dc1ca92622b18dd0d6a7c79e2249
Nymaim
539a3681579af9e5c6cfb68628557212083173acd09719c7077c00ea37f91b2f
Nymaim
9e9e150d6ff9170caa0ffaab65332ddf4a849b0a5cee015f8a2f7b94d7e4fbf3
Nymaim
a1840b15c1cb1a7da67a23c2f83ec9a6378a91813fe9a95ec5c2304142f236d4
Nymaim
c4db7d1e957d2225520705672e86d4ee9d14cb8df62248c26d5442fd414d48a2
Nymaim
eb05e3acd443e4138a6f57216d47e1572b363e03a285fbb078904be77ef69046
Nymaim
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230619-qdr79sfb2s/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
15842276d35d953d57cb8e62a2dbadec0e3743772ebbaf53f540af4bf2da7a4c
MD5 hash:
cc18b869a73d9c9bd55f5e9c02243b0f
SHA1 hash:
9a8b26c0ede943c2861b40a998c9c4cc93b0e7b9
Link:
https://www.unpac.me/results/6be8a191-21c6-47d7-ac09-295a6f9035b1/
SH256 hash:
92ee7e5a068c426f4659b8a9a8715fe6898ade5e5ef64e22b7ece5972aabeaea
MD5 hash:
0ba94d74ed0c254d2a5cdff61142b5e7
SHA1 hash:
d230a815e3988d0ccfc5d97cb4cad99f2f4301c6
Link:
https://www.unpac.me/results/6be8a191-21c6-47d7-ac09-295a6f9035b1/
SH256 hash:
d74da605a5a1409aad2633de871d4fb3431290d87c9caf747eeb082cd8f83e25
MD5 hash:
7596eadac0f79f96492482327a42e24e
SHA1 hash:
120c958dafbf561a41292d98e18a60b4dea90d65
Link:
https://www.unpac.me/results/6be8a191-21c6-47d7-ac09-295a6f9035b1/
SH256 hash:
036a1add9895a7554cefaeb07d48cd9e2af856aaf42c5901ba99f45717008f34
MD5 hash:
83e921d6368baade50bb2a1031efd6bc
SHA1 hash:
42956010017a96a0745f5cf8aaf4a9359e6528d2
Link:
https://www.unpac.me/results/6be8a191-21c6-47d7-ac09-295a6f9035b1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/036a1add9895/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/036a1add9895a7554cefaeb07d48cd9e2af856aaf42c5901ba99f45717008f34

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/400489/

Comments