MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15ae62081abe2c2b45d52ac109920361982ba77a644fbbe328d28c0e67da71ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Nymaim


Vendor detections: 13



SHA256 hash: 15ae62081abe2c2b45d52ac109920361982ba77a644fbbe328d28c0e67da71ee
SHA3-384 hash: ebc87def297367c667eec10be84cbdcfd902d224cc4fcf50d813177dfae4aa5c15a2ba8ee8c6f3aadc737ffc6506bba9
SHA1 hash: 609d337b091c2f9407ee1829898c941112599ac7
MD5 hash: 6d62fdba070cf28fa74843bcd56ee587
humanhash: king-mango-butter-harry
File name: file
Signature: Nymaim
File size: 280'576 bytes
First seen: 2022-08-26 22:58:34 UTC
Last seen: 2022-08-27 00:02:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e10eabd109796663b2b8fe47960ce479 (13 x Smoke Loader, 4 x Nymaim, 2 x GCleaner)
ssdeep: 6144:IX74s+YWx47W8miQ5F+gakGa7LcIGPmIrkVigaLwVf:elax0fmiQKg5PcVg4
TLSH: T11E54F0027D910C71F06A7E705471DBA113BBBC9A6E309606F3A0A39F1EB33A159B0797
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: 36f0c8c8d8c8e8e0 (1 x Nymaim)
Reporter: andretavare5
Tags: exe NyMaim
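The imphash listed above is shared by Smoke Loader, Nymaim and GCleaner samples because it is computed from the import table alone, which for a packed file belongs to the packer stub rather than to the payload. The following Python is an added editorial example, not MalwareBazaar code and not derived from this sample: it reproduces the pefile get_imphash() algorithm on a constructed import table and groups constructed sample records by imphash the way the "(13 x Smoke Loader, 4 x Nymaim, 2 x GCleaner)" annotation does. The stub imports, sample hashes and family labels in it are placeholders.

```python
# Added example (editorial, not MalwareBazaar code): how an imphash is
# computed, and why one imphash can cover several malware families.
# Follows pefile's get_imphash(); import tables below are constructed.
import hashlib

_STRIPPED_EXTS = ("dll", "ocx", "sys")


def canonical_import_string(imports):
    """Build the string pefile hashes: 'dll.func' entries in import order,
    lower-cased, joined by commas. A .dll/.ocx/.sys suffix is dropped from
    the DLL name; an import by ordinal becomes 'ordN'. (pefile also resolves
    well-known ws2_32 and oleaut32 ordinals to names; that table is omitted
    here as a simplification.)"""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        base, dot, ext = dll.rpartition(".")
        if dot and ext in _STRIPPED_EXTS:
            dll = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical import string as a 32-char lowercase hex digest."""
    digest = hashlib.md5(canonical_import_string(imports).encode("ascii"))
    return digest.hexdigest()


def group_by_imphash(samples):
    """Pivot (sha256, family, imports) records on imphash. Every record whose
    stub imports the same functions in the same order lands in one bucket,
    whatever payload it unpacks to; reordering or adding an import splits it."""
    groups = {}
    for sha256, family, imports in samples:
        groups.setdefault(imphash(imports), []).append((sha256, family))
    return groups


# A minimal packer stub: resolve APIs at runtime, allocate memory, flip its
# protection, run the decoded payload. Constructed, not this sample's table.
STUB_IMPORTS = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("KERNEL32.dll", "VirtualProtect"),
    ("KERNEL32.dll", "ExitProcess"),
]

# Hypothetical samples sharing the stub; sha256 values are placeholders.
SAMPLES = [
    ("aa" * 32, "Smoke Loader", STUB_IMPORTS),
    ("bb" * 32, "Nymaim", STUB_IMPORTS),
    ("cc" * 32, "GCleaner", STUB_IMPORTS),
    # A stub with one extra import gets a different imphash.
    ("dd" * 32, "Nymaim", STUB_IMPORTS + [("USER32.dll", "MessageBoxA")]),
]

if __name__ == "__main__":
    for h, members in group_by_imphash(SAMPLES).items():
        print(h, [family for _, family in members])
```

Because the hash covers the packer's imports and not the payload, an imphash pivot finds samples sharing a packer or loader build, which is useful for hunting but is not a family attribution on its own; the unpacked-file hashes further down this page are the better pivot for the Nymaim payload itself.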


andretavare5
Sample downloaded from http://95.214.24.96/load.php?pub=mixinte

Intelligence


File Origin
# of uploads: 2
# of downloads: 712
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-08-26 22:59:02 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its verdict reflects every action taken during the analysis session, not only the uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a tool to kill processes
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: Nymaim, PrivateLoader
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature:
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Yara detected PrivateLoader
Threat name: Win32.Trojan.Krypter
Status: Malicious
First seen: 2022-08-26 22:59:09 UTC
File Type: PE (Exe)
Extracted files: 42
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:nymaim trojan
Behaviour:
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
NyMaim
Unpacked files
SHA256 hash: 076275c696b3600f0af323328150d0166ed2c032e52399d1671391718eb79351
MD5 hash: a8d488739fdbbcced8899b5ad39df067
SHA1 hash: f3ffb476100c0767400296d60dcb70146fcbc084
Detections: win_nymaim_g0
Parent samples:
3e8d3230c1d7db58efa85791435fe1b35692d4c23977e4d79949aaab253e23d0
100eb77779a383441af55fc1af37d0d169b44759e9beaed974cfc97ad1f26aa0
29738ae68c178c94a779a4407e621ca5c917422700881c220a7f2763a3f0f549
ae163ebe54d0c2f32134cee1cfbc9139e3b59b21c8beb7dcfb3d580bc698c875
93214b8130543f1615e25c831390d4d1bf392e2f89ef591c70dcce7e99f9b0fd
01f613b5571851c9c06ec43d31fe327cde2049a01bd65a3274d213a8ed258dc0
856956385382c6debbb62d425e9915e86a742c4adcb0a1cf7da8f0e8e92d2461
7cc1e70947f9be48ad3edfb07cd26482b9a565367d0c6e9c6cfa5b0c12588183
8be1905f4c62eb330fc76486e05ea2a6bda21094ed1a6b4a40953043ff825fea
6eb7bbf3284118bfa2ea895804a57f9a50c669df3668f0812db675c4a42ccb21
349a8ea986c949899801e9656ca1ca43b85c83f1e0ff9f2ab791d0d141a305bb
e1fd0048cd272f42ad65d722a2b4aa5beb52b610bc1b18c2eeec0d41511386fc
e56ec13f712bc01284335e2ae5f573d621260ddc10b456d67156345460f1b229
4473bf0407f179baaecd35d2337a2214547e40edfb31f71e0e54676fcee4d8fd
7ed81bb250e1a753452eefcd32c6713cb1780b4a5754b47ad470533d3f4a4dff
4c25c164945e7106cbd4e45a87aa64839519c22b6751b2b09d2029f3a357922b
2db3251d95cb2b7d3e6b4db0649670f92724772bd7d5ff5e9b2edf7c103cddf6
bbd3e77bc19fa2340b2c3b44d4d18f5f59339c64653e1924d102577eca828cb9
15ae62081abe2c2b45d52ac109920361982ba77a644fbbe328d28c0e67da71ee
e465fa6159a71c9ef946ba84eb8cb3727af0f0a18c04c96e90f5f3009edb43cc
fb807617856d2e00b0e2cd7c122df75bb3e1b704038a8164687068b04c444c12
df4690aa0330b969f7c63122c6329d072a696676597c535f31cb9c4e308ae910
fe7ccaf2e0bb88b4a5b5aaa555c9e429335b8ae5d56a7d57a8977c273673e463
f7bf3a783a4de0ca61ca331d127cc2d2b18a5e2a0f8376a436581adea7d5913c
aff1726aa963fbfbf275945e3c1337b13dc374494f3594657843a0edcce42e81
819a4adf5008cfc484aadde231a2f84b5f3d944e036b265b9c7b371276632d28
SHA256 hash: 15ae62081abe2c2b45d52ac109920361982ba77a644fbbe328d28c0e67da71ee
MD5 hash: 6d62fdba070cf28fa74843bcd56ee587
SHA1 hash: 609d337b091c2f9407ee1829898c941112599ac7
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed, and that a match shows only that the rule's pattern is present in the file: the rule's name is not by itself an attribution to a malware family.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample, such as its delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments