MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 263ba408f31fea50114cf2564e43fa5149f5d2da732012830a3f05b3c5c64d37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Nymaim


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 263ba408f31fea50114cf2564e43fa5149f5d2da732012830a3f05b3c5c64d37
SHA3-384 hash: 0e4eb5f4ceab5341c3d0239f59bc878591242964a50afa5731528edc4fa4893100c251a64139c0e5d75c1b2c779135fc
SHA1 hash: e83e85aed2e556a07414efacc4246d66d9cb304b
MD5 hash: 7f7217a3f16da48f4b652588027b11ce
humanhash: uniform-hotel-lamp-wyoming
File name:file
Download: download sample
Signature Nymaim
Create hunting rule
File size:348'160 bytes
First seen:2022-10-11 02:03:10 UTC
Last seen:2022-10-11 02:38:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 78ee95c35be8f9cbb7d14afcce7e80bb (10 x Smoke Loader, 6 x GCleaner, 2 x Nymaim)
ssdeep 6144:CseoqPXlLeGwybxxFGuITsVct5ghr7/7NTfu0BlYrqWsXgBJv1:tTqPXlzwGIl5e7/7NT/BS+Wsk
Threatray 1'410 similar samples on MalwareBazaar
TLSH T14574E1223991C831E6263134CD75D6712BBFB8750536AB4B7BE807598F32791AE243C7
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 3371696969696996 (1 x GCleaner, 1 x Nymaim)
Reporter andretavare5
Tags:exe NyMaim


Avatar
andretavare5
Sample downloaded from http://95.214.24.96/load.php?pub=mixinte

Intelligence

File Origin
# of uploads :
13
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318695/
Detection(s):
Win.Packed.Dropperx-9973281-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file in the system32 subdirectories
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/6344cf13dbe426a948bd3833/reports/e4da21cb-ed5f-4877-934a-8acf80861d5a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e0e0f4f-457b-4300-96b5-8a0ca8a00c65
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1087500
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/263ba408f31fea50114cf2564e43fa5149f5d2da732012830a3f05b3c5c64d37/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-10-11 02:12:56 UTC
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ey52ichtd7vfaekm6jle4q72kfe7luw2omqbfaykh4c3hrogju3q._file
Verdict:
malicious
Similar samples:
1817d71d6d75cb18ab4a1ad6e0d538a4c0711131818f8fdec36b40138cb257fe
Nymaim
1c4ca1748b10b4caa13f3a9fdeb3b9f8728590d170adc2a5937b3eb92ecf48aa
Nymaim
40ff4949854e9668207abbae374cc429001191a3980707a49bae807a3b3066b5
Nymaim
56cb61aafd4e0f7255541c0b89649f8b1616490dd016e9efdab4423cfcce9a87
Nymaim
6a4c00312d056399452a15ab601461eda668625cc0f2ddc643fb414e283f591f
Nymaim
9dd0ea1fbd0d1c61a4c1ddf0cc122bd06cce3ce18ef722409a78e59b2efd2b48
Nymaim
9f7424e2f72c7d9e1fad08812334f72c193dd966951af01731998fa0da80e386
Nymaim
b000347178c5645b8691fe97b3fab986fbac71012f2645898b7d6b315df41fea
Nymaim
d96df3244bdc08ecb9a1630e8d8a68b791b880c07475b5e755024bf515d58f55
Nymaim
f305b8b905edd96dc7fa0c45767ab4a913e413f9233313278a1e9f2e61f005d3
Nymaim
+ 1'400 additional samples on MalwareBazaar
Result
Malware family:
nymaim
Create hunting rule
Score:
  10/10
Tags:
family:nymaim trojan
Link:
https://tria.ge/reports/221011-cg91laacc4/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Program crash
NyMaim
Malware Config
C2 Extraction:
208.67.104.97
85.31.46.167
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/20755b7b-6c0e-406c-b0d0-201115139dde
Unpacked files
SH256 hash:
bdf886cafed6ed92f6940769a488aedcf751c5fd3e3f4fbb51b0620e39d6726b
MD5 hash:
e72cf1f71443c6b6e560b479ed960b59
SHA1 hash:
d83b2a4891ef38e0e9fe28e561725ae86ae415fc
Detections:
win_nymaim_g0
Create hunting rule
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/dd0994f1-9d05-4511-ae9b-1e2efaeaf0d9/
Parent samples :
1817d71d6d75cb18ab4a1ad6e0d538a4c0711131818f8fdec36b40138cb257fe
9f7424e2f72c7d9e1fad08812334f72c193dd966951af01731998fa0da80e386
05b3de466abc996a878bbf1199e70f9ef8a36a7069ba838ff451b3c5fe05f18f
40ff4949854e9668207abbae374cc429001191a3980707a49bae807a3b3066b5
1c4ca1748b10b4caa13f3a9fdeb3b9f8728590d170adc2a5937b3eb92ecf48aa
88d59a3629e21d66fb7cd48f4d5542a4ff4205fb92834ded6244b6f243019390
56cb61aafd4e0f7255541c0b89649f8b1616490dd016e9efdab4423cfcce9a87
6a4c00312d056399452a15ab601461eda668625cc0f2ddc643fb414e283f591f
f305b8b905edd96dc7fa0c45767ab4a913e413f9233313278a1e9f2e61f005d3
d96df3244bdc08ecb9a1630e8d8a68b791b880c07475b5e755024bf515d58f55
b000347178c5645b8691fe97b3fab986fbac71012f2645898b7d6b315df41fea
9dd0ea1fbd0d1c61a4c1ddf0cc122bd06cce3ce18ef722409a78e59b2efd2b48
263ba408f31fea50114cf2564e43fa5149f5d2da732012830a3f05b3c5c64d37
2a976d8cf92d113e8c56dd9a3db304d0b3c193373139de3f05627f6e0bb100a6
6f959997fd2a9b93f18088188cae26410b5041713449349b7ddacb806a41f8b7
441b9eee712b85616ca62d08810f6d4a232c2307811c211354be18c3f3ef90d4
74b17d15bae61dd6971a1917c534c5a30fabe0121d2b58c9bcfd8ba54aee4a17
de84d2092f008362d2f36f8f31fc28fb506c2f0ebe53d41ea30efbd4f4f218c1
eace9d6f2be6f377e9a834aed0f2c7b31252e911a65c482366b7a9cb9828d42a
a34cd84ab3edd0b697e20905af0cb8c67a2bb6ef58477a16327a23c3ff203295
1fb998c5bd768cddd4b48eef261039e074fbaac2a459fb76742e7d3cf8e6eb31
5f9a01202ab0db3309e8285d83252cef4b81b9cd832a9785a18098761d97f427
56e180a89542f119e9a1ea6b1822651e2e35bab9fc23c1f045f988af67c5887f
SH256 hash:
263ba408f31fea50114cf2564e43fa5149f5d2da732012830a3f05b3c5c64d37
MD5 hash:
7f7217a3f16da48f4b652588027b11ce
SHA1 hash:
e83e85aed2e556a07414efacc4246d66d9cb304b
Link:
https://www.unpac.me/results/dd0994f1-9d05-4511-ae9b-1e2efaeaf0d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/263ba408f31fea50114cf2564e43fa5149f5d2da732012830a3f05b3c5c64d37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/318695/

Comments