MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a9555123e39a8acb3758551f6745e320d9bf8d53456cd18152616bbab5d7b42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Nymaim


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a9555123e39a8acb3758551f6745e320d9bf8d53456cd18152616bbab5d7b42
SHA3-384 hash: 3000db9d959710a618d4e4867f6df8d3547f9d489dff2b34e0afdd34acf413270aac7ff316cf5ca8a3474a65918aac44
SHA1 hash: 704a15084762101d571af894f5c9fdb137414ee5
MD5 hash: 394d8d99f32848c9ea0260b3460b40e6
humanhash: xray-yankee-aspen-fruit
File name:file
Download: download sample
Signature Nymaim
Create hunting rule
File size:403'456 bytes
First seen:2022-09-16 15:04:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b6c6744c87891f47924ea05001f3809 (5 x Smoke Loader, 4 x GCleaner, 2 x Stop)
ssdeep 6144:waXnu2u/1Ycgyi6hL3Yl9UK9xm3l0/nVnigabwVfj:wunudQyDhbc9t9Qu/nVis
TLSH T18384CF327991CC70D4592D308822DFA4267FBC625A305647F3A47B9E6EB3390667638F
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 32f0c8c8c8d8e8e0 (1 x GCleaner, 1 x Nymaim)
Reporter andretavare5
Tags:exe NyMaim


Avatar
andretavare5
Sample downloaded from http://95.214.24.96/load.php?pub=mixinte

Intelligence

File Origin
# of uploads :
1
# of downloads :
316
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-09-16 15:06:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/efff6a0f-153e-439d-b50d-095d68fdf76b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310583/
Detection(s):
Win.Packed.Tofsee-9951336-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file in the system32 subdirectories
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37898/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/632490a9b564f001cc8e5b4f/reports/4153aef9-e18e-4359-9742-c275445a7a96/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b133dcf3-d793-465b-9de7-b699a50a58f1
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1071703
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 704246 Sample: file.exe Startdate: 16/09/2022 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for domain / URL 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 3 other signatures 2->51 7 file.exe 18 2->7         started        12 DRB9kYZk.exe 2->12         started        process3 dnsIp4 43 208.67.104.97, 49724, 49738, 80 GRAYSON-COLLIN-COMMUNICATIONSUS United States 7->43 25 C:\Users\user\AppData\Roaming\DRB9kYZk.exe, PE32 7->25 dropped 27 C:\Users\...\DRB9kYZk.exe:Zone.Identifier, ASCII 7->27 dropped 53 Uses schtasks.exe or at.exe to add and modify task schedules 7->53 14 WerFault.exe 9 7->14         started        17 WerFault.exe 9 7->17         started        19 WerFault.exe 9 7->19         started        21 10 other processes 7->21 55 Detected unpacking (changes PE section rights) 12->55 57 Detected unpacking (overwrites its own PE header) 12->57 file5 signatures6 process7 file8 29 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 14->29 dropped 31 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->31 dropped 33 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->33 dropped 35 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->35 dropped 37 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->37 dropped 39 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->39 dropped 41 5 other malicious files 21->41 dropped 23 conhost.exe 21->23         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a9555123e39a8acb3758551f6745e320d9bf8d53456cd18152616bbab5d7b42/
Threat name:
Win32.Trojan.RealProtect
Create hunting rule
Status:
Malicious
First seen:
2022-09-16 15:05:08 UTC
File Type:
PE (Exe)
Extracted files:
70
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fkkvker6hgukzm3vqvi7m5c6gigzx6gvgrlm2gaveyllxk25pnba._file
Verdict:
malicious
Result
Malware family:
nymaim
Create hunting rule
Score:
  10/10
Tags:
family:nymaim trojan
Link:
https://tria.ge/reports/220916-sf581sbgdn/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
NyMaim
Malware Config
C2 Extraction:
208.67.104.97
85.31.46.167
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fc4cd1f0-8b45-42cb-8249-bb0196fa4aa0
Unpacked files
SH256 hash:
278609beb49951ce52d729ce9c1a1077f969d5757babecd70886441a0a310e83
MD5 hash:
9ea2b2e54f13acde7711cbe48d54b607
SHA1 hash:
14ec8b2ed519137d44a32f32a7abdf509419bc33
Detections:
win_nymaim_g0
Create hunting rule
Link:
https://www.unpac.me/results/a318c63b-eb52-412d-ba02-64053f2cfd32/
SH256 hash:
2a9555123e39a8acb3758551f6745e320d9bf8d53456cd18152616bbab5d7b42
MD5 hash:
394d8d99f32848c9ea0260b3460b40e6
SHA1 hash:
704a15084762101d571af894f5c9fdb137414ee5
Link:
https://www.unpac.me/results/a318c63b-eb52-412d-ba02-64053f2cfd32/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a9555123e39a8acb3758551f6745e320d9bf8d53456cd18152616bbab5d7b42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Record_Breaker_Similarities
Create hunting rule
Author:DigitalPanda

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/310583/
  
URLhaus
https://urlhaus.abuse.ch/url/2276314/

Comments