MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30bb0e3893bd496f910db1ef709cf766e1277e0b097363798acd32e2a13fb92d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Nymaim


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30bb0e3893bd496f910db1ef709cf766e1277e0b097363798acd32e2a13fb92d
SHA3-384 hash: 26bba28c3607142ddc0307b2dd56c0564bc7ca909b48eeb0c830d4ea01b7ebde4696b1e8977a49806bc6ed420a8aed15
SHA1 hash: 6021d97bd1b948cd072aa02a946999519225369f
MD5 hash: 1909dc145d81df639d4ad06a8b0b9933
humanhash: quebec-salami-stairway-nitrogen
File name:1909dc145d81df639d4ad06a8b0b9933.exe
Download: download sample
Signature Nymaim
Create hunting rule
File size:381'440 bytes
First seen:2022-06-16 12:23:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61140d815895ec0dbbfd43c91a23615a (1 x Nymaim, 1 x Smoke Loader)
ssdeep 6144:to17c/srQThFhCQHhgTxJF2+sBr8UAu/0/yl6dgOLl:to1AYQThFhCQH0s+ur8vusK6
TLSH T1C584BF10BA90C434F5F762F44AB6936CB53E7EA16B3451CB52E46AEA57346E0EC3130B
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13101/52/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon c2f0f4f0f0f8e495 (1 x Nymaim)
Reporter abuse_ch
Tags:exe NyMaim

Intelligence

File Origin
# of uploads :
1
# of downloads :
441
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/280681/
Detection(s):
Win.Packed.Generic-9952003-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Creating a process with a hidden window
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/21612/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62ab20e6c07f2e38a14db360/reports/f00cae85-d372-48dd-958f-6a0b90707fe9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18c7c6c1-b2e5-4c63-a65b-aa43e8daa30a
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1014609
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 647114 Sample: WiYifNHfKH.exe Startdate: 16/06/2022 Architecture: WINDOWS Score: 60 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Nymaim 2->38 40 Machine Learning detection for sample 2->40 7 WiYifNHfKH.exe 1 2->7         started        process3 process4 9 WerFault.exe 9 7->9         started        12 WerFault.exe 9 7->12         started        14 WerFault.exe 9 7->14         started        16 5 other processes 7->16 file5 22 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 9->22 dropped 24 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 12->24 dropped 26 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 14->26 dropped 28 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->28 dropped 30 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->30 dropped 32 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->32 dropped 34 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->34 dropped 18 taskkill.exe 1 16->18         started        20 conhost.exe 16->20         started        process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30bb0e3893bd496f910db1ef709cf766e1277e0b097363798acd32e2a13fb92d/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-06-16 10:45:22 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gc5q4oetxvew7einwhxxbhhxm3qso7qlbfzwg6mkzuzofij7xewq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220616-pk26dahdh9/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
Unpacked files
SH256 hash:
86a975cd5a8b6a4b5ad7636be516f79f831e25f0519e1aac169b1bf4b265ce11
MD5 hash:
231b20ab2403022f428dbfd9735906a7
SHA1 hash:
de64032b860d841ba089fe9ec369898511522c27
Detections:
win_nymaim_g0
Create hunting rule
Link:
https://www.unpac.me/results/e27c2f8d-72ad-4810-8866-e1527a4114d9/
Parent samples :
30bb0e3893bd496f910db1ef709cf766e1277e0b097363798acd32e2a13fb92d
84c4fe56c2361a095ea3a1cb743b434b4ea995429ddc3171af6501c92b478828
f735cf911b0f9914977d9da28e834447e4100ec8a2d5e7d93200698315738cbd
3e25fc67f7e4cc42278e9c43aa0413157f3543d6fa082d22e02b3203febb47cf
048c51cddd7226942b94b0b406e6134fb17766eda673f1dd713fee7c845f4514
SH256 hash:
30bb0e3893bd496f910db1ef709cf766e1277e0b097363798acd32e2a13fb92d
MD5 hash:
1909dc145d81df639d4ad06a8b0b9933
SHA1 hash:
6021d97bd1b948cd072aa02a946999519225369f
Link:
https://www.unpac.me/results/e27c2f8d-72ad-4810-8866-e1527a4114d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30bb0e3893bd496f910db1ef709cf766e1277e0b097363798acd32e2a13fb92d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/280681/

Comments