MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Nymaim


Vendor detections: 13



SHA256 hash: 3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18
SHA3-384 hash: 7cbb4e60ed88e9e702f29afd557b99db78220f690232d73f7ff523366a0ebcfdc117d28f848a4e41976f7ea321ed7df9
SHA1 hash: 821e6ab0fe1fe841cf9ba24b3fc838846b4785f4
MD5 hash: 32b85e5061a27630ddea16c0d4f3f9a0
humanhash: november-fish-dakota-three
File name: 32b85e5061a27630ddea16c0d4f3f9a0.exe
Download: download sample
Signature: Nymaim
File size: 404'992 bytes
First seen: 2022-12-12 15:23:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d5632d54ec7a430a4ccbd59048a8a61d (10 x Smoke Loader, 7 x RedLineStealer, 1 x Nymaim)
ssdeep: 6144:WkcteyLKfKtUdaXSc1l5JPIv5VR+ExfFtzM0sRQGHRbpLje1atpBYQW:WkjyWfKt5l5og4F20sXxbljaatUQW
TLSH: T19884DF027582EE31C85351748832CBF11F7EEC611924990F776A3B5E6DFB2925A32F52
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: a1d6e8e8e8f0f0e4 (1 x Nymaim)
Reporter: abuse_ch
Tags: exe NyMaim
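The imphash line above pivots this file to Smoke Loader and RedLine samples that carry the same import table. That is expected for a packed sample (one vendor above tags it "packed"): the imphash is computed over the imports of the on-disk stub, not of the unpacked payload, so files packed with the same stub collide regardless of family. The block below is an added example, not MalwareBazaar or pefile code, that reproduces the imphash normalization so the value can be recomputed from an import table you have already extracted (for instance with pefile, whose get_imphash() is the reference implementation). The import list, and the helper names normalize_library, imphash_string and imphash, are constructed for the example. Ordinal-only imports are emitted as ordN; pefile additionally resolves a few known ws2_32/oleaut32 ordinals to names, which is omitted here.

```python
import hashlib

# Library-name extensions the imphash algorithm strips (pefile uses the same list).
STRIPPED_EXTS = (".dll", ".ocx", ".sys")


def normalize_library(name):
    """Lower-case the DLL name and drop a .dll/.ocx/.sys suffix."""
    name = name.lower()
    for ext in STRIPPED_EXTS:
        if name.endswith(ext):
            return name[:-len(ext)]
    return name


def normalize_import(func):
    """An import is a name (str) or an ordinal (int); ordinals become 'ordN'."""
    if isinstance(func, int):
        return "ord%d" % func
    return func.lower()


def imphash_string(imports):
    """Build the 'lib.func,lib.func,...' string the imphash is taken over.

    imports: list of (dll_name, [func_name_or_ordinal, ...]) in import-table
    order. Order matters: the same imports in a different order give a
    different imphash.
    """
    parts = []
    for lib, funcs in imports:
        lib = normalize_library(lib)
        for func in funcs:
            parts.append(lib + "." + normalize_import(func))
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalized import string: the value shown as 'imphash' above."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed import table for the example (not taken from the sample on this page).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA", "VirtualAlloc"]),
    ("USER32.dll", ["MessageBoxA"]),
    ("WS2_32.dll", [115]),  # imported by ordinal only
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

When comparing against the value on this page, feed the import table of the original, still-packed file; the unpacked payload listed under "Unpacked files" has its own imports and therefore its own imphash.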

Intelligence


File Origin
# of uploads: 1
# of downloads: 190
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 32b85e5061a27630ddea16c0d4f3f9a0.exe
Verdict: Malicious activity
Analysis date: 2022-12-12 15:26:32 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its verdict covers everything the analyst did during the session, not only the uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for synchronization primitives
Creating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Creating a process with a hidden window
Launching a tool to kill processes
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details:
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 64 / 100
Signature:
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Yara detected Nymaim
Behaviour: behavior graph (image not reproduced)
Threat name: Win32.Trojan.Raccoon
Status: Malicious
First seen: 2022-12-12 15:24:06 UTC
File Type: PE (Exe)
Extracted files: 62
AV detection: 26 of 26 (100.00%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:nymaim trojan
Behaviour:
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
NyMaim
Malware Config
C2 Extraction:
45.139.105.171
85.31.46.167
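Two of the behaviours the sandboxes report for this sample, a taskkill child process and self-deletion through a batch command, are visible in ordinary process-creation telemetry and can be keyed on without any family-specific signature. The block below is an added example, not code from MalwareBazaar or from any of the sandboxes quoted on this page: it runs two such checks over constructed events shaped like Sysmon Event ID 1 records (Image, CommandLine, ParentImage, ProcessId). The events, process IDs and command lines are constructed; the self-delete command is a common ping-then-del pattern and is not claimed to be this sample's actual command line. The rule names and helpers are mine.

```python
import ntpath
import re

# Directories from which a taskkill child is considered ordinary administration.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _basename(path):
    return ntpath.basename(path).lower()


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def rule_taskkill_from_user_path(ev):
    """taskkill.exe started by a parent whose image is outside the Windows system directories.

    Covers the 'Kills process with taskkill' / 'Launching a tool to kill
    processes' behaviours above: a freshly dropped executable in a temp or
    profile directory has little legitimate reason to kill other processes.
    """
    return _basename(ev["Image"]) == "taskkill.exe" and not _in_system_dir(ev["ParentImage"])


def rule_self_delete(ev):
    """cmd.exe child whose command line deletes its own parent's image file.

    Covers the 'Running batch commands' + 'Deletes itself' behaviours above.
    The del/erase token and the parent's file name must sit in the same
    command segment (no '&' or '|' between them) so that a parent cmd.exe
    running an unrelated 'del' is not matched on its own name.
    """
    if _basename(ev["Image"]) != "cmd.exe":
        return False
    cmd = ev["CommandLine"].lower()
    pattern = r"\b(?:del|erase)\b[^&|]*" + re.escape(_basename(ev["ParentImage"]))
    return re.search(pattern, cmd) is not None


RULES = (
    ("taskkill_from_user_path", rule_taskkill_from_user_path),
    ("self_delete", rule_self_delete),
)


def detect(events):
    """Return (rule_name, ProcessId) for every event that trips a rule, in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev["ProcessId"]))
    return hits


# Constructed process-creation events (not real telemetry from any host).
DROPPER = r"C:\Users\victim\AppData\Local\Temp\32b85e5061a27630ddea16c0d4f3f9a0.exe"
SAMPLE_EVENTS = [
    # 1: the dropper is launched from a user-writable directory
    {"ProcessId": 4120, "Image": DROPPER, "CommandLine": '"%s"' % DROPPER,
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 2: it kills a process with taskkill (target name constructed)
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /f /im SomeProcess.exe", "ParentImage": DROPPER},
    # 3: it removes itself through a batch command (constructed ping-then-del pattern)
    {"ProcessId": 4204, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c ping 127.0.0.1 -n 3 & del "%s"' % DROPPER,
     "ParentImage": DROPPER},
    # 4: benign, an administrator kills a hung process from an interactive prompt
    {"ProcessId": 5000, "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /f /im notepad.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 5: benign, a cleanup script deletes a file unrelated to its parent
    {"ProcessId": 5012, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del C:\Temp\old.log",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print("%-24s pid=%d" % (name, pid))
```

Both rules are deliberately narrow: the taskkill rule keys on the parent's location rather than the target process, and the self-delete rule requires the deleted file to be the parent's own image. Neither uses the file name on this page as a signature, so they fire on the behaviour rather than on this particular sample.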
Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: d4682fad13146ccfcb058f396ab660f767ee02e6a3fc30b8745c95a2b98c47e5
MD5 hash: 578f2af8fbbf35a8aa9680da3ace6084
SHA1 hash: 2b44ee8a9c4c4c9f10255692af11f4513a27ccc3
Detections: win_nymaim_g0 Nymaim win_gcleaner_w0 win_gcleaner_auto
Parent samples:
SHA256 hash: 3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18
MD5 hash: 32b85e5061a27630ddea16c0d4f3f9a0
SHA1 hash: 821e6ab0fe1fe841cf9ba24b3fc838846b4785f4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Note that only results from TLP:CLEAR rules are displayed.

Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments