MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Nymaim


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033
SHA3-384 hash: 0978f6b961649b346297b20bedcd594c1fd20950d1cba559de4c42052d5ff7a356a197660439620c5c9ef0bb0d8a3e31
SHA1 hash: e4c5691422f8bb438cae51bdb4340e75efed9f8d
MD5 hash: 42d5422b60e6b5e20e7aaf730a81cc87
humanhash: fix-uranus-solar-mexico
File name:42d5422b60e6b5e20e7aaf730a81cc87.exe
Download: download sample
Signature Nymaim
Create hunting rule
File size:1'144'320 bytes
First seen:2022-10-29 05:07:04 UTC
Last seen:2022-10-29 06:12:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9de6be7a88c6b62e6fe9c345eca2a6c5 (1 x Nymaim)
ssdeep 24576:S7+J7TGhOa+9EuP9HxoXZoVeCe6TXjJpsB8jIy:S7a7TwOaexTz7sU
Threatray 21 similar samples on MalwareBazaar
TLSH T15835AE12E691D0F5E8B780B187FB173DFB34B85003286ECBA3D81A564F225E1B639765
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe NyMaim

Intelligence

File Origin
# of uploads :
2
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-10-29 01:14:11 UTC
Tags:
trojan amadey kelihos loader ransomware stealer
Link:
https://app.any.run/tasks/d0dae40d-fa16-4fa6-8ea0-95532cb52d56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/325743/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.61276436.13235.11154.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Creating a file
Changing a file
Sending a custom TCP request
Replacing files
Moving a recently created file
Moving a file to the %AppData% subdirectory
Creating a file in the %AppData% subdirectories
Modifying an executable file
Unauthorized injection to a system process
Encrypting user's files
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/46518/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware obfuscated packed packed shell32.dll
Link:
https://www.filescan.io/uploads/635cb533a5db8d309cbbc571/reports/09868ece-e99c-4bea-a1cb-8827f823a74b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Tripoli Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/54794334-2c0a-4e40-aea9-8c08b539a0dc
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1100769
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Creates files in the recycle bin to hide itself
Deletes itself after installation
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Renames NTDLL to bypass HIPS
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 733430 Sample: w04jFmVSb4.exe Startdate: 29/10/2022 Architecture: WINDOWS Score: 100 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 2 other signatures 2->64 7 w04jFmVSb4.exe 4 2->7         started        11 explorer.exe 19 154 2->11         started        14 explorer.exe 2->14 injected process3 dnsIp4 40 C:\Users\user\AppData\Local\Temp\B2CF.tmp, PE32 7->40 dropped 42 C:\Users\user\AppData\Local\Temp\B290.tmp, PE32 7->42 dropped 44 C:\Users\user\AppData\Local\Temp\B202.tmp, PE32 7->44 dropped 46 C:\Users\user\AppData\Local\Temp\B194.tmp, PE32 7->46 dropped 70 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 7->70 72 Writes to foreign memory regions 7->72 74 Allocates memory in foreign processes 7->74 76 2 other signatures 7->76 16 write.exe 4 7->16         started        48 192.168.2.1 unknown unknown 11->48 file5 signatures6 process7 file8 24 C:\Users\user\AppData\Local\Temp\BFB0.tmp, PE32 16->24 dropped 26 C:\Users\user\AppData\Local\Temp\BF80.tmp, PE32 16->26 dropped 28 C:\Users\user\AppData\Local\Temp\BEF3.tmp, PE32 16->28 dropped 30 C:\Users\user\AppData\Local\Temp\BE84.tmp, PE32 16->30 dropped 50 Writes a notice file (html or txt) to demand a ransom 16->50 52 Deletes itself after installation 16->52 54 Renames NTDLL to bypass HIPS 16->54 56 2 other signatures 16->56 20 write.exe 2 100 16->20         started        signatures9 process10 file11 32 C:\Users\user\Favorites\...\HOW_FIX_FILES.htm, ASCII 20->32 dropped 34 C:\Users\user\Desktop\...\HOW_FIX_FILES.htm, ASCII 20->34 dropped 36 C:\Users\user\...\IconCache.db.rnsmcat4er, data 20->36 dropped 38 38 other files (34 malicious) 20->38 dropped 66 Creates files in the recycle bin to hide itself 20->66 68 Modifies existing user documents (likely ransomware behavior) 20->68 signatures12
Detection:
nymaim
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033/
Threat name:
Win32.Ransomware.Encoder
Create hunting rule
Status:
Malicious
First seen:
2022-10-28 22:25:47 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vjikdzjeawne2gcjgocqxrteuz2smcfbboq6q5veqasufxbucazq._file
Verdict:
malicious
Similar samples:
57c9630ff4575c0881314c5f31f4177249c84218642cef6c3896fbc6337c380a
Nymaim
7fc24e1d5c5ddc8734298cb42b397f55db75bfddc27319e56d4239e56e9c01c4
Nymaim
914644da1b2f5c041a3199411b353f3c8e5b7e965399ac015bbc6c5286da7a7e
Nymaim
a164a56178ed04e87b40798f3ac2c0695366262d15156ac9b1e475f0ac6afc6e
Nymaim
b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7
Nymaim
c75b21d9f3189b648b2b83dae0fb48e49eb5458e8c3c5cfbdbcac460b43acc32
Nymaim
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
Nymaim
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
Nymaim
e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61
Nymaim
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b
Nymaim
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221029-fsjvbscheq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Unpacked files
SH256 hash:
aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033
MD5 hash:
42d5422b60e6b5e20e7aaf730a81cc87
SHA1 hash:
e4c5691422f8bb438cae51bdb4340e75efed9f8d
Detections:
win_nymaim_g0
Create hunting rule
Nymaim
Create hunting rule
win_nymaim_auto
Create hunting rule
Link:
https://www.unpac.me/results/03b9a208-f686-4da9-90bb-fb28d4fb1603/
Parent samples :
aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033
b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa50a1e52405/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nymaim
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_nymaim_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.nymaim.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Nymaim

Executable exe aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2389786/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/325743/

Comments