MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2f5fa3fb54ab1da789789e7f33d12daab4665d72b99200018211fc1517907f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash: e2f5fa3fb54ab1da789789e7f33d12daab4665d72b99200018211fc1517907f0
SHA3-384 hash: 8f755cc9ad547000cc92fa715a563b977930429fc150399ec0d1eb407d9a6e25b3cf870207f3b4245084f7e2920ce54b
SHA1 hash: 9590cc6fc2bb4ef4b424aa0b4e96ca3d1188d50c
MD5 hash: 5e78824e5a2f6c49d502ba72321a4016
humanhash: fish-may-sodium-east
File name:Nightmare.exe
Download: download sample
File size:77'134'447 bytes
First seen:2026-07-11 09:48:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (589 x GuLoader, 130 x RemcosRAT, 84 x EpsilonStealer)
ssdeep 1572864:At9IKPUxR7bGYLeTqowzKYypCPRfYLgRLlPBnU6InslAWQAx7:AUKMxR/GYpoyKYyuB/5PU6InskAx7
TLSH T188F7333C8AF5719FEE3D4CF41170F973F66AA06E9E2C64E69AEC35613132008057E59A
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter burger
Tags:exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
155
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Nightmare.exe
Verdict:
Suspicious activity
Analysis date:
2026-07-11 09:48:22 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a recently created process
Loading a suspicious library
Launching a process
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Deleting a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm base64 crypto expand expired-cert fingerprint hacktool installer installer installer-heuristic lolbin microsoft_visual_cc nsis reconnaissance
Verdict:
Clean
File Type:
exe x32
First seen:
2026-07-09T11:33:00Z UTC
Last seen:
2026-07-09T11:54:00Z UTC
Hits:
~10
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
92 / 100
Signature
Drops large PE files
Encrypted powershell cmdline option found
Loading BitLocker PowerShell Module
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Unusual module load detection (module proxying)
Uses WMIC command to query system information (often done to detect virtual machines)
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1940967 Sample: Nightmare.exe Startdate: 11/07/2026 Architecture: WINDOWS Score: 92 50 Sigma detected: Suspicious PowerShell Encoded Command Patterns 2->50 52 PE file contains section with special chars 2->52 54 Sigma detected: Suspicious File Creation In Uncommon AppData Folder 2->54 56 2 other signatures 2->56 8 Nightmare.exe 182 2->8         started        process3 file4 34 C:\Users\user\AppData\Local\...\ffmpeg.dll, PE32+ 8->34 dropped 36 C:\Users\user\AppData\...\d3dcompiler_47.dll, PE32+ 8->36 dropped 38 C:\Users\user\AppData\...\JabapipaModule.exe, PE32+ 8->38 dropped 40 10 other malicious files 8->40 dropped 58 Drops large PE files 8->58 12 JabapipaModule.exe 6 8->12         started        signatures5 process6 file7 42 C:\Users\user\AppData\...\grt18qebvj.exe, PE32+ 12->42 dropped 62 Suspicious powershell command line found 12->62 64 Encrypted powershell cmdline option found 12->64 66 Unusual module load detection (module proxying) 12->66 68 Uses WMIC command to query system information (often done to detect virtual machines) 12->68 16 cmd.exe 1 12->16         started        19 powershell.exe 23 12->19         started        21 powershell.exe 12->21         started        23 3 other processes 12->23 signatures8 process9 signatures10 44 Uses WMIC command to query system information (often done to detect virtual machines) 16->44 25 WMIC.exe 1 16->25         started        28 conhost.exe 16->28         started        46 Loading BitLocker PowerShell Module 19->46 30 conhost.exe 19->30         started        32 conhost.exe 21->32         started        48 Tries to detect sandboxes / dynamic malware analysis system (registry check) 23->48 process11 signatures12 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->60
Gathering data
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion discovery execution themida trojan
Behaviour
Checks processor information in registry
Detects videocard installed
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks whether UAC is enabled
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Themida packer
Command and Scripting Interpreter: PowerShell
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:GenesisStealer_Installer_NSIS_MaaS_Template
Author:n3r
Description:GenesisStealer NSIS installer (MaaS template). Imphash-based broad detector - also catches ScarfaceStealer / RemusStealer / VoidStealer variants sharing the same installer shell.
Rule name:NSIS
Author:kevoreilly
Description:NSIS Integrity Check function

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments