MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e56ec13f712bc01284335e2ae5f573d621260ddc10b456d67156345460f1b229. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Nymaim
Vendor detections: 13

SHA256 hash: e56ec13f712bc01284335e2ae5f573d621260ddc10b456d67156345460f1b229
SHA3-384 hash: b21f71fbe078b3b85b60e9dbfa464077d52a7a9f0df167b281329e51dde85157edaa961ac8283642d64f8c1db61662eb
SHA1 hash: c5776eeb623f4c266b601a99ef9ca427a68a876f
MD5 hash: 5c688978af9a129b15eed49d87159e96
humanhash: yellow-lamp-west-fourteen
File name: file
Signature: Nymaim
File size: 312'320 bytes
First seen: 2022-08-24 23:30:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 672a9cbd22cfd5f4c8a0802430548cd4 (3 x RedLineStealer, 2 x Nymaim)
ssdeep: 6144:5N10pRfstP4ZO5JGJgPRzLl5yQu+8tZx5vslgekiga:5MfsmZO5JGJURzLnnu+8Zx5vslTB
TLSH: T1D664E1327AE14531D8AA3D308432CFA016BFB85116344687E3F86B5E6F667901E7539F
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 93f0e868e86068e1 (1 x Nymaim)
Reporter: andretavare5
Tags: exe NyMaim
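The imphash on this entry is shared with three RedLineStealer samples as well as two Nymaim samples. An imphash is an MD5 over the normalised import table of the file as it sits on disk, and for a packed executable that table belongs to the packer stub, not the payload, so a cross-family overlap like this points at a shared packer or loader rather than shared malware code. The following is an added example, not MalwareBazaar's or pefile's code: it reproduces the imphash normalisation on constructed import tables (nothing here is read from the sample) so the case-folding and order-sensitivity behind such collisions are visible. The ordinal handling is a stated simplification; pefile additionally resolves ws2_32/wsock32 and oleaut32 ordinals to names.

```python
"""Reproduce the imphash normalisation to show why unrelated families collide on it.

Added example: not MalwareBazaar's or pefile's code. The import tables below are
constructed; nothing is read from the sample on this page.
"""
import hashlib
from typing import Iterable, List, Optional, Tuple

# (DLL name as written in the import directory, imported function name or None, ordinal or None)
ImportEntry = Tuple[str, Optional[str], Optional[int]]


def canonical_imports(imports: Iterable[ImportEntry]) -> List[str]:
    """Normalise each import the way the imphash scheme does.

    - DLL name lower-cased, with a trailing .dll/.ocx/.sys removed
    - function name lower-cased
    - ordinal-only imports written as ord<N>
    Simplification (assumption, not pefile's full behaviour): pefile also maps
    ordinals of ws2_32/wsock32 and oleaut32 to their export names; that lookup
    table is omitted here, so avoid those DLLs when comparing to real imphashes.
    """
    out: List[str] = []
    for dll, name, ordinal in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        func = name.lower() if name is not None else f"ord{ordinal}"
        out.append(f"{lib}.{func}")
    return out


def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 over the comma-joined canonical import list, in import-table order."""
    joined = ",".join(canonical_imports(imports))
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def imphash_collides(a: Iterable[ImportEntry], b: Iterable[ImportEntry]) -> bool:
    """True when two import tables give the same imphash (same stub, not necessarily same payload)."""
    return imphash(a) == imphash(b)


# Constructed import table of a hypothetical packer stub.
STUB_IMPORTS: List[ImportEntry] = [
    ("KERNEL32.dll", "LoadLibraryA", None),
    ("KERNEL32.dll", "GetProcAddress", None),
    ("KERNEL32.dll", "VirtualAlloc", None),
    ("KERNEL32.dll", "GetTickCount", None),
    ("MSVBVM60.DLL", None, 100),
]

# Same table with different casing and extension spelling: normalises to the same imphash.
STUB_IMPORTS_RECASED: List[ImportEntry] = [
    ("kernel32.DLL", "LOADLIBRARYA", None),
    ("Kernel32.dll", "getprocaddress", None),
    ("KERNEL32.DLL", "VirtualAlloc", None),
    ("kernel32.dll", "GetTickCount", None),
    ("msvbvm60.dll", None, 100),
]

# Same functions in a different order: the import-table order changes, so the imphash changes.
STUB_IMPORTS_REORDERED: List[ImportEntry] = list(reversed(STUB_IMPORTS))


if __name__ == "__main__":
    print("stub imphash      :", imphash(STUB_IMPORTS))
    print("recased collides  :", imphash_collides(STUB_IMPORTS, STUB_IMPORTS_RECASED))
    print("reordered collides:", imphash_collides(STUB_IMPORTS, STUB_IMPORTS_REORDERED))
```

Because the imphash covers only the outer packed layer, the "3 x RedLineStealer, 2 x Nymaim" overlap on this entry is useful as a pivot to find sibling droppers, but attribution should rest on the unpacked payload (the unpacked file's own hashes and the win_nymaim_g0 detection reported in the vendor results).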


andretavare5 (reporter):
Sample downloaded from http://95.214.24.96/load.php?pub=mixinte

Intelligence

File Origin
# of uploads: 1
# of downloads: 395
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-08-24 23:31:49 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for synchronization primitives
  Launching the default Windows debugger (dwwin.exe)
  Sending a custom TCP request
  Creating a file in the %AppData% subdirectories
  Moving a file to the %AppData% subdirectory
  Creating a file in the system32 subdirectories
  Creating a file
  Running batch commands
  Creating a process with a hidden window
  Launching a tool to kill processes
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
  MalwareBazaar
  SystemUptime
  MeasuringTime
  EvasionGetTickCount
  CheckCmdLine
  EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 60 / 100
Signature:
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Yara detected Nymaim
Behaviour
Behavior Graph (ID 689862; sample: file; start date: 25/08/2022; architecture: WINDOWS; score: 60)
  Signatures on the sample: Malicious sample detected (through community Yara rule); Yara detected Nymaim; Machine Learning detection for sample
  file.exe (started)
    -> connection to 208.67.104.97:80 from local port 49736 (GRAYSON-COLLIN-COMMUNICATIONSUS, United States)
    -> WerFault.exe (started, three instances), each dropping C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
    -> 8 other processes, dropping three further C:\ProgramData\Microsoft\...\Report.wer files (Little-endian) and 3 other malicious files
         -> conhost.exe (started)
         -> taskkill.exe (started)
Threat name: Win32.Trojan.DllCheck
Status: Malicious
First seen: 2022-08-24 23:31:07 UTC
File Type: PE (Exe)
Extracted files: 40
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:nymaim trojan
Behaviour:
  Kills process with taskkill
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Program crash
  Checks computer location settings
  Deletes itself
  NyMaim
Unpacked files
SHA256 hash: 076275c696b3600f0af323328150d0166ed2c032e52399d1671391718eb79351
MD5 hash: a8d488739fdbbcced8899b5ad39df067
SHA1 hash: f3ffb476100c0767400296d60dcb70146fcbc084
Detections: win_nymaim_g0
Parent samples:
SHA256 hash: e56ec13f712bc01284335e2ae5f573d621260ddc10b456d67156345460f1b229
MD5 hash: 5c688978af9a129b15eed49d87159e96
SHA1 hash: c5776eeb623f4c266b601a99ef9ca427a68a876f
Please note that we are no longer able to provide a coverage score for VirusTotal.
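The sandbox results above agree on a small set of process behaviours that endpoint telemetry can catch: a tool launched to kill processes (taskkill.exe), batch commands, self-deletion, and repeated WerFault.exe crash handlers spawned from file.exe. The following is an added example, not code from MalwareBazaar or any of the vendors shown. The process-creation events are constructed to mirror the reported tree (a dropper in a user-writable directory spawning WerFault.exe three times and a cmd.exe that runs taskkill and deletes the dropper); the file path, PIDs and command lines are assumptions, not values taken from the sample.

```python
"""Detection logic for the process behaviour the sandboxes report for this sample.

Added example, not code from MalwareBazaar or any listed vendor. The events below
are constructed to mirror the reported tree; paths and command lines are assumed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation event with the fields Sysmon Event ID 1 or EDR telemetry provide."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Directories a standard user can write to; droppers typically execute from these.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def from_user_writable(image: str) -> bool:
    return any(marker in image.lower() for marker in USER_WRITABLE_MARKERS)


def basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def user_writable_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_hops: int = 4) -> Optional[ProcEvent]:
    """Walk up the parent chain (at most max_hops) and return the first ancestor executing
    from a user-writable path, or None. Looking past the direct parent is what catches
    taskkill.exe launched through an intermediate cmd.exe, as in the reported tree."""
    cur = by_pid.get(ev.ppid)
    for _ in range(max_hops):
        if cur is None:
            return None
        if from_user_writable(cur.image):
            return cur
        cur = by_pid.get(cur.ppid)
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) findings in event order, with the crash-storm rule appended last."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    werfault_children: Counter = Counter()
    for e in events:
        name = basename(e.image)
        ancestor = user_writable_ancestor(e, by_pid)
        # "Launching a tool to kill processes" / "Kills process with taskkill"
        if name == "taskkill.exe" and ancestor is not None:
            findings.append(("taskkill_from_user_writable_tree", e.pid))
        # "Running batch commands" + "Deletes itself": cmd.exe deleting the dropper's own image
        if (name == "cmd.exe" and ancestor is not None
                and re.search(r"\bdel\b", e.cmdline.lower())
                and ancestor.image.lower() in e.cmdline.lower()):
            findings.append(("self_delete_batch", e.pid))
        # "Program crash": WerFault.exe is the crash handler; count instances per crashing parent
        if name == "werfault.exe":
            parent = by_pid.get(e.ppid)
            if parent is not None and from_user_writable(parent.image):
                werfault_children[e.ppid] += 1
    for ppid, count in werfault_children.items():
        if count >= 2:
            findings.append(("werfault_storm", ppid))
    return findings


DROPPER = r"C:\Users\user\AppData\Local\Temp\file.exe"  # assumed path, not from the sample
SAMPLE_EVENTS: List[ProcEvent] = [  # constructed telemetry
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, DROPPER, DROPPER),
    ProcEvent(2100, 2000, r"C:\Windows\System32\WerFault.exe", "WerFault.exe -u -p 2000 -s 1032"),
    ProcEvent(2101, 2000, r"C:\Windows\System32\WerFault.exe", "WerFault.exe -u -p 2000 -s 1040"),
    ProcEvent(2102, 2000, r"C:\Windows\System32\WerFault.exe", "WerFault.exe -u -p 2000 -s 1048"),
    ProcEvent(2200, 2000, r"C:\Windows\System32\cmd.exe",
              f'cmd.exe /c taskkill /f /im file.exe & del "{DROPPER}"'),
    ProcEvent(2201, 2200, r"C:\Windows\System32\conhost.exe", "conhost.exe 0xffffffff"),
    ProcEvent(2202, 2200, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im file.exe"),
    # Benign: an interactive cmd.exe under explorer.exe killing notepad; must not fire.
    ProcEvent(3000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(3001, 3000, r"C:\Windows\System32\taskkill.exe", "taskkill /im notepad.exe"),
]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:35s} pid={pid}")
```

The ancestry walk is the part worth keeping: keying only on "taskkill.exe spawned by cmd.exe" fires on every administrator's console session, while requiring a user-writable executable somewhere in the last few hops separates the dropper's cleanup from that noise. The WerFault count is a weak signal on its own (any buggy program crashes), but three crash handlers from one short-lived binary in %Temp% is the pattern the behavior graph above shows and is cheap to corroborate.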

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
