nymaim

General

Target

0x00070000000139bc-141.dat
Size

812KB
Sample

220825-p5ln5aebd4
MD5

f8fdccdc4cc17f6781497d69742aeb58
SHA1

026edf00ad6a4f77a99a8100060184caeb9a58ba
SHA256

97f751d8e067a8ff661e6f4cb0eb7cd3033abdb89d5e87e50581e011ff4f4144
SHA512

ee4969810435ab43fd7fe1cfc42667544cdb9766dacca2258cc4a860983b6477a9c8c74e6e41ef6230a89fd016f8f044eb83ca5e96796a6375dacd28e7254ac1
SSDEEP

24576:G6euVbQiKkWZPnmL0bLXM2NbEUO7TffYGX:NVEChLXT3YGX

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

marketing

C2

103.190.107.205:13122

Attributes

auth_value
6eb612390194e7efd1aa4f4c81e3d2fe

Extracted

Family

redline

Botnet

ruzki9

C2

176.113.115.146:9582

Attributes

auth_value
0bc3fe6153667b0956cb33e6a376b53d

Extracted

Family

redline

Botnet

nam6.2

C2

103.89.90.61:34589

Attributes

auth_value
2276f4d8810e679413659a9576a6cdf4

Targets

- Target
  
  0x00070000000139bc-141.dat
- Size
  
  812KB
- MD5
  
  f8fdccdc4cc17f6781497d69742aeb58
- SHA1
  
  026edf00ad6a4f77a99a8100060184caeb9a58ba
- SHA256
  
  97f751d8e067a8ff661e6f4cb0eb7cd3033abdb89d5e87e50581e011ff4f4144
- SHA512
  
  ee4969810435ab43fd7fe1cfc42667544cdb9766dacca2258cc4a860983b6477a9c8c74e6e41ef6230a89fd016f8f044eb83ca5e96796a6375dacd28e7254ac1
- SSDEEP
  
  24576:G6euVbQiKkWZPnmL0bLXM2NbEUO7TffYGX:NVEChLXT3YGX
Score

10^/10

nymaim redline marketing ruzki9 discovery evasion infostealer persistence spyware stealer trojan nam6.2 miner vmprotect
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NyMaim
  NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
  trojan nymaim
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Detectes Phoenix Miner Payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2