nymaim

General

Target

E52E6BBF7705F9B90E4A20F2935CB86EE6078035F14D8.exe
Size

2.7MB
Sample

220826-a4m38seah7
MD5

0d7692792b4907f9470d3b1bb6ce8310
SHA1

ca834957d8ba9b9b718b48208a34739a7c93a0f1
SHA256

e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
SHA512

5265f0687c7b543c944923ff803ce04dac343ce4092b40b688076149b5d5bbd53e9213255905bfe50119a9f50fe5a915a8952dc4e7ecc6e7003d23d603e7de8c
SSDEEP

49152:EgaxsZeUoyyLrESKgT9evi3VEiQ3cMkBtghtojoiprtroZsiONIG:JkuALrxlMGEiQ3cqt2oiprtcZsiONp

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes

profile_id
933

Extracted

Family

redline

Botnet

Cana01

C2

176.111.174.254:56328

Extracted

Family

redline

Botnet

ruzki9

C2

176.113.115.146:9582

Attributes

auth_value
0bc3fe6153667b0956cb33e6a376b53d

Extracted

Family

redline

Botnet

nam6.2

C2

103.89.90.61:34589

Attributes

auth_value
2276f4d8810e679413659a9576a6cdf4

Targets

- Target
  
  E52E6BBF7705F9B90E4A20F2935CB86EE6078035F14D8.exe
- Size
  
  2.7MB
- MD5
  
  0d7692792b4907f9470d3b1bb6ce8310
- SHA1
  
  ca834957d8ba9b9b718b48208a34739a7c93a0f1
- SHA256
  
  e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
- SHA512
  
  5265f0687c7b543c944923ff803ce04dac343ce4092b40b688076149b5d5bbd53e9213255905bfe50119a9f50fe5a915a8952dc4e7ecc6e7003d23d603e7de8c
- SSDEEP
  
  49152:EgaxsZeUoyyLrESKgT9evi3VEiQ3cMkBtghtojoiprtroZsiONIG:JkuALrxlMGEiQ3cqt2oiprtcZsiONp
Score

10^/10

nymaim privateloader redline vidar ytstealer 933 cana01 ruzki9 aspackv2 evasion infostealer loader stealer trojan upx nam6.2 discovery miner persistence spyware vmprotect
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NyMaim
  NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
  trojan nymaim
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- YTStealer
  YTStealer is a malware designed to steal YouTube authentication cookies.
  stealer ytstealer
- YTStealer payload
- Detectes Phoenix Miner Payload
  miner
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2