nymaim | 736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d
Size

380KB
Sample

221018-gba2jaehdl
MD5

c0b4de4f711b7c28369d7a4018f94759
SHA1

4cf0c26459c732e1b334b8a2b4748161d922e657
SHA256

736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d
SHA512

6e0f13d4492841eecf84bba5953aeec94563aa3c5bc11845e6d6a94915cb4493564f920e849a51551328c25aae71674646768a7ec666dd8263767a9ec3293ada
SSDEEP

6144:x/QiQXCykm+ksmpk3U9j0IidOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3yP6m6UR0IqlL//plmW9bTXeVhDrE

Score

10^/10

nymaim evasion persistence trojan vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d.exe

Resource

win10v2004-20220812-en

nymaim evasion persistence trojan vmprotect

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

nymaim

C2

45.15.156.54

85.31.46.167

Targets

- Target
  
  736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d
- Size
  
  380KB
- MD5
  
  c0b4de4f711b7c28369d7a4018f94759
- SHA1
  
  4cf0c26459c732e1b334b8a2b4748161d922e657
- SHA256
  
  736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d
- SHA512
  
  6e0f13d4492841eecf84bba5953aeec94563aa3c5bc11845e6d6a94915cb4493564f920e849a51551328c25aae71674646768a7ec666dd8263767a9ec3293ada
- SSDEEP
  
  6144:x/QiQXCykm+ksmpk3U9j0IidOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3yP6m6UR0IqlL//plmW9bTXeVhDrE
Score

10^/10

nymaim evasion persistence trojan vmprotect
- NyMaim
  NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
  trojan nymaim
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

Software Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

nymaimevasionpersistencetrojanvmprotect

© 2018-2025

Terms | Privacy