General

  • Target

    d026b0f1bfa1ea1bc142695477450d6bd4c10e6d7cdbff1d4e8abaad8f04b6c1

  • Size

    380KB

  • Sample

    221118-27l4wsgc8s

  • MD5

    e91e8a603108c29db5d1a1ba1c8123fd

  • SHA1

    e609bf5881c00aa4c325a2250407d0d8b254e04c

  • SHA256

    d026b0f1bfa1ea1bc142695477450d6bd4c10e6d7cdbff1d4e8abaad8f04b6c1

  • SHA512

    2d0c23f0a9cc784820291595816ec49a9f12d3b4bdd5cc569f56810d1766fb73b9a1a8ece293210678d03ebe8d3413bb9ebc7ae9eb757588345bebcd4e8abff7

  • SSDEEP

    6144:x/QiQXCWkm+ksmpk3U9j0IV/OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3WP6m6UR0IV/lL//plmW9bTXeVhD4

Malware Config

Extracted

Family

nymaim

C2

45.139.105.171

85.31.46.167

Targets

    • NyMaim

      NyMaim is malware with various capabilities, written in C++ and first seen in 2013.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6

Tasks