Windows
Analysis Report
oKum4jX2X3.exe
Overview
General Information
Sample name: | oKum4jX2X3.exe (renamed because original name is a hash value) |
Original sample name: | c2aab8150d3d763706fbe02fe07f8aa1.exe |
Analysis ID: | 1417239 |
MD5: | c2aab8150d3d763706fbe02fe07f8aa1 |
SHA1: | 96f231a59c8bfb43aa78aa43501973a52919b7df |
SHA256: | 4af89e5a1cfa894ce90b1a5acb94abd36e90339e92c137d2f77d59c2e1efdb6f |
Tags: | exe |
Infos: | |
Detection
GCleaner, Nymaim
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GCleaner
Yara detected Nymaim
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Drops PE files
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Classification
- System is w10x64
- oKum4jX2X3.exe (PID: 7356 cmdline: "C:\Users\user\Desktop\oKum4jX2X3.exe" MD5: C2AAB8150D3D763706FBE02FE07F8AA1)
  - WerFault.exe (PID: 7476 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 724 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - WerFault.exe (PID: 7552 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 732 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - WerFault.exe (PID: 7660 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 764 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - WerFault.exe (PID: 7716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 772 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - WerFault.exe (PID: 7788 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 980 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - WerFault.exe (PID: 7848 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 1012 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - WerFault.exe (PID: 936 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 1304 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
GCleaner | | No Attribution | | |
Nymaim | Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising. | No Attribution | | |
{"C2 addresses": ["185.172.128.90", "5.42.64.3", "5.42.64.3"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | |
| JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security | |
⊘No Sigma rule has matched
⊘No Snort rule has matched
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | File opened: |
Source: | Binary string: |