{
	"id": "714727b5-0ba5-4d80-be32-3aaa83e76fd4",
	"created_at": "2026-04-06T00:11:20.336217Z",
	"updated_at": "2026-04-10T03:21:50.570336Z",
	"deleted_at": null,
	"sha1_hash": "65730682c39fa1c1cc40759b06580903f02d3faf",
	"title": "Malware-Scripts/Nymaim at master · coldshell/Malware-Scripts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39995,
	"plain_text": "Malware-Scripts/Nymaim at master · coldshell/Malware-Scripts\r\nBy coldshell\r\nArchived: 2026-04-05 19:40:04 UTC\r\nThis tool helps to deobfuscate Nymaim samples.\r\nTo deobfuscate, we use miasm for emulation and grap to match graph patterns.\r\n./nymaim.py --ida /tmp/nymaim_unpack_2018-03-28.bin\r\n[+] Searching for the pattern push_reg\r\n[i] The graph push_reg was found 1 time(s)\r\n[+] Emulating each call to push_reg\r\n[+] Patching each call to push_reg (can take a while)\r\n[+] Searching for the pattern detour_call\r\n[i] The graph detour_call was found 34 time(s)\r\n[e] No XREFS to the function 0x429537 was found\r\n[+] Emulating each call to detour_call\r\n[+] Patching each call to detour_call (can take a while)\r\n[+] Searching for the pattern detour_jmp\r\n[i] The graph detour_jmp was found 32 time(s)\r\n[e] No XREFS to the function 0x402AC2 was found\r\n[e] No XREFS to the function 0x404A23 was found\r\n[e] No XREFS to the function 0x404EAB was found\r\n[e] No XREFS to the function 0x406A90 was found\r\n[e] No XREFS to the function 0x4081B3 was found\r\n[e] No XREFS to the function 0x40DF3D was found\r\n[e] No XREFS to the function 0x41148D was found\r\n[e] No XREFS to the function 0x419F2C was found\r\n[e] No XREFS to the function 0x41A5B4 was found\r\n[e] No XREFS to the function 0x41FB49 was found\r\n[e] No XREFS to the function 0x42247A was found\r\n[e] No XREFS to the function 0x423A38 was found\r\n[e] No XREFS to the function 0x42477F was found\r\n[e] No XREFS to the function 0x4278C1 was found\r\n[e] No XREFS to the function 0x42914B was found\r\n[e] No XREFS to the function 0x42BFFF was found\r\n[e] No XREFS to the function 0x42F385 was found\r\n[e] No XREFS to the function 0x43212F was found\r\n[+] Emulating each call to detour_jmp\r\n[+] Patching each call to detour_jmp (can take a while)\r\n[+] Creation of an IDA script to rename function: /tmp/nymaim_unpack_2018-03-28.bin_ida.py\r\n[+] Patched nymaim available: /tmp/nymaim_unpack_2018-03-28.bin.clean\r\nMakeFunction(4214618)\r\nMakeNameEx(4214618, \"detour_jmp_0\", SN_NOWARN)\r\nMakeFunction(4226729)\r\nMakeNameEx(4226729, \"detour_jmp_1\", SN_NOWARN)\r\nMakeFunction(4229427)\r\nMakeNameEx(4229427, \"detour_jmp_2\", SN_NOWARN)\r\nMakeFunction(4261327)\r\nMakeNameEx(4261327, \"detour_jmp_3\", SN_NOWARN)\r\nMakeFunction(4270551)\r\nMakeNameEx(4270551, \"detour_jmp_4\", SN_NOWARN)\r\nMakeFunction(4327584)\r\nMakeNameEx(4327584, \"detour_jmp_5\", SN_NOWARN)\r\nMakeFunction(4327617)\r\nMakeNameEx(4327617, \"detour_jmp_6\", SN_NOWARN)\r\nMakeFunction(4356652)\r\n...\r\n...\r\n...\r\nYou will need grap and miasm. For the other dependencies, see requierments.txt.\r\nSource: https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim"
	],
	"report_names": [
		"Nymaim"
	],
	"threat_actors": [],
	"ts_created_at": 1775434280,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/65730682c39fa1c1cc40759b06580903f02d3faf.pdf",
		"text": "https://archive.orkl.eu/65730682c39fa1c1cc40759b06580903f02d3faf.txt",
		"img": "https://archive.orkl.eu/65730682c39fa1c1cc40759b06580903f02d3faf.jpg"
	}
}