win.nemim

Nemim

aka: Nemain

Actor(s): DarkHotel


There is no description at this point.

References
2020-09-08 | NSFOCUS | NSFOCUS
@online{nsfocus:20200908:groupdarkhotelrat:f6ecf8c, author = {NSFOCUS}, title = {{APT GROUP系列——DARKHOTEL之窃密与RAT篇}}, date = {2020-09-08}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/darkhotel-3-0908/}, language = {Chinese}, urldate = {2020-09-15} } APT GROUP系列——DARKHOTEL之窃密与RAT篇
Nemim
2020 | Secureworks | SecureWorks
@online{secureworks:2020:tungsten:f923f8b, author = {SecureWorks}, title = {{TUNGSTEN BRIDGE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tungsten-bridge}, language = {English}, urldate = {2020-05-23} } TUNGSTEN BRIDGE
Nemim DarkHotel
Yara Rules
[TLP:WHITE] win_nemim_auto (20220411 | Detects win.nemim.)
rule win_nemim_auto {
    // Auto-generated code-sequence rule for the Nemim family (win.nemim, aka Nemain,
    // attributed on the Malpedia page to DarkHotel). Each $sequence_N below is a short
    // run of 32-bit x86 instruction bytes lifted from one sample's unpacked code; the
    // rule fires when most of them are present (see the condition at the bottom).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.nemim."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemim"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Notation: "n" is the instruction count of the sequence, "score" the
        // generator's ranking weight. "??" wildcards mask operands the generator
        // treats as relocatable (rel32 call targets, absolute data addresses,
        // pushed pointers) - those instructions are shown without a disassembly
        // below. Sequences 1, 6 and 7 still embed literal absolute addresses
        // (0x4325d0, 0x42a7d0, 0x416f10/0x416f80/0x417040), so they are presumably
        // tied to this sample's image base and will likely miss a rebuilt or
        // rebased variant - a point to keep in mind when tuning the threshold.

        $sequence_0 = { 89542418 89442414 75cc 8b742418 8bcd }
            // n = 5, score = 200
            //   89542418             | mov                 dword ptr [esp + 0x18], edx
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   75cc                 | jne                 0xffffffce
            //   8b742418             | mov                 esi, dword ptr [esp + 0x18]
            //   8bcd                 | mov                 ecx, ebp

        $sequence_1 = { 56 8bf1 c1e603 3b96d0254300 0f851c010000 a1???????? 83f801 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   c1e603               | shl                 esi, 3
            //   3b96d0254300         | cmp                 edx, dword ptr [esi + 0x4325d0]
            //   0f851c010000         | jne                 0x122
            //   a1????????           |                     
            //   83f801               | cmp                 eax, 1

        $sequence_2 = { 884806 8b5604 c1ea18 885007 8a4e08 }
            // n = 5, score = 200
            //   884806               | mov                 byte ptr [eax + 6], cl
            //   8b5604               | mov                 edx, dword ptr [esi + 4]
            //   c1ea18               | shr                 edx, 0x18
            //   885007               | mov                 byte ptr [eax + 7], dl
            //   8a4e08               | mov                 cl, byte ptr [esi + 8]

        $sequence_3 = { ff15???????? 8b442410 3d97010000 0f84ae000000 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   3d97010000           | cmp                 eax, 0x197
            //   0f84ae000000         | je                  0xb4

        $sequence_4 = { 85ff 0f84a2000000 33f6 57 e8???????? 83c404 83f8ff }
            // n = 7, score = 200
            //   85ff                 | test                edi, edi
            //   0f84a2000000         | je                  0xa8
            //   33f6                 | xor                 esi, esi
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   83f8ff               | cmp                 eax, -1

        // NOTE(review): the not/add/or/xor/add shape here is the MD5 round-4 step
        // (I(x,y,z) = y ^ (x | ~z)); see also $sequence_9. A statically linked
        // generic MD5 implementation in an unrelated binary can satisfy these two
        // strings, so do not treat either of them as a family indicator on its own.
        $sequence_5 = { 8bf9 f7d7 03d0 0bfa 33f8 03fd 8b6c2424 }
            // n = 7, score = 200
            //   8bf9                 | mov                 edi, ecx
            //   f7d7                 | not                 edi
            //   03d0                 | add                 edx, eax
            //   0bfa                 | or                  edi, edx
            //   33f8                 | xor                 edi, eax
            //   03fd                 | add                 edi, ebp
            //   8b6c2424             | mov                 ebp, dword ptr [esp + 0x24]

        $sequence_6 = { 53 56 ff90d0a74200 83c414 83f801 7514 8d047f }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   56                   | push                esi
            //   ff90d0a74200         | call                dword ptr [eax + 0x42a7d0]
            //   83c414               | add                 esp, 0x14
            //   83f801               | cmp                 eax, 1
            //   7514                 | jne                 0x16
            //   8d047f               | lea                 eax, dword ptr [edi + edi*2]

        // Three consecutive pointer stores into a struct at [esi+0xc..0x14]; the
        // stored values are absolute code/data addresses in this build (see the
        // note on rebasing above).
        $sequence_7 = { 397e04 7570 c7460c106f4100 c74610806f4100 c7461440704100 }
            // n = 5, score = 200
            //   397e04               | cmp                 dword ptr [esi + 4], edi
            //   7570                 | jne                 0x72
            //   c7460c106f4100       | mov                 dword ptr [esi + 0xc], 0x416f10
            //   c74610806f4100       | mov                 dword ptr [esi + 0x10], 0x416f80
            //   c7461440704100       | mov                 dword ptr [esi + 0x14], 0x417040

        $sequence_8 = { 51 e8???????? 682c010000 68???????? 68???????? }
            // n = 5, score = 200
            //   51                   | push                ecx
            //   e8????????           |                     
            //   682c010000           | push                0x12c
            //   68????????           |                     
            //   68????????           |                     

        // NOTE(review): xor/xor/add followed by lea with immediate 0xc4ac5665
        // (bytes 6556acc4, printed as -0x3b53a99b in signed form) is an MD5
        // round-3 step with its additive constant - generic hash code rather than
        // family-specific logic, same caveat as $sequence_5.
        $sequence_9 = { 33fe 33f8 03fd 8dbc396556acc4 }
            // n = 4, score = 200
            //   33fe                 | xor                 edi, esi
            //   33f8                 | xor                 edi, eax
            //   03fd                 | add                 edi, ebp
            //   8dbc396556acc4       | lea                 edi, dword ptr [ecx + edi - 0x3b53a99b]

    condition:
        // Match when at least 7 of the 10 sequences are present and the scanned
        // object is under 499712 bytes (488 KiB). The size cap reflects the
        // unpacked/dumped sample the rule was generated from; a packed on-disk
        // file or a larger memory region may fall outside it. The 7-of-10
        // threshold is what keeps the two generic MD5 sequences from matching
        // on their own.
        7 of them and filesize < 499712
}