win.nimbo_c2

Nimbo-C2


According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. It is written in Nim, with some use of .NET (by dynamically loading the CLR into the process).

References
2022-10-08 — Github (itaymigdal) — Itay Migdal
Nimbo-C2 - A new C2 Framework
Nimbo-C2 Nimbo-C2
Yara Rules
[TLP:WHITE] win_nimbo_c2_auto (20230808 | Detects win.nimbo_c2.)
rule win_nimbo_c2_auto {

    /* Autogenerated (yara-signator) opcode-sequence rule for win.nimbo_c2.
     *
     * Matching logic: ten seven-instruction byte sequences ($sequence_0 ..
     * $sequence_9). In each, the 4-byte relative target of an e8 (call)
     * instruction is wildcarded as "????????" so the sequence is not tied to
     * one sample's layout (signator_config "callsandjumps"). The rule fires
     * when at least 7 of the 10 sequences are present and the scanned file is
     * smaller than 1141760 bytes (see condition).
     *
     * Meta fields are Malpedia provenance; malpedia_hash presumably identifies
     * the reference sample the sequences were derived from - confirm against
     * the Malpedia entry.
     *
     * NOTE(review): the mnemonic column in the per-sequence comments below does
     * not correspond to the bytes on the left (e.g. 741a is a short je and 5e
     * is pop rsi, yet they are annotated "sub esp, 0x188" and "dec eax"). This
     * looks like a generator artifact (possibly a 32-bit decode of a different
     * offset). Only the hex bytes are matched; treat the mnemonic annotations
     * as unreliable and do not use them to reason about the detected code.
     *
     * NOTE(review): per the disclaimer, the sequences were selected from memory
     * dumps and unpacked files, so a packed on-disk sample may not match. When
     * scanning a running process instead, be aware that YARA's filesize is not
     * defined for process scans, so the "filesize <" clause may keep the rule
     * from firing there - verify for your YARA version before relying on it
     * for memory scanning.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.nimbo_c2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimbo_c2"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence: n = number of instructions, score = generator ranking.
        // The "| mnemonic" column is generator output and does not line up with
        // the bytes (see NOTE(review) at the top of the rule).
        $sequence_0 = { 741a 488b4960 ba22000000 e8???????? 488d4b60 4889c2 e8???????? }
            // n = 7, score = 500
            //   741a                 | sub                 esp, 0x188
            //   488b4960             | inc                 ecx
            //   ba22000000           | pop                 ebp
            //   e8????????           |                     
            //   488d4b60             | inc                 ecx
            //   4889c2               | pop                 esi
            //   e8????????           |                     

        $sequence_1 = { 7434 498b07 b902000000 4899 48f7f9 498b17 31c9 }
            // n = 7, score = 500
            //   7434                 | inc                 ecx
            //   498b07               | push                ebp
            //   b902000000           | dec                 eax
            //   4899                 | sub                 esp, 0x30
            //   48f7f9               | mov                 edx, 0x10
            //   498b17               | dec                 ecx
            //   31c9                 | mov                 ebp, ecx

        $sequence_2 = { e8???????? 4883c470 5b 5e 5f 415c 415d }
            // n = 7, score = 500
            //   e8????????           |                     
            //   4883c470             | add                 esp, 0x28
            //   5b                   | pop                 ebx
            //   5e                   | dec                 eax
            //   5f                   | test                eax, eax
            //   415c                 | je                  0x160d
            //   415d                 | dec                 eax

        $sequence_3 = { 488b4c2428 84c0 740f 4883c430 415c 415d 415e }
            // n = 7, score = 500
            //   488b4c2428           | sub                 esp, 0x28
            //   84c0                 | dec                 eax
            //   740f                 | lea                 eax, [0x5ead6]
            //   4883c430             | pop                 ebx
            //   415c                 | pop                 esi
            //   415d                 | pop                 edi
            //   415e                 | dec                 eax

        $sequence_4 = { 4889f1 4889442420 e8???????? 48ff4608 4883c440 5b 5e }
            // n = 7, score = 500
            //   4889f1               | shr                 ebp, 0x20
            //   4889442420           | dec                 ecx
            //   e8????????           |                     
            //   48ff4608             | cmp                 ebp, esi
            //   4883c440             | dec                 ebp
            //   5b                   | add                 ebx, esi
            //   5e                   | jmp                 0x1fb6

        $sequence_5 = { 7d45 eb49 488b4a10 488b5218 48894810 4889d9 48895018 }
            // n = 7, score = 500
            //   7d45                 | mov                 ecx, 0xf
            //   eb49                 | dec                 esp
            //   488b4a10             | mov                 ecx, ebp
            //   488b5218             | mov                 edx, 0x11e
            //   48894810             | jmp                 0x807
            //   4889d9               | dec                 esp
            //   48895018             | mov                 eax, dword ptr [esp + 0x50]

        $sequence_6 = { 4d8b2c24 31ff 4c39ef 7de9 498b54fc10 4889f1 48ffc7 }
            // n = 7, score = 500
            //   4d8b2c24             | inc                 ecx
            //   31ff                 | movzx               eax, al
            //   4c39ef               | sub                 eax, edx
            //   7de9                 | jne                 0x19
            //   498b54fc10           | dec                 ecx
            //   4889f1               | inc                 edx
            //   48ffc7               | jmp                 0xffffffe3

        $sequence_7 = { e8???????? 31d2 4c89e1 498907 e8???????? 4c89e9 488906 }
            // n = 7, score = 500
            //   e8????????           |                     
            //   31d2                 | dec                 eax
            //   4c89e1               | cmp                 eax, 7
            //   498907               | ja                  0x1685
            //   e8????????           |                     
            //   4c89e9               | dec                 eax
            //   488906               | add                 ecx, 0x18

        $sequence_8 = { c1fa0c 83e23f 83ca80 885012 89da 83e33f c1fa06 }
            // n = 7, score = 500
            //   c1fa0c               | inc                 ecx
            //   83e23f               | pop                 esi
            //   83ca80               | inc                 ecx
            //   885012               | pop                 edi
            //   89da                 | ret                 
            //   83e33f               | inc                 ecx
            //   c1fa06               | push                esp

        $sequence_9 = { 807c33102d 0f94c0 48ffc6 ebd4 4c89e0 4883c428 5b }
            // n = 7, score = 500
            //   807c33102d           | je                  0x135f
            //   0f94c0               | inc                 esp
            //   48ffc6               | movzx               ecx, byte ptr [eax + esi + 0x10]
            //   ebd4                 | dec                 ebx
            //   4c89e0               | add                 eax, dword ptr [ebx + ecx*8]
            //   4883c428             | jmp                 0x1335
            //   5b                   | dec                 ebp

    condition:
        // 7-of-10 threshold tolerates a few sequences being absent or rewritten;
        // the size bound limits scanning cost and false positives on large files.
        7 of them and filesize < 1141760
}