win.nimbo_c2

Nimbo-C2


According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 only. It is written in Nim, with some use of .NET (by dynamically loading the CLR into the process).

References
2022-10-08 — Github (itaymigdal) — Itay Migdal
@online{migdal:20221008:nimboc2:f266f13, author = {Itay Migdal}, title = {{Nimbo-C2 - A new C2 Framework}}, date = {2022-10-08}, organization = {Github (itaymigdal)}, url = {https://github.com/itaymigdal/Nimbo-C2}, language = {English}, urldate = {2022-10-10} } Nimbo-C2 - A new C2 Framework
Nimbo-C2
Yara Rules
[TLP:WHITE] win_nimbo_c2_auto (20230407 | Detects win.nimbo_c2.)
rule win_nimbo_c2_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.nimbo_c2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimbo_c2"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Detection notes (review)
     * Each $sequence_N is a run of 7 consecutive x86-64 instruction encodings
     * ("n = 7" is the instruction count), most likely lifted from a single
     * sample (see the disclaimer above). "score = 300" is yara-signator's own
     * ranking metric; its scale is not documented here, so do not read it as a
     * confidence level.
     * Bytes written as ???????? are wildcards over a 4-byte rel32/disp32
     * operand (the target of e8 call / e9 jmp / ff15 call [rip+disp32]),
     * presumably so the pattern survives relocation between builds.
     * NOTE(review): the mnemonic column originally generated with this rule
     * did not correspond to the listed bytes (e.g. 7405 is a 2-byte `je`, yet
     * it was annotated as a 6-byte `lea`). The column below is a manual
     * x86-64 re-decode of the bytes -- verify against a disassembler before
     * relying on it. Only the hex patterns and the condition are what YARA
     * evaluates.
     */

    strings:
        $sequence_0 = { e8???????? ebe4 8b4608 a880 7405 c6032d eb12 }
            // n = 7, score = 300
            //   e8????????           | call                rel32 (wildcarded)
            //   ebe4                 | jmp                 short -0x1c
            //   8b4608               | mov                 eax, dword ptr [rsi + 8]
            //   a880                 | test                al, 0x80
            //   7405                 | je                  short +5
            //   c6032d               | mov                 byte ptr [rbx], 0x2d ('-')
            //   eb12                 | jmp                 short +0x12

        $sequence_1 = { ebeb 4183fa6f 759d ebb0 4801c3 e9???????? 4889ec }
            // n = 7, score = 300
            //   ebeb                 | jmp                 short -0x15
            //   4183fa6f             | cmp                 r10d, 0x6f
            //   759d                 | jne                 short -0x63
            //   ebb0                 | jmp                 short -0x50
            //   4801c3               | add                 rbx, rax
            //   e9????????           | jmp                 rel32 (wildcarded)
            //   4889ec               | mov                 rsp, rbp

        $sequence_2 = { 498b4c2418 ba11000000 e8???????? 4c89f1 4889c2 e8???????? 498b4c2418 }
            // n = 7, score = 300
            //   498b4c2418           | mov                 rcx, qword ptr [r12 + 0x18]
            //   ba11000000           | mov                 edx, 0x11
            //   e8????????           | call                rel32 (wildcarded)
            //   4c89f1               | mov                 rcx, r14
            //   4889c2               | mov                 rdx, rax
            //   e8????????           | call                rel32 (wildcarded)
            //   498b4c2418           | mov                 rcx, qword ptr [r12 + 0x18]

        $sequence_3 = { ebc1 4c39ca 7d0d 418a4c1010 880c10 48ffc2 ebee }
            // n = 7, score = 300
            //   ebc1                 | jmp                 short -0x3f
            //   4c39ca               | cmp                 rdx, r9
            //   7d0d                 | jge                 short +0xd
            //   418a4c1010           | mov                 cl, byte ptr [r8 + rdx + 0x10]
            //   880c10               | mov                 byte ptr [rax + rdx], cl
            //   48ffc2               | inc                 rdx
            //   ebee                 | jmp                 short -0x12

        $sequence_4 = { eb3d 4c89ea 4883e837 48c1e204 4809d0 4989c5 eb2a }
            // n = 7, score = 300
            //   eb3d                 | jmp                 short +0x3d
            //   4c89ea               | mov                 rdx, r13
            //   4883e837             | sub                 rax, 0x37
            //   48c1e204             | shl                 rdx, 4
            //   4809d0               | or                  rax, rdx
            //   4989c5               | mov                 r13, rax
            //   eb2a                 | jmp                 short +0x2a

        $sequence_5 = { 4531c0 4885db 7403 4c8b03 4889442420 488d5310 4c89e1 }
            // n = 7, score = 300
            //   4531c0               | xor                 r8d, r8d
            //   4885db               | test                rbx, rbx
            //   7403                 | je                  short +3
            //   4c8b03               | mov                 r8, qword ptr [rbx]
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   488d5310             | lea                 rdx, [rbx + 0x10]
            //   4c89e1               | mov                 rcx, r12

        $sequence_6 = { ff15???????? 4531c9 31d2 b900130000 89c3 488d442448 4531ed }
            // n = 7, score = 300
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded)
            //   4531c9               | xor                 r9d, r9d
            //   31d2                 | xor                 edx, edx
            //   b900130000           | mov                 ecx, 0x1300
            //   89c3                 | mov                 ebx, eax
            //   488d442448           | lea                 rax, [rsp + 0x48]
            //   4531ed               | xor                 r13d, r13d

        $sequence_7 = { 4c89e2 4c89c9 e8???????? 4c89ea eb24 31c0 4d85e4 }
            // n = 7, score = 300
            //   4c89e2               | mov                 rdx, r12
            //   4c89c9               | mov                 rcx, r9
            //   e8????????           | call                rel32 (wildcarded)
            //   4c89ea               | mov                 rdx, r13
            //   eb24                 | jmp                 short +0x24
            //   31c0                 | xor                 eax, eax
            //   4d85e4               | test                r12, r12

        $sequence_8 = { 48ffc2 4c8d0412 488d0c40 4939c8 7c09 4829c2 4883fa03 }
            // n = 7, score = 300
            //   48ffc2               | inc                 rdx
            //   4c8d0412             | lea                 r8, [rdx + rdx]
            //   488d0c40             | lea                 rcx, [rax + rax*2]
            //   4939c8               | cmp                 r8, rcx
            //   7c09                 | jl                  short +9
            //   4829c2               | sub                 rdx, rax
            //   4883fa03             | cmp                 rdx, 3

        $sequence_9 = { e8???????? ebe3 e8???????? 4889c1 e8???????? 488b8d58fbffff 4885c9 }
            // n = 7, score = 300
            //   e8????????           | call                rel32 (wildcarded)
            //   ebe3                 | jmp                 short -0x1d
            //   e8????????           | call                rel32 (wildcarded)
            //   4889c1               | mov                 rcx, rax
            //   e8????????           | call                rel32 (wildcarded)
            //   488b8d58fbffff       | mov                 rcx, qword ptr [rbp - 0x4a8]
            //   4885c9               | test                rcx, rcx

    condition:
        // Fires when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 1,076,224 bytes (~1.03 MiB). The size bound
        // also means a copy of the agent that is padded, or embedded inside a
        // larger file, will not match this rule as written.
        7 of them and filesize < 1076224
}