Malware written in Nim that steals data, including Discord tokens, from browsers and exfiltrates the results via a Discord webhook.
// Auto-generated code-sequence rule for win.nimgrabber (yara-signator).
// Strings are short x86 instruction sequences lifted from disassembly of
// memory dumps / unpacked samples; ???????? wildcards stand for rel32
// call/jmp displacements that change between builds and load addresses.
rule win_nimgrabber_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.nimgrabber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimgrabber"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each sequence: n = instruction count, score = signator ranking.
        $sequence_0 = { 894c2404 891424 83c001 89442408 e8???????? 8b03 0306 }
            // n = 7, score = 200
            //   894c2404     | mov dword ptr [esp + 4], ecx
            //   891424       | mov dword ptr [esp], edx
            //   83c001       | add eax, 1
            //   89442408     | mov dword ptr [esp + 8], eax
            //   e8????????   | call (rel32 target wildcarded)
            //   8b03         | mov eax, dword ptr [ebx]
            //   0306         | add eax, dword ptr [esi]

        $sequence_1 = { 0fb7c0 0fb6542e08 c1e206 81e2c00f0000 09d0 0fb6543e08 83e23f }
            // n = 7, score = 200
            //   0fb7c0       | movzx eax, ax
            //   0fb6542e08   | movzx edx, byte ptr [esi + ebp + 8]
            //   c1e206       | shl edx, 6
            //   81e2c00f0000 | and edx, 0xfc0
            //   09d0         | or eax, edx
            //   0fb6543e08   | movzx edx, byte ptr [esi + edi + 8]
            //   83e23f       | and edx, 0x3f

        $sequence_2 = { c744241008000000 c1eb08 be08000000 e9???????? c744241009000000 c1eb07 be09000000 }
            // n = 7, score = 200
            //   c744241008000000 | mov dword ptr [esp + 0x10], 8
            //   c1eb08           | shr ebx, 8
            //   be08000000       | mov esi, 8
            //   e9????????       | jmp (rel32 target wildcarded)
            //   c744241009000000 | mov dword ptr [esp + 0x10], 9
            //   c1eb07           | shr ebx, 7
            //   be09000000       | mov esi, 9

        $sequence_3 = { 0f87fc0a0000 395f6c 0f87080b0000 395f70 0f87140b0000 395f74 0f87200b0000 }
            // n = 7, score = 200
            //   0f87fc0a0000 | ja 0xb02
            //   395f6c       | cmp dword ptr [edi + 0x6c], ebx
            //   0f87080b0000 | ja 0xb0e
            //   395f70       | cmp dword ptr [edi + 0x70], ebx
            //   0f87140b0000 | ja 0xb1a
            //   395f74       | cmp dword ptr [edi + 0x74], ebx
            //   0f87200b0000 | ja 0xb26

        $sequence_4 = { 3b5f44 0f82010a0000 3b5f48 0f820d0a0000 3b5f4c 0f822e0a0000 }
            // n = 6, score = 200
            //   3b5f44       | cmp ebx, dword ptr [edi + 0x44]
            //   0f82010a0000 | jb 0xa07
            //   3b5f48       | cmp ebx, dword ptr [edi + 0x48]
            //   0f820d0a0000 | jb 0xa13
            //   3b5f4c       | cmp ebx, dword ptr [edi + 0x4c]
            //   0f822e0a0000 | jb 0xa34

        $sequence_5 = { 0f8fcffeffff 89fd 8b5504 89e9 e8???????? 8d4d04 89da }
            // n = 7, score = 200
            //   0f8fcffeffff | jg 0xfffffed5
            //   89fd         | mov ebp, edi
            //   8b5504       | mov edx, dword ptr [ebp + 4]
            //   89e9         | mov ecx, ebp
            //   e8????????   | call (rel32 target wildcarded)
            //   8d4d04       | lea ecx, [ebp + 4]
            //   89da         | mov edx, ebx

        $sequence_6 = { 8b03 83ec0c 89c7 83ef08 0f80d9050000 83e804 8b6c3b08 }
            // n = 7, score = 200
            //   8b03         | mov eax, dword ptr [ebx]
            //   83ec0c       | sub esp, 0xc
            //   89c7         | mov edi, eax
            //   83ef08       | sub edi, 8
            //   0f80d9050000 | jo 0x5df
            //   83e804       | sub eax, 4
            //   8b6c3b08     | mov ebp, dword ptr [ebx + edi + 8]

        $sequence_7 = { 8b00 89842488000000 85c0 0f8eab1a0000 8b44246c 31db }
            // n = 6, score = 200
            //   8b00           | mov eax, dword ptr [eax]
            //   89842488000000 | mov dword ptr [esp + 0x88], eax
            //   85c0           | test eax, eax
            //   0f8eab1a0000   | jle 0x1ab1
            //   8b44246c       | mov eax, dword ptr [esp + 0x6c]
            //   31db           | xor ebx, ebx

        $sequence_8 = { 894d14 894500 895508 83fa38 7f08 8b7c241c 3907 }
            // n = 7, score = 200
            //   894d14       | mov dword ptr [ebp + 0x14], ecx
            //   894500       | mov dword ptr [ebp], eax
            //   895508       | mov dword ptr [ebp + 8], edx
            //   83fa38       | cmp edx, 0x38
            //   7f08         | jg 0xa
            //   8b7c241c     | mov edi, dword ptr [esp + 0x1c]
            //   3907         | cmp dword ptr [edi], eax

        $sequence_9 = { e9???????? e8???????? e9???????? 894c2414 e8???????? 8b4c2414 e9???????? }
            // n = 7, score = 200
            //   e9????????   | jmp (rel32 target wildcarded)
            //   e8????????   | call (rel32 target wildcarded)
            //   e9????????   | jmp (rel32 target wildcarded)
            //   894c2414     | mov dword ptr [esp + 0x14], ecx
            //   e8????????   | call (rel32 target wildcarded)
            //   8b4c2414     | mov ecx, dword ptr [esp + 0x14]
            //   e9????????   | jmp (rel32 target wildcarded)

    condition:
        // Requires 7 of the 10 code sequences; the filesize cap limits
        // scanning cost and will exclude padded or repacked samples larger
        // than the documented one, so raise it deliberately if needed.
        7 of ($sequence_*) and filesize < 1238016
}