win.nimgrabber

NimGrabber


Malware written in Nim that steals data, including Discord tokens, from browsers and exfiltrates the results via a Discord webhook.

References
2021-10-14 | Medium walmartglobaltech | Jason Reaves
@online{reaves:20211014:investigation:29ef29c, author = {Jason Reaves}, title = {{Investigation into the state of NIM malware Part 2}}, date = {2021-10-14}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671}, language = {English}, urldate = {2021-12-15} } Investigation into the state of NIM malware Part 2
Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware)
Yara Rules
[TLP:WHITE] win_nimgrabber_auto (20230715 | Detects win.nimgrabber.)
rule win_nimgrabber_auto {
    // Autogenerated code-sequence signature for NimGrabber (win.nimgrabber).
    // The sequences below are raw opcode bytes lifted from disassembly; the
    // operands are 32-bit (esp/ebp-relative, 32-bit registers), so the rule is
    // expected to match 32-bit x86 builds only. Per the disclaimer, the bytes
    // come from memory dumps and unpacked files, so the rule is intended for
    // unpacked samples or memory, not for packed binaries as they sit on disk.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.nimgrabber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimgrabber"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a hex pattern of consecutive instructions. The
    // "e8????????" entries have no disassembly text because their 4-byte
    // operand is wildcarded (presumably near calls whose relative displacement
    // depends on code layout and would otherwise make the pattern brittle).
    // "n" is the number of instructions in the sequence; "score" is the
    // generator's ranking weight for the sequence (semantics per yara-signator
    // — confirm against its documentation before relying on it).
    strings:
        $sequence_0 = { 8b9424b4000000 0301 895008 8b9424b8000000 89500c 8b9424bc000000 }
            // n = 6, score = 200
            //   8b9424b4000000       | mov                 edx, dword ptr [esp + 0xb4]
            //   0301                 | add                 eax, dword ptr [ecx]
            //   895008               | mov                 dword ptr [eax + 8], edx
            //   8b9424b8000000       | mov                 edx, dword ptr [esp + 0xb8]
            //   89500c               | mov                 dword ptr [eax + 0xc], edx
            //   8b9424bc000000       | mov                 edx, dword ptr [esp + 0xbc]

        $sequence_1 = { 891424 89ca 8b4d84 e8???????? 8b5304 83ec04 85d2 }
            // n = 7, score = 200
            //   891424               | mov                 dword ptr [esp], edx
            //   89ca                 | mov                 edx, ecx
            //   8b4d84               | mov                 ecx, dword ptr [ebp - 0x7c]
            //   e8????????           |
            //   8b5304               | mov                 edx, dword ptr [ebx + 4]
            //   83ec04               | sub                 esp, 4
            //   85d2                 | test                edx, edx

        $sequence_2 = { 898538fcffff e8???????? 8b8538fcffff 0fb6440708 88441e08 83c301 }
            // n = 6, score = 200
            //   898538fcffff         | mov                 dword ptr [ebp - 0x3c8], eax
            //   e8????????           |
            //   8b8538fcffff         | mov                 eax, dword ptr [ebp - 0x3c8]
            //   0fb6440708           | movzx               eax, byte ptr [edi + eax + 8]
            //   88441e08             | mov                 byte ptr [esi + ebx + 8], al
            //   83c301               | add                 ebx, 1

        $sequence_3 = { 8b5c2444 8b7c2440 83fbff 0f84a4000000 39fb 7c4c 85c9 }
            // n = 7, score = 200
            //   8b5c2444             | mov                 ebx, dword ptr [esp + 0x44]
            //   8b7c2440             | mov                 edi, dword ptr [esp + 0x40]
            //   83fbff               | cmp                 ebx, -1
            //   0f84a4000000         | je                  0xaa
            //   39fb                 | cmp                 ebx, edi
            //   7c4c                 | jl                  0x4e
            //   85c9                 | test                ecx, ecx

        $sequence_4 = { e8???????? 0fb6541e08 8d4a9f 89d0 83ea20 80f91a 0f42c2 }
            // n = 7, score = 200
            //   e8????????           |
            //   0fb6541e08           | movzx               edx, byte ptr [esi + ebx + 8]
            //   8d4a9f               | lea                 ecx, [edx - 0x61]
            //   89d0                 | mov                 eax, edx
            //   83ea20               | sub                 edx, 0x20
            //   80f91a               | cmp                 cl, 0x1a
            //   0f42c2               | cmovb               eax, edx

        $sequence_5 = { 0f8697020000 8db600000000 893e 8b07 ba5c5c0000 8d440708 668910 }
            // n = 7, score = 200
            //   0f8697020000         | jbe                 0x29d
            //   8db600000000         | lea                 esi, [esi]
            //   893e                 | mov                 dword ptr [esi], edi
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   ba5c5c0000           | mov                 edx, 0x5c5c
            //   8d440708             | lea                 eax, [edi + eax + 8]
            //   668910               | mov                 word ptr [eax], dx

        $sequence_6 = { 31db 01d8 0fb6c9 11f2 89c3 89fe 894c2420 }
            // n = 7, score = 200
            //   31db                 | xor                 ebx, ebx
            //   01d8                 | add                 eax, ebx
            //   0fb6c9               | movzx               ecx, cl
            //   11f2                 | adc                 edx, esi
            //   89c3                 | mov                 ebx, eax
            //   89fe                 | mov                 esi, edi
            //   894c2420             | mov                 dword ptr [esp + 0x20], ecx

        $sequence_7 = { 0f8066170000 29df 7105 e8???????? 83c701 0f805e170000 85ff }
            // n = 7, score = 200
            //   0f8066170000         | jo                  0x176c
            //   29df                 | sub                 edi, ebx
            //   7105                 | jno                 7
            //   e8????????           |
            //   83c701               | add                 edi, 1
            //   0f805e170000         | jo                  0x1764
            //   85ff                 | test                edi, edi

        $sequence_8 = { 8b39 8b2f 83fd07 775a 8b4c241c 8d4c0aec }
            // n = 6, score = 200
            //   8b39                 | mov                 edi, dword ptr [ecx]
            //   8b2f                 | mov                 ebp, dword ptr [edi]
            //   83fd07               | cmp                 ebp, 7
            //   775a                 | ja                  0x5c
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   8d4c0aec             | lea                 ecx, [edx + ecx - 0x14]

        $sequence_9 = { 7d49 39e8 0f8670020000 807c1f085c 753a 89dd 83c501 }
            // n = 7, score = 200
            //   7d49                 | jge                 0x4b
            //   39e8                 | cmp                 eax, ebp
            //   0f8670020000         | jbe                 0x276
            //   807c1f085c           | cmp                 byte ptr [edi + ebx + 8], 0x5c
            //   753a                 | jne                 0x3c
            //   89dd                 | mov                 ebp, ebx
            //   83c501               | add                 ebp, 1

    // Fires when any 7 of the 10 sequences are present, which tolerates a few
    // sequences being absent or altered in a variant while still requiring a
    // majority of the captured code paths. The filesize cap (1238016 bytes,
    // about 1.18 MiB) bounds scan cost and excludes larger files; it was
    // presumably sized from the reference sample, so a larger build or a
    // memory region above that size will not match even if all sequences
    // are present — raise it deliberately if that is your use case.
    condition:
        7 of them and filesize < 1238016
}