Malware written in Nim, stealing data including discord tokens from browsers, exfiltrating the results via a Discord webhook.
rule win_nimgrabber_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.nimgrabber." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimgrabber" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 0f8fa7000000 c7819814000000400000 b800400000 c744240c04000000 c744240800300000 39c7 0f8fd0010000 } // n = 7, score = 200 // 0f8fa7000000 | jg 0xad // c7819814000000400000 | mov dword ptr [ecx + 0x1498], 0x4000 // b800400000 | mov eax, 0x4000 // c744240c04000000 | mov dword ptr [esp + 0xc], 4 // c744240800300000 | mov dword ptr [esp + 8], 0x3000 // 39c7 | cmp edi, eax // 0f8fd0010000 | jg 0x1d6 $sequence_1 = { 8b842490000000 83c004 89442430 0f80de2e0000 8b8424d8000000 8b00 39442430 } // n = 7, score = 200 // 8b842490000000 | mov eax, dword ptr [esp + 0x90] // 83c004 | add eax, 4 // 89442430 | mov dword ptr [esp + 0x30], eax // 0f80de2e0000 | jo 0x2ee4 // 8b8424d8000000 | mov eax, dword ptr [esp + 0xd8] // 8b00 | mov eax, dword ptr [eax] // 39442430 | cmp dword ptr [esp + 0x30], eax $sequence_2 = { c705????????b83b4800 c705????????20000000 c705????????02000000 c705????????00254800 668915???????? c605????????01 c705????????00000000 } // n = 7, score = 200 // c705????????b83b4800 | // c705????????20000000 | // c705????????02000000 | // c705????????00254800 | // 668915???????? | // c605????????01 | // c705????????00000000 | $sequence_3 = { 8d4710 8d5f08 be???????? b90b000000 c743042b000000 c747082b000000 89c7 } // n = 7, score = 200 // 8d4710 | lea eax, [edi + 0x10] // 8d5f08 | lea ebx, [edi + 8] // be???????? | // b90b000000 | mov ecx, 0xb // c743042b000000 | mov dword ptr [ebx + 4], 0x2b // c747082b000000 | mov dword ptr [edi + 8], 0x2b // 89c7 | mov edi, eax $sequence_4 = { c1f80c 89442418 89e8 0fb6c0 8d0483 8944241c 8b8084100000 } // n = 7, score = 200 // c1f80c | sar eax, 0xc // 89442418 | mov dword ptr [esp + 0x18], eax // 89e8 | mov eax, ebp // 0fb6c0 | movzx eax, al // 8d0483 | lea eax, [ebx + eax*4] // 8944241c | mov dword ptr [esp + 0x1c], eax // 8b8084100000 | mov eax, dword ptr [eax + 0x1084] $sequence_5 = { 7f0d b9???????? e8???????? 8b4514 83e801 0f8067160000 894514 } // n = 7, score = 200 // 7f0d | jg 0xf // b9???????? | // e8???????? | // 8b4514 | mov eax, dword ptr [ebp + 0x14] // 83e801 | sub eax, 1 // 0f8067160000 | jo 0x166d // 894514 | mov dword ptr [ebp + 0x14], eax $sequence_6 = { c70424???????? 894c2474 89542404 e8???????? 8b4c2474 31c0 894b04 } // n = 7, score = 200 // c70424???????? | // 894c2474 | mov dword ptr [esp + 0x74], ecx // 89542404 | mov dword ptr [esp + 4], edx // e8???????? | // 8b4c2474 | mov ecx, dword ptr [esp + 0x74] // 31c0 | xor eax, eax // 894b04 | mov dword ptr [ebx + 4], ecx $sequence_7 = { 8b6f04 81fd0000003f 7e28 c704240000003f 89fa 89f1 e8???????? } // n = 7, score = 200 // 8b6f04 | mov ebp, dword ptr [edi + 4] // 81fd0000003f | cmp ebp, 0x3f000000 // 7e28 | jle 0x2a // c704240000003f | mov dword ptr [esp], 0x3f000000 // 89fa | mov edx, edi // 89f1 | mov ecx, esi // e8???????? | $sequence_8 = { 89f9 e8???????? 8b4c2454 89da e8???????? 8b07 } // n = 6, score = 200 // 89f9 | mov ecx, edi // e8???????? | // 8b4c2454 | mov ecx, dword ptr [esp + 0x54] // 89da | mov edx, ebx // e8???????? | // 8b07 | mov eax, dword ptr [edi] $sequence_9 = { 740a 8b0b 85c9 0f88a6020000 e8???????? 31ed 89442430 } // n = 7, score = 200 // 740a | je 0xc // 8b0b | mov ecx, dword ptr [ebx] // 85c9 | test ecx, ecx // 0f88a6020000 | js 0x2ac // e8???????? | // 31ed | xor ebp, ebp // 89442430 | mov dword ptr [esp + 0x30], eax condition: 7 of them and filesize < 1238016 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY