SYMBOLCOMMON_NAMEaka. SYNONYMS
win.nimgrabber (Back to overview)

NimGrabber


Malware written in Nim, stealing data including discord tokens from browsers, exfiltrating the results via a Discord webhook.

References
2021-10-14Medium walmartglobaltechJason Reaves
@online{reaves:20211014:investigation:29ef29c, author = {Jason Reaves}, title = {{Investigation into the state of NIM malware Part 2}}, date = {2021-10-14}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671}, language = {English}, urldate = {2021-12-15} } Investigation into the state of NIM malware Part 2
Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware)
Yara Rules
[TLP:WHITE] win_nimgrabber_auto (20230125 | Detects win.nimgrabber.)
rule win_nimgrabber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.nimgrabber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimgrabber"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d44240c 8944240c 8b54240c 31c0 85d2 740c 8b442414 }
            // n = 7, score = 200
            //   8d44240c             | lea                 eax, [esp + 0xc]
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   31c0                 | xor                 eax, eax
            //   85d2                 | test                edx, edx
            //   740c                 | je                  0xe
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]

        $sequence_1 = { 3b5f44 0f823b140000 3b5f48 0f8247140000 3b5f4c 0f8279140000 3b5f50 }
            // n = 7, score = 200
            //   3b5f44               | cmp                 ebx, dword ptr [edi + 0x44]
            //   0f823b140000         | jb                  0x1441
            //   3b5f48               | cmp                 ebx, dword ptr [edi + 0x48]
            //   0f8247140000         | jb                  0x144d
            //   3b5f4c               | cmp                 ebx, dword ptr [edi + 0x4c]
            //   0f8279140000         | jb                  0x147f
            //   3b5f50               | cmp                 ebx, dword ptr [edi + 0x50]

        $sequence_2 = { b9???????? 8d50f8 e8???????? 897b14 8b530c 8b4314 }
            // n = 6, score = 200
            //   b9????????           |                     
            //   8d50f8               | lea                 edx, [eax - 8]
            //   e8????????           |                     
            //   897b14               | mov                 dword ptr [ebx + 0x14], edi
            //   8b530c               | mov                 edx, dword ptr [ebx + 0xc]
            //   8b4314               | mov                 eax, dword ptr [ebx + 0x14]

        $sequence_3 = { eb03 83ea01 890424 89542404 e8???????? 8b442468 8b4c245c }
            // n = 7, score = 200
            //   eb03                 | jmp                 5
            //   83ea01               | sub                 edx, 1
            //   890424               | mov                 dword ptr [esp], eax
            //   89542404             | mov                 dword ptr [esp + 4], edx
            //   e8????????           |                     
            //   8b442468             | mov                 eax, dword ptr [esp + 0x68]
            //   8b4c245c             | mov                 ecx, dword ptr [esp + 0x5c]

        $sequence_4 = { 03b37c100000 83ec08 8b442418 89b37c100000 83c008 c7470401000000 83c42c }
            // n = 7, score = 200
            //   03b37c100000         | add                 esi, dword ptr [ebx + 0x107c]
            //   83ec08               | sub                 esp, 8
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   89b37c100000         | mov                 dword ptr [ebx + 0x107c], esi
            //   83c008               | add                 eax, 8
            //   c7470401000000       | mov                 dword ptr [edi + 4], 1
            //   83c42c               | add                 esp, 0x2c

        $sequence_5 = { 8b6c2460 85c0 0f84a7000000 8b10 85d2 0f849d000000 8d44243c }
            // n = 7, score = 200
            //   8b6c2460             | mov                 ebp, dword ptr [esp + 0x60]
            //   85c0                 | test                eax, eax
            //   0f84a7000000         | je                  0xad
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   85d2                 | test                edx, edx
            //   0f849d000000         | je                  0xa3
            //   8d44243c             | lea                 eax, [esp + 0x3c]

        $sequence_6 = { 83ec0c 85c0 0f855dfdffff c70424???????? e8???????? c7042401000000 e8???????? }
            // n = 7, score = 200
            //   83ec0c               | sub                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f855dfdffff         | jne                 0xfffffd63
            //   c70424????????       |                     
            //   e8????????           |                     
            //   c7042401000000       | mov                 dword ptr [esp], 1
            //   e8????????           |                     

        $sequence_7 = { 83c050 89442478 8b8424f8000000 8b4810 8b5814 85c9 0f84f0060000 }
            // n = 7, score = 200
            //   83c050               | add                 eax, 0x50
            //   89442478             | mov                 dword ptr [esp + 0x78], eax
            //   8b8424f8000000       | mov                 eax, dword ptr [esp + 0xf8]
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   8b5814               | mov                 ebx, dword ptr [eax + 0x14]
            //   85c9                 | test                ecx, ecx
            //   0f84f0060000         | je                  0x6f6

        $sequence_8 = { 57 56 53 89cb 83ec20 c744240400000000 8d54241f }
            // n = 7, score = 200
            //   57                   | push                edi
            //   56                   | push                esi
            //   53                   | push                ebx
            //   89cb                 | mov                 ebx, ecx
            //   83ec20               | sub                 esp, 0x20
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   8d54241f             | lea                 edx, [esp + 0x1f]

        $sequence_9 = { be0e000000 e9???????? c744241001000000 c1eb0f bf01000000 e9???????? c744241002000000 }
            // n = 7, score = 200
            //   be0e000000           | mov                 esi, 0xe
            //   e9????????           |                     
            //   c744241001000000     | mov                 dword ptr [esp + 0x10], 1
            //   c1eb0f               | shr                 ebx, 0xf
            //   bf01000000           | mov                 edi, 1
            //   e9????????           |                     
            //   c744241002000000     | mov                 dword ptr [esp + 0x10], 2

    condition:
        7 of them and filesize < 1238016
}
Download all Yara Rules