SYMBOLCOMMON_NAMEaka. SYNONYMS
win.nimgrabber (Back to overview)

NimGrabber


Malware written in Nim, stealing data including discord tokens from browsers, exfiltrating the results via a Discord webhook.

References
2021-10-14Medium walmartglobaltechJason Reaves
@online{reaves:20211014:investigation:29ef29c, author = {Jason Reaves}, title = {{Investigation into the state of NIM malware Part 2}}, date = {2021-10-14}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671}, language = {English}, urldate = {2021-12-15} } Investigation into the state of NIM malware Part 2
Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware)
Yara Rules
[TLP:WHITE] win_nimgrabber_auto (20221125 | Detects win.nimgrabber.)
rule win_nimgrabber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.nimgrabber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimgrabber"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89da b9???????? e8???????? 85ff 0f8573ffffff 8b460c c7460800000000 }
            // n = 7, score = 200
            //   89da                 | mov                 edx, ebx
            //   b9????????           |                     
            //   e8????????           |                     
            //   85ff                 | test                edi, edi
            //   0f8573ffffff         | jne                 0xffffff79
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   c7460800000000       | mov                 dword ptr [esi + 8], 0

        $sequence_1 = { 89442468 e9???????? 8bbc2490000000 83e801 89442404 893c24 e8???????? }
            // n = 7, score = 200
            //   89442468             | mov                 dword ptr [esp + 0x68], eax
            //   e9????????           |                     
            //   8bbc2490000000       | mov                 edi, dword ptr [esp + 0x90]
            //   83e801               | sub                 eax, 1
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   893c24               | mov                 dword ptr [esp], edi
            //   e8????????           |                     

        $sequence_2 = { e8???????? 8bac2488000000 8b4500 8b00 8b10 0fb77c1808 39f2 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8bac2488000000       | mov                 ebp, dword ptr [esp + 0x88]
            //   8b4500               | mov                 eax, dword ptr [ebp]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   0fb77c1808           | movzx               edi, word ptr [eax + ebx + 8]
            //   39f2                 | cmp                 edx, esi

        $sequence_3 = { 8b06 3dff0f0000 761c 8b50f8 8d48f8 83ea08 8950f8 }
            // n = 7, score = 200
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   3dff0f0000           | cmp                 eax, 0xfff
            //   761c                 | jbe                 0x1e
            //   8b50f8               | mov                 edx, dword ptr [eax - 8]
            //   8d48f8               | lea                 ecx, [eax - 8]
            //   83ea08               | sub                 edx, 8
            //   8950f8               | mov                 dword ptr [eax - 8], edx

        $sequence_4 = { 89c6 8944245c 83ee01 0f8088010000 8b8424f8000000 8b4810 b8ffffffff }
            // n = 7, score = 200
            //   89c6                 | mov                 esi, eax
            //   8944245c             | mov                 dword ptr [esp + 0x5c], eax
            //   83ee01               | sub                 esi, 1
            //   0f8088010000         | jo                  0x18e
            //   8b8424f8000000       | mov                 eax, dword ptr [esp + 0xf8]
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   b8ffffffff           | mov                 eax, 0xffffffff

        $sequence_5 = { c605????????02 c705????????b4444800 c705????????08454800 c705????????04000000 c705????????04000000 c605????????18 c705????????60444800 }
            // n = 7, score = 200
            //   c605????????02       |                     
            //   c705????????b4444800     |     
            //   c705????????08454800     |     
            //   c705????????04000000     |     
            //   c705????????04000000     |     
            //   c605????????18       |                     
            //   c705????????60444800     |     

        $sequence_6 = { 8b549808 85d2 0f841f090000 8b0a 39f9 0f8643090000 }
            // n = 6, score = 200
            //   8b549808             | mov                 edx, dword ptr [eax + ebx*4 + 8]
            //   85d2                 | test                edx, edx
            //   0f841f090000         | je                  0x925
            //   8b0a                 | mov                 ecx, dword ptr [edx]
            //   39f9                 | cmp                 ecx, edi
            //   0f8643090000         | jbe                 0x949

        $sequence_7 = { 8b4500 39f0 0f8685000000 8b4cf508 e8???????? 8b4c241c 89c3 }
            // n = 7, score = 200
            //   8b4500               | mov                 eax, dword ptr [ebp]
            //   39f0                 | cmp                 eax, esi
            //   0f8685000000         | jbe                 0x8b
            //   8b4cf508             | mov                 ecx, dword ptr [ebp + esi*8 + 8]
            //   e8????????           |                     
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   89c3                 | mov                 ebx, eax

        $sequence_8 = { 891c24 8944241c e8???????? 891c24 e8???????? 8b54241c c744240800000000 }
            // n = 7, score = 200
            //   891c24               | mov                 dword ptr [esp], ebx
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   e8????????           |                     
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0

        $sequence_9 = { 8b7c2478 c744242000000000 896c2418 897c2424 8bbc24fc000000 897c241c 8b5334 }
            // n = 7, score = 200
            //   8b7c2478             | mov                 edi, dword ptr [esp + 0x78]
            //   c744242000000000     | mov                 dword ptr [esp + 0x20], 0
            //   896c2418             | mov                 dword ptr [esp + 0x18], ebp
            //   897c2424             | mov                 dword ptr [esp + 0x24], edi
            //   8bbc24fc000000       | mov                 edi, dword ptr [esp + 0xfc]
            //   897c241c             | mov                 dword ptr [esp + 0x1c], edi
            //   8b5334               | mov                 edx, dword ptr [ebx + 0x34]

    condition:
        7 of them and filesize < 1238016
}
Download all Yara Rules