SYMBOLCOMMON_NAMEaka. SYNONYMS
win.nimgrabber (Back to overview)

NimGrabber

VTCollection    

Malware written in Nim, stealing data including discord tokens from browsers, exfiltrating the results via a Discord webhook.

References
2021-10-14Medium walmartglobaltechJason Reaves
Investigation into the state of NIM malware Part 2
Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware)
Yara Rules
[TLP:WHITE] win_nimgrabber_auto (20230808 | Detects win.nimgrabber.)
rule win_nimgrabber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.nimgrabber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimgrabber"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f8fa7000000 c7819814000000400000 b800400000 c744240c04000000 c744240800300000 39c7 0f8fd0010000 }
            // n = 7, score = 200
            //   0f8fa7000000         | jg                  0xad
            //   c7819814000000400000     | mov    dword ptr [ecx + 0x1498], 0x4000
            //   b800400000           | mov                 eax, 0x4000
            //   c744240c04000000     | mov                 dword ptr [esp + 0xc], 4
            //   c744240800300000     | mov                 dword ptr [esp + 8], 0x3000
            //   39c7                 | cmp                 edi, eax
            //   0f8fd0010000         | jg                  0x1d6

        $sequence_1 = { 8b842490000000 83c004 89442430 0f80de2e0000 8b8424d8000000 8b00 39442430 }
            // n = 7, score = 200
            //   8b842490000000       | mov                 eax, dword ptr [esp + 0x90]
            //   83c004               | add                 eax, 4
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   0f80de2e0000         | jo                  0x2ee4
            //   8b8424d8000000       | mov                 eax, dword ptr [esp + 0xd8]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   39442430             | cmp                 dword ptr [esp + 0x30], eax

        $sequence_2 = { c705????????b83b4800 c705????????20000000 c705????????02000000 c705????????00254800 668915???????? c605????????01 c705????????00000000 }
            // n = 7, score = 200
            //   c705????????b83b4800     |     
            //   c705????????20000000     |     
            //   c705????????02000000     |     
            //   c705????????00254800     |     
            //   668915????????       |                     
            //   c605????????01       |                     
            //   c705????????00000000     |     

        $sequence_3 = { 8d4710 8d5f08 be???????? b90b000000 c743042b000000 c747082b000000 89c7 }
            // n = 7, score = 200
            //   8d4710               | lea                 eax, [edi + 0x10]
            //   8d5f08               | lea                 ebx, [edi + 8]
            //   be????????           |                     
            //   b90b000000           | mov                 ecx, 0xb
            //   c743042b000000       | mov                 dword ptr [ebx + 4], 0x2b
            //   c747082b000000       | mov                 dword ptr [edi + 8], 0x2b
            //   89c7                 | mov                 edi, eax

        $sequence_4 = { c1f80c 89442418 89e8 0fb6c0 8d0483 8944241c 8b8084100000 }
            // n = 7, score = 200
            //   c1f80c               | sar                 eax, 0xc
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   89e8                 | mov                 eax, ebp
            //   0fb6c0               | movzx               eax, al
            //   8d0483               | lea                 eax, [ebx + eax*4]
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   8b8084100000         | mov                 eax, dword ptr [eax + 0x1084]

        $sequence_5 = { 7f0d b9???????? e8???????? 8b4514 83e801 0f8067160000 894514 }
            // n = 7, score = 200
            //   7f0d                 | jg                  0xf
            //   b9????????           |                     
            //   e8????????           |                     
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   83e801               | sub                 eax, 1
            //   0f8067160000         | jo                  0x166d
            //   894514               | mov                 dword ptr [ebp + 0x14], eax

        $sequence_6 = { c70424???????? 894c2474 89542404 e8???????? 8b4c2474 31c0 894b04 }
            // n = 7, score = 200
            //   c70424????????       |                     
            //   894c2474             | mov                 dword ptr [esp + 0x74], ecx
            //   89542404             | mov                 dword ptr [esp + 4], edx
            //   e8????????           |                     
            //   8b4c2474             | mov                 ecx, dword ptr [esp + 0x74]
            //   31c0                 | xor                 eax, eax
            //   894b04               | mov                 dword ptr [ebx + 4], ecx

        $sequence_7 = { 8b6f04 81fd0000003f 7e28 c704240000003f 89fa 89f1 e8???????? }
            // n = 7, score = 200
            //   8b6f04               | mov                 ebp, dword ptr [edi + 4]
            //   81fd0000003f         | cmp                 ebp, 0x3f000000
            //   7e28                 | jle                 0x2a
            //   c704240000003f       | mov                 dword ptr [esp], 0x3f000000
            //   89fa                 | mov                 edx, edi
            //   89f1                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_8 = { 89f9 e8???????? 8b4c2454 89da e8???????? 8b07 }
            // n = 6, score = 200
            //   89f9                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8b4c2454             | mov                 ecx, dword ptr [esp + 0x54]
            //   89da                 | mov                 edx, ebx
            //   e8????????           |                     
            //   8b07                 | mov                 eax, dword ptr [edi]

        $sequence_9 = { 740a 8b0b 85c9 0f88a6020000 e8???????? 31ed 89442430 }
            // n = 7, score = 200
            //   740a                 | je                  0xc
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   85c9                 | test                ecx, ecx
            //   0f88a6020000         | js                  0x2ac
            //   e8????????           |                     
            //   31ed                 | xor                 ebp, ebp
            //   89442430             | mov                 dword ptr [esp + 0x30], eax

    condition:
        7 of them and filesize < 1238016
}
Download all Yara Rules