win.nymaim2

Nymaim2


There is no description at this point.

References
2022-09-15 Sekoia Threat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2018-04-29 Johannes Bader
@online{bader:20180429:new:b8e7b59, author = {Johannes Bader}, title = {{The new Domain Generation Algorithm of Nymaim}}, date = {2018-04-29}, url = {https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/}, language = {English}, urldate = {2020-01-07} } The new Domain Generation Algorithm of Nymaim
Nymaim2
Yara Rules
[TLP:WHITE] win_nymaim2_auto (20220808 | Detects win.nymaim2.)
rule win_nymaim2_auto {
    // Autogenerated code-signature rule for win.nymaim2 (see meta below).
    // The strings are short x86 instruction sequences lifted from disassembly;
    // the "??" bytes are wildcards for positions that vary between builds
    // (the signator_config lists "callsandjumps", which is consistent with the
    // blanked-out disassembly on the e8/e9/ff15 lines being call/jump targets).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.nymaim2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is one contiguous instruction run; the "n = N, score = S"
    // comment is tool output (N opcodes in the sequence, S is the generator's
    // selection score). Because the sequences were taken from unpacked/dumped
    // code, the rule is intended for unpacked samples or memory images, not
    // packed droppers on disk.
    strings:
        $sequence_0 = { e8???????? eb63 c70603000000 e9???????? 83e85d 0f849a000000 6a09 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   eb63                 | jmp                 0x65
            //   c70603000000         | mov                 dword ptr [esi], 3
            //   e9????????           |                     
            //   83e85d               | sub                 eax, 0x5d
            //   0f849a000000         | je                  0xa0
            //   6a09                 | push                9

        $sequence_1 = { 56 8b31 85f6 7508 8b4d08 2b4104 }
            // n = 6, score = 200
            //   56                   | push                esi
            //   8b31                 | mov                 esi, dword ptr [ecx]
            //   85f6                 | test                esi, esi
            //   7508                 | jne                 0xa
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   2b4104               | sub                 eax, dword ptr [ecx + 4]

        $sequence_2 = { 8bf1 50 e8???????? 8b00 3b460c 5e 7504 }
            // n = 7, score = 200
            //   8bf1                 | mov                 esi, ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   3b460c               | cmp                 eax, dword ptr [esi + 0xc]
            //   5e                   | pop                 esi
            //   7504                 | jne                 6

        $sequence_3 = { 8910 894808 89480c 894814 897010 894804 897028 }
            // n = 7, score = 200
            //   8910                 | mov                 dword ptr [eax], edx
            //   894808               | mov                 dword ptr [eax + 8], ecx
            //   89480c               | mov                 dword ptr [eax + 0xc], ecx
            //   894814               | mov                 dword ptr [eax + 0x14], ecx
            //   897010               | mov                 dword ptr [eax + 0x10], esi
            //   894804               | mov                 dword ptr [eax + 4], ecx
            //   897028               | mov                 dword ptr [eax + 0x28], esi

        $sequence_4 = { ff15???????? 8d45e0 8d4dc8 50 c645fc06 e8???????? 6a01 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]
            //   50                   | push                eax
            //   c645fc06             | mov                 byte ptr [ebp - 4], 6
            //   e8????????           |                     
            //   6a01                 | push                1

        $sequence_5 = { 8a542408 6a01 881408 ff460c 58 5e c20400 }
            // n = 7, score = 200
            //   8a542408             | mov                 dl, byte ptr [esp + 8]
            //   6a01                 | push                1
            //   881408               | mov                 byte ptr [eax + ecx], dl
            //   ff460c               | inc                 dword ptr [esi + 0xc]
            //   58                   | pop                 eax
            //   5e                   | pop                 esi
            //   c20400               | ret                 4

        $sequence_6 = { ebc4 48 744e 48 7407 33c0 e9???????? }
            // n = 7, score = 200
            //   ebc4                 | jmp                 0xffffffc6
            //   48                   | dec                 eax
            //   744e                 | je                  0x50
            //   48                   | dec                 eax
            //   7407                 | je                  9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     

        $sequence_7 = { 8b5df0 8bce 2bdf ff9094000000 8b4ddc 8b7d10 8a4c19ff }
            // n = 7, score = 200
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]
            //   8bce                 | mov                 ecx, esi
            //   2bdf                 | sub                 ebx, edi
            //   ff9094000000         | call                dword ptr [eax + 0x94]
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   8a4c19ff             | mov                 cl, byte ptr [ecx + ebx - 1]

        $sequence_8 = { ff45f8 397df8 72b3 807dff00 7579 57 8bcb }
            // n = 7, score = 200
            //   ff45f8               | inc                 dword ptr [ebp - 8]
            //   397df8               | cmp                 dword ptr [ebp - 8], edi
            //   72b3                 | jb                  0xffffffb5
            //   807dff00             | cmp                 byte ptr [ebp - 1], 0
            //   7579                 | jne                 0x7b
            //   57                   | push                edi
            //   8bcb                 | mov                 ecx, ebx

        $sequence_9 = { e8???????? 59 47 3b7e08 7ce2 5b 6aff }
            // n = 7, score = 200
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   47                   | inc                 edi
            //   3b7e08               | cmp                 edi, dword ptr [esi + 8]
            //   7ce2                 | jl                  0xffffffe4
            //   5b                   | pop                 ebx
            //   6aff                 | push                -1

    // Match when any 7 of the 10 sequences are present (partial tolerance for
    // minor recompilation differences) and the scanned object is smaller than
    // 753664 bytes (736 KiB) -- the size cap limits false positives on large
    // files that happen to contain a few common instruction runs.
    // NOTE(review): `filesize` is undefined when YARA scans process memory
    // rather than a file, so this condition is expected not to match in
    // process-scan mode; confirm against your YARA version before relying on
    // it for live-memory hunting.
    condition:
        7 of them and filesize < 753664
}