win.nymaim2

Nymaim2


According to bin.re, a new version of Nymaim appeared in April 2018 that dropped the previous obfuscation and uses a new wordlist-based DGA (Domain Generation Algorithm).

References
2022-09-15 Sekoia Threat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2018-04-29 Johannes Bader
The new Domain Generation Algorithm of Nymaim
Nymaim2
Yara Rules
[TLP:WHITE] win_nymaim2_auto (20260504 | Detects win.nymaim2.)
rule win_nymaim2_auto {

    // Auto-generated code-sequence signature for win.nymaim2 (see the DISCLAIMER
    // below for how the sequences were selected). Each $sequence_N is a short run
    // of x86 instruction bytes lifted from disassembly; the condition requires
    // 7 of the 10 sequences to be present, plus a file-size cap.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.nymaim2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "??" bytes are wildcards. Per signator_config "callsandjumps;datarefs",
        // the operands of calls/jumps (e8 rel32, ff15 [addr]) and of data
        // references (b8 imm32, c706 imm32) are masked so the sequences survive
        // relocation and re-linking between samples; the disassembly column is
        // left blank for those bytes. "n" is the sequence length in instructions,
        // "score" the generator's ranking of the sequence (higher = more specific
        // to this family in the training set, as far as the tool output shows).
        $sequence_0 = { 037704 8d450c 50 8bce e8???????? 834dfcff 8d4d0c }
            // n = 7, score = 200
            //   037704               | add                 esi, dword ptr [edi + 4]
            //   8d450c               | lea                 eax, [ebp + 0xc]
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   8d4d0c               | lea                 ecx, [ebp + 0xc]

        $sequence_1 = { 6806020000 8d8d6cffffff e8???????? ff762c 8bc8 897dfc e8???????? }
            // n = 7, score = 200
            //   6806020000           | push                0x206
            //   8d8d6cffffff         | lea                 ecx, [ebp - 0x94]
            //   e8????????           |                     
            //   ff762c               | push                dword ptr [esi + 0x2c]
            //   8bc8                 | mov                 ecx, eax
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   e8????????           |                     

        $sequence_2 = { 0fb6c0 8d4b04 8945f4 894dfc 8b4dfc e8???????? 84c0 }
            // n = 7, score = 200
            //   0fb6c0               | movzx               eax, al
            //   8d4b04               | lea                 ecx, [ebx + 4]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_3 = { 89460c 8bc6 5f 5e 5b c20400 b8???????? }
            // n = 7, score = 200
            //   89460c               | mov                 dword ptr [esi + 0xc], eax
            //   8bc6                 | mov                 eax, esi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c20400               | ret                 4
            //   b8????????           |                     

        $sequence_4 = { 8b4d10 50 e8???????? 50 ff15???????? 50 ff15???????? }
            // n = 7, score = 200
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_5 = { 50 e8???????? 59 8d45f0 50 e8???????? 6a01 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a01                 | push                1

        $sequence_6 = { c706???????? 8365fc00 8d4e08 e8???????? 834dfcff 8d4e04 e8???????? }
            // n = 7, score = 200
            //   c706????????         |                     
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8d4e08               | lea                 ecx, [esi + 8]
            //   e8????????           |                     
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   8d4e04               | lea                 ecx, [esi + 4]
            //   e8????????           |                     

        $sequence_7 = { 75f5 33c0 8a23 894514 8b4518 48 83f803 }
            // n = 7, score = 200
            //   75f5                 | jne                 0xfffffff7
            //   33c0                 | xor                 eax, eax
            //   8a23                 | mov                 ah, byte ptr [ebx]
            //   894514               | mov                 dword ptr [ebp + 0x14], eax
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   48                   | dec                 eax
            //   83f803               | cmp                 eax, 3

        // Shorter sequence (n = 5); the others are n = 7.
        $sequence_8 = { ff15???????? ff36 8d45d4 8bcb c645fc04 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   ff36                 | push                dword ptr [esi]
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   8bcb                 | mov                 ecx, ebx
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4

        $sequence_9 = { 834dfcff 89770c 5e 8b450c 8b4d08 85c0 7608 }
            // n = 7, score = 200
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   89770c               | mov                 dword ptr [edi + 0xc], esi
            //   5e                   | pop                 esi
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   85c0                 | test                eax, eax
            //   7608                 | jbe                 0xa

    condition:
        // At least 7 of the 10 sequences must match, and the scanned object
        // must be under 753664 bytes (736 KiB). The size cap fits the unpacked
        // files / dumps the sequences were taken from, so a packed or embedded
        // copy larger than that will not fire.
        // NOTE(review): YARA leaves `filesize` undefined when scanning a live
        // process, which makes this condition false there — confirm the rule is
        // applied to files and memory dumps rather than process scans.
        7 of them and filesize < 753664
}