win.nymaim2 (Back to overview)

Nymaim2


There is no description at this point.

References
2022-09-15 Sekoia Threat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2018-04-29 Johannes Bader
@online{bader:20180429:new:b8e7b59, author = {Johannes Bader}, title = {{The new Domain Generation Algorithm of Nymaim}}, date = {2018-04-29}, url = {https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/}, language = {English}, urldate = {2020-01-07} } The new Domain Generation Algorithm of Nymaim
Nymaim2
Yara Rules
[TLP:WHITE] win_nymaim2_auto (20230715 | Detects win.nymaim2.)
rule win_nymaim2_auto {

    /* Auto-generated code-sequence signature for the win.nymaim2 family
     * (see the meta block). It keys on ten short x86 instruction byte
     * sequences, $sequence_0 .. $sequence_9, taken from unpacked samples
     * and memory dumps (see the DISCLAIMER below), so it is best applied
     * to unpacked code rather than to packed on-disk droppers.
     * Bytes written as ?? are wildcards; given the signator_config
     * ("callsandjumps;datarefs;binvalue") these presumably blank out
     * call/jump targets and data references that differ between builds
     * and load addresses -- confirm against the yara-signator docs.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.nymaim2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string is followed by its disassembly for review; the
        // "n" value is the instruction count of the sequence. The meaning
        // of "score" is not defined here -- see the generator's docs.
        $sequence_0 = { 8b7de8 ff4514 6a04 890a 59 014dfc }
            // n = 6, score = 200
            //   8b7de8               | mov                 edi, dword ptr [ebp - 0x18]
            //   ff4514               | inc                 dword ptr [ebp + 0x14]
            //   6a04                 | push                4
            //   890a                 | mov                 dword ptr [edx], ecx
            //   59                   | pop                 ecx
            //   014dfc               | add                 dword ptr [ebp - 4], ecx

        $sequence_1 = { c645fc0c e8???????? b8???????? c3 6a51 8d4ddc e8???????? }
            // n = 7, score = 200
            //   c645fc0c             | mov                 byte ptr [ebp - 4], 0xc
            //   e8????????           |                     
            //   b8????????           |                     
            //   c3                   | ret                 
            //   6a51                 | push                0x51
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   e8????????           |                     

        $sequence_2 = { c9 c20800 56 8bf1 8b4604 c706???????? 85c0 }
            // n = 7, score = 200
            //   c9                   | leave               
            //   c20800               | ret                 8
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   c706????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_3 = { 80fa30 7c05 80fa39 7ee8 5e c3 }
            // n = 6, score = 200
            //   80fa30               | cmp                 dl, 0x30
            //   7c05                 | jl                  7
            //   80fa39               | cmp                 dl, 0x39
            //   7ee8                 | jle                 0xffffffea
            //   5e                   | pop                 esi
            //   c3                   | ret                 

        $sequence_4 = { ff7650 8945fc ff750c 50 e8???????? 8b86a0000000 8b7df8 }
            // n = 7, score = 200
            //   ff7650               | push                dword ptr [esi + 0x50]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b86a0000000         | mov                 eax, dword ptr [esi + 0xa0]
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]

        $sequence_5 = { 53 56 8bf1 57 68fd030000 8d4dc0 e8???????? }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   57                   | push                edi
            //   68fd030000           | push                0x3fd
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   e8????????           |                     

        $sequence_6 = { 897df0 397df0 8d4d08 0f95c3 834dfcff e8???????? 8b4df4 }
            // n = 7, score = 200
            //   897df0               | mov                 dword ptr [ebp - 0x10], edi
            //   397df0               | cmp                 dword ptr [ebp - 0x10], edi
            //   8d4d08               | lea                 ecx, [ebp + 8]
            //   0f95c3               | setne               bl
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_7 = { a5 a5 50 a5 e8???????? 8d75e0 8d7dc0 }
            // n = 7, score = 200
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   50                   | push                eax
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   e8????????           |                     
            //   8d75e0               | lea                 esi, [ebp - 0x20]
            //   8d7dc0               | lea                 edi, [ebp - 0x40]

        $sequence_8 = { ff15???????? 6a19 99 59 f7f9 8bc2 83c061 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   6a19                 | push                0x19
            //   99                   | cdq                 
            //   59                   | pop                 ecx
            //   f7f9                 | idiv                ecx
            //   8bc2                 | mov                 eax, edx
            //   83c061               | add                 eax, 0x61

        $sequence_9 = { e8???????? 85c0 59 7535 33ff 3975e8 7e2e }
            // n = 7, score = 200
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   59                   | pop                 ecx
            //   7535                 | jne                 0x37
            //   33ff                 | xor                 edi, edi
            //   3975e8               | cmp                 dword ptr [ebp - 0x18], esi
            //   7e2e                 | jle                 0x30

    condition:
        // Match when at least 7 of the 10 $sequence_* strings are present
        // AND the scanned object is smaller than 753664 bytes (736 KiB).
        // Anything at or above that size never matches, so check the bound
        // against what you actually scan (e.g. a larger packed container
        // would be excluded even if it embeds the unpacked payload).
        7 of them and filesize < 753664
}