win.nymaim2

Nymaim2


There is no description at this point.

References
2022-09-15 Sekoia Threat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2018-04-29 Johannes Bader
@online{bader:20180429:new:b8e7b59, author = {Johannes Bader}, title = {{The new Domain Generation Algorithm of Nymaim}}, date = {2018-04-29}, url = {https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/}, language = {English}, urldate = {2020-01-07} } The new Domain Generation Algorithm of Nymaim
Nymaim2
Yara Rules
[TLP:WHITE] win_nymaim2_auto (20230407 | Detects win.nymaim2.)
rule win_nymaim2_auto {
    // Auto-generated code-sequence signature for win.nymaim2 (see the meta
    // section and the disclaimer below for provenance and caveats).
    // Each $sequence_N string is a run of x86 opcode bytes taken from the
    // disassembly; "??" bytes are wildcards for operands that are left blank in
    // the annotated disassembly (presumably call/jump targets and data
    // references, which the signator_config "callsandjumps;datarefs" masks so
    // the pattern is not tied to one build's addresses — confirm against the
    // yara-signator documentation).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.nymaim2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // The "n = ..., score = ..." lines and the per-byte disassembly under each
    // string are yara-signator annotations kept as comments for reviewers; they
    // have no effect on matching. "n" is the number of instructions in the
    // sequence; "score" is the generator's ranking value (its scale is not
    // documented here — see the yara-signator project).
    strings:
        $sequence_0 = { 56 e8???????? 8b4508 8b4dec 83c448 0fb7444354 ff3481 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   83c448               | add                 esp, 0x48
            //   0fb7444354           | movzx               eax, word ptr [ebx + eax*2 + 0x54]
            //   ff3481               | push                dword ptr [ecx + eax*4]

        $sequence_1 = { 83780800 75c2 ff400c ebbd 8b5620 8b461c 8d4af8 }
            // n = 7, score = 200
            //   83780800             | cmp                 dword ptr [eax + 8], 0
            //   75c2                 | jne                 0xffffffc4
            //   ff400c               | inc                 dword ptr [eax + 0xc]
            //   ebbd                 | jmp                 0xffffffbf
            //   8b5620               | mov                 edx, dword ptr [esi + 0x20]
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   8d4af8               | lea                 ecx, [edx - 8]

        $sequence_2 = { e8???????? 8d4de8 c645fc07 e8???????? 395dd8 895d08 7e51 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   c645fc07             | mov                 byte ptr [ebp - 4], 7
            //   e8????????           |                     
            //   395dd8               | cmp                 dword ptr [ebp - 0x28], ebx
            //   895d08               | mov                 dword ptr [ebp + 8], ebx
            //   7e51                 | jle                 0x53

        $sequence_3 = { 83c440 6a50 68???????? e8???????? 6a60 68???????? e8???????? }
            // n = 7, score = 200
            //   83c440               | add                 esp, 0x40
            //   6a50                 | push                0x50
            //   68????????           |                     
            //   e8????????           |                     
            //   6a60                 | push                0x60
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_4 = { c1f808 99 2bc2 d1f8 40 c1e008 8901 }
            // n = 7, score = 200
            //   c1f808               | sar                 eax, 8
            //   99                   | cdq                 
            //   2bc2                 | sub                 eax, edx
            //   d1f8                 | sar                 eax, 1
            //   40                   | inc                 eax
            //   c1e008               | shl                 eax, 8
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_5 = { 8965e4 50 e8???????? 59 8d45e8 50 }
            // n = 6, score = 200
            //   8965e4               | mov                 dword ptr [ebp - 0x1c], esp
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax

        $sequence_6 = { 8965f0 50 e8???????? 59 8d45f0 50 }
            // n = 6, score = 200
            //   8965f0               | mov                 dword ptr [ebp - 0x10], esp
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax

        $sequence_7 = { 68eb000000 895dfc e8???????? 8bc8 c645fc02 e8???????? 51 }
            // n = 7, score = 200
            //   68eb000000           | push                0xeb
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   e8????????           |                     
            //   51                   | push                ecx

        $sequence_8 = { 681d040000 8d4ddc e8???????? 8bc8 c745fc12000000 e8???????? 8945bc }
            // n = 7, score = 200
            //   681d040000           | push                0x41d
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   c745fc12000000       | mov                 dword ptr [ebp - 4], 0x12
            //   e8????????           |                     
            //   8945bc               | mov                 dword ptr [ebp - 0x44], eax

        $sequence_9 = { c1e004 50 ff7604 53 e8???????? 8b4608 8bcf }
            // n = 7, score = 200
            //   c1e004               | shl                 eax, 4
            //   50                   | push                eax
            //   ff7604               | push                dword ptr [esi + 4]
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   8bcf                 | mov                 ecx, edi

    // Match when at least 7 of the 10 sequences are present AND the scanned
    // object is smaller than 753664 bytes (736 KiB). The size bound keeps the
    // rule cheap on large files but also means it is meant for unpacked code
    // or memory dumps (see the disclaimer): a packed/obfuscated sample on disk,
    // or a dump larger than the bound, will not match even if the code is there.
    // Consider the 7-of-10 threshold when assigning a confidence level.
    condition:
        7 of them and filesize < 753664
}