win.nymaim2 (Back to overview)

Nymaim2


There is no description at this point.

References
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2018-04-29Johannes Bader
@online{bader:20180429:new:b8e7b59, author = {Johannes Bader}, title = {{The new Domain Generation Algorithm of Nymaim}}, date = {2018-04-29}, url = {https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/}, language = {English}, urldate = {2020-01-07} } The new Domain Generation Algorithm of Nymaim
Nymaim2
Yara Rules
[TLP:WHITE] win_nymaim2_auto (20230125 | Detects win.nymaim2.)
rule win_nymaim2_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.nymaim2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes (comments only; the rule text itself is unchanged):
     * - Each $sequence_N is a short 32-bit x86 code fragment written as a YARA
     *   hex string; "??" nibbles are wildcards. The generator leaves the
     *   disassembly column empty for instructions whose operand is entirely
     *   wildcarded (call targets, absolute addresses, immediates). The
     *   mnemonics added on those lines below follow from the opcode byte(s)
     *   alone: e8 = call rel32, ff15 = call dword ptr [disp32],
     *   b8 = mov eax, imm32, 68 = push imm32, 8b0d = mov ecx, dword ptr [disp32].
     * - "n" in each sequence comment equals the number of instructions listed;
     *   "score" is a generator-side ranking value. Both live in comments and
     *   have no effect on matching.
     * - Per the disclaimer, the fragments come from memory dumps and unpacked
     *   files, so the rule targets unpacked code; a packed on-disk sample would
     *   not be expected to match until it is unpacked or dumped.
     * - Several sequences contain "mov byte ptr [ebp - 4], N" immediately
     *   around a call; this looks like compiler-generated exception-handling
     *   state bookkeeping rather than family-specific logic, which is worth
     *   keeping in mind when weighing the rule's specificity (assumption, not
     *   verified against the sample).
     */

    strings:
        $sequence_0 = { 6a00 8bce 8b3cb8 8a450b 8806 ff15???????? 57 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   8bce                 | mov                 ecx, esi
            //   8b3cb8               | mov                 edi, dword ptr [eax + edi*4]
            //   8a450b               | mov                 al, byte ptr [ebp + 0xb]
            //   8806                 | mov                 byte ptr [esi], al
            //   ff15????????         | call                dword ptr [disp32]   (reviewer: indirect call, address wildcarded)
            //   57                   | push                edi

        $sequence_1 = { c3 b8???????? e8???????? 53 33db 8d4d08 895dfc }
            // n = 7, score = 200
            // Reviewer: begins with a ret, so this fragment appears to span the
            // end of one function and the entry of the next.
            //   c3                   | ret                 
            //   b8????????           | mov                 eax, imm32   (reviewer: immediate wildcarded)
            //   e8????????           | call                rel32        (reviewer: target wildcarded)
            //   53                   | push                ebx
            //   33db                 | xor                 ebx, ebx
            //   8d4d08               | lea                 ecx, [ebp + 8]
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx

        $sequence_2 = { c645fc08 e8???????? 8bc8 c645fc0a e8???????? 50 53 }
            // n = 7, score = 200
            //   c645fc08             | mov                 byte ptr [ebp - 4], 8
            //   e8????????           | call                rel32        (reviewer: target wildcarded)
            //   8bc8                 | mov                 ecx, eax
            //   c645fc0a             | mov                 byte ptr [ebp - 4], 0xa
            //   e8????????           | call                rel32        (reviewer: target wildcarded)
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_3 = { 6a0a 0430 53 57 8806 e8???????? 8bda }
            // n = 7, score = 200
            // Reviewer: "add al, 0x30" after "push 0xa" looks like converting a
            // decimal digit to its ASCII character ('0' = 0x30) before storing it
            // at [esi]; assumption from the encoding, not verified in context.
            //   6a0a                 | push                0xa
            //   0430                 | add                 al, 0x30
            //   53                   | push                ebx
            //   57                   | push                edi
            //   8806                 | mov                 byte ptr [esi], al
            //   e8????????           | call                rel32        (reviewer: target wildcarded)
            //   8bda                 | mov                 ebx, edx

        $sequence_4 = { e8???????? 83c40c 8b4d08 8d45d8 50 c645fc03 e8???????? }
            // n = 7, score = 200
            //   e8????????           | call                rel32        (reviewer: target wildcarded)
            //   83c40c               | add                 esp, 0xc
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   e8????????           | call                rel32        (reviewer: target wildcarded)

        $sequence_5 = { c645fc01 e8???????? 84db 0f85ca030000 68???????? }
            // n = 5, score = 200
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   e8????????           | call                rel32        (reviewer: target wildcarded)
            //   84db                 | test                bl, bl
            //   0f85ca030000         | jne                 0x3d0
            //   68????????           | push                imm32        (reviewer: immediate wildcarded)

        $sequence_6 = { e8???????? ff37 8bc8 c645fc04 e8???????? 50 8d45e8 }
            // n = 7, score = 200
            //   e8????????           | call                rel32        (reviewer: target wildcarded)
            //   ff37                 | push                dword ptr [edi]
            //   8bc8                 | mov                 ecx, eax
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   e8????????           | call                rel32        (reviewer: target wildcarded)
            //   50                   | push                eax
            //   8d45e8               | lea                 eax, [ebp - 0x18]

        $sequence_7 = { 8bc8 e8???????? 8bc8 e8???????? c645fc0b 8d4de0 e8???????? }
            // n = 7, score = 200
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           | call                rel32        (reviewer: target wildcarded)
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           | call                rel32        (reviewer: target wildcarded)
            //   c645fc0b             | mov                 byte ptr [ebp - 4], 0xb
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   e8????????           | call                rel32        (reviewer: target wildcarded)

        $sequence_8 = { e8???????? 8b0d???????? 8b06 5e 8b4904 8b0481 c3 }
            // n = 7, score = 200
            // Reviewer: the tail reads a global pointer, dereferences [ecx + 4]
            // and indexes it by eax*4, i.e. a lookup into a table of dwords
            // selected by the value at [esi]; what the table holds is not
            // visible here.
            //   e8????????           | call                rel32        (reviewer: target wildcarded)
            //   8b0d????????         | mov                 ecx, dword ptr [disp32]   (reviewer: address wildcarded)
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   5e                   | pop                 esi
            //   8b4904               | mov                 ecx, dword ptr [ecx + 4]
            //   8b0481               | mov                 eax, dword ptr [ecx + eax*4]
            //   c3                   | ret                 

        $sequence_9 = { 50 ff732c ff5324 8986500c0000 8b4624 69c0a0860100 40 }
            // n = 7, score = 200
            // Reviewer: an indirect call through [ebx + 0x24] whose result is
            // stored at a large offset ([esi + 0xc50]) suggests a function
            // pointer table and a sizable context structure; 0x186a0 = 100000.
            // These are observations from the encoding only.
            //   50                   | push                eax
            //   ff732c               | push                dword ptr [ebx + 0x2c]
            //   ff5324               | call                dword ptr [ebx + 0x24]
            //   8986500c0000         | mov                 dword ptr [esi + 0xc50], eax
            //   8b4624               | mov                 eax, dword ptr [esi + 0x24]
            //   69c0a0860100         | imul                eax, eax, 0x186a0
            //   40                   | inc                 eax

    condition:
        // Any 7 of the 10 sequences must be present, and the scanned object must
        // be smaller than 753664 bytes (736 KiB). The size bound keeps the rule
        // on small unpacked images; if it is applied to larger dumps or memory
        // regions where this code could also appear, the bound may need review.
        7 of them and filesize < 753664
}