Unidentified 088 (Nim Ransomware) (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS
win.unidentified_088 (Back to overview)
Unidentified 088 (Nim Ransomware)

VTCollection
Ransomware written in Nim.
References

2021-10-14 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
Investigation into the state of NIM malware Part 2
Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware)
Yara Rules

[TLP:WHITE] win_unidentified_088_auto (20230808 | Detects win.unidentified_088.)
rule win_unidentified_088_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.unidentified_088."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_088"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c642e801 894af4 83f807 75df c705????????06000000 c705????????11000000 c705????????12000000 }
            // n = 7, score = 100
            //   c642e801             | mov                 byte ptr [edx - 0x18], 1
            //   894af4               | mov                 dword ptr [edx - 0xc], ecx
            //   83f807               | cmp                 eax, 7
            //   75df                 | jne                 0xffffffe1
            //   c705????????06000000     |     
            //   c705????????11000000     |     
            //   c705????????12000000     |     

        $sequence_1 = { c705????????208d4200 c705????????62eb4100 c705????????90154200 c605????????01 c705????????10000000 c705????????20a94200 c705????????40eb4100 }
            // n = 7, score = 100
            //   c705????????208d4200     |     
            //   c705????????62eb4100     |     
            //   c705????????90154200     |     
            //   c605????????01       |                     
            //   c705????????10000000     |     
            //   c705????????20a94200     |     
            //   c705????????40eb4100     |     

        $sequence_2 = { c605????????01 c705????????04000000 c705????????80a94200 c705????????61e04100 c705????????30054200 c705????????00000000 }
            // n = 6, score = 100
            //   c605????????01       |                     
            //   c705????????04000000     |     
            //   c705????????80a94200     |     
            //   c705????????61e04100     |     
            //   c705????????30054200     |     
            //   c705????????00000000     |     

        $sequence_3 = { 8b10 8d4a01 8d3490 8908 8b4de4 8b5e08 }
            // n = 6, score = 100
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8d4a01               | lea                 ecx, [edx + 1]
            //   8d3490               | lea                 esi, [eax + edx*4]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   8b5e08               | mov                 ebx, dword ptr [esi + 8]

        $sequence_4 = { 0f8438010000 8b00 39c7 720d 48 893c24 }
            // n = 6, score = 100
            //   0f8438010000         | je                  0x13e
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   39c7                 | cmp                 edi, eax
            //   720d                 | jb                  0xf
            //   48                   | dec                 eax
            //   893c24               | mov                 dword ptr [esp], edi

        $sequence_5 = { 8b7de4 e9???????? 8d65f4 5b 5e 5f 5d }
            // n = 7, score = 100
            //   8b7de4               | mov                 edi, dword ptr [ebp - 0x1c]
            //   e9????????           |                     
            //   8d65f4               | lea                 esp, [ebp - 0xc]
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp

        $sequence_6 = { e9???????? c705????????08000000 c705????????04000000 c605????????12 c705????????00000000 c705????????d80f4200 }
            // n = 6, score = 100
            //   e9????????           |                     
            //   c705????????08000000     |     
            //   c705????????04000000     |     
            //   c605????????12       |                     
            //   c705????????00000000     |     
            //   c705????????d80f4200     |     

        $sequence_7 = { c705????????a0ad4200 c705????????4ce84100 c705????????100d4200 c605????????01 c705????????04000000 }
            // n = 5, score = 100
            //   c705????????a0ad4200     |     
            //   c705????????4ce84100     |     
            //   c705????????100d4200     |     
            //   c605????????01       |                     
            //   c705????????04000000     |     

        $sequence_8 = { e8???????? 89d9 89c2 e8???????? 8d65f4 5b }
            // n = 6, score = 100
            //   e8????????           |                     
            //   89d9                 | mov                 ecx, ebx
            //   89c2                 | mov                 edx, eax
            //   e8????????           |                     
            //   8d65f4               | lea                 esp, [ebp - 0xc]
            //   5b                   | pop                 ebx

        $sequence_9 = { 894c2408 89f1 89542404 895c240c e8???????? b904000000 83ec10 }
            // n = 7, score = 100
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   89f1                 | mov                 ecx, esi
            //   89542404             | mov                 dword ptr [esp + 4], edx
            //   895c240c             | mov                 dword ptr [esp + 0xc], ebx
            //   e8????????           |                     
            //   b904000000           | mov                 ecx, 4
            //   83ec10               | sub                 esp, 0x10

    condition:
        7 of them and filesize < 919552
}
Download all Yara Rules
Unidentified 088 (Nim Ransomware) Propose Change

References

Yara Rules

Unidentified 088 (Nim Ransomware)
