SYMBOLCOMMON_NAMEaka. SYNONYMS
win.unidentified_088 (Back to overview)

Unidentified 088 (Nim Ransomware)


Ransomware written in Nim.

References
2021-10-14Medium walmartglobaltechJason Reaves
@online{reaves:20211014:investigation:29ef29c, author = {Jason Reaves}, title = {{Investigation into the state of NIM malware Part 2}}, date = {2021-10-14}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671}, language = {English}, urldate = {2021-12-15} } Investigation into the state of NIM malware Part 2
Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware)
Yara Rules
[TLP:WHITE] win_unidentified_088_auto (20221125 | Detects win.unidentified_088.)
rule win_unidentified_088_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.unidentified_088."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_088"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4dc4 89fa e8???????? 31d2 51 89c3 85c0 }
            // n = 7, score = 100
            //   8b4dc4               | mov                 ecx, dword ptr [ebp - 0x3c]
            //   89fa                 | mov                 edx, edi
            //   e8????????           |                     
            //   31d2                 | xor                 edx, edx
            //   51                   | push                ecx
            //   89c3                 | mov                 ebx, eax
            //   85c0                 | test                eax, eax

        $sequence_1 = { e8???????? 84c0 7405 e8???????? 8b7ddc 85ff }
            // n = 6, score = 100
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7405                 | je                  7
            //   e8????????           |                     
            //   8b7ddc               | mov                 edi, dword ptr [ebp - 0x24]
            //   85ff                 | test                edi, edi

        $sequence_2 = { 89510c 8b55ec 0345e0 1355e4 83c424 5b }
            // n = 6, score = 100
            //   89510c               | mov                 dword ptr [ecx + 0xc], edx
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   0345e0               | add                 eax, dword ptr [ebp - 0x20]
            //   1355e4               | adc                 edx, dword ptr [ebp - 0x1c]
            //   83c424               | add                 esp, 0x24
            //   5b                   | pop                 ebx

        $sequence_3 = { 48 893c24 89442404 e8???????? eb0d }
            // n = 5, score = 100
            //   48                   | dec                 eax
            //   893c24               | mov                 dword ptr [esp], edi
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   e8????????           |                     
            //   eb0d                 | jmp                 0xf

        $sequence_4 = { 8945b4 e9???????? 8b45b0 bf03000000 8b08 89c8 99 }
            // n = 7, score = 100
            //   8945b4               | mov                 dword ptr [ebp - 0x4c], eax
            //   e9????????           |                     
            //   8b45b0               | mov                 eax, dword ptr [ebp - 0x50]
            //   bf03000000           | mov                 edi, 3
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   89c8                 | mov                 eax, ecx
            //   99                   | cdq                 

        $sequence_5 = { e8???????? c74424086c050000 ba???????? 89d9 c7442404???????? c70424???????? e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c74424086c050000     | mov                 dword ptr [esp + 8], 0x56c
            //   ba????????           |                     
            //   89d9                 | mov                 ecx, ebx
            //   c7442404????????     |                     
            //   c70424????????       |                     
            //   e8????????           |                     

        $sequence_6 = { 85c0 7406 8b30 85f6 7f0a }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   7406                 | je                  8
            //   8b30                 | mov                 esi, dword ptr [eax]
            //   85f6                 | test                esi, esi
            //   7f0a                 | jg                  0xc

        $sequence_7 = { 8d4de0 89fa e8???????? 84c0 7405 e8???????? 8b7de0 }
            // n = 7, score = 100
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   89fa                 | mov                 edx, edi
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7405                 | je                  7
            //   e8????????           |                     
            //   8b7de0               | mov                 edi, dword ptr [ebp - 0x20]

        $sequence_8 = { 89542404 e8???????? 8b4df0 e8???????? 893424 8d55f4 }
            // n = 6, score = 100
            //   89542404             | mov                 dword ptr [esp + 4], edx
            //   e8????????           |                     
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   893424               | mov                 dword ptr [esp], esi
            //   8d55f4               | lea                 edx, [ebp - 0xc]

        $sequence_9 = { c705????????04000000 c705????????04000000 c605????????16 c705????????00ae4200 c705????????fa5b4100 c705????????00000000 c705????????01000000 }
            // n = 7, score = 100
            //   c705????????04000000     |     
            //   c705????????04000000     |     
            //   c605????????16       |                     
            //   c705????????00ae4200     |     
            //   c705????????fa5b4100     |     
            //   c705????????00000000     |     
            //   c705????????01000000     |     

    condition:
        7 of them and filesize < 919552
}
Download all Yara Rules