Unidentified 115 (Nim Loader) (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS
win.unidentified_115 (Back to overview)
Unidentified 115 (Nim Loader)

VTCollection
According to Walmart, this is a loader written in Nim that contains an AmsiScanBuffer patch followed by a EtwEventWrite patch and that will download/decrypt a payload via AES CFB and inject it into a hardcoded process target (e.g. explorer.exe).
References

2024-03-05 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
Unknown Nim Loader using PSBypassCLM
Unidentified 115 (Nim Loader)
Yara Rules

[TLP:WHITE] win_unidentified_115_auto (20260504 | Detects win.unidentified_115.)
rule win_unidentified_115_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.unidentified_115."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_115"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 4c8d6c242c baf4010000 4c89e9 e8???????? 31c9 }
            // n = 6, score = 100
            //   e9????????           |                     
            //   4c8d6c242c           | jne                 0x1a98
            //   baf4010000           | inc                 ecx
            //   4c89e9               | mov                 eax, 0x40
            //   e8????????           |                     
            //   31c9                 | dec                 esp

        $sequence_1 = { 4889cb 4889d1 4989d4 e8???????? 4889c6 4885c0 7505 }
            // n = 7, score = 100
            //   4889cb               | mov                 eax, dword ptr [esp + 0x48]
            //   4889d1               | mov                 edx, 0x13
            //   4989d4               | dec                 esp
            //   e8????????           |                     
            //   4889c6               | mov                 ecx, ebp
            //   4885c0               | dec                 eax
            //   7505                 | lea                 ecx, [esp + 0x84]

        $sequence_2 = { 4431e5 4189c4 4401dd 4189d3 01eb 89d5 41c1cb0b }
            // n = 7, score = 100
            //   4431e5               | lea                 eax, [edx + eax + 0x1f]
            //   4189c4               | dec                 eax
            //   4401dd               | lea                 ecx, [eax + 0xf]
            //   4189d3               | dec                 eax
            //   01eb                 | lea                 edx, [0x1c593]
            //   89d5                 | dec                 eax
            //   41c1cb0b             | mov                 ecx, eax

        $sequence_3 = { 4989c6 488b05???????? 4d8b7e18 498906 488d0531650100 49894610 }
            // n = 6, score = 100
            //   4989c6               | dec                 eax
            //   488b05????????       |                     
            //   4d8b7e18             | mov                 ecx, dword ptr [esp + 0xa0]
            //   498906               | call                dword ptr [ebx]
            //   488d0531650100       | dec                 eax
            //   49894610             | cmp                 dword ptr [esp + 0x108], 0

        $sequence_4 = { 498907 4c89442448 e8???????? 4c8b442448 49894718 4d85c0 7408 }
            // n = 7, score = 100
            //   498907               | mov                 edx, ecx
            //   4c89442448           | and                 edx, 0xffffffdf
            //   e8????????           |                     
            //   4c8b442448           | sub                 edx, 0x41
            //   49894718             | cmp                 dl, 0x19
            //   4d85c0               | ja                  0x1f69
            //   7408                 | mov                 cl, byte ptr [esp + 0x67]

        $sequence_5 = { 31d2 e8???????? 4898 48898424d8020000 4885c0 7511 488b4c2438 }
            // n = 7, score = 100
            //   31d2                 | dec                 eax
            //   e8????????           |                     
            //   4898                 | lea                 ebx, [edx + 1]
            //   48898424d8020000     | inc                 esp
            //   4885c0               | lea                 eax, [ecx - 0x2b]
            //   7511                 | dec                 eax
            //   488b4c2438           | mov                 edx, ecx

        $sequence_6 = { 488b8c24b8000000 e8???????? e9???????? 488b0d???????? ba30000000 e8???????? 4989c4 }
            // n = 7, score = 100
            //   488b8c24b8000000     | lea                 ecx, [0x1ee93]
            //   e8????????           |                     
            //   e9????????           |                     
            //   488b0d????????       |                     
            //   ba30000000           | push                ebx
            //   e8????????           |                     
            //   4989c4               | dec                 eax

        $sequence_7 = { 488b0d???????? ba30000000 4c8d35a9b70100 e8???????? b941000000 4989c5 488b05???????? }
            // n = 7, score = 100
            //   488b0d????????       |                     
            //   ba30000000           | mov                 byte ptr [ebx + eax + 0x28], 0x80
            //   4c8d35a9b70100       | dec                 eax
            //   e8????????           |                     
            //   b941000000           | inc                 eax
            //   4989c5               | dec                 esp
            //   488b05????????       |                     

        $sequence_8 = { 4c8b0e 488bb424d0010000 488b7c2430 488b4e38 4c8d4710 4889542420 488b542438 }
            // n = 7, score = 100
            //   4c8b0e               | mov                 ecx, dword ptr [esp + 0xb0]
            //   488bb424d0010000     | call                dword ptr [ebx]
            //   488b7c2430           | dec                 eax
            //   488b4e38             | mov                 ecx, dword ptr [esp + 0xa8]
            //   4c8d4710             | call                dword ptr [ebx]
            //   4889542420           | dec                 eax
            //   488b542438           | lea                 edx, [esp + 0x20]

        $sequence_9 = { e8???????? 49c7450800000000 4c8d0d67410100 4c89e9 4c8d0568410100 48c7442420ed000000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   49c7450800000000     | mov                 dword ptr [esp + 8], 0
            //   4c8d0d67410100       | dec                 esp
            //   4c89e9               | lea                 ecx, [0x22681]
            //   4c8d0568410100       | dec                 esp
            //   48c7442420ed000000     | mov    ecx, esp

    condition:
        7 of them and filesize < 648192
}
Download all Yara Rules
Unidentified 115 (Nim Loader) Propose Change

References

Yara Rules

Unidentified 115 (Nim Loader)
