Deep Analysis - Nim Malware (puppy HTTP / winim) | Threat: HIGH
File Identity
| Field | Value |
|---|---|
| SHA256 | 3de6a48a918e174b9bde3828a9ef0af4e6c6d17cf48bb4fe2d17e008b901ae3b |
| Size | 831,360 bytes (811 KB), PE32 x86, MinGW GCC 9.3 |
| Language | Nim (MinGW GCC 9.3-win32 20200320) |
| Sections | 18 sections (high), TLS directory found |
Nim Libraries (Nimble)
NIM: compiled with the Nimble package system. Three critical Nimble packages are in use:
winim 5.7.48 <- Windows API bindings (winim manifest embedded)
puppy 4.9.4 <- HTTP client library
  allowAnyHttpsCertificate <- SSL certificate validation bypass
  @application/x-www-form-urlencoded <- HTTP form POST
  CLSID_HttpProtocol / CLSID_HttpSProtocol
zippy 4.9.8 <- data compression/decompression (LZ4/deflate)
Windows API Capabilities
WinHttpOpen / WinHttpOpenRequest / WinHttpSendRequest
@WinHttpSendRequest error: / @WinHttpOpenRequest error: <- Nim debug strings

winim manifest:
  -> Windows COM, shellapi, winbase, windef APIs

sinc@sobjbase.nim / sinc@sshellapi.nim <- Nim source file paths
sinc@swinbase.nim / sinc@swindef.nim
Command Execution
@cmd /c timeout 2 & " <- delayed command execution (sandbox evasion)
poEchoCmd <- Nim process object echo mode
@buildCommandLine <- command line construction
password <- credential usage
IOC
| Field | Value |
|---|---|
| SHA256 | 3de6a48a918e174b9bde3828a9ef0af4e6c6d17cf48bb4fe2d17e008b901ae3b |
| Language | Nim (MinGW GCC 9.3-win32) |
| HTTP Lib | puppy 4.9.4 (allowAnyHttpsCertificate) |
| Win API | winim 5.7.48 (shellapi, objbase, winbase) |
| Compression | zippy 4.9.8 |
| TLS | TLS directory found (anti-analysis) |
NimMalware — Malware Profile
Malware compiled with the Nim programming language. It uses winim 5.7.48 for the Windows API, puppy 4.9.4 as its HTTP client (allowAnyHttpsCertificate - SSL validation bypass), and zippy 4.9.8 for compression. Compiled with MinGW GCC 9.3-win32. 18 PE sections, TLS anti-analysis.
Malware Type
Backdoor
Programming Language
Nim
C2 Protocol
HTTP
Target Systems
Global
Capabilities & Behavior
Remote Access & Control
Keylogger
Screenshot Capture
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism
IOC List (1 indicator)
IOC — NimMalware
| Type | Value | Note |
|---|---|---|
| sha256 | 3de6a48a918e174b9bde3828a9ef0af4e6c6d17cf48bb4fe2d17e008b901ae3b | |