Deep Analysis - Nim Malware (puppy HTTP / winim) | Threat: HIGH

File Identity

SHA256:    3de6a48a918e174b9bde3828a9ef0af4e6c6d17cf48bb4fe2d17e008b901ae3b
Size:      831,360 bytes (811 KB), PE32 x86, MinGW GCC 9.3
Language:  Nim (MinGW GCC 9.3-win32 20200320)
Sections:  18 sections (high), TLS directory found

Nim Libraries (Nimble)

NIM: Compiled with the Nimble package system. Three notable nimble packages are in use:

winim 5.7.48      <- Windows API bindings (winim manifest embedded)
puppy 4.9.4       <- HTTP client library
  allowAnyHttpsCertificate  <- SSL certificate verification bypass!
  @application/x-www-form-urlencoded <- HTTP form POST
  CLSID_HttpProtocol / CLSID_HttpSProtocol
zippy 4.9.8       <- Data compression/decompression (LZ4/deflate)

Windows API Capabilities

WinHttpOpen / WinHttpOpenRequest / WinHttpSendRequest
@WinHttpSendRequest error: / @WinHttpOpenRequest error:  <- Nim debug strings

winim manifest:
  -> Windows COM, shellapi, winbase, windef APIs

sinc@sobjbase.nim / sinc@sshellapi.nim   <- Nim source file paths
sinc@swinbase.nim / sinc@swindef.nim

Command Execution

@cmd /c timeout 2 & "   <- delayed command execution (sandbox evasion)
poEchoCmd               <- Nim process object echo mode
@buildCommandLine       <- command-line preparation
password                <- credential use

IOC

SHA256:       3de6a48a918e174b9bde3828a9ef0af4e6c6d17cf48bb4fe2d17e008b901ae3b
Language:     Nim (MinGW GCC 9.3-win32)
HTTP Lib:     puppy 4.9.4 (allowAnyHttpsCertificate)
Win API:      winim 5.7.48 (shellapi, objbase, winbase)
Compression:  zippy 4.9.8
TLS:          TLS directory found (anti-analysis)
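As an added defender-side triage example (not part of the original analysis): the Python below checks a file's raw bytes for the indicators listed above, the nimble package version strings, the allowAnyHttpsCertificate and "cmd /c timeout N &" markers, and the presence of a TLS directory in the PE optional header, which matters because TLS callbacks execute before the entry point and so evade breakpoints set there. The marker names and the build_sample() input (a minimal PE32 header plus a constructed string blob, not the real file) are assumptions made for this example.

```python
import re
import struct
# Markers from the analysis above: nimble package version strings and risky behavioural strings.
MARKERS = {
    "winim": rb"winim 5\.7\.48",
    "puppy": rb"puppy 4\.9\.4",
    "zippy": rb"zippy 4\.9\.8",
    "tls_cert_check_disabled": rb"allowAnyHttpsCertificate",
    "delayed_cmd_exec": rb"cmd /c timeout \d+ &",
    "winhttp_c2": rb"WinHttpSendRequest",
}
def has_tls_directory(pe: bytes) -> bool:
    """True if IMAGE_DIRECTORY_ENTRY_TLS (index 9) has a non-zero RVA and size."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 24                 # optional header follows the 20-byte COFF header
    if len(pe) < opt + 2:
        return False
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):     # PE32 / PE32+ only
        return False
    dirs = opt + (96 if magic == 0x10B else 112)   # data directory table offset
    if dirs + 10 * 8 > len(pe):         # entries 0..9 must be present
        return False
    ndirs = struct.unpack_from("<I", pe, dirs - 4)[0]   # NumberOfRvaAndSizes
    rva, size = struct.unpack_from("<II", pe, dirs + 9 * 8)
    return ndirs >= 10 and rva != 0 and size != 0

def triage(pe: bytes) -> dict:
    """Which markers are present in the raw bytes, plus the TLS directory check."""
    result = {name: re.search(pat, pe) is not None for name, pat in MARKERS.items()}
    result["tls_directory"] = has_tls_directory(pe)
    return result

def build_sample(tls_rva: int, strings: bytes) -> bytes:
    """Constructed input: a minimal PE32 header (not a loadable image) plus a string blob."""
    hdr = bytearray(0x40 + 24 + 224)    # DOS header, PE sig + COFF header, PE32 optional header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x58, 0x10B)              # optional header Magic = PE32
    struct.pack_into("<I", hdr, 0x58 + 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x58 + 96 + 72, tls_rva, 0x18 if tls_rva else 0)
    return bytes(hdr) + strings

# Constructed string blob mirroring what the analysis reports (zippy deliberately absent).
SAMPLE_STRINGS = b"winim 5.7.48\0puppy 4.9.4\0allowAnyHttpsCertificate\0cmd /c timeout 2 & \0WinHttpSendRequest\0"
```

Run triage() over the real file's bytes to get the same dictionary; a hit on tls_cert_check_disabled together with WinHttp strings and a TLS directory is the combination this analysis flags.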

NimMalware — Malware Profile

Malware compiled with the Nim programming language. It uses the winim 5.7.48 Windows API bindings, the puppy 4.9.4 HTTP client (allowAnyHttpsCertificate - SSL verification bypass) and the zippy 4.9.8 compression library. Compiled with MinGW GCC 9.3-win32. 18 PE sections, TLS directory used for anti-analysis.

Malware Type: Backdoor
Programming Language: Nim
C2 Protocol: HTTP
Target Systems: Global

Capabilities & Behavior

Remote Access & Control
Keylogger
Screenshot Capture
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (1 indicator)

IOC — NimMalware
# SHA256 3de6a48a918e174b9bde3828a9ef0af4e6c6d17cf48bb4fe2d17e008b901ae3b
Type     Value                                                             Note
sha256   3de6a48a918e174b9bde3828a9ef0af4e6c6d17cf48bb4fe2d17e008b901ae3b  -
Tags
nim-programming-language-malware, winim-5-7-48-windows-api-bindings, puppy-4-9-4-http-client-library, allowanyhttpscertificate-ssl-bypass, zippy-compression-lz4-deflate, winhttpsendrequest-c2-http, mingw-gcc-9-3-win32-compiler, 18-sections-high-section-count, tls-directory-found-anti-analysis, cmd-c-timeout-2-sandbox-evasion, sinc-shellapi-objbase-winbase-windef, nim-malware-puppy-http-form-post