{
	"id": "9e018109-666d-4e53-842a-db407587da3a",
	"created_at": "2026-04-06T00:10:09.045596Z",
	"updated_at": "2026-04-10T03:21:40.76455Z",
	"deleted_at": null,
	"sha1_hash": "91010e3655c9b33e634d9f027b81af7603cc0407",
	"title": "Investigation into the state of NIM malware Part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1387387,
	"plain_text": "Investigation into the state of NIM malware Part 2\r\nBy Jason Reaves\r\nPublished: 2021-10-14 · Archived: 2026-04-05 19:24:06 UTC\r\nWe did an investigation into the usage of NIM malware earlier in 2021[1] after the discovery of NimRod/Nimza[2,5] and RustyBuer[3,4], both of which are being leveraged by actors associated with the TrickBot crew. This is a continuation of that earlier report: a dump of data from continuing to track NIM based malware over time.\r\nNimGrabber\r\nMD5: 8753b73e2486523f0bd1120b0d87df21\r\nSHA-1: 5048bb4ac50049ba1490347920a65d7309e1ebfb\r\nSHA-256: 8ec44187e50c15a7c4c89af4a1e99c63c855539101ec1ef4588d2e12e05f7d2b\r\nMD5: 8c7086bf1606da31134b36c\r\nSHA-1: ee85527be9f6017e9dee0a9979a9b948a8d244be\r\nSHA-256: bc74f22b5407ac67b8d7dcb05262bee0dc9581620448c2b6514ed519ab7f6bd2\r\nThese samples call themselves NimGrabber based on the report they build to send back to the actor.\r\nhttps://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671\r\nPage 1 of 11\r\nThe data stolen includes Discord tokens and data from popular browsers, including:\r\nVivaldi\r\nMicrosoft Edge\r\nOpera\r\nChrome\r\nYandex\r\nBrave\r\nAfter harvesting the data and building out the report it is exfiltrated by sending the data to a Discord webhook:\r\nhxxps://discord.]com/api/webhooks/891404241124605982/evrTSNuCyasJcFT1KiY35gFCugpWZFoE7VfNXtlhrEfJLWeY\r\nCobaltStrike Stagers\r\nMD5: 9d6c1908baa481203faa31bce05ab8b2\r\nSHA-1: 76441909714108823c90f7ed9603d21bab53d801\r\nSHA-256: 41f40f8bbaeaeb811e5a9f8ba7870e6165fc749fe1121d09da30b127291ef351\r\nThis stager has a base64 encoded blob onboard and uses 3DES to decrypt the decoded data. 
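A Python-side reader for the same loader blob, added here as an example; it is not code from the article or from NimShellCodeLoader. It parses the decoded blob in the layout the loader's de3des() routine reads (2-byte little-endian length, 24-byte 3DES key, then ciphertext), takes the actual 3DES step as a callable so that the loader's own D3DES_Decrypt can be wired in over ctypes as the text suggests rather than re-implemented (the export signature assumed for that wrapper, ciphertext, key, output buffer, length, mirrors the de3des() call and should be checked against the compiled library), and validates the 4-character stager URIs reported in this section with the checksum8 test that Metasploit and Cobalt Strike stagers use. The shellcode stand-in and the identity decrypt are constructed for illustration only.

```python
import base64
import ctypes
import struct

# Layout of the base64-decoded blob as read by the loader's de3des() routine:
#   bytes 0..1   int16 (little-endian) length of the decrypted shellcode
#   bytes 2..25  24-byte 3DES key
#   bytes 26..   3DES ciphertext
KEY_OFFSET = 2
KEY_LEN = 24
CIPHER_OFFSET = KEY_OFFSET + KEY_LEN

# checksum8 values of stager URIs: Cobalt Strike uses 92 for x86 and 93 for x64.
STAGER_CHECKSUMS = {92: 'x86', 93: 'x64'}


def parse_blob(decoded):
    # Split a decoded NimShellCodeLoader blob into (plain_len, key, ciphertext).
    if len(decoded) < CIPHER_OFFSET:
        raise ValueError('blob too short for length field plus 3DES key')
    plain_len = struct.unpack('<h', decoded[:KEY_OFFSET])[0]
    key = decoded[KEY_OFFSET:CIPHER_OFFSET]
    cipher = decoded[CIPHER_OFFSET:]
    if plain_len <= 0 or plain_len > len(cipher):
        raise ValueError('plaintext length %d does not fit %d ciphertext bytes'
                         % (plain_len, len(cipher)))
    return plain_len, key, cipher


def load_native_decrypt(lib_path):
    # Wrap D3DES_Decrypt() from the loader's own source, built as a shared
    # library, so the cipher is never re-implemented in Python. Assumed export
    # signature: (ciphertext, key, out_buffer, length), as in the de3des() call.
    lib = ctypes.CDLL(lib_path)
    fn = lib.D3DES_Decrypt
    fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_char_p, ctypes.c_int]
    fn.restype = ctypes.c_int

    def decrypt(key, cipher, plain_len):
        out = ctypes.create_string_buffer(plain_len)
        fn(cipher, key, out, plain_len)
        return out.raw[:plain_len]
    return decrypt


def decrypt_blob(b64_text, decrypt):
    # Full pipeline: base64 -> header parse -> decrypt via the supplied callable.
    plain_len, key, cipher = parse_blob(base64.b64decode(b64_text))
    return decrypt(key, cipher, plain_len)[:plain_len]


def checksum8(uri):
    # Sum of the path bytes (leading slash excluded) mod 256.
    return sum(uri.lstrip('/').encode()) % 256


def stager_arch(uri):
    # 'x86', 'x64' or None when the path is not a valid stager URI.
    return STAGER_CHECKSUMS.get(checksum8(uri))


def find_stager_uri(shellcode):
    # Return the first /XXXX path in a decrypted stager whose checksum8 is valid.
    text = shellcode.decode('latin-1')
    for i in range(len(text) - 4):
        cand = text[i + 1:i + 5]
        if text[i] == '/' and cand.isascii() and cand.isalnum() and stager_arch(cand):
            return '/' + cand
    return None


def find_user_agent(shellcode):
    # Return the User-Agent header value embedded in the stager, if any.
    marker = b'User-Agent: '
    start = shellcode.find(marker)
    if start < 0:
        return None
    start += len(marker)
    end = shellcode.find(bytes(1), start)
    return shellcode[start:(end if end >= 0 else None)].decode('latin-1')


# Constructed stand-in for a decrypted stager: a NOP sled, a URI from this
# report and a User-Agent string; real shellcode is of course far more.
SAMPLE_SHELLCODE = (bytes([0x90]) * 8 + b'/3mXe' + bytes(1)
                    + b'User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)' + bytes(1))


def sample_blob():
    # Constructed blob in the loader's layout with a placeholder key; the
    # identity decrypt used with it below stands in for D3DES_Decrypt.
    body = SAMPLE_SHELLCODE
    return base64.b64encode(struct.pack('<h', len(body)) + b'K' * KEY_LEN + body)


if __name__ == '__main__':
    identity = lambda key, cipher, n: cipher
    sc = decrypt_blob(sample_blob(), identity)
    print(find_stager_uri(sc), stager_arch(find_stager_uri(sc)), find_user_agent(sc))
```

Running checksum8() over the four URIs reported in this section (/3mXe, /dJv9, /LwAY and /Mds9) gives 93 for every one of them, the x64 value, so all four are 64-bit stagers; a 4-character path that fails the check is not something a Cobalt Strike stager would request and can be discarded when carving strings from a blob.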
As it turns out this stager is built on a project called NimShellCodeLoader[6], which can leverage multiple encryption routines, including the Caesar and lookup table based encodings mentioned in our previous report[1].\r\nAfter Base64 decoding we are left with a blob that contains the length of the plaintext, followed by the 3DES key and then the encrypted shellcode blob. Unfortunately my version of 3DES in python was incompatible; I have talked about how this problem can come up with encryption algorithms in the past. The easiest solution here, since we have the source code, is to use it to decode the data.\r\nimport base64, strutils, sequtils\r\n\r\nconst source {.strdefine.}: string = \"\"\r\n\r\n# 3DES routine from the loader, linked in via importc\r\nproc D3DES_Decrypt(plainBuffer: cstring, keyBuffer: cstring, cipherBuffer: cstring, n: cint): cint {.importc.}\r\n\r\nvar code*: cstring\r\nvar codelen*: cint = 0\r\n\r\nproc de3des(enbase64: string): void =\r\n  let shellcode: string = decode(enbase64)\r\n  # bytes 0..1: little-endian int16 length of the decrypted shellcode\r\n  let plain_len_byte = cast[int16]([shellcode[0], shellcode[1]])\r\n  # bytes 2..25: 24-byte 3DES key; bytes 26..: ciphertext\r\n  let input_encode: cstring = shellcode[26..high(shellcode)]\r\n  let key: cstring = shellcode[2..25]\r\n  var str = cast[cstring](alloc0(plain_len_byte))\r\n  discard D3DES_Decrypt(input_encode, key, str, cast[cint](plain_len_byte))\r\n  code = str\r\n  codelen = plain_len_byte\r\n\r\nwhen isMainModule:\r\n  let data = readFile(\"blah.bin\")\r\n  de3des(data)\r\n  let f = open(\"blah.dec\", fmWrite)\r\n  discard writeBuffer(f, cast[pointer](code), codelen)\r\n  close(f)\r\nIf we wanted to make a standalone decoder in python we could either search for alternative python implementations or compile our NIM code into a shared library and call it using ctypes from python. Regardless, having the code allows us to easily decode the shellcode blobs from samples.\r\nData:\r\n1.14.66.81\r\n/3mXe\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)\r\nSample:\r\nMD5: 5fd028a9bd6087c70c0a09cc2ac8f2fd\r\nSHA-1: 0d6b34d4c9678dd35155093fde7aaca1847d3f09\r\nSHA-256: d34bc5060dd7e433bd11f16fb7f2ef289511476a2ba32721078483fbc0372024\r\nData:\r\n81.69.224.81\r\n/dJv9\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MDDCJS)\r\nSample:\r\nMD5: da61a622aff329ad08141387c9432b1a\r\nSHA-1: c49649cc71e7aaf243265959ec372173947a34a0\r\nSHA-256: ff261192a1defd66fcd5924e04c04cf255859beda3a02bb58dfe6d3e211d9c04\r\nData:\r\n192.168.111.141 (a private RFC 1918 address, suggesting a test or lab build)\r\n/LwAY\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)\r\nSample:\r\nMD5: c48763be59b1ba3fe81b06a31a5369bc\r\nSHA-1: 2e4086ca701304d67d14063b2105c20ff85a366c\r\nSHA-256: 40f8ca4c9f19d0330e42c98b9d0396b9f0caf191c6a544df4e4edb6837ed542c\r\nThis CobaltStrike stager appears to be more custom than the others: it still leverages base64, but it substitutes a set of characters before decoding and loading the onboard shellcode.\r\nHere we can see the base64 like string but with non standard characters mixed in:\r\nBefore being Base64 decoded some of the characters are replaced:\r\nReplacement of characters\r\nPython version\r\nAfter replacing the characters and base64 decoding it we are left with CobaltStrike stager shellcode:\r\n/Mds9\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR\r\nwww[.monksec[.tk\r\nThis server was still up at the time of analysis:\r\n'DOMAINS': 'www[.monksec[.tk,/j.ad'\r\n'SUBMITURI': '/submit.php'\r\n'WATERMARK': '305419896'\r\n'USERAGENT': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM)'\r\nNote that the watermark 305419896 is 0x12345678, a placeholder value shared by many unlicensed builds, so it is of no use for attribution.\r\n
Ransomware\r\nMD5: 8c09df22e86a70bfc3aa541e5ccab80b\r\nSHA-1: bfb1b412fde1ba4bf26d10ac7d76915051fafc3e\r\nSHA-256: a7517bca3c161893f0af6884415538defe3da75534e6b2b75720a61ae1c77abf\r\nRansomware is the hot item in the media lately, and finding tools or samples associated with it written in new languages should not be surprising. In this case, however, the ransomware turned out to be from a blog[7].\r\nSample:\r\nMD5: d65a8c0a2e771bb3b9664559552e69a7\r\nSHA-1: 4912dfe9fa35f5e209a5c019f5abce9a4e64132d\r\nSHA-256: 29f56a007e3f9b19a9a6ad9eab2af8edcdb3164a6f3323f0463c2983f83cdcef\r\nThis is another ransomware sample that also appears to be in testing, but this time a connection piece has been added that receives content from an HTTP request to an embedded domain. Internally the objects are named ‘exfilurl’ for the embedded domain:\r\nand ‘rware’ for the function responsible for encrypting files:\r\nFile encryption uses a hash of a hardcoded string as an AES key in CBC mode:\r\nwith the file then being overwritten:\r\nThe ransomware sample only targets files in a hardcoded location under a ‘.local’ domain; that, together with the source filename artifact ‘RwareEmulator.nim’ left in the binary, makes us suspect this is still testing or a demonstration.\r\n
Backdoor\r\nAnother sample found also appears to be related to testing:\r\nMD5: 28d231ca6d2b5c219eb23abbf2e6eec6\r\nSHA-1: 3512085d14fada2a5afc123efc4a087a48b98be1\r\nSHA-256: 181b1d6ba674bd6d4f786c6838b2ba36f79e7210cb1b7cef9de93aa68153b488\r\nThis sample operates as a simple reverse shell backdoor called NimRev. There are a number of NIM based reverse shells on github, but the disassembled binary most closely resembles the code from this blog[8].\r\nThe sample takes an IP and port as parameters and connects back to them, then signals to the server that it is ready to receive a command by sending a ‘\u003e ‘:\r\nAfter receiving a command it executes it and sends back the output:\r\nWhile reverse shells are fairly simplistic backdoors they can be very effective.\r\nAnother NimRev sample:\r\nMD5: 533082e631bb02f640dde461b9b71939\r\nSHA-1: 955578c34fe814d0ffaf87b8e38ca2510dbc7f9f\r\nSHA-256: 8503bd24fd22b322a8ccd2290a655630cef45fe144a386ef57cb9a7cb8ae5bef\r\nThis one is much the same, except that the prompt it sends back to the server is ‘nimrev\u003e ‘ instead of just ‘\u003e ‘.\r\n
YARA rules\r\nrule caesar_cs_stager\r\n{\r\n  meta:\r\n    author = \"Jason Reaves\"\r\n  strings:\r\n    $a1 = \"caesar__w9\"\r\n  condition:\r\n    all of them\r\n}\r\n\r\nrule nim_sc_loader\r\n{\r\n  meta:\r\n    author = \"Jason Reaves\"\r\n  strings:\r\n    $a1 = \"de3des__\"\r\n    $a2 = \"D3DES_Decrypt\"\r\n    $a3 = \"Direct_LoadPcy\"\r\n  condition:\r\n    any of them\r\n}\r\n\r\nrule nimrev\r\n{\r\n  meta:\r\n    author = \"Jason Reaves\"\r\n  strings:\r\n    $a1 = \"nimrev.nim\"\r\n    $b1 = \"result__\"\r\n    $b2 = \"VirtualAlloc\"\r\n    $b3 = \"recv__\"\r\n    $b4 = \"send__\"\r\n    $b5 = \"execProces\"\r\n  condition:\r\n    $a1 or all of ($b*)\r\n}\r\nNote that strings such as caesar__w9 and de3des__ are Nim-mangled symbol names; the mangling suffix depends on the Nim compiler version and module, so expect these rules to need refreshing as the tooling is rebuilt with newer toolchains.\r\n
References\r\n1: https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811\r\n2: https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e\r\n3: https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96\r\n4: https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust\r\n5: https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware\r\n6: https://github.com/aeverj/NimShellCodeLoader\r\n7: https://ilankalendarov.github.io/posts/nim-ransomware/\r\n8: https://trustfoundry.net/writing-basic-offensive-tooling-in-nim/\r\nSource: https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671"
	],
	"report_names": [
		"investigation-into-the-state-of-nim-malware-part-2-a28bffffa671"
	],
	"threat_actors": [],
	"ts_created_at": 1775434209,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91010e3655c9b33e634d9f027b81af7603cc0407.pdf",
		"text": "https://archive.orkl.eu/91010e3655c9b33e634d9f027b81af7603cc0407.txt",
		"img": "https://archive.orkl.eu/91010e3655c9b33e634d9f027b81af7603cc0407.jpg"
	}
}