SYMBOLCOMMON_NAMEaka. SYNONYMS
win.fobber (Back to overview)

Fobber

There is no description at this point.

References
2015-09-11GovCERT.chGovCERT.ch
@online{govcertch:20150911:analysing:e00b8ce, author = {GovCERT.ch}, title = {{Analysing a new eBanking Trojan called Fobber}}, date = {2015-09-11}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber}, language = {English}, urldate = {2019-11-29} } Analysing a new eBanking Trojan called Fobber
Fobber
2015-09-11GovCERT.chGovCERT.ch
@techreport{govcertch:20150911:fobber:a23b812, author = {GovCERT.ch}, title = {{Fobber Analysis}}, date = {2015-09-11}, institution = {GovCERT.ch}, url = {http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf}, language = {English}, urldate = {2019-12-17} } Fobber Analysis
Fobber
2015-08-18ByteAtlasDaniel Plohmann
@online{plohmann:20150818:knowledge:78bb6cf, author = {Daniel Plohmann}, title = {{Knowledge Fragment: Unwrapping Fobber}}, date = {2015-08-18}, organization = {ByteAtlas}, url = {http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html}, language = {English}, urldate = {2020-01-10} } Knowledge Fragment: Unwrapping Fobber
Fobber
2015-08-10Coding StuffsSergio Paganoni
@online{paganoni:20150810:fobber:ac48fa7, author = {Sergio Paganoni}, title = {{Fobber Code Decryption}}, date = {2015-08-10}, organization = {Coding Stuffs}, url = {http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html}, language = {English}, urldate = {2020-01-10} } Fobber Code Decryption
Fobber
2015-06-24MalwarebytesJérôme Segura
@online{segura:20150624:elusive:0df6ca6, author = {Jérôme Segura}, title = {{Elusive HanJuan EK Drops New Tinba Version (updated)}}, date = {2015-06-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/}, language = {English}, urldate = {2019-12-20} } Elusive HanJuan EK Drops New Tinba Version (updated)
Fobber
Yara Rules
[TLP:WHITE] win_fobber_auto (20230125 | Detects win.fobber.)
rule win_fobber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.fobber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4d10 39f7 760e 8d0431 39f8 7607 }
            // n = 6, score = 1100
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   39f7                 | cmp                 edi, esi
            //   760e                 | jbe                 0x10
            //   8d0431               | lea                 eax, [ecx + esi]
            //   39f8                 | cmp                 eax, edi
            //   7607                 | jbe                 9

        $sequence_1 = { f2ae 31c0 e303 4f 89f8 5f 59 }
            // n = 7, score = 1100
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   31c0                 | xor                 eax, eax
            //   e303                 | jecxz               5
            //   4f                   | dec                 edi
            //   89f8                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   59                   | pop                 ecx

        $sequence_2 = { 89e5 51 8b4510 8b5508 8b4d0c 3002 }
            // n = 6, score = 1100
            //   89e5                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   3002                 | xor                 byte ptr [edx], al

        $sequence_3 = { 740f 89c1 8b450c fc f2ae }
            // n = 5, score = 1100
            //   740f                 | je                  0x11
            //   89c1                 | mov                 ecx, eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   fc                   | cld                 
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]

        $sequence_4 = { 31c9 f7d1 fc f2ae }
            // n = 4, score = 1100
            //   31c9                 | xor                 ecx, ecx
            //   f7d1                 | not                 ecx
            //   fc                   | cld                 
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]

        $sequence_5 = { 0fb066f5 75f6 66b80100 660fc146f9 6685c0 7515 }
            // n = 6, score = 1100
            //   0fb066f5             | cmpxchg             byte ptr [esi - 0xb], ah
            //   75f6                 | jne                 0xfffffff8
            //   66b80100             | mov                 ax, 1
            //   660fc146f9           | xadd                word ptr [esi - 7], ax
            //   6685c0               | test                ax, ax
            //   7515                 | jne                 0x17

        $sequence_6 = { 31c0 50 50 ff750c ff7508 50 50 }
            // n = 7, score = 1100
            //   31c0                 | xor                 eax, eax
            //   50                   | push                eax
            //   50                   | push                eax
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   50                   | push                eax
            //   50                   | push                eax

        $sequence_7 = { ff31 ffd0 85c0 7403 8b4508 }
            // n = 5, score = 1100
            //   ff31                 | push                dword ptr [ecx]
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_8 = { 0f8dc5f40100 3975f8 0f84b9f50100 ff75fc e8???????? 8b4508 59 }
            // n = 7, score = 100
            //   0f8dc5f40100         | jge                 0x1f4cb
            //   3975f8               | cmp                 dword ptr [ebp - 8], esi
            //   0f84b9f50100         | je                  0x1f5bf
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   59                   | pop                 ecx

        $sequence_9 = { 0081c7546900 0081c7397d00 00e9 a99effff5b 5f }
            // n = 5, score = 100
            //   0081c7546900         | add                 byte ptr [ecx + 0x6954c7], al
            //   0081c7397d00         | add                 byte ptr [ecx + 0x7d39c7], al
            //   00e9                 | add                 cl, ch
            //   a99effff5b           | test                eax, 0x5bffff9e
            //   5f                   | pop                 edi

        $sequence_10 = { 5a 8d6a5f 664d b672 3ef9 }
            // n = 5, score = 100
            //   5a                   | pop                 edx
            //   8d6a5f               | lea                 ebp, [edx + 0x5f]
            //   664d                 | dec                 bp
            //   b672                 | mov                 dh, 0x72
            //   3ef9                 | stc                 

        $sequence_11 = { 741c ff7508 56 57 }
            // n = 4, score = 100
            //   741c                 | je                  0x1e
            //   ff7508               | push                dword ptr [ebp + 8]
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_12 = { 8b00 895dd0 895ddc 895dc0 5e 3bc3 }
            // n = 6, score = 100
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   895dd0               | mov                 dword ptr [ebp - 0x30], ebx
            //   895ddc               | mov                 dword ptr [ebp - 0x24], ebx
            //   895dc0               | mov                 dword ptr [ebp - 0x40], ebx
            //   5e                   | pop                 esi
            //   3bc3                 | cmp                 eax, ebx

        $sequence_13 = { 0f85c5140100 0fb708 6685c9 7425 85f6 }
            // n = 5, score = 100
            //   0f85c5140100         | jne                 0x114cb
            //   0fb708               | movzx               ecx, word ptr [eax]
            //   6685c9               | test                cx, cx
            //   7425                 | je                  0x27
            //   85f6                 | test                esi, esi

        $sequence_14 = { 63746f72 27 009090906064 656661 756c }
            // n = 5, score = 100
            //   63746f72             | arpl                word ptr [edi + ebp*2 + 0x72], si
            //   27                   | daa                 
            //   009090906064         | add                 byte ptr [eax + 0x64609090], dl
            //   656661               | popaw               
            //   756c                 | jne                 0x6e

        $sequence_15 = { 0f8f00510100 8b4d0c 83f9ff 7448 83f9fe 7443 }
            // n = 6, score = 100
            //   0f8f00510100         | jg                  0x15106
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   83f9ff               | cmp                 ecx, -1
            //   7448                 | je                  0x4a
            //   83f9fe               | cmp                 ecx, -2
            //   7443                 | je                  0x45

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules