SYMBOLCOMMON_NAMEaka. SYNONYMS
win.fobber (Back to overview)

Fobber


There is no description at this point.

References
2015-09-11GovCERT.chGovCERT.ch
@online{govcertch:20150911:analysing:e00b8ce, author = {GovCERT.ch}, title = {{Analysing a new eBanking Trojan called Fobber}}, date = {2015-09-11}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber}, language = {English}, urldate = {2019-11-29} } Analysing a new eBanking Trojan called Fobber
Fobber
2015-09-11GovCERT.chGovCERT.ch
@techreport{govcertch:20150911:fobber:a23b812, author = {GovCERT.ch}, title = {{Fobber Analysis}}, date = {2015-09-11}, institution = {GovCERT.ch}, url = {http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf}, language = {English}, urldate = {2019-12-17} } Fobber Analysis
Fobber
2015-08-18ByteAtlasDaniel Plohmann
@online{plohmann:20150818:knowledge:78bb6cf, author = {Daniel Plohmann}, title = {{Knowledge Fragment: Unwrapping Fobber}}, date = {2015-08-18}, organization = {ByteAtlas}, url = {http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html}, language = {English}, urldate = {2020-01-10} } Knowledge Fragment: Unwrapping Fobber
Fobber
2015-08-10Coding StuffsSergio Paganoni
@online{paganoni:20150810:fobber:ac48fa7, author = {Sergio Paganoni}, title = {{Fobber Code Decryption}}, date = {2015-08-10}, organization = {Coding Stuffs}, url = {http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html}, language = {English}, urldate = {2020-01-10} } Fobber Code Decryption
Fobber
2015-06-24MalwarebytesJérôme Segura
@online{segura:20150624:elusive:0df6ca6, author = {Jérôme Segura}, title = {{Elusive HanJuan EK Drops New Tinba Version (updated)}}, date = {2015-06-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/}, language = {English}, urldate = {2019-12-20} } Elusive HanJuan EK Drops New Tinba Version (updated)
Fobber
Yara Rules
[TLP:WHITE] win_fobber_auto (20220411 | Detects win.fobber.)
rule win_fobber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.fobber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { fc f2ae 31c0 e303 4f 89f8 5f }
            // n = 7, score = 1100
            //   fc                   | cld                 
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   31c0                 | xor                 eax, eax
            //   e303                 | jecxz               5
            //   4f                   | dec                 edi
            //   89f8                 | mov                 eax, edi
            //   5f                   | pop                 edi

        $sequence_1 = { fc f2ae f7d1 49 89c8 }
            // n = 5, score = 1100
            //   fc                   | cld                 
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   f7d1                 | not                 ecx
            //   49                   | dec                 ecx
            //   89c8                 | mov                 eax, ecx

        $sequence_2 = { 3002 c0c803 0453 42 }
            // n = 4, score = 1100
            //   3002                 | xor                 byte ptr [edx], al
            //   c0c803               | ror                 al, 3
            //   0453                 | add                 al, 0x53
            //   42                   | inc                 edx

        $sequence_3 = { ff750c 6800300000 ff7508 6a00 }
            // n = 4, score = 1100
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   6800300000           | push                0x3000
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0

        $sequence_4 = { 89e5 ff7510 ff750c ff7508 e8???????? 85c0 }
            // n = 6, score = 1100
            //   89e5                 | mov                 ebp, esp
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_5 = { 51 8b7d08 30c0 31c9 }
            // n = 4, score = 1100
            //   51                   | push                ecx
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   30c0                 | xor                 al, al
            //   31c9                 | xor                 ecx, ecx

        $sequence_6 = { 89e5 51 8b4510 8b5508 8b4d0c 3002 }
            // n = 6, score = 1100
            //   89e5                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   3002                 | xor                 byte ptr [edx], al

        $sequence_7 = { 85c0 740f 89c1 8b450c fc }
            // n = 5, score = 1100
            //   85c0                 | test                eax, eax
            //   740f                 | je                  0x11
            //   89c1                 | mov                 ecx, eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   fc                   | cld                 

        $sequence_8 = { 740a 8a08 3acb 0f8592000000 47 3b7d0c }
            // n = 6, score = 100
            //   740a                 | je                  0xc
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   3acb                 | cmp                 cl, bl
            //   0f8592000000         | jne                 0x98
            //   47                   | inc                 edi
            //   3b7d0c               | cmp                 edi, dword ptr [ebp + 0xc]

        $sequence_9 = { 8bec a1???????? 80383f 7414 }
            // n = 4, score = 100
            //   8bec                 | mov                 ebp, esp
            //   a1????????           |                     
            //   80383f               | cmp                 byte ptr [eax], 0x3f
            //   7414                 | je                  0x16

        $sequence_10 = { 0f846b4d0100 8d45e4 50 8d45dc }
            // n = 4, score = 100
            //   0f846b4d0100         | je                  0x14d71
            //   8d45e4               | lea                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   8d45dc               | lea                 eax, dword ptr [ebp - 0x24]

        $sequence_11 = { 3c2b 0f8454010000 3c2d 0f844c010000 3ac3 }
            // n = 5, score = 100
            //   3c2b                 | cmp                 al, 0x2b
            //   0f8454010000         | je                  0x15a
            //   3c2d                 | cmp                 al, 0x2d
            //   0f844c010000         | je                  0x152
            //   3ac3                 | cmp                 al, bl

        $sequence_12 = { 24ff 44 a0???????? bfdf021850 }
            // n = 4, score = 100
            //   24ff                 | and                 al, 0xff
            //   44                   | inc                 esp
            //   a0????????           |                     
            //   bfdf021850           | mov                 edi, 0x501802df

        $sequence_13 = { fe00 006683 7b02 3a750f 0fb703 }
            // n = 5, score = 100
            //   fe00                 | inc                 byte ptr [eax]
            //   006683               | add                 byte ptr [esi - 0x7d], ah
            //   7b02                 | jnp                 4
            //   3a750f               | cmp                 dh, byte ptr [ebp + 0xf]
            //   0fb703               | movzx               eax, word ptr [ebx]

        $sequence_14 = { fa 03740789 48 045d }
            // n = 4, score = 100
            //   fa                   | cli                 
            //   03740789             | add                 esi, dword ptr [edi + eax - 0x77]
            //   48                   | dec                 eax
            //   045d                 | add                 al, 0x5d

        $sequence_15 = { 724c d58e 57 33714b 8aa07b74cafc }
            // n = 5, score = 100
            //   724c                 | jb                  0x4e
            //   d58e                 | aad                 0x8e
            //   57                   | push                edi
            //   33714b               | xor                 esi, dword ptr [ecx + 0x4b]
            //   8aa07b74cafc         | mov                 ah, byte ptr [eax - 0x3358b85]

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules