There is no description at this point.
/*
 * win_fobber_auto -- autogenerated YARA-Signator rule for the win.fobber family.
 *
 * Layout: 16 byte-sequence strings ($sequence_0 .. $sequence_15) lifted from
 * disassembly, plus a file-size bound. $sequence_0..7 carry score = 1100,
 * $sequence_8..15 carry score = 100 (scores and instruction counts are kept in
 * the per-string comments). The condition accepts any 7 of the 16 strings, so
 * either score group on its own (8 strings each) is sufficient for a match.
 *
 * Reviewer notes (defensive reading of the generated strings; confirm against
 * the reference samples before assigning the rule a confidence level):
 *  - Several score-100 sequences disassemble to improbable code (arpl, four
 *    consecutive `sal byte ptr [edx - ..], 0x58`, `add byte ptr [ecx - 0x13a1d11], al`),
 *    which looks like data decoded as instructions -- treat them as weak evidence.
 *  - $sequence_7 is the inline strlen idiom (xor ecx,ecx / not ecx / repne scasb /
 *    not ecx / dec ecx) and will also occur in unrelated code.
 *  - $sequence_13 contains a generic function prologue (mov edi,edi / push ebp /
 *    mov ebp,esp), another low-specificity fragment.
 *  - $sequence_2 pushes 0x3000 (matches MEM_COMMIT|MEM_RESERVE) and $sequence_12
 *    pushes 0x80000002 / 0x80000005 (match the HKEY_LOCAL_MACHINE / HKEY_CURRENT_CONFIG
 *    predefined handles); these look like an allocation wrapper and a registry
 *    access respectively -- presumed from the constants only, not verified.
 */
rule win_fobber_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.fobber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

        /* DISCLAIMER
         * The strings used in this rule have been automatically selected from the
         * disassembly of memory dumps and unpacked files, using YARA-Signator.
         * The code and documentation is published here:
         * https://github.com/fxb-cocacoding/yara-signator
         * As Malpedia is used as data source, please note that for a given
         * number of families, only single samples are documented.
         * This likely impacts the degree of generalization these rules will offer.
         * Take the described generation method also into consideration when you
         * apply the rules in your use cases and assign them confidence levels.
         */

    strings:
        // ---- score = 1100 ------------------------------------------------

        // n = 4 -- cmpxchg/xadd pair, looks like an atomic retry loop (unverified)
        //   0fb066f5    cmpxchg byte ptr [esi - 0xb], ah
        //   75f6        jne 0xfffffff8
        //   66b80100    mov ax, 1
        //   660fc146f9  xadd word ptr [esi - 7], ax
        $sequence_0 = { 0F B0 66 F5  75 F6  66 B8 01 00  66 0F C1 46 F9 }

        // n = 5 -- indirect call through eax with a pointer argument
        //   740f    je 0x11
        //   8d4d08  lea ecx, [ebp + 8]
        //   51      push ecx
        //   ff31    push dword ptr [ecx]
        //   ffd0    call eax
        $sequence_1 = { 74 0F  8D 4D 08  51  FF 31  FF D0 }

        // n = 4 -- 0x3000 matches MEM_COMMIT|MEM_RESERVE (allocation wrapper, presumed)
        //   89e5        mov ebp, esp
        //   ff750c      push dword ptr [ebp + 0xc]
        //   6800300000  push 0x3000
        //   ff7508      push dword ptr [ebp + 8]
        $sequence_2 = { 89 E5  FF 75 0C  68 00 30 00 00  FF 75 08 }

        // n = 5
        //   7607  jbe 9
        //   49    dec ecx
        //   01cf  add edi, ecx
        //   01ce  add esi, ecx
        //   41    inc ecx
        $sequence_3 = { 76 07  49  01 CF  01 CE  41 }

        // n = 4
        //   8b750c  mov esi, dword ptr [ebp + 0xc]
        //   8b4d10  mov ecx, dword ptr [ebp + 0x10]
        //   39f7    cmp edi, esi
        //   760e    jbe 0x10
        $sequence_4 = { 8B 75 0C  8B 4D 10  39 F7  76 0E }

        // n = 7 -- three-argument call with wildcarded rel32 target
        //   ff7510      push dword ptr [ebp + 0x10]
        //   ff750c      push dword ptr [ebp + 0xc]
        //   ff7508      push dword ptr [ebp + 8]
        //   e8????????  call <wildcarded>
        //   85c0        test eax, eax
        //   7407        je 9
        //   50          push eax
        $sequence_5 = { FF 75 10  FF 75 0C  FF 75 08  E8 ?? ?? ?? ??  85 C0  74 07  50 }

        // n = 5
        //   760e    jbe 0x10
        //   8d0431  lea eax, [ecx + esi]
        //   39f8    cmp eax, edi
        //   7607    jbe 9
        //   49      dec ecx
        $sequence_6 = { 76 0E  8D 04 31  39 F8  76 07  49 }

        // n = 7 -- inline strlen idiom; low specificity on its own
        //   31c9  xor ecx, ecx
        //   f7d1  not ecx
        //   fc    cld
        //   f2ae  repne scasb al, byte ptr es:[edi]
        //   f7d1  not ecx
        //   49    dec ecx
        //   89c8  mov eax, ecx
        $sequence_7 = { 31 C9  F7 D1  FC  F2 AE  F7 D1  49  89 C8 }

        // ---- score = 100 -------------------------------------------------

        // n = 6 -- first three instructions look like data decoded as code
        //   05b05ec972  add eax, 0x72c95eb0
        //   0100        add dword ptr [eax], eax
        //   0000        add byte ptr [eax], al
        //   6a08        push 8
        //   e8????????  call <wildcarded>
        //   59          pop ecx
        $sequence_8 = { 05 B0 5E C9 72  01 00  00 00  6A 08  E8 ?? ?? ?? ??  59 }

        // n = 5 -- `mov esp, <imm>` is unusual for real code; likely data
        //   38d7        cmp bh, dl
        //   6a00        push 0
        //   bc711fb37c  mov esp, 0x7cb31f71
        //   0474        add al, 0x74
        //   04f0        add al, 0xf0
        $sequence_9 = { 38 D7  6A 00  BC 71 1F B3 7C  04 74  04 F0 }

        // n = 4 -- repeating 4-byte pattern; looks like a table rather than code
        //   c072e458  sal byte ptr [edx - 0x1c], 0x58
        //   c072c458  sal byte ptr [edx - 0x3c], 0x58
        //   c072a458  sal byte ptr [edx - 0x5c], 0x58
        //   c0728458  sal byte ptr [edx - 0x7c], 0x58
        $sequence_10 = { C0 72 E4 58  C0 72 C4 58  C0 72 A4 58  C0 72 84 58 }

        // n = 7 -- word-copy loop body
        //   3bd6    cmp edx, esi
        //   7409    je 0xb
        //   668b08  mov cx, word ptr [eax]
        //   66890a  mov word ptr [edx], cx
        //   83c202  add edx, 2
        //   ff07    inc dword ptr [edi]
        //   6a22    push 0x22
        $sequence_11 = { 3B D6  74 09  66 8B 08  66 89 0A  83 C2 02  FF 07  6A 22 }

        // n = 6 -- 0x80000002 / 0x80000005 match HKEY_LOCAL_MACHINE / HKEY_CURRENT_CONFIG (presumed registry access)
        //   6802000080    push 0x80000002
        //   ff15????????  call dword ptr [<wildcarded>]
        //   8d45f8        lea eax, [ebp - 8]
        //   50            push eax
        //   68????????    push <wildcarded>
        //   6805000080    push 0x80000005
        $sequence_12 = { 68 02 00 00 80  FF 15 ?? ?? ?? ??  8D 45 F8  50  68 ?? ?? ?? ??  68 05 00 00 80 }

        // n = 7 -- tail of one function followed by a generic prologue
        //   ebd8      jmp 0xffffffda
        //   8bff      mov edi, edi
        //   55        push ebp
        //   8bec      mov ebp, esp
        //   837d0800  cmp dword ptr [ebp + 8], 0
        //   56        push esi
        //   8bf1      mov esi, ecx
        $sequence_13 = { EB D8  8B FF  55  8B EC  83 7D 08 00  56  8B F1 }

        // n = 6 -- arpl + absolute-address adds; almost certainly data decoded as code
        //   6300          arpl word ptr [eax], ax
        //   0081efe2c5fe  add byte ptr [ecx - 0x13a1d11], al
        //   ff81c7c34c00  inc dword ptr [ecx + 0x4cc3c7]
        //   0081efc52500  add byte ptr [ecx + 0x25c5ef], al
        //   0081efb55100  add byte ptr [ecx + 0x51b5ef], al
        //   0081ef272400  add byte ptr [ecx + 0x2427ef], al
        $sequence_14 = { 63 00  00 81 EF E2 C5 FE  FF 81 C7 C3 4C 00  00 81 EF C5 25 00  00 81 EF B5 51 00  00 81 EF 27 24 00 }

        // n = 7 -- alternating add/sub on esi with immediates (obfuscation-style arithmetic, unverified)
        //   81c6e9140000  add esi, 0x14e9
        //   81eefa360000  sub esi, 0x36fa
        //   81eef8e4ffff  sub esi, 0xffffe4f8
        //   81c6507c0000  add esi, 0x7c50
        //   81eeb77a0000  sub esi, 0x7ab7
        //   81ee0b690000  sub esi, 0x690b
        //   81c6cf450000  add esi, 0x45cf
        $sequence_15 = { 81 C6 E9 14 00 00  81 EE FA 36 00 00  81 EE F8 E4 FF FF  81 C6 50 7C 00 00  81 EE B7 7A 00 00  81 EE 0B 69 00 00  81 C6 CF 45 00 00 }

    condition:
        // 184KB == 188416 bytes; any 7 of the 16 sequences above
        7 of ($sequence_*) and filesize < 184KB
}