SYMBOLCOMMON_NAMEaka. SYNONYMS
win.fobber (Back to overview)

Fobber

There is no description at this point.

References
2015-09-11GovCERT.chGovCERT.ch
@online{govcertch:20150911:analysing:e00b8ce, author = {GovCERT.ch}, title = {{Analysing a new eBanking Trojan called Fobber}}, date = {2015-09-11}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber}, language = {English}, urldate = {2019-11-29} } Analysing a new eBanking Trojan called Fobber
Fobber
2015-09-11GovCERT.chGovCERT.ch
@techreport{govcertch:20150911:fobber:a23b812, author = {GovCERT.ch}, title = {{Fobber Analysis}}, date = {2015-09-11}, institution = {GovCERT.ch}, url = {http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf}, language = {English}, urldate = {2019-12-17} } Fobber Analysis
Fobber
2015-08-18ByteAtlasDaniel Plohmann
@online{plohmann:20150818:knowledge:78bb6cf, author = {Daniel Plohmann}, title = {{Knowledge Fragment: Unwrapping Fobber}}, date = {2015-08-18}, organization = {ByteAtlas}, url = {http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html}, language = {English}, urldate = {2020-01-10} } Knowledge Fragment: Unwrapping Fobber
Fobber
2015-08-10Coding StuffsSergio Paganoni
@online{paganoni:20150810:fobber:ac48fa7, author = {Sergio Paganoni}, title = {{Fobber Code Decryption}}, date = {2015-08-10}, organization = {Coding Stuffs}, url = {http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html}, language = {English}, urldate = {2020-01-10} } Fobber Code Decryption
Fobber
2015-06-24MalwarebytesJérôme Segura
@online{segura:20150624:elusive:0df6ca6, author = {Jérôme Segura}, title = {{Elusive HanJuan EK Drops New Tinba Version (updated)}}, date = {2015-06-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/}, language = {English}, urldate = {2019-12-20} } Elusive HanJuan EK Drops New Tinba Version (updated)
Fobber
Yara Rules
[TLP:WHITE] win_fobber_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_fobber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89e5 57 51 8b7d08 }
            // n = 4, score = 1100
            //   89e5                 | mov                 ebp, esp
            //   57                   | push                edi
            //   51                   | push                ecx
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]

        $sequence_1 = { 49 89c8 59 5f }
            // n = 4, score = 1100
            //   49                   | dec                 ecx
            //   89c8                 | mov                 eax, ecx
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi

        $sequence_2 = { 55 89e5 ff750c 6800300000 }
            // n = 4, score = 1100
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   6800300000           | push                0x3000

        $sequence_3 = { 6685c0 7515 0fb646f8 50 }
            // n = 4, score = 1100
            //   6685c0               | test                ax, ax
            //   7515                 | jne                 0x17
            //   0fb646f8             | movzx               eax, byte ptr [esi - 8]
            //   50                   | push                eax

        $sequence_4 = { 0fb066f5 75f6 66b80100 660fc146f9 6685c0 }
            // n = 5, score = 1100
            // 
            //   75f6                 | jne                 0xfffffff8
            //   66b80100             | mov                 ax, 1
            //   660fc146f9           | xadd                word ptr [esi - 7], ax
            //   6685c0               | test                ax, ax

        $sequence_5 = { 30c0 31c9 f7d1 fc }
            // n = 4, score = 1100
            //   30c0                 | xor                 al, al
            //   31c9                 | xor                 ecx, ecx
            //   f7d1                 | not                 ecx
            //   fc                   | cld                 

        $sequence_6 = { c0c803 0453 42 e2f6 59 }
            // n = 5, score = 1100
            //   c0c803               | ror                 al, 3
            //   0453                 | add                 al, 0x53
            //   42                   | inc                 edx
            //   e2f6                 | loop                0xfffffff8
            //   59                   | pop                 ecx

        $sequence_7 = { 8b5508 8b4d0c 3002 c0c803 }
            // n = 4, score = 1100
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   3002                 | xor                 byte ptr [edx], al
            //   c0c803               | ror                 al, 3

        $sequence_8 = { 8b5d08 56 33f6 8975f8 }
            // n = 4, score = 100
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   8975f8               | mov                 dword ptr [ebp - 8], esi

        $sequence_9 = { 55 8bec 689484ec61 687d0f1a47 685b4b0fe3 }
            // n = 5, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   689484ec61           | push                0x61ec8494
            //   687d0f1a47           | push                0x471a0f7d
            //   685b4b0fe3           | push                0xe30f4b5b

        $sequence_10 = { a9a3c189c2 7fb2 9d 7154 0312 38494a }
            // n = 6, score = 100
            //   a9a3c189c2           | test                eax, 0xc289c1a3
            //   7fb2                 | jg                  0xffffffb4
            //   9d                   | popfd               
            //   7154                 | jno                 0x56
            //   0312                 | add                 edx, dword ptr [edx]
            //   38494a               | cmp                 byte ptr [ecx + 0x4a], cl

        $sequence_11 = { fa 15f291431f c853021f 5a f73c26 e074 }
            // n = 6, score = 100
            //   fa                   | cli                 
            //   15f291431f           | adc                 eax, 0x1f4391f2
            //   c853021f             | enter               0x253, 0x1f
            //   5a                   | pop                 edx
            //   f73c26               | idiv                dword ptr [esi]
            //   e074                 | loopne              0x76

        $sequence_12 = { 0f84a8ef0100 57 ff7510 6a00 ff750c 50 }
            // n = 6, score = 100
            //   0f84a8ef0100         | je                  0x1efae
            //   57                   | push                edi
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   6a00                 | push                0
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   50                   | push                eax

        $sequence_13 = { b3bf 8c4c89f5 55 45 0012 }
            // n = 5, score = 100
            //   b3bf                 | mov                 bl, 0xbf
            //   8c4c89f5             | mov                 word ptr [ecx + ecx*4 - 0xb], cs
            //   55                   | push                ebp
            //   45                   | inc                 ebp
            //   0012                 | add                 byte ptr [edx], dl

        $sequence_14 = { 61 6c 61 7220 }
            // n = 4, score = 100
            //   61                   | popal               
            //   6c                   | insb                byte ptr es:[edi], dx
            //   61                   | popal               
            //   7220                 | jb                  0x22

        $sequence_15 = { 3975fc 0f8778960100 8b4510 85c0 }
            // n = 4, score = 100
            //   3975fc               | cmp                 dword ptr [ebp - 4], esi
            //   0f8778960100         | ja                  0x1967e
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   85c0                 | test                eax, eax

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules