SYMBOLCOMMON_NAMEaka. SYNONYMS
win.fobber (Back to overview)

Fobber


There is no description at this point.

References
2015-09-11GovCERT.chGovCERT.ch
@online{govcertch:20150911:analysing:e00b8ce, author = {GovCERT.ch}, title = {{Analysing a new eBanking Trojan called Fobber}}, date = {2015-09-11}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber}, language = {English}, urldate = {2019-11-29} } Analysing a new eBanking Trojan called Fobber
Fobber
2015-09-11GovCERT.chGovCERT.ch
@techreport{govcertch:20150911:fobber:a23b812, author = {GovCERT.ch}, title = {{Fobber Analysis}}, date = {2015-09-11}, institution = {GovCERT.ch}, url = {http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf}, language = {English}, urldate = {2019-12-17} } Fobber Analysis
Fobber
2015-08-18ByteAtlasDaniel Plohmann
@online{plohmann:20150818:knowledge:78bb6cf, author = {Daniel Plohmann}, title = {{Knowledge Fragment: Unwrapping Fobber}}, date = {2015-08-18}, organization = {ByteAtlas}, url = {http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html}, language = {English}, urldate = {2020-01-10} } Knowledge Fragment: Unwrapping Fobber
Fobber
2015-08-10Coding StuffsSergio Paganoni
@online{paganoni:20150810:fobber:ac48fa7, author = {Sergio Paganoni}, title = {{Fobber Code Decryption}}, date = {2015-08-10}, organization = {Coding Stuffs}, url = {http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html}, language = {English}, urldate = {2020-01-10} } Fobber Code Decryption
Fobber
2015-06-24MalwarebytesJérôme Segura
@online{segura:20150624:elusive:0df6ca6, author = {Jérôme Segura}, title = {{Elusive HanJuan EK Drops New Tinba Version (updated)}}, date = {2015-06-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/}, language = {English}, urldate = {2019-12-20} } Elusive HanJuan EK Drops New Tinba Version (updated)
Fobber
Yara Rules
[TLP:WHITE] win_fobber_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_fobber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89e5 51 57 8b7d08 57 }
            // n = 5, score = 1100
            //   89e5                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   57                   | push                edi

        $sequence_1 = { 51 8b7d08 30c0 31c9 f7d1 }
            // n = 5, score = 1100
            //   51                   | push                ecx
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   30c0                 | xor                 al, al
            //   31c9                 | xor                 ecx, ecx
            //   f7d1                 | not                 ecx

        $sequence_2 = { 89e5 50 51 52 }
            // n = 4, score = 1100
            //   89e5                 | mov                 ebp, esp
            //   50                   | push                eax
            //   51                   | push                ecx
            //   52                   | push                edx

        $sequence_3 = { 8b4d0c 3002 c0c803 0453 42 e2f6 }
            // n = 6, score = 1100
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   3002                 | xor                 byte ptr [edx], al
            //   c0c803               | ror                 al, 3
            //   0453                 | add                 al, 0x53
            //   42                   | inc                 edx
            //   e2f6                 | loop                0xfffffff8

        $sequence_4 = { 8b4d10 39f7 760e 8d0431 39f8 7607 49 }
            // n = 7, score = 1100
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   39f7                 | cmp                 edi, esi
            //   760e                 | jbe                 0x10
            //   8d0431               | lea                 eax, [ecx + esi]
            //   39f8                 | cmp                 eax, edi
            //   7607                 | jbe                 9
            //   49                   | dec                 ecx

        $sequence_5 = { 85c0 740f 8d4d08 51 ff31 ffd0 85c0 }
            // n = 7, score = 1100
            //   85c0                 | test                eax, eax
            //   740f                 | je                  0x11
            //   8d4d08               | lea                 ecx, [ebp + 8]
            //   51                   | push                ecx
            //   ff31                 | push                dword ptr [ecx]
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax

        $sequence_6 = { f2ae 31c0 e303 4f }
            // n = 4, score = 1100
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   31c0                 | xor                 eax, eax
            //   e303                 | jecxz               5
            //   4f                   | dec                 edi

        $sequence_7 = { fc f2ae f7d1 49 89c8 59 }
            // n = 6, score = 1100
            //   fc                   | cld                 
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   f7d1                 | not                 ecx
            //   49                   | dec                 ecx
            //   89c8                 | mov                 eax, ecx
            //   59                   | pop                 ecx

        $sequence_8 = { 83f9ff 0f8587840100 2bc2 8a0a }
            // n = 4, score = 100
            //   83f9ff               | cmp                 ecx, -1
            //   0f8587840100         | jne                 0x1848d
            //   2bc2                 | sub                 eax, edx
            //   8a0a                 | mov                 cl, byte ptr [edx]

        $sequence_9 = { 750a e8???????? 8b4dec 8908 3bf7 0f85b1500100 397dfc }
            // n = 7, score = 100
            //   750a                 | jne                 0xc
            //   e8????????           |                     
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   3bf7                 | cmp                 esi, edi
            //   0f85b1500100         | jne                 0x150b7
            //   397dfc               | cmp                 dword ptr [ebp - 4], edi

        $sequence_10 = { ff897de4897d d88b5d0883fb 0b7f4b 7415 8bc3 6a02 }
            // n = 6, score = 100
            //   ff897de4897d         | dec                 dword ptr [ecx + 0x7d89e47d]
            //   d88b5d0883fb         | fmul                dword ptr [ebx - 0x47cf7a3]
            //   0b7f4b               | or                  edi, dword ptr [edi + 0x4b]
            //   7415                 | je                  0x17
            //   8bc3                 | mov                 eax, ebx
            //   6a02                 | push                2

        $sequence_11 = { 81c0ab690000 81c0e1380000 81e81b020000 e9???????? }
            // n = 4, score = 100
            //   81c0ab690000         | add                 eax, 0x69ab
            //   81c0e1380000         | add                 eax, 0x38e1
            //   81e81b020000         | sub                 eax, 0x21b
            //   e9????????           |                     

        $sequence_12 = { 81c6f90f0000 81c6f3730000 81c63b200000 81ee4b220000 81c6506b0000 81c626290000 81c67f0e0000 }
            // n = 7, score = 100
            //   81c6f90f0000         | add                 esi, 0xff9
            //   81c6f3730000         | add                 esi, 0x73f3
            //   81c63b200000         | add                 esi, 0x203b
            //   81ee4b220000         | sub                 esi, 0x224b
            //   81c6506b0000         | add                 esi, 0x6b50
            //   81c626290000         | add                 esi, 0x2926
            //   81c67f0e0000         | add                 esi, 0xe7f

        $sequence_13 = { 93 4f 41 9c 91 a3???????? 236fc7 }
            // n = 7, score = 100
            //   93                   | xchg                eax, ebx
            //   4f                   | dec                 edi
            //   41                   | inc                 ecx
            //   9c                   | pushfd              
            //   91                   | xchg                eax, ecx
            //   a3????????           |                     
            //   236fc7               | and                 ebp, dword ptr [edi - 0x39]

        $sequence_14 = { 59 c3 68d015c072 e9???????? 7368 }
            // n = 5, score = 100
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   68d015c072           | push                0x72c015d0
            //   e9????????           |                     
            //   7368                 | jae                 0x6a

        $sequence_15 = { 03740789 48 045d c20400 }
            // n = 4, score = 100
            //   03740789             | add                 esi, dword ptr [edi + eax - 0x77]
            //   48                   | dec                 eax
            //   045d                 | add                 al, 0x5d
            //   c20400               | ret                 4

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules