win.gaboon_grabber

GaboonGrabber


According to ANY.RUN, GaboonGrabber is a .NET loader that reads its own embedded resources to stage several fileless payloads in memory. It tends to camouflage itself as a legitimate application, to the point that its decompiled code mimics that of a benign program, and it carries a steganographic image from which further payloads are prepared.

GaboonGrabber's final stage can deploy various malware families, including Snake Keylogger, AgentTesla, Redline, Lokibot, and others.
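The following is an added example (not ANY.RUN's or Malpedia's code) that spells out, in runnable Python, what two of the byte patterns and two of the text strings in the Malpedia YARA rule further down this page actually match: the `1F 16 5D 91 61` and `1F 16 5D 6F ?? ?? ?? ?? 61` sequences are the CIL for `buf[i] ^ key[i % 22]`, and `"4D5A9"` / `"9A5D4"` are the first characters of a hex-encoded PE stored forwards or character-reversed. Opcode values are from ECMA-335; `SAMPLE_PE`, `SAMPLE_KEY` and the surrounding text are constructed for the demo rather than taken from a real sample, and the function names are this example's own.

```python
import re

# Single-byte CIL opcodes that appear in the rule's two decrypt patterns
# (ECMA-335 values; mnemonic, operand size in bytes).
CIL_OPCODES = {
    0x1F: ("ldc.i4.s", 1),    # push an int8 constant
    0x5D: ("rem", 0),         # integer remainder
    0x91: ("ldelem.u1", 0),   # load a byte out of an array
    0x6F: ("callvirt", 4),    # call through a 4-byte method token
    0x61: ("xor", 0),
}


def disassemble(code: bytes) -> list:
    """Render one of the rule's byte sequences as CIL mnemonics."""
    out, i = [], 0
    while i < len(code):
        name, size = CIL_OPCODES[code[i]]
        operand = code[i + 1:i + 1 + size]
        if size == 1:
            out.append("%s %d" % (name, operand[0]))
        elif size == 4:
            out.append("%s 0x%08X" % (name, int.from_bytes(operand, "little")))
        else:
            out.append(name)
        i += 1 + size
    return out


KEY_LEN = 22   # the 0x16 immediate of `ldc.i4.s` in both patterns


def xor_cycle(buf: bytes, key: bytes) -> bytes:
    """The loop body the patterns compile from: buf[i] ^ key[i % 22].
    In $decrypt_one the key byte comes from a byte[] (ldelem.u1); in
    $decrypt_two it comes back from a method call (callvirt, e.g. a string
    indexer). XOR is its own inverse, so this both encrypts and decrypts."""
    if len(key) != KEY_LEN:
        raise ValueError("pattern hard-codes a %d-byte key" % KEY_LEN)
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(buf))


# "4D5A9" is the start of a hex-encoded PE (MZ header 4D 5A 90); "9A5D4" is the
# same text stored character-reversed, which is why the rule carries both forms.
HEX_PE = re.compile(r"4D5A9[0-9A-Fa-f]*")


def recover_hex_pe(text: str):
    """Decode a hex-text PE whether it is stored forwards or reversed; None if absent."""
    for candidate in (text, text[::-1]):
        m = HEX_PE.search(candidate)
        if m:
            h = m.group(0)
            pe = bytes.fromhex(h if len(h) % 2 == 0 else h[:-1])
            if pe.startswith(b"MZ"):
                return pe
    return None


# Constructed sample: a fake 16-byte "PE" (only the MZ header bytes matter here)
# and a 22-byte key. Neither is taken from a real GaboonGrabber sample.
SAMPLE_PE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_KEY = b"GaboonGrabberKey1234AB"


if __name__ == "__main__":
    print(disassemble(bytes.fromhex("1F 16 5D 91 61")))
    print(disassemble(bytes.fromhex("1F 16 5D 6F 0A 00 00 06 61")))
    reversed_hex = SAMPLE_PE.hex().upper()[::-1]          # what a "9A5D4..." string looks like
    print(recover_hex_pe("junk" + reversed_hex + "junk"))
    print(xor_cycle(xor_cycle(SAMPLE_PE, SAMPLE_KEY), SAMPLE_KEY) == SAMPLE_PE)
```

`recover_hex_pe` deliberately mirrors the rule's case-sensitivity on the five-character anchor (`ascii wide` without `nocase`), while accepting either case for the rest of the hex digits; a real triage script would widen the search to the `#US` heap and also try the reversed-bytes form.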

References
2024-06-06 | ANY.RUN | ANY.RUN: Example Run on ANY.RUN for GaboonGrabber (tags: GaboonGrabber)
2024-03-25 | ANY.RUN | Lena (LambdaMamba): Reverse Engineering Snake Keylogger: Full .NET Malware Analysis Walkthrough, https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ (tags: 404 Keylogger, GaboonGrabber)
Yara Rules
[TLP:WHITE] win_gaboon_grabber_w0 (20240610 | Detects GaboonGrabber that grabs its embedded resource to stage further payloads.)
rule win_gaboon_grabber_w0 {
    meta:
        description = "Detects GaboonGrabber that grabs its embedded resource to stage further payloads."
        author = "Lena Yu aka LambdaMamba"
        reference = "https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/"
        date = "2024-05-29"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gaboon_grabber"
        malpedia_rule_date = "20240610"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20240610"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Hex-encoded PE kept as text ("4D5A9..." = MZ 90 ...), either forwards
        // or with its characters reversed ("...9A5D4")
        $4d5a = "4D5A9" ascii wide
        $a5d4 = "9A5D4" ascii wide

        // CLI metadata stream header for "#US" (user strings) whose size field is
        // 0x01xxxx..0x09xxxx: an unusually large string heap, as when a payload is
        // stored in string literals
        $us_section = {
            00 00
            ?? ?? ( 01 | 02 | 03 | 04 | 05 | 06 | 07 | 08 | 09 )
            00 23 55 53 00
        }

        // ldc.i4.s 22 / rem / ldelem.u1 / xor: buf[i] ^ key[i % 22], key in a byte[]
        $decrypt_one = {
            1F 16
            5D
            91
            61
        }

        // ldc.i4.s 22 / rem / callvirt <token> / xor: same loop, key byte fetched
        // through a method call
        $decrypt_two = {
            1F 16
            5D
            6F ?? ?? ?? ??
            61
        }

        // .resources user-type value (0x40) holding a BinaryFormatter-serialised
        // System.Drawing.Bitmap (library System.Drawing 4.0.0.0) whose "Data"
        // member is a byte[] that starts with an 8-bit RGBA PNG carrying gAMA,
        // pHYs and a 0xFFB2-byte first IDAT chunk
        $steg_png = {
            40 00 01 00 00 00
            FF FF FF FF
            01 00 00 00 00 00 00 00
            0C 02 00 00
            00 51 53 79 73 74 65 6D 2E 44 72 61 77 69 6E 67 2C
            20 56 65 72 73 69 6F 6E 3D 34 2E 30 2E 30 2E 30 2C
            20 43 75 6C 74 75 72 65 3D 6E 65 75 74 72 61 6C 2C
            20 50 75 62 6C 69 63 4B 65 79 54 6F 6B 65 6E 3D 62 30 33 66 35 66 37 66 31 31 64 35 30 61 33 61
            05 01 00 00 00
            15 53 79 73 74 65 6D 2E 44 72 61 77 69 6E 67 2E 42 69 74 6D 61 70
            01 00 00 00
            04 44 61 74 61
            07 02 02 00 00 00
            09 03 00 00 00
            0F 03 00 00 00
            ?? ??
            06 00 02
            89 50 4E 47 0D 0A 1A 0A
            00 00 00 0D 49 48 44 52
            ( 00 00 01 ?? 00 00 01 ?? | 00 00 02 ?? 00 00 02 ?? )
            08 06 00 00 00
            ?? ?? ?? ??
            00 00 00 04 67 41 4D 41
            00 00 B1 8F
            0B FC 61 05
            00 00 00 09 70 48 59 73
            00 00 0E C3 00 00 0E C3
            01 C7 6F A8 64
            00 00 FF B2 49 44 41 54
            78 5E EC
        }

    condition:
        ((uint16(0) == 0x5A4D)) and
        ($steg_png) and
        (($decrypt_one or $decrypt_two) or
        ($us_section and ($4d5a or $a5d4)))
}
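The `$steg_png` hex string above is, byte for byte, a .resources user-type value (`0x40`) wrapping a BinaryFormatter (MS-NRBF) stream of a `System.Drawing.Bitmap` whose single member `Data` is a `byte[]` that begins with a PNG. The following added example (not ANY.RUN's or Malpedia's code) rebuilds that record layout around a constructed PNG and then unwraps it again the way an analyst would when pulling the image out of a sample: walk the NRBF records to the byte array, verify each PNG chunk's CRC, and inflate the pixel data. Record-type values (`0x00` SerializationHeaderRecord, `0x0C` BinaryLibrary, `0x05` ClassWithMembersAndTypes, `0x09` MemberReference, `0x0F` ArraySinglePrimitive, `0x0B` MessageEnd) are from MS-NRBF. The sample resource and the "stage-two" bytes written into its pixels are constructed here; the page does not describe how the real sample encodes its payload in the image, so the example stops at handing back the raw pixel bytes.

```python
import struct
import zlib

LIBRARY = (b"System.Drawing, Version=4.0.0.0, Culture=neutral, "
           b"PublicKeyToken=b03f5f7f11d50a3a")          # the 0x51-byte string in the rule
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def lp_string(s: bytes) -> bytes:
    """MS-NRBF LengthPrefixedString; one-byte count is enough for strings < 128 bytes."""
    assert len(s) < 0x80, "7-bit multi-byte counts not needed for these records"
    return bytes([len(s)]) + s


def read_lp_string(blob: bytes, p: int):
    n = blob[p]                                           # same single-byte count assumption
    return blob[p + 1:p + 1 + n], p + 1 + n


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_png(width: int, height: int, hidden: bytes) -> bytes:
    """8-bit RGBA PNG (IHDR 08 06, as in the rule) with the same gAMA/pHYs chunks.
    Constructed scheme: `hidden` is written straight into the first pixel bytes."""
    row = width * 4
    pixels = hidden.ljust(row * height, b"\x00")
    raw = b"".join(b"\x00" + pixels[r * row:(r + 1) * row] for r in range(height))  # filter 0 per row
    return (PNG_SIG
            + png_chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0))
            + png_chunk(b"gAMA", struct.pack(">I", 45455))
            + png_chunk(b"pHYs", struct.pack(">IIB", 3779, 3779, 1))
            + png_chunk(b"IDAT", zlib.compress(raw, 2))   # level 2 -> zlib header 78 5E as in the rule
            + png_chunk(b"IEND", b""))


def build_sample_resource(png: bytes) -> bytes:
    """Constructed .resources user-type value (0x40) wrapping the NRBF stream, record for record."""
    s = bytearray(b"\x40")
    s += b"\x00" + struct.pack("<iiii", 1, -1, 1, 0)                       # SerializationHeaderRecord
    s += b"\x0C" + struct.pack("<i", 2) + lp_string(LIBRARY)               # BinaryLibrary, id 2
    s += b"\x05" + struct.pack("<i", 1) + lp_string(b"System.Drawing.Bitmap")  # ClassWithMembersAndTypes
    s += struct.pack("<i", 1) + lp_string(b"Data")                         # one member: Data
    s += b"\x07\x02" + struct.pack("<i", 2)                                # PrimitiveArray of Byte; library 2
    s += b"\x09" + struct.pack("<i", 3)                                    # MemberReference -> object 3
    s += b"\x0F" + struct.pack("<ii", 3, len(png)) + b"\x02" + png         # ArraySinglePrimitive(Byte)
    s += b"\x0B"                                                           # MessageEnd
    return bytes(s)


def extract_png_from_bitmap(blob: bytes) -> bytes:
    """Walk from the class name to the byte[] member and return the PNG inside it."""
    p = blob.find(b"\x15System.Drawing.Bitmap")
    if p < 0:
        raise ValueError("no serialised System.Drawing.Bitmap")
    p += 22
    (count,) = struct.unpack_from("<i", blob, p)
    p += 4
    names = []
    for _ in range(count):
        name, p = read_lp_string(blob, p)
        names.append(name)
    if names != [b"Data"] or blob[p:p + 2] != b"\x07\x02":
        raise ValueError("unexpected member layout %r" % names)
    p += 6                                                # type info + library id
    if blob[p] != 0x09 or blob[p + 5] != 0x0F or blob[p + 14] != 0x02:
        raise ValueError("expected MemberReference then ArraySinglePrimitive of Byte")
    (_, length) = struct.unpack_from("<ii", blob, p + 6)
    data = blob[p + 15:p + 15 + length]
    if not data.startswith(PNG_SIG):
        raise ValueError("Data member is not a PNG")
    return data


def parse_png(png: bytes) -> dict:
    """Chunk walk with CRC checks; returns IHDR fields and the unfiltered RGBA bytes
    (8-bit RGBA with filter type 0 only, which is all the constructed sample uses)."""
    p, chunks, idat, ihdr = len(PNG_SIG), [], b"", None
    while p < len(png):
        length, ctype = struct.unpack_from(">I4s", png, p)
        data = png[p + 8:p + 8 + length]
        (crc,) = struct.unpack_from(">I", png, p + 8 + length)
        if zlib.crc32(ctype + data) != crc:
            raise ValueError("CRC mismatch in %s" % ctype.decode())
        chunks.append(ctype.decode())
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", data)
        elif ctype == b"IDAT":
            idat += data
        p += 12 + length
        if ctype == b"IEND":
            break
    width, height, depth, colour = ihdr[:4]
    if (depth, colour) != (8, 6):
        raise NotImplementedError("only 8-bit RGBA handled")
    raw, row = zlib.decompress(idat), width * 4 + 1
    pixels = bytearray()
    for r in range(height):
        line = raw[r * row:(r + 1) * row]
        if line[0] != 0:
            raise NotImplementedError("only filter type 0 handled")
        pixels += line[1:]
    return {"width": width, "height": height, "chunks": chunks, "pixels": bytes(pixels)}
```

Running `parse_png(extract_png_from_bitmap(build_sample_resource(build_png(4, 2, b"stage-two"))))` returns a 4x2 image whose pixel bytes begin with the constructed marker. Against a real sample, anchoring on the `\x15System.Drawing.Bitmap` class-name record rather than on a file offset is what keeps the walk stable across builds; the CRC check catches truncated or patched chunks before `zlib.decompress` is fed garbage.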