win.grabbot

GrabBot


No description of this family is available yet; the only reference on record is the Fortinet write-up listed below.

References
2017-03-17 — Fortinet — David Wang, He Xu
@online{wang:20170317:grabbot:e8dde0d, author = {David Wang and He Xu}, title = {{Grabbot is Back to Nab Your Data}}, date = {2017-03-17}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data}, language = {English}, urldate = {2020-01-06} } Grabbot is Back to Nab Your Data
GrabBot
Yara Rules
[TLP:WHITE] win_grabbot_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_grabbot_auto {

    // `date` is the rule generation date; `malpedia_version` is the corpus
    // snapshot the sample set was taken from (the page header shows the latter).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The per-instruction comments below were re-derived from the hex bytes
     *   of each sequence. The listing originally attached to this rule was
     *   shifted and did not describe the opcodes it was placed next to.
     *   Jump targets are written as signed displacements relative to the end
     *   of the jump instruction (rel8 / rel32), not as absolute addresses.
     * - $sequence_6 (mov ebp, esp; push ecx; push ebx; push edx) and
     *   $sequence_7 (a standard prologue followed by add eax, [eax + 0x3c])
     *   are generic 32-bit code shapes that can appear in unrelated binaries.
     *   The "7 of them" threshold is what keeps the rule specific; do not
     *   lower it when tuning, and do not treat a hit on those two alone as
     *   meaningful.
     * - The condition has no MZ / PE header check. Per the disclaimer the
     *   sequences come from memory dumps and unpacked files, so the rule is
     *   presumably intended to be run against dumped code as well as files;
     *   add a header check only if you scan files exclusively and have
     *   confirmed it does not drop true positives.
     */

    strings:
        // ret 4 closes one routine; the mov that follows is the start of the
        // next adjacent routine, so this pattern spans a function boundary.
        $sequence_0 = { ffd0 c20400 b8ff1f7cc9 50 e8???????? 50 }
            // n = 6, score = 1100
            //   ffd0                 | call                eax
            //   c20400               | ret                 4
            //   b8ff1f7cc9           | mov                 eax, 0xc97c1fff
            //   50                   | push                eax
            //   e8????????           | call                <rel32 wildcarded>
            //   50                   | push                eax

        $sequence_1 = { 663b4706 7362 eb04 8b542414 }
            // n = 4, score = 1100
            //   663b4706             | cmp                 ax, word ptr [edi + 6]
            //   7362                 | jae                 +0x62  (rel8)
            //   eb04                 | jmp                 +4     (rel8)
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]

        $sequence_2 = { 034540 83c002 51 50 51 e8???????? 59 }
            // n = 7, score = 1100
            //   034540               | add                 eax, dword ptr [ebp + 0x40]
            //   83c002               | add                 eax, 2
            //   51                   | push                ecx
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           | call                <rel32 wildcarded>
            //   59                   | pop                 ecx

        // Indirect call through a stack slot ([ebp - 0xc]); presumably a
        // function pointer resolved at runtime and kept in a local - confirm
        // against the sample before relying on that reading.
        $sequence_3 = { 51 668945de 6a00 8d45dc 50 52 ff55f4 }
            // n = 7, score = 1100
            //   51                   | push                ecx
            //   668945de             | mov                 word ptr [ebp - 0x22], ax
            //   6a00                 | push                0
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   52                   | push                edx
            //   ff55f4               | call                dword ptr [ebp - 0xc]

        $sequence_4 = { 8b4d0c 8b10 51 8b4d08 2bfe 51 }
            // n = 6, score = 1100
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   51                   | push                ecx
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   2bfe                 | sub                 edi, esi
            //   51                   | push                ecx

        $sequence_5 = { 7523 8b8c18a0000000 85c9 0f8489000000 }
            // n = 4, score = 1100
            //   7523                 | jne                 +0x23  (rel8)
            //   8b8c18a0000000       | mov                 ecx, dword ptr [eax + ebx + 0xa0]
            //   85c9                 | test                ecx, ecx
            //   0f8489000000         | je                  +0x89  (rel32)

        // Generic: a frame setup plus three register pushes. Low specificity
        // on its own (see REVIEW NOTES).
        $sequence_6 = { 8bec 51 53 52 }
            // n = 4, score = 1100
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   52                   | push                edx

        // Generic prologue followed by add eax, [eax + 0x3c]. 0x3c is the
        // offset of e_lfanew in IMAGE_DOS_HEADER, so if [ebp + 8] is an image
        // base this computes the address of the PE header - a common shape in
        // loaders and export walkers, not specific to this family.
        $sequence_7 = { 55 8bec 51 56 8b4508 03403c }
            // n = 6, score = 1100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   56                   | push                esi
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   03403c               | add                 eax, dword ptr [eax + 0x3c]

        $sequence_8 = { 8b55fc 85d2 0f84ab000000 8b33 }
            // n = 4, score = 1100
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   85d2                 | test                edx, edx
            //   0f84ab000000         | je                  +0xab  (rel32)
            //   8b33                 | mov                 esi, dword ptr [ebx]

        // A 32-bit immediate pushed immediately before a call; it looks like a
        // lookup key (e.g. a hashed API name) but that is an inference - the
        // constant is the distinctive part of this sequence either way.
        $sequence_9 = { 51 53 52 684b49a851 e8???????? 50 }
            // n = 6, score = 1100
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   52                   | push                edx
            //   684b49a851           | push                0x51a8494b
            //   e8????????           | call                <rel32 wildcarded>
            //   50                   | push                eax

    condition:
        // 7 of the 10 sequences must match; no file-type or size guard (see
        // REVIEW NOTES for why).
        7 of them
}