win.lobshot

LOBSHOT


According to PCrisk, LOBSHOT is a Windows malware family whose defining feature is hVNC (Hidden Virtual Network Computing): a remote-control channel that lets an operator drive the victim's machine without the user noticing anything. Because the operator acts from the victim's own host, the hVNC component is effective at evading fraud-detection systems. LOBSHOT is also used for financial crime, combining banking-trojan and information-stealing functionality.

References
2023-07-16 · OALabs · Sergei Frankoff
Lobshot: Lobshot a basic hVNC bot
LOBSHOT
2023-04-25 · Elastic · Daniel Stepanic
Elastic Security Labs discovers the LOBSHOT malware
LOBSHOT
Yara Rules
[TLP:WHITE] win_lobshot_auto (20260504 | Detects win.lobshot.)
rule win_lobshot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.lobshot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lobshot"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // Provenance and operational caveats
    //
    // * Every pattern below was chosen automatically by YARA-Signator
    //   (https://github.com/fxb-cocacoding/yara-signator) from the disassembly
    //   of unpacked files and memory dumps held in Malpedia. Malpedia often has
    //   only a single sample per family, so the patterns may not generalise to
    //   other builds; assign confidence accordingly.
    // * The patterns are raw code bytes of the unpacked payload. Packed or
    //   encrypted droppers on disk will not match - scan unpacked files or
    //   memory dumps.
    // * The condition references `filesize`, which YARA only defines when
    //   scanning a file. In a live process scan the rule therefore cannot fire;
    //   write the memory region to disk first (or drop the size clause in a
    //   local copy, accepting a higher false-positive risk).
    // * All sequences are 32-bit x86 (esp/ebp-relative addressing, IAT calls
    //   via `ff 15 <abs32>`); a 64-bit build of the family needs its own rule.
    // * `??` wildcards stand for the absolute addresses of IAT slots and global
    //   data, which differ per build and per load address.

    strings:
        // Two stack slots zeroed ahead of an indirect (IAT) call, result kept in edi:
        //   mov dword ptr [esp+0x18], 0 ; mov dword ptr [esp+0x1c], 0
        //   call dword ptr [<iat>]      ; mov edi, eax
        $sequence_0 = { C7 44 24 18 00 00 00 00 C7 44 24 1C 00 00 00 00 FF 15 ?? ?? ?? ?? 8B F8 }   // n = 4, score = 200

        // Table walk: dword table at +0xb54 indexed by esi, then a word read indexed by ebx:
        //   inc esi ; mov edx, [ecx+esi*4+0xb54] ; mov ecx, [ebp-4] ; movzx eax, word ptr [ecx+ebx*4]
        $sequence_1 = { 46 8B 94 B1 54 0B 00 00 8B 4D FC 0F B7 04 99 }   // n = 4, score = 200

        // Stack-string construction. The two immediates 0x51535457 / 0x79726575 are the
        // bytes 57 54 53 51 75 65 72 79 = "WTSQuery" written to [esp+0x14] and [esp+0x18],
        // i.e. an API name being assembled on the stack before it is resolved. The rest of
        // the name lies outside the pattern (presumably a WTSQuery* session/token call -
        // confirm in the sample). Of the ten patterns this is the most meaningful to an
        // analyst because it ties the code to session handling used by hVNC-style tooling.
        //   mov esi, [<data>] ; lea eax, [esp+0xc] ; push eax ; push edi
        //   mov dword ptr [esp+0x14], 'WTSQ' ; mov dword ptr [esp+0x18], 'uery'
        $sequence_2 = { 8B 35 ?? ?? ?? ?? 8D 44 24 0C 50 57 C7 44 24 14 57 54 53 51 C7 44 24 18 75 65 72 79 }   // n = 6, score = 200

        // IAT call whose result is tested, with a forward jump (rel8 0x77) on zero:
        //   push eax ; call dword ptr [<iat>] ; mov ebx, eax ; test ebx, ebx ; je +0x77 ; mov edi, [<data>]
        $sequence_3 = { 50 FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 77 8B 3D ?? ?? ?? ?? }   // n = 6, score = 200

        // Two chained IAT calls: the first's non-zero result is pushed as the sole argument
        // of the second (the APIs themselves sit behind the wildcarded slots):
        //   push 0 ; push esi ; call dword ptr [<iat>] ; test eax, eax ; je +0x17 ; push eax ; call dword ptr [<iat>]
        $sequence_4 = { 6A 00 56 FF 15 ?? ?? ?? ?? 85 C0 74 17 50 FF 15 ?? ?? ?? ?? }   // n = 7, score = 200

        // Writes a zero word through the pointer at [esp+0x14] (looks like terminating a
        // wide-char buffer - not verified here), then pushes the address of a local at esp+0x4c:
        //   jne +0x71 ; mov ecx, [esp+0x14] ; xor edx, edx ; mov word ptr [ecx], dx ; lea ecx, [esp+0x4c] ; push ecx
        $sequence_5 = { 75 71 8B 4C 24 14 33 D2 66 89 11 8D 4C 24 4C 51 }   // n = 6, score = 200

        // Loop body storing three bytes per iteration (a word, then a byte at +2) into a
        // global buffer, bounded by a global length, with a short backward jump (rel8 0x91):
        //   xor ebp, ebp ; mov word ptr [ecx+eax], di ; mov ecx, [<data>]
        //   mov byte ptr [ecx+eax+2], dl ; add eax, 3 ; cmp eax, [<data>] ; jb -0x6f
        $sequence_6 = { 33 ED 66 89 3C 01 8B 0D ?? ?? ?? ?? 88 54 01 02 83 C0 03 3B 05 ?? ?? ?? ?? 72 91 }   // n = 7, score = 200

        // Consumes two input bytes per step, subtracts 'a' (0x61) from one and shifts a
        // nibble left by four - consistent with decoding a lowercase-letter text encoding
        // (two characters per output byte); treat that reading as a hypothesis:
        //   mov bl, [edx+1] ; lea edx, [edx+2] ; sub bl, 0x61 ; test edi, edi ; je +0x17 ; shl al, 4 ; sub al, 0x10
        $sequence_7 = { 8A 5A 01 8D 52 02 80 EB 61 85 FF 74 17 C0 E0 04 2C 10 }   // n = 7, score = 200

        // Word store into a buffer indexed by esi*2 (2-byte elements), then two adjacent
        // fields (+0x3c, +0x40) loaded from a structure held in edi:
        //   mov [ebp+8], ecx ; mov word ptr [eax+esi*2], cx ; mov edx, [edi+0x40] ; mov ecx, [edi+0x3c]
        $sequence_8 = { 89 4D 08 66 89 0C 70 8B 57 40 8B 4F 3C }   // n = 4, score = 200

        // Function epilogue: stores a byte, increments a counter at +0x14, zeroes two fields
        // at +0x16b0 / +0x16b4 of the object in esi, restores esi and returns:
        //   mov [edx+ecx], al ; inc dword ptr [esi+0x14] ; xor eax, eax
        //   and dword ptr [esi+0x16b4], eax ; mov word ptr [esi+0x16b0], ax ; pop esi ; ret
        $sequence_9 = { 88 04 0A FF 46 14 33 C0 21 86 B4 16 00 00 66 89 86 B0 16 00 00 5E C3 }   // n = 7, score = 200

    condition:
        // Seven of the ten code sequences, and a size cap of 247808 bytes (242 KiB) that
        // keeps the rule from being evaluated against large unrelated files. See the
        // note above on `filesize` being undefined in process scans.
        7 of them and filesize < 247808
}