win.lobshot

LOBSHOT


According to PCrisk, LOBSHOT is malware that includes an hVNC (Hidden Virtual Network Computing) component, which lets attackers access a victim's computer without being noticed; the hVNC component is effective at evading fraud-detection systems. LOBSHOT is also used to carry out financial crimes through its banking-trojan and information-stealing functionality.

References
2023-07-16, OALabs, Sergei Frankoff
@online{frankoff:20230716:lobshot:fc9d3c4, author = {Sergei Frankoff}, title = {{Lobshot: Lobshot a basic hVNC bot}}, date = {2023-07-16}, organization = {OALabs}, url = {https://research.openanalysis.net/lobshot/bot/hvnc/triage/2023/07/16/lobshot.html}, language = {English}, urldate = {2023-07-21} } Lobshot: Lobshot a basic hVNC bot
LOBSHOT
2023-04-25, Elastic, Daniel Stepanic
@online{stepanic:20230425:elastic:ba5ce00, author = {Daniel Stepanic}, title = {{Elastic Security Labs discovers the LOBSHOT malware}}, date = {2023-04-25}, organization = {Elastic}, url = {https://www.elastic.co/de/security-labs/elastic-security-labs-discovers-lobshot-malware}, language = {English}, urldate = {2023-04-26} } Elastic Security Labs discovers the LOBSHOT malware
LOBSHOT
Yara Rules
[TLP:WHITE] win_lobshot_auto (20230715 | Detects win.lobshot.)
rule win_lobshot_auto {

    // Auto-generated Malpedia rule for the LOBSHOT family (win.lobshot).
    // It fires when at least 7 of the 10 code-byte sequences declared below
    // are present in a scanned object smaller than 247808 bytes (see condition).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.lobshot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lobshot"
        // NOTE(review): date, malpedia_rule_date and malpedia_version carry
        // three different dates; they are emitted by the generator and kept as-is.
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of 32-bit x86 instruction bytes; the
    // disassembly of every instruction is listed beneath it ("n" is the
    // instruction count, "score" the generator's selection score).
    // "??" marks a wildcarded byte. Here the wildcards appear to cover the
    // operands of call/jmp and absolute-address memory references, whose
    // values differ between builds, which is why the listing shows no
    // disassembly for those instructions.
    strings:
        $sequence_0 = { 8b55e8 8b430c 893c88 41 83ea01 75f4 8b55f0 }
            // n = 7, score = 100
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   8b430c               | mov                 eax, dword ptr [ebx + 0xc]
            //   893c88               | mov                 dword ptr [eax + ecx*4], edi
            //   41                   | inc                 ecx
            //   83ea01               | sub                 edx, 1
            //   75f4                 | jne                 0xfffffff6
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]

        $sequence_1 = { 7d04 3bc3 7461 3bf2 8b5508 7d0a 6601b481740a0000 }
            // n = 7, score = 100
            //   7d04                 | jge                 6
            //   3bc3                 | cmp                 eax, ebx
            //   7461                 | je                  0x63
            //   3bf2                 | cmp                 esi, edx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   7d0a                 | jge                 0xc
            //   6601b481740a0000     | add                 word ptr [ecx + eax*4 + 0xa74], si

        $sequence_2 = { 8d5f14 8b13 668bc6 66d3e0 660987b0160000 8d4708 8b08 }
            // n = 7, score = 100
            //   8d5f14               | lea                 ebx, [edi + 0x14]
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   668bc6               | mov                 ax, si
            //   66d3e0               | shl                 ax, cl
            //   660987b0160000       | or                  word ptr [edi + 0x16b0], ax
            //   8d4708               | lea                 eax, [edi + 8]
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_3 = { 56 57 660fefc8 50 0f114c2410 ffd3 8bf8 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   660fefc8             | pxor                xmm1, xmm0
            //   50                   | push                eax
            //   0f114c2410           | movups              xmmword ptr [esp + 0x10], xmm1
            //   ffd3                 | call                ebx
            //   8bf8                 | mov                 edi, eax

        $sequence_4 = { e8???????? 85c0 7409 8b5c2414 e9???????? 33c9 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   e9????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     

        $sequence_5 = { 0f42c8 33ff 894d08 47 8b4e6c 3bcf 771f }
            // n = 7, score = 100
            //   0f42c8               | cmovb               ecx, eax
            //   33ff                 | xor                 edi, edi
            //   894d08               | mov                 dword ptr [ebp + 8], ecx
            //   47                   | inc                 edi
            //   8b4e6c               | mov                 ecx, dword ptr [esi + 0x6c]
            //   3bcf                 | cmp                 ecx, edi
            //   771f                 | ja                  0x21

        $sequence_6 = { 68???????? c605????????06 893d???????? 891d???????? ff15???????? 5b }
            // n = 6, score = 100
            //   68????????           |                     
            //   c605????????06       |                     
            //   893d????????         |                     
            //   891d????????         |                     
            //   ff15????????         |                     
            //   5b                   | pop                 ebx
            // NOTE(review): five of the six instructions have wildcarded
            // operands, so this sequence carries little specificity on its own;
            // the condition's "7 of them" threshold is what keeps it from
            // matching alone.

        $sequence_7 = { 8b8600034100 8b3c85307a4100 8d842458020000 57 50 ffd3 57 }
            // n = 7, score = 100
            //   8b8600034100         | mov                 eax, dword ptr [esi + 0x410300]
            //   8b3c85307a4100       | mov                 edi, dword ptr [eax*4 + 0x417a30]
            //   8d842458020000       | lea                 eax, [esp + 0x258]
            //   57                   | push                edi
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   57                   | push                edi
            // NOTE(review): the first two instructions embed absolute addresses
            // (0x410300, 0x417a30) rather than wildcards, so this sequence is
            // tied to the image base of the sample it was extracted from and
            // may not match rebased or rebuilt variants.

        $sequence_8 = { 8b4df8 6a10 5a 2bd0 0fb7c1 8b4dec 8945dc }
            // n = 7, score = 100
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   6a10                 | push                0x10
            //   5a                   | pop                 edx
            //   2bd0                 | sub                 edx, eax
            //   0fb7c1               | movzx               eax, cx
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax

        $sequence_9 = { 6a1d 6aff 6a00 6689836c030000 ff15???????? 84c0 7407 }
            // n = 7, score = 100
            //   6a1d                 | push                0x1d
            //   6aff                 | push                -1
            //   6a00                 | push                0
            //   6689836c030000       | mov                 word ptr [ebx + 0x36c], ax
            //   ff15????????         |                     
            //   84c0                 | test                al, al
            //   7407                 | je                  9

    condition:
        // At least 7 of the 10 sequences must be present. The size bound
        // (247808 bytes, i.e. 242 KiB) restricts the rule to small objects.
        // NOTE(review): per the YARA documentation, filesize is undefined when
        // scanning process memory, so this rule would not fire in a process
        // scan -- confirm against the YARA version in use before relying on it
        // for memory-based detection.
        7 of them and filesize < 247808
}