win.mylobot

MyloBot

aka: FakeDGA, WillExec

According to PCrisk, MyloBot is a high-risk trojan-type virus that allows cyber criminals to control the infected machine. MyloBot can be considered a botnet, since all infected computers are connected to a single network. Depending on the cyber criminals' goals, infected machines might be misused or have additional infections applied.

References

2023-02-13 | BitSight | Stanislas Arnoud
@online{arnoud:20230213:mylobot:c81a83d, author = {Stanislas Arnoud}, title = {{Mylobot: Investigating a proxy botnet}}, date = {2023-02-13}, organization = {BitSight}, url = {https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet}, language = {English}, urldate = {2023-02-14} }

2021-01-13 | Akamai | Yael Daihes
@online{daihes:20210113:detecting:a348691, author = {Yael Daihes}, title = {{Detecting Mylobot, unseen DGA based malware, using Deep Learning}}, date = {2021-01-13}, organization = {Akamai}, url = {https://blogs.akamai.com/sitr/2021/01/detecting-mylobot-unseen-dga-based-malware-using-deep-learning.html}, language = {English}, urldate = {2021-01-26} }

2018-11-15 | Centurylink | Black Lotus Labs
@online{labs:20181115:mylobot:4f8ccb3, author = {Black Lotus Labs}, title = {{Mylobot Continues Global Infections}}, date = {2018-11-15}, organization = {Centurylink}, url = {https://blog.centurylink.com/mylobot-continues-global-infections/}, language = {English}, urldate = {2019-12-24} }

2018-06-20 | Deep Instinct | Dalya Guttman
@online{guttman:20180620:meet:6ecec40, author = {Dalya Guttman}, title = {{Meet MyloBot – A New Highly Sophisticated Never-Seen-Before Botnet That’s Out In The Wild}}, date = {2018-06-20}, organization = {Deep Instinct}, url = {https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/}, language = {English}, urldate = {2021-11-19} }

2017-11-08 | Freebuf | Security Leopard
@online{leopard:20171108:analysis:a6a1a01, author = {Security Leopard}, title = {{Analysis of an active USB flash drive virus}}, date = {2017-11-08}, organization = {Freebuf}, url = {http://www.freebuf.com/column/153424.html}, language = {Chinese}, urldate = {2020-01-13} }

2017-10-27 | Cisco Talos | Cisco Talos
@online{talos:20171027:threat:ed694fa, author = {Cisco Talos}, title = {{Threat Round Up for Oct 20 - Oct 27}}, date = {2017-10-27}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html}, language = {English}, urldate = {2019-07-11} }

2017-05-27 | Netlab | suqitian
@online{suqitian:20170527:from:6c80cf6, author = {suqitian}, title = {{From PDNS: Another fix length of 7, a-z. tlds: [ru, com]}}, date = {2017-05-27}, organization = {Netlab}, url = {https://github.com/360netlab/DGA/issues/36}, language = {English}, urldate = {2023-05-15} }
Yara Rules
[TLP:WHITE] win_mylobot_auto (20230715 | Detects win.mylobot.)
rule win_mylobot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.mylobot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 83a33410000000 59 59 e9???????? ff74240c }
            // n = 6, score = 1000
            //   e8????????           |                     
            //   83a33410000000       | and                 dword ptr [ebx + 0x1034], 0
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   e9????????           |                     
            //   ff74240c             | push                dword ptr [esp + 0xc]

        $sequence_1 = { e8???????? 83c414 eb19 a1???????? 68d0070000 }
            // n = 5, score = 1000
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   eb19                 | jmp                 0x1b
            //   a1????????           |                     
            //   68d0070000           | push                0x7d0

        $sequence_2 = { 50 e8???????? 83c414 33c0 40 eb02 33c0 }
            // n = 7, score = 1000
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_3 = { 50 43 e8???????? d1e8 59 3bd8 72db }
            // n = 7, score = 1000
            //   50                   | push                eax
            //   43                   | inc                 ebx
            //   e8????????           |                     
            //   d1e8                 | shr                 eax, 1
            //   59                   | pop                 ecx
            //   3bd8                 | cmp                 ebx, eax
            //   72db                 | jb                  0xffffffdd

        $sequence_4 = { 7535 8bdf 83fb78 7417 68e8030000 43 ff15???????? }
            // n = 7, score = 1000
            //   7535                 | jne                 0x37
            //   8bdf                 | mov                 ebx, edi
            //   83fb78               | cmp                 ebx, 0x78
            //   7417                 | je                  0x19
            //   68e8030000           | push                0x3e8
            //   43                   | inc                 ebx
            //   ff15????????         |                     

        $sequence_5 = { 50 a1???????? 55 ff742438 56 }
            // n = 5, score = 1000
            //   50                   | push                eax
            //   a1????????           |                     
            //   55                   | push                ebp
            //   ff742438             | push                dword ptr [esp + 0x38]
            //   56                   | push                esi

        $sequence_6 = { 33ed 8b03 8b5304 89542418 0fb74814 }
            // n = 5, score = 1000
            //   33ed                 | xor                 ebp, ebp
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8b5304               | mov                 edx, dword ptr [ebx + 4]
            //   89542418             | mov                 dword ptr [esp + 0x18], edx
            //   0fb74814             | movzx               ecx, word ptr [eax + 0x14]

        $sequence_7 = { 7422 6a09 57 ff15???????? }
            // n = 4, score = 1000
            //   7422                 | je                  0x24
            //   6a09                 | push                9
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_8 = { 8995e8feffff c785e0feffff02000000 6a00 6a00 8d8de0feffff }
            // n = 5, score = 800
            //   8995e8feffff         | mov                 dword ptr [ebp - 0x118], edx
            //   c785e0feffff02000000     | mov    dword ptr [ebp - 0x120], 2
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d8de0feffff         | lea                 ecx, [ebp - 0x120]

        $sequence_9 = { 668986d6000000 7508 ff44240c 33db eb7c 50 }
            // n = 6, score = 800
            //   668986d6000000       | mov                 word ptr [esi + 0xd6], ax
            //   7508                 | jne                 0xa
            //   ff44240c             | inc                 dword ptr [esp + 0xc]
            //   33db                 | xor                 ebx, ebx
            //   eb7c                 | jmp                 0x7e
            //   50                   | push                eax

        $sequence_10 = { 53 53 52 ff15???????? 8b75ec 3bf3 }
            // n = 6, score = 800
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   3bf3                 | cmp                 esi, ebx

        $sequence_11 = { 8dbdf0fdffff 83c7fe 8d9b00000000 668b4702 }
            // n = 4, score = 800
            //   8dbdf0fdffff         | lea                 edi, [ebp - 0x210]
            //   83c7fe               | add                 edi, -2
            //   8d9b00000000         | lea                 ebx, [ebx]
            //   668b4702             | mov                 ax, word ptr [edi + 2]

        $sequence_12 = { 8b4610 8b4e18 6a00 6800800000 50 }
            // n = 5, score = 800
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   8b4e18               | mov                 ecx, dword ptr [esi + 0x18]
            //   6a00                 | push                0
            //   6800800000           | push                0x8000
            //   50                   | push                eax

        $sequence_13 = { 53 56 57 68ff000000 8d85ddfdffff 32db }
            // n = 6, score = 800
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   68ff000000           | push                0xff
            //   8d85ddfdffff         | lea                 eax, [ebp - 0x223]
            //   32db                 | xor                 bl, bl

        $sequence_14 = { 6a02 6a2a ff15???????? 8b1d???????? 83c408 }
            // n = 5, score = 800
            //   6a02                 | push                2
            //   6a2a                 | push                0x2a
            //   ff15????????         |                     
            //   8b1d????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_15 = { c1e810 56 85c0 750e 81e2ffff0000 2b5310 e9???????? }
            // n = 7, score = 800
            //   c1e810               | shr                 eax, 0x10
            //   56                   | push                esi
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   81e2ffff0000         | and                 edx, 0xffff
            //   2b5310               | sub                 edx, dword ptr [ebx + 0x10]
            //   e9????????           |                     

    condition:
        7 of them and filesize < 8028160
}