SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mylobot (Back to overview)

MyloBot

aka: FakeDGA, WillExec

There is no description at this point.

References
2021-01-13AkamaiYael Daihes
@online{daihes:20210113:detecting:a348691, author = {Yael Daihes}, title = {{Detecting Mylobot, unseen DGA based malware, using Deep Learning}}, date = {2021-01-13}, organization = {Akamai}, url = {https://blogs.akamai.com/sitr/2021/01/detecting-mylobot-unseen-dga-based-malware-using-deep-learning.html}, language = {English}, urldate = {2021-01-26} } Detecting Mylobot, unseen DGA based malware, using Deep Learning
MyloBot
2018-11-15CenturylinkLabsBlack Lotus Labs
@online{labs:20181115:mylobot:4f8ccb3, author = {LabsBlack Lotus Labs}, title = {{Mylobot Continues Global Infections}}, date = {2018-11-15}, organization = {Centurylink}, url = {https://blog.centurylink.com/mylobot-continues-global-infections/}, language = {English}, urldate = {2019-12-24} } Mylobot Continues Global Infections
MyloBot
2018-06-20Deep instinctDalya Guttman
@online{guttman:20180620:meet:6ecec40, author = {Dalya Guttman}, title = {{Meet MyloBot – A New Highly Sophisticated Never-Seen-Before Botnet That’s Out In The Wild}}, date = {2018-06-20}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/}, language = {English}, urldate = {2021-11-19} } Meet MyloBot – A New Highly Sophisticated Never-Seen-Before Botnet That’s Out In The Wild
MyloBot
2017-11-08FreebufSecurity Leopard
@online{leopard:20171108:analysis:a6a1a01, author = {Security Leopard}, title = {{Analysis of an active USB flash drive virus}}, date = {2017-11-08}, organization = {Freebuf}, url = {http://www.freebuf.com/column/153424.html}, language = {Chinese}, urldate = {2020-01-13} } Analysis of an active USB flash drive virus
MyloBot
2017-10-27Cisco TalosCisco Talos
@online{talos:20171027:threat:ed694fa, author = {Cisco Talos}, title = {{Threat Round Up for Oct 20 - Oct 27}}, date = {2017-10-27}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html}, language = {English}, urldate = {2019-07-11} } Threat Round Up for Oct 20 - Oct 27
MyloBot
2017-05-27360netlabsuqitian
@online{suqitian:20170527:from:6c80cf6, author = {suqitian}, title = {{From PDNS: Another fix length of 7, a-z. tlds: [ru, com]}}, date = {2017-05-27}, organization = {360netlab}, url = {https://github.com/360netlab/DGA/issues/36}, language = {English}, urldate = {2019-10-23} } From PDNS: Another fix length of 7, a-z. tlds: [ru, com]
MyloBot
Yara Rules
[TLP:WHITE] win_mylobot_auto (20220411 | Detects win.mylobot.)
rule win_mylobot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.mylobot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7d04 c6062d 46 c60600 4e eb0a 8a0f }
            // n = 7, score = 1000
            //   7d04                 | jge                 6
            //   c6062d               | mov                 byte ptr [esi], 0x2d
            //   46                   | inc                 esi
            //   c60600               | mov                 byte ptr [esi], 0
            //   4e                   | dec                 esi
            //   eb0a                 | jmp                 0xc
            //   8a0f                 | mov                 cl, byte ptr [edi]

        $sequence_1 = { 81c41c040000 c20400 55 8d44241c 50 a1???????? ffb070010000 }
            // n = 7, score = 1000
            //   81c41c040000         | add                 esp, 0x41c
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8d44241c             | lea                 eax, dword ptr [esp + 0x1c]
            //   50                   | push                eax
            //   a1????????           |                     
            //   ffb070010000         | push                dword ptr [eax + 0x170]

        $sequence_2 = { 5e 8bc1 5b c3 55 8bec 51 }
            // n = 7, score = 1000
            //   5e                   | pop                 esi
            //   8bc1                 | mov                 eax, ecx
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx

        $sequence_3 = { 7522 43 3b5c2410 76a4 a1???????? 57 ff9084000000 }
            // n = 7, score = 1000
            //   7522                 | jne                 0x24
            //   43                   | inc                 ebx
            //   3b5c2410             | cmp                 ebx, dword ptr [esp + 0x10]
            //   76a4                 | jbe                 0xffffffa6
            //   a1????????           |                     
            //   57                   | push                edi
            //   ff9084000000         | call                dword ptr [eax + 0x84]

        $sequence_4 = { 56 ffd3 8b0d???????? 55 89813c010000 8d442414 50 }
            // n = 7, score = 1000
            //   56                   | push                esi
            //   ffd3                 | call                ebx
            //   8b0d????????         |                     
            //   55                   | push                ebp
            //   89813c010000         | mov                 dword ptr [ecx + 0x13c], eax
            //   8d442414             | lea                 eax, dword ptr [esp + 0x14]
            //   50                   | push                eax

        $sequence_5 = { 85c0 7557 56 8d85f8fdffff 6804010000 50 e8???????? }
            // n = 7, score = 1000
            //   85c0                 | test                eax, eax
            //   7557                 | jne                 0x59
            //   56                   | push                esi
            //   8d85f8fdffff         | lea                 eax, dword ptr [ebp - 0x208]
            //   6804010000           | push                0x104
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_6 = { 85c0 74d5 3975fc 75d0 8d45f8 50 6a40 }
            // n = 7, score = 1000
            //   85c0                 | test                eax, eax
            //   74d5                 | je                  0xffffffd7
            //   3975fc               | cmp                 dword ptr [ebp - 4], esi
            //   75d0                 | jne                 0xffffffd2
            //   8d45f8               | lea                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   6a40                 | push                0x40

        $sequence_7 = { 56 8b7510 56 6a00 ff750c e8???????? 8b5d08 }
            // n = 7, score = 1000
            //   56                   | push                esi
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   56                   | push                esi
            //   6a00                 | push                0
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]

        $sequence_8 = { 83e201 8d8578f9ffff 51 52 50 8d8db4fbffff }
            // n = 6, score = 800
            //   83e201               | and                 edx, 1
            //   8d8578f9ffff         | lea                 eax, dword ptr [ebp - 0x688]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   50                   | push                eax
            //   8d8db4fbffff         | lea                 ecx, dword ptr [ebp - 0x44c]

        $sequence_9 = { 3c02 740a b857000000 5e 8be5 5d c3 }
            // n = 7, score = 800
            //   3c02                 | cmp                 al, 2
            //   740a                 | je                  0xc
            //   b857000000           | mov                 eax, 0x57
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_10 = { 7c05 b805400080 5f 5e 5b }
            // n = 5, score = 800
            //   7c05                 | jl                  7
            //   b805400080           | mov                 eax, 0x80004005
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_11 = { 8bf0 85f6 787f 8b45f4 85c0 }
            // n = 5, score = 800
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   787f                 | js                  0x81
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   85c0                 | test                eax, eax

        $sequence_12 = { 85c0 0f88e1000000 6a00 6a00 6a00 6a03 }
            // n = 6, score = 800
            //   85c0                 | test                eax, eax
            //   0f88e1000000         | js                  0xe7
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a03                 | push                3

        $sequence_13 = { c745f400000000 c745f000000000 743d 8b45fc 8b10 }
            // n = 5, score = 800
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   743d                 | je                  0x3f
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b10                 | mov                 edx, dword ptr [eax]

        $sequence_14 = { 8b4508 8b480c 83b9f800000000 7540 68???????? }
            // n = 5, score = 800
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b480c               | mov                 ecx, dword ptr [eax + 0xc]
            //   83b9f800000000       | cmp                 dword ptr [ecx + 0xf8], 0
            //   7540                 | jne                 0x42
            //   68????????           |                     

        $sequence_15 = { 50 ffd6 83c802 50 8d8dd8fdffff 51 }
            // n = 6, score = 800
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   83c802               | or                  eax, 2
            //   50                   | push                eax
            //   8d8dd8fdffff         | lea                 ecx, dword ptr [ebp - 0x228]
            //   51                   | push                ecx

    condition:
        7 of them and filesize < 8028160
}
Download all Yara Rules