win.ngioweb

Ngioweb

aka: Grobios

There is no description at this point.

References
2018-08-05 — Check Point — Alexey Bukhteyev
@online{bukhteyev:20180805:ramnits:1268bad, author = {Alexey Bukhteyev}, title = {{Ramnit’s Network of Proxy Servers}}, date = {2018-08-05}, organization = {Check Point}, url = {https://research.checkpoint.com/ramnits-network-proxy-servers/}, language = {English}, urldate = {2020-01-09} } Ramnit’s Network of Proxy Servers
Ngioweb Ramnit
2018-05-14 — FireEye — Irshad Muhammad, Shahzad Ahmed, Hassan Faizan, Zain Gardezi
@online{muhammad:20180514:deep:d434cb2, author = {Irshad Muhammad and Shahzad Ahmed and Hassan Faizan and Zain Gardezi}, title = {{A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan}}, date = {2018-05-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html}, language = {English}, urldate = {2019-12-20} } A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan
Ngioweb
Yara Rules
[TLP:WHITE] win_ngioweb_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_ngioweb_auto {

    /* Purpose: detect win.ngioweb (aka Grobios, per the page header) by matching
     * short x86 code sequences that yara-signator extracted from the Malpedia
     * sample referenced in `meta` (the disclaimer below notes this is often a
     * single sample per family). Ten hex sequences are defined; the condition
     * requires any 7 of them plus a file-size cap, so one or two sequences
     * missing (e.g. after recompilation) do not by themselves defeat a match.
     * In the hex strings, "??" is a YARA wildcard byte: operands that vary
     * between builds (relocated addresses, relative call targets) are masked.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Per-sequence notes: "n" is the number of instructions in the sequence and
     * "score" is yara-signator's selection score for it. The interpretations
     * below are read from the disassembly shown and are NOT confirmed against
     * the sample; treat them as orientation for an analyst, not as fact.
     */

    strings:
        // Compares a local to 2, then writes 0x70 ('p') and 0x64 ('d') into
        // adjacent stack bytes — looks like an in-place byte/string build.
        $sequence_0 = { 7406 837dfc02 7530 57 56 c6451270 c6451164 }
            // n = 7, score = 500
            //   7406                 | je                  8
            //   837dfc02             | cmp                 dword ptr [ebp - 4], 2
            //   7530                 | jne                 0x32
            //   57                   | push                edi
            //   56                   | push                esi
            //   c6451270             | mov                 byte ptr [ebp + 0x12], 0x70
            //   c6451164             | mov                 byte ptr [ebp + 0x11], 0x64

        // Call with masked rel32 target (e8 ????????), low result byte saved to a
        // local, then "ror ecx, 8" — consistent with a byte-wise rotate/mix loop
        // (e.g. a hash or encoding step); unverified.
        $sequence_1 = { 8bc7 8bcb e8???????? 8845f9 8bcb c1c908 8bc7 }
            // n = 7, score = 500
            //   8bc7                 | mov                 eax, edi
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8845f9               | mov                 byte ptr [ebp - 7], al
            //   8bcb                 | mov                 ecx, ebx
            //   c1c908               | ror                 ecx, 8
            //   8bc7                 | mov                 eax, edi

        // Seven consecutive byte stores to [ebp-0x158 .. ebp-0x152]: a constant
        // table being laid out on the stack (compare $sequence_8).
        $sequence_2 = { 8885a8feffff 8885a9feffff c685aafeffff01 c685abfeffff01 c685acfeffffc0 c685adfeffffc2 c685aefeffff10 }
            // n = 7, score = 500
            //   8885a8feffff         | mov                 byte ptr [ebp - 0x158], al
            //   8885a9feffff         | mov                 byte ptr [ebp - 0x157], al
            //   c685aafeffff01       | mov                 byte ptr [ebp - 0x156], 1
            //   c685abfeffff01       | mov                 byte ptr [ebp - 0x155], 1
            //   c685acfeffffc0       | mov                 byte ptr [ebp - 0x154], 0xc0
            //   c685adfeffffc2       | mov                 byte ptr [ebp - 0x153], 0xc2
            //   c685aefeffff10       | mov                 byte ptr [ebp - 0x152], 0x10

        // Zeroes esi, pushes 0 and 4 as arguments, clears two locals, then calls
        // a masked target — a generic call prologue; weak on its own.
        $sequence_3 = { 56 33f6 56 6a04 8975fc 8975f8 e8???????? }
            // n = 7, score = 500
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   56                   | push                esi
            //   6a04                 | push                4
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   e8????????           |                     

        // Signed branch, then a null check on the third stack argument
        // ([ebp+0x10]) before dereferencing it and pushing arguments.
        $sequence_4 = { 0f8c83000000 8b4510 3bc3 747c 8b08 53 ff7508 }
            // n = 7, score = 500
            //   0f8c83000000         | jl                  0x89
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   3bc3                 | cmp                 eax, ebx
            //   747c                 | je                  0x7e
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   53                   | push                ebx
            //   ff7508               | push                dword ptr [ebp + 8]

        // Indirect "call eax" followed by masked imm32 pushes (68 ????????, i.e.
        // relocatable addresses) and a fixed constant 0x44ac5182 — the constant is
        // the distinctive part of this sequence.
        $sequence_5 = { ffd0 68???????? 53 56 e8???????? 68???????? 688251ac44 }
            // n = 7, score = 500
            //   ffd0                 | call                eax
            //   68????????           |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   68????????           |                     
            //   688251ac44           | push                0x44ac5182

        // Result of a masked call loaded into edi, null-checked, passed to a
        // second masked call, then added to a local.
        $sequence_6 = { e8???????? 8b7dfc 3bfb 7434 57 e8???????? 0345fc }
            // n = 7, score = 500
            //   e8????????           |                     
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   3bfb                 | cmp                 edi, ebx
            //   7434                 | je                  0x36
            //   57                   | push                edi
            //   e8????????           |                     
            //   0345fc               | add                 eax, dword ptr [ebp - 4]

        // "ret 0x10" ends the previous function; the next one starts by reading
        // fs:[0x30] (on 32-bit Windows this TEB slot holds the PEB pointer) and
        // testing it for null. Common in hand-written loaders, so corroborate
        // with the other sequences rather than weighting this one alone.
        $sequence_7 = { c21000 64a130000000 85c0 53 56 57 7432 }
            // n = 7, score = 500
            //   c21000               | ret                 0x10
            //   64a130000000         | mov                 eax, dword ptr fs:[0x30]
            //   85c0                 | test                eax, eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   7432                 | je                  0x34

        // Seven consecutive immediate byte stores to [ebp-0x1da .. ebp-0x1d4]:
        // another stack-resident constant table (see $sequence_2).
        $sequence_8 = { c68526feffffa8 c68527feffffaa c68528feffffc3 c68529feffffc3 c6852afeffff96 c6852bfeffff96 c6852cfeffffb7 }
            // n = 7, score = 500
            //   c68526feffffa8       | mov                 byte ptr [ebp - 0x1da], 0xa8
            //   c68527feffffaa       | mov                 byte ptr [ebp - 0x1d9], 0xaa
            //   c68528feffffc3       | mov                 byte ptr [ebp - 0x1d8], 0xc3
            //   c68529feffffc3       | mov                 byte ptr [ebp - 0x1d7], 0xc3
            //   c6852afeffff96       | mov                 byte ptr [ebp - 0x1d6], 0x96
            //   c6852bfeffff96       | mov                 byte ptr [ebp - 0x1d5], 0x96
            //   c6852cfeffffb7       | mov                 byte ptr [ebp - 0x1d4], 0xb7

        // "sub al, 0x41; cmp al, 0x19" is the classic uppercase-ASCII range test
        // ('A' = 0x41, 25 = 'Z' - 'A'), preceded by a check that a string byte
        // at [esi+edi+1] is a terminator — looks like text/token parsing.
        $sequence_9 = { 83fb02 7514 807c3e0100 750d 8a4513 2c41 3c19 }
            // n = 7, score = 500
            //   83fb02               | cmp                 ebx, 2
            //   7514                 | jne                 0x16
            //   807c3e0100           | cmp                 byte ptr [esi + edi + 1], 0
            //   750d                 | jne                 0xf
            //   8a4513               | mov                 al, byte ptr [ebp + 0x13]
            //   2c41                 | sub                 al, 0x41
            //   3c19                 | cmp                 al, 0x19

    condition:
        // Any 7 of the 10 sequences, and the scanned object must be under
        // 204800 bytes (200 KiB). Note the cap is applied to whatever YARA is
        // given: a large memory dump or a padded/packed container will not match
        // even if every sequence is present.
        7 of them and filesize < 204800
}