win.ngioweb

Ngioweb

aka: Grobios

There is no description at this point.

References
2018-08-05Check PointAlexey Bukhteyev
@online{bukhteyev:20180805:ramnits:1268bad, author = {Alexey Bukhteyev}, title = {{Ramnit’s Network of Proxy Servers}}, date = {2018-08-05}, organization = {Check Point}, url = {https://research.checkpoint.com/ramnits-network-proxy-servers/}, language = {English}, urldate = {2020-01-09} } Ramnit’s Network of Proxy Servers
Ngioweb Ramnit
2018-05-14FireEyeIrshad Muhammad, Shahzad Ahmed, Hassan Faizan, Zain Gardezi
@online{muhammad:20180514:deep:d434cb2, author = {Irshad Muhammad and Shahzad Ahmed and Hassan Faizan and Zain Gardezi}, title = {{A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan}}, date = {2018-05-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html}, language = {English}, urldate = {2019-12-20} } A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan
Ngioweb
Yara Rules
[TLP:WHITE] win_ngioweb_auto (20220808 | Detects win.ngioweb.)
// Autogenerated YARA-Signator rule for the win.ngioweb family (Malpedia).
// Matches on ten short x86 (32-bit) opcode sequences lifted from the
// disassembly of the samples listed on Malpedia; the condition requires 7 of
// the 10 sequences to be present AND the scanned file to be smaller than
// 204800 bytes (200 KiB). See the DISCLAIMER block below on how the strings
// were selected before assigning a confidence level to hits.
rule win_ngioweb_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.ngioweb."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator was allowed to use when picking sequences.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a hex pattern of consecutive instructions.
        // "e8????????" wildcards the rel32 operand of a CALL, so the pattern
        // survives relocation / different call targets; the disassembly column
        // for those bytes is intentionally left empty below.
        // "n" is the instruction count, "score" the generator's ranking value.
        $sequence_0 = { 53 33db 3bc3 56 895dfc }
            // n = 5, score = 500
            //   53                   | push                ebx
            //   33db                 | xor                 ebx, ebx
            //   3bc3                 | cmp                 eax, ebx
            //   56                   | push                esi
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx

        $sequence_1 = { 50 e8???????? 53 ff75f8 e8???????? ff75f8 }
            // n = 6, score = 500
            //   50                   | push                eax
            //   e8????????           |                     
            //   53                   | push                ebx
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   e8????????           |                     
            //   ff75f8               | push                dword ptr [ebp - 8]

        // Spans a function epilogue (ret 0x14) straight into the next
        // function's prologue, so it depends on the two functions being
        // adjacent in the image.
        $sequence_2 = { 5b 5d c21400 57 8b7c2408 85ff 7437 }
            // n = 7, score = 500
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c21400               | ret                 0x14
            //   57                   | push                edi
            //   8b7c2408             | mov                 edi, dword ptr [esp + 8]
            //   85ff                 | test                edi, edi
            //   7437                 | je                  0x39

        $sequence_3 = { 53 53 ffd0 85c0 0f8cba000000 53 53 }
            // n = 7, score = 500
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   0f8cba000000         | jl                  0xc0
            //   53                   | push                ebx
            //   53                   | push                ebx

        $sequence_4 = { 3bc1 0f8e94000000 8d44be40 8d1439 3b55fc 0f8d84000000 8bd1 }
            // n = 7, score = 500
            //   3bc1                 | cmp                 eax, ecx
            //   0f8e94000000         | jle                 0x9a
            //   8d44be40             | lea                 eax, [esi + edi*4 + 0x40]
            //   8d1439               | lea                 edx, [ecx + edi]
            //   3b55fc               | cmp                 edx, dword ptr [ebp - 4]
            //   0f8d84000000         | jge                 0x8a
            //   8bd1                 | mov                 edx, ecx

        // Stack-built wide string: the six immediate words written to
        // [ebp-0x38] .. [ebp-0x2e] are 0x42,0x61,0x63,0x6b,0x75,0x70, i.e.
        // "Backup" in ascending address order, with si stored just below it.
        // Such stack-string construction is a common way to keep the literal
        // out of the static string table.
        $sequence_5 = { 66c745d27000 66c745d07500 66c745ce6b00 66c745cc6300 66c745ca6100 66c745c84200 668975c6 }
            // n = 7, score = 500
            //   66c745d27000         | mov                 word ptr [ebp - 0x2e], 0x70
            //   66c745d07500         | mov                 word ptr [ebp - 0x30], 0x75
            //   66c745ce6b00         | mov                 word ptr [ebp - 0x32], 0x6b
            //   66c745cc6300         | mov                 word ptr [ebp - 0x34], 0x63
            //   66c745ca6100         | mov                 word ptr [ebp - 0x36], 0x61
            //   66c745c84200         | mov                 word ptr [ebp - 0x38], 0x42
            //   668975c6             | mov                 word ptr [ebp - 0x3a], si

        $sequence_6 = { ff7508 e8???????? 8bd8 85db 74b3 eb05 bbfb2a0000 }
            // n = 7, score = 500
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   74b3                 | je                  0xffffffb5
            //   eb05                 | jmp                 7
            //   bbfb2a0000           | mov                 ebx, 0x2afb

        // Indirect call through eax with five pushed arguments; the callee is
        // resolved at runtime, so the target is not part of the pattern.
        $sequence_7 = { 6a50 6a01 6a00 ff75f4 8d4df8 51 ffd0 }
            // n = 7, score = 500
            //   6a50                 | push                0x50
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   8d4df8               | lea                 ecx, [ebp - 8]
            //   51                   | push                ecx
            //   ffd0                 | call                eax

        $sequence_8 = { 85c0 7554 397d10 7416 6a01 ff7510 8d85c0fdffff }
            // n = 7, score = 500
            //   85c0                 | test                eax, eax
            //   7554                 | jne                 0x56
            //   397d10               | cmp                 dword ptr [ebp + 0x10], edi
            //   7416                 | je                  0x18
            //   6a01                 | push                1
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   8d85c0fdffff         | lea                 eax, [ebp - 0x240]

        // Two 32-bit immediates (0x7285f990, 0x6ae69f02) are pushed before a
        // wildcarded call. NOTE(review): these look like opaque lookup
        // constants (e.g. hashed identifiers) rather than addresses, but that
        // is not established by the bytes alone - confirm against a sample.
        $sequence_9 = { bb90f98572 53 be029fe66a 56 e8???????? 8d6f04 55 }
            // n = 7, score = 500
            //   bb90f98572           | mov                 ebx, 0x7285f990
            //   53                   | push                ebx
            //   be029fe66a           | mov                 esi, 0x6ae69f02
            //   56                   | push                esi
            //   e8????????           |                     
            //   8d6f04               | lea                 ebp, [edi + 4]
            //   55                   | push                ebp

    condition:
        // "7 of them" = at least 7 of the 10 $sequence_* patterns must match.
        // The filesize guard (204800 bytes = 200 KiB) limits false positives
        // on large binaries, but it also means larger inputs - e.g. full
        // process memory dumps or padded/packed builds - will never hit this
        // rule even if all ten sequences are present; scan unpacked payloads.
        7 of them and filesize < 204800
}