SYMBOLCOMMON_NAMEaka. SYNONYMS
win.onliner (Back to overview)

OnlinerSpambot

aka: SBot, Onliner

A spambot that has been observed being used for spreading Ursnif, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada.

References
2019-07-29BluelivAlberto Marín
@online{marn:20190729:analysis:c32955f, author = {Alberto Marín}, title = {{An analysis of a spam distribution botnet: the inner workings of Onliner Spambot}}, date = {2019-07-29}, organization = {Blueliv}, url = {https://www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/}, language = {English}, urldate = {2019-12-17} } An analysis of a spam distribution botnet: the inner workings of Onliner Spambot
OnlinerSpambot
2017-08-29Benkow LabBenoît Ancel
@online{ancel:20170829:from:7ef6dac, author = {Benoît Ancel}, title = {{From Onliner Spambot to millions of email's lists and credentials}}, date = {2017-08-29}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html}, language = {English}, urldate = {2020-01-06} } From Onliner Spambot to millions of email's lists and credentials
OnlinerSpambot
2017-02-27Benkow LabBenoît Ancel
@online{ancel:20170227:spambot:b40e584, author = {Benoît Ancel}, title = {{Spambot safari #2 - Online Mail System}}, date = {2017-02-27}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html}, language = {English}, urldate = {2020-01-09} } Spambot safari #2 - Online Mail System
OnlinerSpambot
Yara Rules
[TLP:WHITE] win_onliner_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_onliner_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8b45f8 50 8bce 33d2 8bc3 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   33d2                 | xor                 edx, edx
            //   8bc3                 | mov                 eax, ebx

        $sequence_1 = { 68???????? 64ff30 648920 8b8308020000 80781400 }
            // n = 5, score = 100
            //   68????????           |                     
            //   64ff30               | push                dword ptr fs:[eax]
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   8b8308020000         | mov                 eax, dword ptr [ebx + 0x208]
            //   80781400             | cmp                 byte ptr [eax + 0x14], 0

        $sequence_2 = { 8b8da8feffff 8bd3 8bc6 8b38 ff5720 8d8d98feffff 8bd3 }
            // n = 7, score = 100
            //   8b8da8feffff         | mov                 ecx, dword ptr [ebp - 0x158]
            //   8bd3                 | mov                 edx, ebx
            //   8bc6                 | mov                 eax, esi
            //   8b38                 | mov                 edi, dword ptr [eax]
            //   ff5720               | call                dword ptr [edi + 0x20]
            //   8d8d98feffff         | lea                 ecx, [ebp - 0x168]
            //   8bd3                 | mov                 edx, ebx

        $sequence_3 = { b201 a1???????? e8???????? 8945b4 33c0 }
            // n = 5, score = 100
            //   b201                 | mov                 dl, 1
            //   a1????????           |                     
            //   e8????????           |                     
            //   8945b4               | mov                 dword ptr [ebp - 0x4c], eax
            //   33c0                 | xor                 eax, eax

        $sequence_4 = { 41 007599 41 00a2994100cf 99 }
            // n = 5, score = 100
            //   41                   | inc                 ecx
            //   007599               | add                 byte ptr [ebp - 0x67], dh
            //   41                   | inc                 ecx
            //   00a2994100cf         | add                 byte ptr [edx - 0x30ffbe67], ah
            //   99                   | cdq                 

        $sequence_5 = { 5d c3 894634 8bc6 5e }
            // n = 5, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   894634               | mov                 dword ptr [esi + 0x34], eax
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi

        $sequence_6 = { 750f 66c7030000 8d4308 e8???????? eb46 6681fe0101 }
            // n = 6, score = 100
            //   750f                 | jne                 0x11
            //   66c7030000           | mov                 word ptr [ebx], 0
            //   8d4308               | lea                 eax, [ebx + 8]
            //   e8????????           |                     
            //   eb46                 | jmp                 0x48
            //   6681fe0101           | cmp                 si, 0x101

        $sequence_7 = { 750c 8bc7 ba???????? e8???????? f645cd80 7511 8b07 }
            // n = 7, score = 100
            //   750c                 | jne                 0xe
            //   8bc7                 | mov                 eax, edi
            //   ba????????           |                     
            //   e8????????           |                     
            //   f645cd80             | test                byte ptr [ebp - 0x33], 0x80
            //   7511                 | jne                 0x13
            //   8b07                 | mov                 eax, dword ptr [edi]

    condition:
        7 of them and filesize < 1736704
}
Download all Yara Rules