win.urlzone

UrlZone

aka: Bebloh, Shiotob

There is no description at this point. The references listed below characterize UrlZone (aka Bebloh / Shiotob) as a banking trojan with a domain generation algorithm (DGA), repeatedly reported in malspam campaigns targeting Japan.

References
2020-01-17 — Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2019-07-11 — Proofpoint — Proofpoint Threat Insight Team
Threat Actor Profile: TA544 targets geographies from Italy to Japan with a range of malware
ISFB PandaBanker UrlZone NARWHAL SPIDER
2019-06-19 — Proofpoint — Proofpoint Threat Insight Team
URLZone top malware in Japan, while Emotet and LINE Phishing round out the landscape
ISFB UrlZone NARWHAL SPIDER
2019-03-12 — Cybereason — Assaf Dahan, Cybereason Nocturnus
New Ursnif Variant targets Japan packed with new Features
ISFB UrlZone
2019-03-09 — InQuest — Amirreza Niakanlahiji
Analyzing Sophisticated PowerShell Targeting Japan
UrlZone
2019-02-28 — Weixin — 360威胁情报中心 (360 Threat Intelligence Center)
URLZone: Analysis of Suspected Attacks Against Japanese Hi-Tech Enterprise Employees
UrlZone
2018-01-12 — Proofpoint — Proofpoint Staff
Holiday lull? Not so much
Dridex Emotet GlobeImposter ISFB Necurs PandaBanker UrlZone NARWHAL SPIDER
2016-02-05 — Proofpoint — Proofpoint Staff
Vawtrak and UrlZone Banking Trojans Target Japan
UrlZone
2016-01-26 — FireEye — Ayako Matsuda, Joonho Sa, Lennard Galang, Shinsuke Honjo, Sudeep Singh
URLZone Zones in on Japan
UrlZone
2015-01-12 — Johannes Bader
The DGA of Shiotob
UrlZone
2013-12-17 — Gdata
Bebloh – a well-known banking Trojan with noteworthy innovations
UrlZone
2012-09-01 — Virus Bulletin — Neo Tan
URLZone reloaded: new evolution
UrlZone
2011-07-28 — KrebsOnSecurity — Brian Krebs
Trojan Tricks Victims Into Transferring Funds
UrlZone
Yara Rules
[TLP:WHITE] win_urlzone_auto (20230808 | Detects win.urlzone.)
rule win_urlzone_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): `date`, `malpedia_rule_date` and `malpedia_version`
        // disagree (2023-12-06 / 20231130 / 20230808). Presumably these are
        // generation date vs. rule-set date vs. data-set version; confirm
        // against the generator before relying on any of them for provenance.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.urlzone."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* REVIEW NOTES
     * - All hex strings below are exact byte sequences (no wildcards or jumps),
     *   taken from unpacked code per the disclaimer above. A packed sample on
     *   disk will generally not hit; scan unpacked files or memory dumps.
     * - Nine of the ten sequences ($sequence_0/1/2/3/5/6/7/8/9) are fragments
     *   of what looks like a single ASCII-hex-to-byte decoding routine: the
     *   compares against 0x30..0x39 ('0'..'9'), 0x41..0x46 ('A'..'F') and
     *   0x61..0x66 ('a'..'f'), the `sub 0x30` / `sub 0x61; add 0xa` value
     *   conversions, and `shl al, 4; or al, ah` packing two nibbles into one
     *   byte. Several of them literally overlap ($sequence_8 contains all of
     *   $sequence_0 and the first two instructions of $sequence_7; $sequence_9
     *   is the tail of $sequence_2). The "7 of them" threshold is therefore
     *   weaker than it looks: one copy of that routine can satisfy it on its
     *   own. The remaining string, $sequence_4, is a generic epilogue /
     *   prologue pair and adds little discriminating power.
     */

    strings:
        // '0'..'9' branch of the hex-digit decode on AL: cmp al,'9' / sub al,'0'
        $sequence_0 = { 7c32 80f839 7f05 80e830 eb22 }
            // n = 5, score = 3000
            //   7c32                 | jl                  0x34
            //   80f839               | cmp                 al, 0x39
            //   7f05                 | jg                  7
            //   80e830               | sub                 al, 0x30
            //   eb22                 | jmp                 0x24

        // Same '0'..'9' conversion, second digit held in AH
        $sequence_1 = { 80fc39 7f05 80ec30 eb22 }
            // n = 4, score = 3000
            //   80fc39               | cmp                 ah, 0x39
            //   7f05                 | jg                  7
            //   80ec30               | sub                 ah, 0x30
            //   eb22                 | jmp                 0x24

        // AH path continuing into the 'A'..'F' range check (cmp ah,'A');
        // overlaps $sequence_1 on the middle three instructions
        $sequence_2 = { 7f05 80ec30 eb22 80fc41 7c54 }
            // n = 5, score = 3000
            //   7f05                 | jg                  7
            //   80ec30               | sub                 ah, 0x30
            //   eb22                 | jmp                 0x24
            //   80fc41               | cmp                 ah, 0x41
            //   7c54                 | jl                  0x56

        // End of the upper-case letter conversion (add 0xa) followed by the
        // 'a'..'f' range check on AL
        $sequence_3 = { 80c00a eb10 80f861 7c11 80f866 }
            // n = 5, score = 3000
            //   80c00a               | add                 al, 0xa
            //   eb10                 | jmp                 0x12
            //   80f861               | cmp                 al, 0x61
            //   7c11                 | jl                  0x13
            //   80f866               | cmp                 al, 0x66

        // Looks like a function epilogue (pop/pop/ret) directly followed by the
        // next function's prologue; this is common compiler output and is the
        // least specific string in the rule
        $sequence_4 = { 5f 5e c3 57 51 89c7 }
            // n = 6, score = 3000
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   57                   | push                edi
            //   51                   | push                ecx
            //   89c7                 | mov                 edi, eax

        // AH variant of $sequence_3 (note the mixed ah/al compares)
        $sequence_5 = { 80c40a eb10 80fc61 7c42 80f866 7f3d }
            // n = 6, score = 3000
            //   80c40a               | add                 ah, 0xa
            //   eb10                 | jmp                 0x12
            //   80fc61               | cmp                 ah, 0x61
            //   7c42                 | jl                  0x44
            //   80f866               | cmp                 al, 0x66
            //   7f3d                 | jg                  0x3f

        // 'a'..'f' -> 10..15 (sub 'a', add 10), then the two nibbles are
        // packed into one byte: AL becomes the high nibble, AH the low nibble
        $sequence_6 = { 7f0c 80e861 80c00a c0e004 08e0 }
            // n = 5, score = 3000
            //   7f0c                 | jg                  0xe
            //   80e861               | sub                 al, 0x61
            //   80c00a               | add                 al, 0xa
            //   c0e004               | shl                 al, 4
            //   08e0                 | or                  al, ah

        // 'A'..'F' range check on AL
        $sequence_7 = { 80f841 7c23 80f846 7f08 }
            // n = 4, score = 3000
            //   80f841               | cmp                 al, 0x41
            //   7c23                 | jl                  0x25
            //   80f846               | cmp                 al, 0x46
            //   7f08                 | jg                  0xa

        // Superset: the whole of $sequence_0 (minus its leading jl) plus the
        // first two instructions of $sequence_7. Any hit here also hits those.
        $sequence_8 = { 80f839 7f05 80e830 eb22 80f841 7c23 }
            // n = 6, score = 3000
            //   80f839               | cmp                 al, 0x39
            //   7f05                 | jg                  7
            //   80e830               | sub                 al, 0x30
            //   eb22                 | jmp                 0x24
            //   80f841               | cmp                 al, 0x41
            //   7c23                 | jl                  0x25

        // Subset: the last four instructions of $sequence_2
        $sequence_9 = { 80ec30 eb22 80fc41 7c54 }
            // n = 4, score = 3000
            //   80ec30               | sub                 ah, 0x30
            //   eb22                 | jmp                 0x24
            //   80fc41               | cmp                 ah, 0x41
            //   7c54                 | jl                  0x56

    condition:
        // 7 of 10 strings must match, but see REVIEW NOTES: because the
        // sequences overlap heavily, a single hex-decoding routine of this
        // shape can reach the threshold. Treat a hit as a lead to corroborate
        // (e.g. with the family's known C2/DGA behaviour), not as attribution
        // by itself.
        // The size bound applies to files and memory dumps. Per the YARA
        // documentation `filesize` is only defined when scanning a file, so
        // when scanning a live process this condition may evaluate to false
        // and the rule would not fire without adapting the condition.
        7 of them and filesize < 704512
}