SYMBOLCOMMON_NAMEaka. SYNONYMS
win.urlzone (Back to overview)

UrlZone

aka: Bebloh, Shiotob
URLhaus      

There is no description at this point.

References
2020-01-17Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2019-03-12CybereasonAssaf Dahan, Cybereason Nocturnus
@online{dahan:20190312:new:a435b52, author = {Assaf Dahan and Cybereason Nocturnus}, title = {{New Ursnif Variant targets Japan packed with new Features}}, date = {2019-03-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features}, language = {English}, urldate = {2019-11-28} } New Ursnif Variant targets Japan packed with new Features
ISFB UrlZone
2019-03-09InQuestAmirreza Niakanlahiji
@online{niakanlahiji:20190309:analyzing:b88d299, author = {Amirreza Niakanlahiji}, title = {{Analyzing Sophisticated PowerShell Targeting Japan}}, date = {2019-03-09}, organization = {InQuest}, url = {http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/}, language = {English}, urldate = {2019-12-24} } Analyzing Sophisticated PowerShell Targeting Japan
UrlZone
2019-02-28Weixin360威胁情报中心
@online{360:20190228:urlzone:e1814da, author = {360威胁情报中心}, title = {{URLZone: Analysis of Suspected Attacks Against Japanese Hi-Tech Enterprise Employees}}, date = {2019-02-28}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA}, language = {Chinese}, urldate = {2019-11-27} } URLZone: Analysis of Suspected Attacks Against Japanese Hi-Tech Enterprise Employees
UrlZone
2016-02-05ProofpointProofpoint Staff
@online{staff:20160205:vawtrak:c5663f8, author = {Proofpoint Staff}, title = {{Vawtrak and UrlZone Banking Trojans Target Japan}}, date = {2016-02-05}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan}, language = {English}, urldate = {2019-11-20} } Vawtrak and UrlZone Banking Trojans Target Japan
UrlZone
2016-01-26FireEyeAyako Matsuda, Lennard Galang, Sudeep Singh, Joonho Sa, Shinsuke Honjo
@online{matsuda:20160126:urlzone:dd8e32e, author = {Ayako Matsuda and Lennard Galang and Sudeep Singh and Joonho Sa and Shinsuke Honjo}, title = {{URLZone Zones in on Japan}}, date = {2016-01-26}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html}, language = {English}, urldate = {2019-12-20} } URLZone Zones in on Japan
UrlZone
2015-01-12Johannes Bader
@online{bader:20150112:dga:b961e18, author = {Johannes Bader}, title = {{The DGA of Shiotob}}, date = {2015-01-12}, url = {https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/}, language = {English}, urldate = {2019-12-19} } The DGA of Shiotob
UrlZone
2013-12-17Gdata
@online{:20131217:bebloh:dcd1f5f, author = {}, title = {{Bebloh – a well-known banking Trojan with noteworthy innovations}}, date = {2013-12-17}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations}, language = {English}, urldate = {2019-10-28} } Bebloh – a well-known banking Trojan with noteworthy innovations
UrlZone
2012-09-01Virus BulletinNeo Tan
@online{tan:20120901:urlzone:7f65ffa, author = {Neo Tan}, title = {{URLZone reloaded: new evolution}}, date = {2012-09-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/}, language = {English}, urldate = {2020-01-06} } URLZone reloaded: new evolution
UrlZone
2011-07-28KrebsOnSecurityBrian Krebs
@online{krebs:20110728:trojan:2335232, author = {Brian Krebs}, title = {{Trojan Tricks Victims Into Transferring Funds}}, date = {2011-07-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/}, language = {English}, urldate = {2019-12-20} } Trojan Tricks Victims Into Transferring Funds
UrlZone
Yara Rules
[TLP:WHITE] win_urlzone_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_urlzone_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7c11 80f866 7f0c 80e861 }
            // n = 4, score = 3000
            //   7c11                 | jl                  0x13
            //   80f866               | cmp                 al, 0x66
            //   7f0c                 | jg                  0xe
            //   80e861               | sub                 al, 0x61

        $sequence_1 = { 80fc39 7f05 80ec30 eb22 }
            // n = 4, score = 3000
            //   80fc39               | cmp                 ah, 0x39
            //   7f05                 | jg                  7
            //   80ec30               | sub                 ah, 0x30
            //   eb22                 | jmp                 0x24

        $sequence_2 = { 80fc30 7c63 80fc39 7f05 }
            // n = 4, score = 3000
            //   80fc30               | cmp                 ah, 0x30
            //   7c63                 | jl                  0x65
            //   80fc39               | cmp                 ah, 0x39
            //   7f05                 | jg                  7

        $sequence_3 = { 7f05 80e830 eb22 80f841 7c23 80f846 7f08 }
            // n = 7, score = 3000
            //   7f05                 | jg                  7
            //   80e830               | sub                 al, 0x30
            //   eb22                 | jmp                 0x24
            //   80f841               | cmp                 al, 0x41
            //   7c23                 | jl                  0x25
            //   80f846               | cmp                 al, 0x46
            //   7f08                 | jg                  0xa

        $sequence_4 = { 7c11 80f866 7f0c 80e861 80c00a c0e004 }
            // n = 6, score = 3000
            //   7c11                 | jl                  0x13
            //   80f866               | cmp                 al, 0x66
            //   7f0c                 | jg                  0xe
            //   80e861               | sub                 al, 0x61
            //   80c00a               | add                 al, 0xa
            //   c0e004               | shl                 al, 4

        $sequence_5 = { eb10 80fc61 7c42 80f866 7f3d 80ec61 80c40a }
            // n = 7, score = 3000
            //   eb10                 | jmp                 0x12
            //   80fc61               | cmp                 ah, 0x61
            //   7c42                 | jl                  0x44
            //   80f866               | cmp                 al, 0x66
            //   7f3d                 | jg                  0x3f
            //   80ec61               | sub                 ah, 0x61
            //   80c40a               | add                 ah, 0xa

        $sequence_6 = { 5f 5e c3 57 51 }
            // n = 5, score = 3000
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   57                   | push                edi
            //   51                   | push                ecx

        $sequence_7 = { 7503 8a0a 42 80e930 80f909 7708 8d0480 }
            // n = 7, score = 3000
            //   7503                 | jne                 5
            //   8a0a                 | mov                 cl, byte ptr [edx]
            //   42                   | inc                 edx
            //   80e930               | sub                 cl, 0x30
            //   80f909               | cmp                 cl, 9
            //   7708                 | ja                  0xa
            //   8d0480               | lea                 eax, [eax + eax*4]

        $sequence_8 = { 80fc46 7f08 80ec41 80c40a eb10 }
            // n = 5, score = 3000
            //   80fc46               | cmp                 ah, 0x46
            //   7f08                 | jg                  0xa
            //   80ec41               | sub                 ah, 0x41
            //   80c40a               | add                 ah, 0xa
            //   eb10                 | jmp                 0x12

        $sequence_9 = { 7c63 80fc39 7f05 80ec30 eb22 80fc41 7c54 }
            // n = 7, score = 3000
            //   7c63                 | jl                  0x65
            //   80fc39               | cmp                 ah, 0x39
            //   7f05                 | jg                  7
            //   80ec30               | sub                 ah, 0x30
            //   eb22                 | jmp                 0x24
            //   80fc41               | cmp                 ah, 0x41
            //   7c54                 | jl                  0x56

    condition:
        7 of them and filesize < 704512
}
Download all Yara Rules