SYMBOLCOMMON_NAMEaka. SYNONYMS
win.urlzone (Back to overview)

UrlZone

aka: Bebloh, Shiotob
URLhaus      

There is no description at this point.

References
2020-01-17Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2019-07-11ProofpointProofpoint Threat Insight Team
@online{team:20190711:threat:00e0a1a, author = {Proofpoint Threat Insight Team}, title = {{Threat Actor Profile: TA544 targets geographies from Italy to Japan with a range of malware}}, date = {2019-07-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware}, language = {English}, urldate = {2021-05-31} } Threat Actor Profile: TA544 targets geographies from Italy to Japan with a range of malware
ISFB PandaBanker UrlZone NARWHAL SPIDER
2019-06-19ProofpointProofpoint Threat Insight Team
@online{team:20190619:urlzone:9163ce0, author = {Proofpoint Threat Insight Team}, title = {{URLZone top malware in Japan, while Emotet and LINE Phishing round out the landscape}}, date = {2019-06-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0}, language = {English}, urldate = {2021-05-31} } URLZone top malware in Japan, while Emotet and LINE Phishing round out the landscape
ISFB UrlZone NARWHAL SPIDER
2019-03-12CybereasonAssaf Dahan, Cybereason Nocturnus
@online{dahan:20190312:new:a435b52, author = {Assaf Dahan and Cybereason Nocturnus}, title = {{New Ursnif Variant targets Japan packed with new Features}}, date = {2019-03-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features}, language = {English}, urldate = {2019-11-28} } New Ursnif Variant targets Japan packed with new Features
ISFB UrlZone
2019-03-09InQuestAmirreza Niakanlahiji
@online{niakanlahiji:20190309:analyzing:b88d299, author = {Amirreza Niakanlahiji}, title = {{Analyzing Sophisticated PowerShell Targeting Japan}}, date = {2019-03-09}, organization = {InQuest}, url = {http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/}, language = {English}, urldate = {2019-12-24} } Analyzing Sophisticated PowerShell Targeting Japan
UrlZone
2019-02-28Weixin360威胁情报中心
@online{360:20190228:urlzone:e1814da, author = {360威胁情报中心}, title = {{URLZone: Analysis of Suspected Attacks Against Japanese Hi-Tech Enterprise Employees}}, date = {2019-02-28}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA}, language = {Chinese}, urldate = {2019-11-27} } URLZone: Analysis of Suspected Attacks Against Japanese Hi-Tech Enterprise Employees
UrlZone
2018-01-12ProofpointProofpoint Staff
@online{staff:20180112:holiday:b4225b8, author = {Proofpoint Staff}, title = {{Holiday lull? Not so much}}, date = {2018-01-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much}, language = {English}, urldate = {2021-05-31} } Holiday lull? Not so much
Dridex Emotet GlobeImposter ISFB Necurs PandaBanker UrlZone NARWHAL SPIDER
2016-02-05ProofpointProofpoint Staff
@online{staff:20160205:vawtrak:c5663f8, author = {Proofpoint Staff}, title = {{Vawtrak and UrlZone Banking Trojans Target Japan}}, date = {2016-02-05}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan}, language = {English}, urldate = {2019-11-20} } Vawtrak and UrlZone Banking Trojans Target Japan
UrlZone
2016-01-26FireEyeAyako Matsuda, Lennard Galang, Sudeep Singh, Joonho Sa, Shinsuke Honjo
@online{matsuda:20160126:urlzone:dd8e32e, author = {Ayako Matsuda and Lennard Galang and Sudeep Singh and Joonho Sa and Shinsuke Honjo}, title = {{URLZone Zones in on Japan}}, date = {2016-01-26}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html}, language = {English}, urldate = {2019-12-20} } URLZone Zones in on Japan
UrlZone
2015-01-12Johannes Bader
@online{bader:20150112:dga:b961e18, author = {Johannes Bader}, title = {{The DGA of Shiotob}}, date = {2015-01-12}, url = {https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/}, language = {English}, urldate = {2019-12-19} } The DGA of Shiotob
UrlZone
2013-12-17Gdata
@online{:20131217:bebloh:dcd1f5f, author = {}, title = {{Bebloh – a well-known banking Trojan with noteworthy innovations}}, date = {2013-12-17}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations}, language = {English}, urldate = {2019-10-28} } Bebloh – a well-known banking Trojan with noteworthy innovations
UrlZone
2012-09-01Virus BulletinNeo Tan
@online{tan:20120901:urlzone:7f65ffa, author = {Neo Tan}, title = {{URLZone reloaded: new evolution}}, date = {2012-09-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/}, language = {English}, urldate = {2020-01-06} } URLZone reloaded: new evolution
UrlZone
2011-07-28KrebsOnSecurityBrian Krebs
@online{krebs:20110728:trojan:2335232, author = {Brian Krebs}, title = {{Trojan Tricks Victims Into Transferring Funds}}, date = {2011-07-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/}, language = {English}, urldate = {2019-12-20} } Trojan Tricks Victims Into Transferring Funds
UrlZone
Yara Rules
[TLP:WHITE] win_urlzone_auto (20220516 | Detects win.urlzone.)
rule win_urlzone_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.urlzone."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b119 b20d b005 e8???????? }
            // n = 4, score = 3000
            //   b119                 | mov                 cl, 0x19
            //   b20d                 | mov                 dl, 0xd
            //   b005                 | mov                 al, 5
            //   e8????????           |                     

        $sequence_1 = { 80fc39 7f05 80ec30 eb22 }
            // n = 4, score = 3000
            //   80fc39               | cmp                 ah, 0x39
            //   7f05                 | jg                  7
            //   80ec30               | sub                 ah, 0x30
            //   eb22                 | jmp                 0x24

        $sequence_2 = { 80fc30 7c63 80fc39 7f05 }
            // n = 4, score = 3000
            //   80fc30               | cmp                 ah, 0x30
            //   7c63                 | jl                  0x65
            //   80fc39               | cmp                 ah, 0x39
            //   7f05                 | jg                  7

        $sequence_3 = { 7c63 80fc39 7f05 80ec30 eb22 }
            // n = 5, score = 3000
            //   7c63                 | jl                  0x65
            //   80fc39               | cmp                 ah, 0x39
            //   7f05                 | jg                  7
            //   80ec30               | sub                 ah, 0x30
            //   eb22                 | jmp                 0x24

        $sequence_4 = { 7503 8a0a 42 80e930 80f909 }
            // n = 5, score = 3000
            //   7503                 | jne                 5
            //   8a0a                 | mov                 cl, byte ptr [edx]
            //   42                   | inc                 edx
            //   80e930               | sub                 cl, 0x30
            //   80f909               | cmp                 cl, 9

        $sequence_5 = { 7c23 80f846 7f08 80e841 80c00a eb10 }
            // n = 6, score = 3000
            //   7c23                 | jl                  0x25
            //   80f846               | cmp                 al, 0x46
            //   7f08                 | jg                  0xa
            //   80e841               | sub                 al, 0x41
            //   80c00a               | add                 al, 0xa
            //   eb10                 | jmp                 0x12

        $sequence_6 = { 80f866 7f0c 80e861 80c00a c0e004 08e0 c3 }
            // n = 7, score = 3000
            //   80f866               | cmp                 al, 0x66
            //   7f0c                 | jg                  0xe
            //   80e861               | sub                 al, 0x61
            //   80c00a               | add                 al, 0xa
            //   c0e004               | shl                 al, 4
            //   08e0                 | or                  al, ah
            //   c3                   | ret                 

        $sequence_7 = { 11e0 31c8 034424f8 d1d0 31c8 }
            // n = 5, score = 3000
            //   11e0                 | adc                 eax, esp
            //   31c8                 | xor                 eax, ecx
            //   034424f8             | add                 eax, dword ptr [esp - 8]
            //   d1d0                 | rcl                 eax, 1
            //   31c8                 | xor                 eax, ecx

        $sequence_8 = { 50 68???????? 6a00 6a00 a1???????? 50 }
            // n = 6, score = 3000
            //   50                   | push                eax
            //   68????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   a1????????           |                     
            //   50                   | push                eax

        $sequence_9 = { 80f841 7c23 80f846 7f08 }
            // n = 4, score = 3000
            //   80f841               | cmp                 al, 0x41
            //   7c23                 | jl                  0x25
            //   80f846               | cmp                 al, 0x46
            //   7f08                 | jg                  0xa

    condition:
        7 of them and filesize < 704512
}
Download all Yara Rules