win.vobfus

Vobfus

aka: Beebone

Malware of this family searches for computers on a network and creates copies of itself in folders that are openly accessible. For the program to be activated, the user must first run it on the computer. The code of this malware is written in Visual Basic and uses obfuscation, which is a distinguishing feature of this family. Code obfuscation complicates attempts by anti-virus software to analyze suspected malware.

References
2015-04-09Trend MicroDianne Lagrimas
@online{lagrimas:20150409:beebone:cd0b76b, author = {Dianne Lagrimas}, title = {{Beebone Botnet Takedown: Trend Micro Solutions}}, date = {2015-04-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions}, language = {English}, urldate = {2020-08-24} } Beebone Botnet Takedown: Trend Micro Solutions
Vobfus
2012-12-07Contagio DumpMila Parkour
@online{parkour:20121207:nov:0d14c03, author = {Mila Parkour}, title = {{Nov 2012 Worm Vobfus Samples}}, date = {2012-12-07}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html}, language = {English}, urldate = {2019-12-20} } Nov 2012 Worm Vobfus Samples
Vobfus
2012-11-29Trend MicroTrend Micro
@online{micro:20121129:whats:f711a5b, author = {Trend Micro}, title = {{What’s the Fuss with WORM_VOBFUS?}}, date = {2012-11-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/}, language = {English}, urldate = {2020-01-09} } What’s the Fuss with WORM_VOBFUS?
Vobfus
Yara Rules
[TLP:WHITE] win_vobfus_auto (20230125 | Detects win.vobfus.)
rule win_vobfus_auto {

    /* Purpose: autogenerated (yara-signator) detection for win.vobfus, built from
     * byte sequences selected out of disassembled memory dumps / unpacked files.
     * Match requires 7 of the 24 $sequence_N strings and a file under 409600 bytes
     * (see condition). Two groups of strings are present: $sequence_0..7 (score 200)
     * and $sequence_8..23 (score 100); see the comments at each group.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.vobfus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /* $sequence_0..7 (score 200) all share the same two-instruction prefix
         * (mov edx,[ebp+8]; mov edx,[edx+0xe8]) and differ only in the final
         * dword offset read from edx before the push. They therefore hit the same
         * code shape repeatedly; a file containing that shape can satisfy the
         * "7 of them" threshold from this group alone.
         */
        $sequence_0 = { 8b5508 8b92e8000000 8b8298060000 50 }
            // n = 4, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b8298060000         | mov                 eax, dword ptr [edx + 0x698]
            //   50                   | push                eax

        $sequence_1 = { 8b5508 8b92e8000000 8b8248230000 50 }
            // n = 4, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b8248230000         | mov                 eax, dword ptr [edx + 0x2348]
            //   50                   | push                eax

        $sequence_2 = { 8b5508 8b92e8000000 8b82ac0a0000 50 }
            // n = 4, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b82ac0a0000         | mov                 eax, dword ptr [edx + 0xaac]
            //   50                   | push                eax

        $sequence_3 = { 8b5508 8b92e8000000 8b82800c0000 50 }
            // n = 4, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b82800c0000         | mov                 eax, dword ptr [edx + 0xc80]
            //   50                   | push                eax

        $sequence_4 = { 8b5508 8b92e8000000 8b82ac010000 50 50 8b10 ff5204 }
            // n = 7, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b82ac010000         | mov                 eax, dword ptr [edx + 0x1ac]
            //   50                   | push                eax
            //   50                   | push                eax
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   ff5204               | call                dword ptr [edx + 4]

        $sequence_5 = { 8b5508 8b92e8000000 8b8200110000 50 }
            // n = 4, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b8200110000         | mov                 eax, dword ptr [edx + 0x1100]
            //   50                   | push                eax

        $sequence_6 = { 8bec 8b5508 8b92e8000000 8b8218020000 50 }
            // n = 5, score = 200
            //   8bec                 | mov                 ebp, esp
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b8218020000         | mov                 eax, dword ptr [edx + 0x218]
            //   50                   | push                eax

        $sequence_7 = { 8b5508 8b92e8000000 8b82a80b0000 50 }
            // n = 4, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b82a80b0000         | mov                 eax, dword ptr [edx + 0xba8]
            //   50                   | push                eax

        /* $sequence_8..23 (score 100): the disassembly shown for these decodes to
         * implausible instruction runs (repeated "in al/eax, dx", "salc", "aam",
         * "int 0xc5", "popal", "pop esp"), which suggests the bytes were taken from
         * obfuscated or non-code regions rather than real control flow.
         * NOTE(review): they are likely sample-specific; they were selected
         * automatically, so treat them as weaker evidence when assigning confidence.
         * Several are only 4 bytes long ($sequence_9, _15, _19, _20 ...), so a
         * single one of them matching on its own carries little weight.
         */
        $sequence_8 = { bdb000d6c2 91 00d5 c19400d6c49500d7 }
            // n = 4, score = 100
            //   bdb000d6c2           | mov                 ebp, 0xc2d600b0
            //   91                   | xchg                eax, ecx
            //   00d5                 | add                 ch, dl
            //   c19400d6c49500d7     | rcl                 dword ptr [eax + eax + 0x95c4d6], 0xd7

        $sequence_9 = { ec f3ed ebf2 ed }
            // n = 4, score = 100
            //   ec                   | in                  al, dx
            //   f3ed                 | in                  eax, dx
            //   ebf2                 | jmp                 0xfffffff4
            //   ed                   | in                  eax, dx

        $sequence_10 = { 57 de0d???????? f5 24c0 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   de0d????????         |                     
            //   f5                   | cmc                 
            //   24c0                 | and                 al, 0xc0

        $sequence_11 = { 3dae8602f8 0853ac 866cedad b909dfd18c 9d 7454 2bcd }
            // n = 7, score = 100
            //   3dae8602f8           | cmp                 eax, 0xf80286ae
            //   0853ac               | or                  byte ptr [ebx - 0x54], dl
            //   866cedad             | xchg                byte ptr [ebp + ebp*8 - 0x53], ch
            //   b909dfd18c           | mov                 ecx, 0x8cd1df09
            //   9d                   | popfd               
            //   7454                 | je                  0x56
            //   2bcd                 | sub                 ecx, ebp

        $sequence_12 = { 0d50004900 3e3cff 46 14ff 0470 }
            // n = 5, score = 100
            //   0d50004900           | or                  eax, 0x490050
            //   3e3cff               | cmp                 al, 0xff
            //   46                   | inc                 esi
            //   14ff                 | adc                 al, 0xff
            //   0470                 | add                 al, 0x70

        $sequence_13 = { f2e8fae6d5f6 d2b5f2bb8ff3 ae 73f3 aa 5c }
            // n = 6, score = 100
            //   f2e8fae6d5f6         | bnd call            0xf6d5e700
            //   d2b5f2bb8ff3         | sal                 byte ptr [ebp - 0xc70440e], cl
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   73f3                 | jae                 0xfffffff5
            //   aa                   | stosb               byte ptr es:[edi], al
            //   5c                   | pop                 esp

        $sequence_14 = { aa 5c f6ac4ff8b54ffb c058fcca 61 }
            // n = 5, score = 100
            //   aa                   | stosb               byte ptr es:[edi], al
            //   5c                   | pop                 esp
            //   f6ac4ff8b54ffb       | imul                byte ptr [edi + ecx*2 - 0x4b04a08]
            //   c058fcca             | rcr                 byte ptr [eax - 4], 0xca
            //   61                   | popal               

        $sequence_15 = { 14ff 0470 fe0a d6 }
            // n = 4, score = 100
            //   14ff                 | adc                 al, 0xff
            //   0470                 | add                 al, 0x70
            //   fe0a                 | dec                 byte ptr [edx]
            //   d6                   | salc                

        $sequence_16 = { 00e0 d4b4 00d1 c9 c200d5 cdc5 00d8 }
            // n = 7, score = 100
            //   00e0                 | add                 al, ah
            //   d4b4                 | aam                 0xb4
            //   00d1                 | add                 cl, dl
            //   c9                   | leave               
            //   c200d5               | ret                 0xd500
            //   cdc5                 | int                 0xc5
            //   00d8                 | add                 al, bl

        // $sequence_17 and $sequence_12 overlap: both contain "0d50004900 3e3cff".
        $sequence_17 = { 1400 48 0008 78ff 0d50004900 3e3cff }
            // n = 6, score = 100
            //   1400                 | adc                 al, 0
            //   48                   | dec                 eax
            //   0008                 | add                 byte ptr [eax], cl
            //   78ff                 | js                  1
            //   0d50004900           | or                  eax, 0x490050
            //   3e3cff               | cmp                 al, 0xff

        $sequence_18 = { d127 8b8ec9322003 26c1a5d9924bb222 56 a1???????? ec 54 }
            // n = 7, score = 100
            //   d127                 | shl                 dword ptr [edi], 1
            //   8b8ec9322003         | mov                 ecx, dword ptr [esi + 0x32032c9]
            //   26c1a5d9924bb222     | shl                 dword ptr es:[ebp - 0x4db46d27], 0x22
            //   56                   | push                esi
            //   a1????????           |                     
            //   ec                   | in                  al, dx
            //   54                   | push                esp

        $sequence_19 = { f2ed ec f2ed ec f2ed }
            // n = 5, score = 100
            //   f2ed                 | in                  eax, dx
            //   ec                   | in                  al, dx
            //   f2ed                 | in                  eax, dx
            //   ec                   | in                  al, dx
            //   f2ed                 | in                  eax, dx

        $sequence_20 = { 7cc8 dc7acd e291 d2e8 }
            // n = 4, score = 100
            //   7cc8                 | jl                  0xffffffca
            //   dc7acd               | fdivr               qword ptr [edx - 0x33]
            //   e291                 | loop                0xffffff93
            //   d2e8                 | shr                 al, cl

        $sequence_21 = { 0006 3401 41 06 1001 ff06 }
            // n = 6, score = 100
            //   0006                 | add                 byte ptr [esi], al
            //   3401                 | xor                 al, 1
            //   41                   | inc                 ecx
            //   06                   | push                es
            //   1001                 | adc                 byte ptr [ecx], al
            //   ff06                 | inc                 dword ptr [esi]

        $sequence_22 = { 66f2eb32 8631 96 0a7f25 }
            // n = 4, score = 100
            //   66f2eb32             | bnd jmp             0x36
            //   8631                 | xchg                byte ptr [ecx], dh
            //   96                   | xchg                eax, esi
            //   0a7f25               | or                  bh, byte ptr [edi + 0x25]

        $sequence_23 = { 8161d356b32dee 57 7df8 ab }
            // n = 4, score = 100
            //   8161d356b32dee       | and                 dword ptr [ecx - 0x2d], 0xee2db356
            //   57                   | push                edi
            //   7df8                 | jge                 0xfffffffa
            //   ab                   | stosd               dword ptr es:[edi], eax

    /* Any 7 of the 24 sequences, regardless of their score, in a file smaller
     * than 409600 bytes (400 KiB). The score values are informational comments
     * only; the condition does not weight them, so the 8 score-200 strings and
     * 16 score-100 strings count equally toward the threshold. The size cap
     * bounds scan cost but also means larger (e.g. padded) samples will not match.
     */
    condition:
        7 of them and filesize < 409600
}