SYMBOLCOMMON_NAMEaka. SYNONYMS
win.vobfus (Back to overview)

Vobfus

aka: Beebone

There is no description at this point.

References
2015-04-09Trend MicroDianne Lagrimas
@online{lagrimas:20150409:beebone:cd0b76b, author = {Dianne Lagrimas}, title = {{Beebone Botnet Takedown: Trend Micro Solutions}}, date = {2015-04-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions}, language = {English}, urldate = {2020-08-24} } Beebone Botnet Takedown: Trend Micro Solutions
Vobfus
2012-12-07Contagio DumpMila Parkour
@online{parkour:20121207:nov:0d14c03, author = {Mila Parkour}, title = {{Nov 2012 Worm Vobfus Samples}}, date = {2012-12-07}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html}, language = {English}, urldate = {2019-12-20} } Nov 2012 Worm Vobfus Samples
Vobfus
2012-11-29Trend MicroTrend Micro
@online{micro:20121129:whats:f711a5b, author = {Trend Micro}, title = {{What’s the Fuss with WORM_VOBFUS?}}, date = {2012-11-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/}, language = {English}, urldate = {2020-01-09} } What’s the Fuss with WORM_VOBFUS?
Vobfus
Yara Rules
[TLP:WHITE] win_vobfus_auto (20210616 | Detects win.vobfus.)
rule win_vobfus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.vobfus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b5508 8b92e8000000 8b829c050000 50 }
            // n = 4, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b829c050000         | mov                 eax, dword ptr [edx + 0x59c]
            //   50                   | push                eax

        $sequence_1 = { 8b5508 8b92e8000000 8b82a81d0000 50 }
            // n = 4, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b82a81d0000         | mov                 eax, dword ptr [edx + 0x1da8]
            //   50                   | push                eax

        $sequence_2 = { 8b5508 8b92e8000000 8b82a80b0000 50 }
            // n = 4, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b82a80b0000         | mov                 eax, dword ptr [edx + 0xba8]
            //   50                   | push                eax

        $sequence_3 = { 8b5508 8b92e8000000 8b8260140000 50 }
            // n = 4, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b8260140000         | mov                 eax, dword ptr [edx + 0x1460]
            //   50                   | push                eax

        $sequence_4 = { 8bec 8b5508 8b92e8000000 8b82640a0000 50 }
            // n = 5, score = 200
            //   8bec                 | mov                 ebp, esp
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b82640a0000         | mov                 eax, dword ptr [edx + 0xa64]
            //   50                   | push                eax

        $sequence_5 = { 8b5508 8b92e8000000 8b8248080000 50 }
            // n = 4, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b8248080000         | mov                 eax, dword ptr [edx + 0x848]
            //   50                   | push                eax

        $sequence_6 = { 8b5508 8b92e8000000 8b82d00a0000 50 50 }
            // n = 5, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b92e8000000         | mov                 edx, dword ptr [edx + 0xe8]
            //   8b82d00a0000         | mov                 eax, dword ptr [edx + 0xad0]
            //   50                   | push                eax
            //   50                   | push                eax

        $sequence_7 = { 8b82d41b0000 50 50 8b10 ff5204 }
            // n = 5, score = 200
            //   8b82d41b0000         | mov                 eax, dword ptr [edx + 0x1bd4]
            //   50                   | push                eax
            //   50                   | push                eax
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   ff5204               | call                dword ptr [edx + 4]

        $sequence_8 = { e752 47 625403a7 78f5 }
            // n = 4, score = 100
            //   e752                 | out                 0x52, eax
            //   47                   | inc                 edi
            //   625403a7             | bound               edx, qword ptr [ebx + eax - 0x59]
            //   78f5                 | js                  0xfffffff7

        $sequence_9 = { f2ed ec f2ed ec f2ed ec }
            // n = 6, score = 100
            //   f2ed                 | in                  eax, dx
            //   ec                   | in                  al, dx
            //   f2ed                 | in                  eax, dx
            //   ec                   | in                  al, dx
            //   f2ed                 | in                  eax, dx
            //   ec                   | in                  al, dx

        $sequence_10 = { 1001 ff06 0200 0100 8a00 }
            // n = 5, score = 100
            //   1001                 | adc                 byte ptr [ecx], al
            //   ff06                 | inc                 dword ptr [esi]
            //   0200                 | add                 al, byte ptr [eax]
            //   0100                 | add                 dword ptr [eax], eax
            //   8a00                 | mov                 al, byte ptr [eax]

        $sequence_11 = { c19400d6c49500d7 c59900dac999 00e0 c9 8f00 e3ce 97 }
            // n = 7, score = 100
            //   c19400d6c49500d7     | rcl                 dword ptr [eax + eax + 0x95c4d6], -0x29
            //   c59900dac999         | lds                 ebx, ptr [ecx - 0x66362600]
            //   00e0                 | add                 al, ah
            //   c9                   | leave               
            //   8f00                 | pop                 dword ptr [eax]
            //   e3ce                 | jecxz               0xffffffd0
            //   97                   | xchg                eax, edi

        $sequence_12 = { 17 c1b8cc92aed3d4 9d 0e 06 ec 3bce }
            // n = 7, score = 100
            //   17                   | pop                 ss
            //   c1b8cc92aed3d4       | sar                 dword ptr [eax - 0x2c516d34], -0x2c
            //   9d                   | popfd               
            //   0e                   | push                cs
            //   06                   | push                es
            //   ec                   | in                  al, dx
            //   3bce                 | cmp                 ecx, esi

        $sequence_13 = { ec f2ed ec f3ed ebf2 ed }
            // n = 6, score = 100
            //   ec                   | in                  al, dx
            //   f2ed                 | in                  eax, dx
            //   ec                   | in                  al, dx
            //   f3ed                 | in                  eax, dx
            //   ebf2                 | jmp                 0xfffffff4
            //   ed                   | in                  eax, dx

        $sequence_14 = { 1400 48 0008 78ff 0d50004900 }
            // n = 5, score = 100
            //   1400                 | adc                 al, 0
            //   48                   | dec                 eax
            //   0008                 | add                 byte ptr [eax], cl
            //   78ff                 | js                  1
            //   0d50004900           | or                  eax, 0x490050

        $sequence_15 = { 0006 3401 41 06 1005???????? 0100 6c }
            // n = 7, score = 100
            //   0006                 | add                 byte ptr [esi], al
            //   3401                 | xor                 al, 1
            //   41                   | inc                 ecx
            //   06                   | push                es
            //   1005????????         |                     
            //   0100                 | add                 dword ptr [eax], eax
            //   6c                   | insb                byte ptr es:[edi], dx

        $sequence_16 = { 0d50004900 3e3cff 46 14ff }
            // n = 4, score = 100
            //   0d50004900           | or                  eax, 0x490050
            //   3e3cff               | cmp                 al, 0xff
            //   46                   | inc                 esi
            //   14ff                 | adc                 al, 0xff

        $sequence_17 = { c8c46952 10043b 51 d4a4 }
            // n = 4, score = 100
            //   c8c46952             | enter               0x69c4, 0x52
            //   10043b               | adc                 byte ptr [ebx + edi], al
            //   51                   | push                ecx
            //   d4a4                 | aam                 0xa4

        $sequence_18 = { 94 e1ed 4b cf }
            // n = 4, score = 100
            //   94                   | xchg                eax, esp
            //   e1ed                 | loope               0xffffffef
            //   4b                   | dec                 ebx
            //   cf                   | iretd               

        $sequence_19 = { f2e8fae6d5f6 d2b5f2bb8ff3 ae 73f3 }
            // n = 4, score = 100
            //   f2e8fae6d5f6         | bnd call            0xf6d5e700
            //   d2b5f2bb8ff3         | sal                 byte ptr [ebp - 0xc70440e], cl
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   73f3                 | jae                 0xfffffff5

        $sequence_20 = { aa 5c f6ac4ff8b54ffb c058fcca }
            // n = 4, score = 100
            //   aa                   | stosb               byte ptr es:[edi], al
            //   5c                   | pop                 esp
            //   f6ac4ff8b54ffb       | imul                byte ptr [edi + ecx*2 - 0x4b04a08]
            //   c058fcca             | rcr                 byte ptr [eax - 4], 0xca

        $sequence_21 = { 46 14ff 0470 fe0a d6 }
            // n = 5, score = 100
            //   46                   | inc                 esi
            //   14ff                 | adc                 al, 0xff
            //   0470                 | add                 al, 0x70
            //   fe0a                 | dec                 byte ptr [edx]
            //   d6                   | salc                

        $sequence_22 = { ae 73f3 aa 5c }
            // n = 4, score = 100
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   73f3                 | jae                 0xfffffff5
            //   aa                   | stosb               byte ptr es:[edi], al
            //   5c                   | pop                 esp

        $sequence_23 = { 49 e278 8161d356b32dee 57 }
            // n = 4, score = 100
            //   49                   | dec                 ecx
            //   e278                 | loop                0x7a
            //   8161d356b32dee       | and                 dword ptr [ecx - 0x2d], 0xee2db356
            //   57                   | push                edi

    condition:
        7 of them and filesize < 409600
}
Download all Yara Rules