win.anchor

Anchor

Actor(s): WIZARD SPIDER


Anchor is a sophisticated backdoor delivered as a module to a subset of TrickBot installations. Active since August 2018, it is not pushed to every infected host but only to high-profile targets. Because its C2 communication scheme closely resembles the one used by early TrickBot versions, several researchers attribute it to the same authors.

References
2022-05-09 | cocomelonc | cocomelonc
Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu
2022-04-15 | Bleeping Computer | Ionut Ilascu
Karakurt revealed as data extortion arm of Conti cybercrime syndicate
Anchor BazarBackdoor Conti TrickBot
2021-07-15 | Kryptos Logic | Kryptos Logic Vantage Team
Adjusting the Anchor
Anchor
2021-04-14 | InfoSec Handlers Diary Blog | Brad Duncan
April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike
2021-03-08 | The DFIR Report | The DFIR Report
Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike
2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-20 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
Anchor and Lazarus together again?
Anchor TrickBot
2020-10-29 | Palo Alto Networks Unit 42 | Brad Duncan, Brittany Barbehenn, Doel Santos
Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot
2020-10-28 | CISA | CISA, FBI, HHS
AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
AnchorDNS Anchor BazarBackdoor Ryuk
2020-10-26 | Arbor Networks | Suweera De Souza
Dropping the Anchor
AnchorDNS Anchor TrickBot
2020-05-19 | AlienLabs | Ofer Caspi
TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot
2020-04-08 | SentinelOne | Jason Reaves
Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations
Anchor TrickBot
2020-04-07 | SecurityIntelligence | Ole Villadsen
ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
More_eggs Anchor TrickBot
2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-12-11 | Cybereason | Assaf Dahan, Eli Salem, Lior Rochberger, Mary Zhao, Matt Hart, Niv Yona, Omer Yampel
Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware
Anchor WIZARD SPIDER
2019-12-10 | Sentinel LABS | Jason Reaves, Joshua Platt, Vitali Kremez
Anchor Project | The Deadly Planeswalker: How The TrickBot Group United High-Tech Crimeware & APT
Anchor
2019-10-18 | NTT | NTT Security
TrickBot variant “Anchor_DNS” communicating over DNS
Anchor
Yara Rules
[TLP:WHITE] win_anchor_auto (20260504 | Detects win.anchor.)
rule win_anchor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.anchor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 66c740016578 c6400365 eb0a 66c74001646c }
            // n = 4, score = 800
            //   66c740016578         | mov                 word ptr [eax + 1], 0x7865
            //   c6400365             | mov                 byte ptr [eax + 3], 0x65
            //   eb0a                 | jmp                 0xc
            //   66c74001646c         | mov                 word ptr [eax + 1], 0x6c64

        $sequence_1 = { e8???????? 660f6ec0 f30fe6c0 f20f5e05???????? f20f5905???????? e8???????? }
            // n = 6, score = 600
            //   e8????????           |                     
            //   660f6ec0             | movd                xmm0, eax
            //   f30fe6c0             | cvtdq2pd            xmm0, xmm0
            //   f20f5e05????????     |                     
            //   f20f5905????????     |                     
            //   e8????????           |                     

        $sequence_2 = { 33c9 8bf8 f7e6 0f90c1 f7d9 0bc8 51 }
            // n = 7, score = 600
            //   33c9                 | xor                 ecx, ecx
            //   8bf8                 | mov                 edi, eax
            //   f7e6                 | mul                 esi
            //   0f90c1               | seto                cl
            //   f7d9                 | neg                 ecx
            //   0bc8                 | or                  ecx, eax
            //   51                   | push                ecx

        $sequence_3 = { 33c9 8b4608 6689581a 8b4608 5b 6689481c }
            // n = 6, score = 600
            //   33c9                 | xor                 ecx, ecx
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   6689581a             | mov                 word ptr [eax + 0x1a], bx
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   5b                   | pop                 ebx
            //   6689481c             | mov                 word ptr [eax + 0x1c], cx

        $sequence_4 = { 66894830 33c9 8b4610 66894832 }
            // n = 4, score = 600
            //   66894830             | mov                 word ptr [eax + 0x30], cx
            //   33c9                 | xor                 ecx, ecx
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   66894832             | mov                 word ptr [eax + 0x32], cx

        $sequence_5 = { f2e965020000 e9???????? 53 56 57 6a00 68a00f0000 }
            // n = 7, score = 600
            //   f2e965020000         | bnd jmp             0x26b
            //   e9????????           |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a00                 | push                0
            //   68a00f0000           | push                0xfa0

        $sequence_6 = { 56 e8???????? 8b30 833e00 }
            // n = 4, score = 600
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b30                 | mov                 esi, dword ptr [eax]
            //   833e00               | cmp                 dword ptr [esi], 0

        $sequence_7 = { b101 e8???????? e8???????? 84c0 }
            // n = 4, score = 600
            //   b101                 | mov                 cl, 1
            //   e8????????           |                     
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_8 = { 66894304 33c0 6a01 894306 }
            // n = 4, score = 600
            //   66894304             | mov                 word ptr [ebx + 4], ax
            //   33c0                 | xor                 eax, eax
            //   6a01                 | push                1
            //   894306               | mov                 dword ptr [ebx + 6], eax

        $sequence_9 = { 0bc1 488b4d48 8801 488b4548 }
            // n = 4, score = 200
            //   0bc1                 | or                  eax, ecx
            //   488b4d48             | mov                 rcx, qword ptr [rbp + 0x48]
            //   8801                 | mov                 byte ptr [rcx], al
            //   488b4548             | mov                 rax, qword ptr [rbp + 0x48]

        $sequence_10 = { 4c89742420 4c8d4dbb 4533c0 488b4d2f ff15???????? 8b4db7 }
            // n = 6, score = 200
            //   4c89742420           | mov                 qword ptr [rsp + 0x20], r14
            //   4c8d4dbb             | lea                 r9, [rbp - 0x45]
            //   4533c0               | xor                 r8d, r8d
            //   488b4d2f             | mov                 rcx, qword ptr [rbp + 0x2f]
            //   ff15????????         |                     
            //   8b4db7               | mov                 ecx, dword ptr [rbp - 0x49]

        $sequence_11 = { 00040f 830905 0000 83bd641a0000ff }
            // n = 4, score = 200
            //   00040f               | add                 byte ptr [rdi + rcx], al
            //   830905               | or                  dword ptr [rcx], 5
            //   0000                 | add                 byte ptr [rax], al
            //   83bd641a0000ff       | cmp                 dword ptr [rbp + 0x1a64], -1

        $sequence_12 = { 85c0 0f8401010000 488d05bffd0000 4a8b04e8 42f644303880 }
            // n = 5, score = 200
            //   85c0                 | test                eax, eax
            //   0f8401010000         | je                  0x107
            //   488d05bffd0000       | lea                 rax, [rip + 0xfdbf]
            //   4a8b04e8             | mov                 rax, qword ptr [rax + r13*8]
            //   42f644303880         | test                byte ptr [rax + r14 + 0x38], 0x80

        $sequence_13 = { 488b4338 6689480c 8d4f53 488b4338 6689480e }
            // n = 5, score = 200
            //   488b4338             | mov                 rax, qword ptr [rbx + 0x38]
            //   6689480c             | mov                 word ptr [rax + 0xc], cx
            //   8d4f53               | lea                 ecx, [rdi + 0x53]
            //   488b4338             | mov                 rax, qword ptr [rbx + 0x38]
            //   6689480e             | mov                 word ptr [rax + 0xe], cx

        $sequence_14 = { 03c2 c1f802 6bc003 894504 }
            // n = 4, score = 200
            //   03c2                 | add                 eax, edx
            //   c1f802               | sar                 eax, 2
            //   6bc003               | imul                eax, eax, 3
            //   894504               | mov                 dword ptr [rbp + 4], eax

        $sequence_15 = { 0bc1 4898 488d0d12920200 488b5528 }
            // n = 4, score = 200
            //   0bc1                 | or                  eax, ecx
            //   4898                 | cdqe                
            //   488d0d12920200       | lea                 rcx, [rip + 0x29212]
            //   488b5528             | mov                 rdx, qword ptr [rbp + 0x28]

        $sequence_16 = { 66894810 8d4f7a 488b4320 6644894812 }
            // n = 4, score = 200
            //   66894810             | mov                 word ptr [rax + 0x10], cx
            //   8d4f7a               | lea                 ecx, [rdi + 0x7a]
            //   488b4320             | mov                 rax, qword ptr [rbx + 0x20]
            //   6644894812           | mov                 word ptr [rax + 0x12], r9w

        $sequence_17 = { 03c8 8bc1 8985a4000000 488d8da8010000 }
            // n = 4, score = 200
            //   03c8                 | add                 ecx, eax
            //   8bc1                 | mov                 eax, ecx
            //   8985a4000000         | mov                 dword ptr [rbp + 0xa4], eax
            //   488d8da8010000       | lea                 rcx, [rbp + 0x1a8]

        $sequence_18 = { e8???????? 90 488d0d06f50000 e9???????? }
            // n = 4, score = 200
            //   e8????????           |                     
            //   90                   | nop                 
            //   488d0d06f50000       | lea                 rcx, [rip + 0xf506]
            //   e9????????           |                     

        $sequence_19 = { 4903c9 488b4360 418d5012 66891448 488b4360 66897c4802 }
            // n = 6, score = 200
            //   4903c9               | add                 rcx, r9
            //   488b4360             | mov                 rax, qword ptr [rbx + 0x60]
            //   418d5012             | lea                 edx, [r8 + 0x12]
            //   66891448             | mov                 word ptr [rax + rcx*2], dx
            //   488b4360             | mov                 rax, qword ptr [rbx + 0x60]
            //   66897c4802           | mov                 word ptr [rax + rcx*2 + 2], di

        $sequence_20 = { 05e0930400 894544 8b5544 488b4508 }
            // n = 4, score = 200
            //   05e0930400           | add                 eax, 0x493e0
            //   894544               | mov                 dword ptr [rbp + 0x44], eax
            //   8b5544               | mov                 edx, dword ptr [rbp + 0x44]
            //   488b4508             | mov                 rax, qword ptr [rbp + 8]

        $sequence_21 = { 0000 83bd641a0000ff 0f85fc040000 c6859412000000 }
            // n = 4, score = 200
            //   0000                 | add                 byte ptr [rax], al
            //   83bd641a0000ff       | cmp                 dword ptr [rbp + 0x1a64], -1
            //   0f85fc040000         | jne                 0x502
            //   c6859412000000       | mov                 byte ptr [rbp + 0x1294], 0

        $sequence_22 = { 034524 3b8520010000 760c c785f400000001000000 }
            // n = 4, score = 200
            //   034524               | add                 eax, dword ptr [rbp + 0x24]
            //   3b8520010000         | cmp                 eax, dword ptr [rbp + 0x120]
            //   760c                 | jbe                 0xe
            //   c785f400000001000000     | mov    dword ptr [rbp + 0xf4], 1

    condition:
        7 of them and filesize < 778240
}
[TLP:WHITE] win_anchor_w0 (20200413 | For x86 Anchor)
rule win_anchor_w0 {
    meta:
        author = "Jason Reaves"
        description = "For x86 Anchor"
        source = "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_version = "20200413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a1 = "/1001/" ascii wide
        $a2 = ":$GUID" ascii wide
        $a3 = ":$TASK" ascii wide
        $ua = "WinHTTP loader/1.0" ascii wide
        $hexlify = {0f be ?? ?? b8 f0 00 00 00 0f 45 ?? 8b ?? c1 e1 02 23 d0}
        $sdecode = {8a 04 0a 0f be c0 83 e8 ?? 88 04 0a 42 83}
        $xor_data = {80 b4 05 ?? ?? ff ff ?? 40 3b c6}

    condition:
        3 of them
}
[TLP:WHITE] win_anchor_w1 (20200413 | For x64 Anchor)
rule win_anchor_w1 {
    meta:
        author = "Jason Reaves"
        description = "For x64 Anchor"
        source = "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
        malpedia_version = "20200413"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $xor_data = {80 ?4 0? ?? ?? 48 ?? c? 48}
        $hexlify = {81 c1 f0 00 00 00 23 d1 41 8? ?? c1 e1 02}
        $a1 = "/1001/" ascii wide
        $a2 = ":$GUID" ascii wide
        $a3 = ":$TASK" ascii wide
        $ua = "WinHTTP loader/1.0" ascii wide

    condition:
        3 of them
}
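The two hand-written rules above share the same shape: four plain text strings with the ascii/wide modifiers, a few hex strings with nibble wildcards, and a "3 of them" condition. The following Python is an added example written for this page, not code from Malpedia or from the rule author. It re-implements only the subset of YARA matching semantics those rules need (hex strings with `??` and half-byte wildcards, ascii/wide text strings, an "N of them [and filesize < X]" condition as in the auto-generated rule) so the rules can be evaluated offline without libyara. Every sample buffer is constructed here and is not a real Anchor sample; the rule strings are transcribed from the page verbatim.

```python
"""Minimal evaluator for the YARA subset used by win_anchor_w0 / win_anchor_w1.

Added example, not part of the Malpedia page or the published rules. It
re-implements hex strings (with nibble wildcards), text strings with the
ascii/wide modifiers, and an "N of them [and filesize < X]" condition.
All buffers below are constructed test data, not real samples.
"""
import re


def hex_token_to_regex(tok: str) -> bytes:
    """One hex-string token ('8b', '??', '?4', 'c?') -> regex fragment."""
    if tok == "??":
        return b"."
    if "?" not in tok:
        return re.escape(bytes.fromhex(tok))
    hi, lo = tok                       # half-byte wildcard: enumerate the 16 candidates
    highs = range(16) if hi == "?" else [int(hi, 16)]
    lows = range(16) if lo == "?" else [int(lo, 16)]
    alts = b"".join(re.escape(bytes([(h << 4) | l])) for h in highs for l in lows)
    return b"[" + alts + b"]"


def compile_hex(pattern: str) -> "re.Pattern[bytes]":
    """YARA hex string such as '{80 ?4 0? ?? ?? 48 ?? c? 48}' -> compiled regex."""
    tokens = pattern.strip().strip("{}").split()
    return re.compile(b"".join(hex_token_to_regex(t) for t in tokens), re.DOTALL)


def compile_text(s: str, modifiers=("ascii",)) -> "re.Pattern[bytes]":
    """YARA text string: 'ascii' is the raw bytes, 'wide' the UTF-16LE encoding."""
    alts = []
    if "ascii" in modifiers or "wide" not in modifiers:
        alts.append(re.escape(s.encode("ascii")))
    if "wide" in modifiers:
        alts.append(re.escape(s.encode("utf-16-le")))
    return re.compile(b"|".join(alts), re.DOTALL)


# String sections of the two hand-written rules, transcribed from the page.
WIN_ANCHOR_W0 = {
    "$a1": compile_text("/1001/", ("ascii", "wide")),
    "$a2": compile_text(":$GUID", ("ascii", "wide")),
    "$a3": compile_text(":$TASK", ("ascii", "wide")),
    "$ua": compile_text("WinHTTP loader/1.0", ("ascii", "wide")),
    "$hexlify": compile_hex("{0f be ?? ?? b8 f0 00 00 00 0f 45 ?? 8b ?? c1 e1 02 23 d0}"),
    "$sdecode": compile_hex("{8a 04 0a 0f be c0 83 e8 ?? 88 04 0a 42 83}"),
    "$xor_data": compile_hex("{80 b4 05 ?? ?? ff ff ?? 40 3b c6}"),
}
WIN_ANCHOR_W1 = {
    "$xor_data": compile_hex("{80 ?4 0? ?? ?? 48 ?? c? 48}"),
    "$hexlify": compile_hex("{81 c1 f0 00 00 00 23 d1 41 8? ?? c1 e1 02}"),
    "$a1": compile_text("/1001/", ("ascii", "wide")),
    "$a2": compile_text(":$GUID", ("ascii", "wide")),
    "$a3": compile_text(":$TASK", ("ascii", "wide")),
    "$ua": compile_text("WinHTTP loader/1.0", ("ascii", "wide")),
}


def matched_strings(buf: bytes, strings: dict) -> list:
    """Identifiers of every rule string that occurs somewhere in buf."""
    return [name for name, rx in strings.items() if rx.search(buf)]


def n_of_them(buf: bytes, strings: dict, n: int, filesize_max: int = None) -> bool:
    """Evaluate 'n of them [and filesize < filesize_max]' as YARA would."""
    if filesize_max is not None and not len(buf) < filesize_max:
        return False
    return len(matched_strings(buf, strings)) >= n


# Constructed buffers (not real samples), chosen to exercise each matching path.
SAMPLE_ASCII = b"\x00" * 16 + b"/1001/\x00:$GUID\x00:$TASK\x00" + b"\x90" * 16
SAMPLE_WIDE = "/1001/ :$GUID :$TASK".encode("utf-16-le")
SAMPLE_X86_CODE = (
    bytes.fromhex("0fbe4424b8f00000000f45c18bd0c1e10223d0")   # fits w0 $hexlify
    + b"WinHTTP loader/1.0\x00/1001/"
)
SAMPLE_X64_CODE = bytes.fromhex("807405aabb488bc048") + b":$GUID\x00:$TASK"  # fits w1 $xor_data
SAMPLE_BENIGN = b"User-Agent: WinHTTP loader/1.0\r\nGET /1001/index.html"       # only 2 of them

if __name__ == "__main__":
    for label, buf in [("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE),
                       ("x86", SAMPLE_X86_CODE), ("x64", SAMPLE_X64_CODE),
                       ("benign", SAMPLE_BENIGN)]:
        print(f"{label:7} w0={n_of_them(buf, WIN_ANCHOR_W0, 3)!s:5} "
              f"w1={n_of_them(buf, WIN_ANCHOR_W1, 3)!s:5} "
              f"w0 strings={matched_strings(buf, WIN_ANCHOR_W0)}")
```

Two things the walk-through makes visible that the rule text alone does not: the three short text atoms (`/1001/`, `:$GUID`, `:$TASK`) already satisfy "3 of them" on their own, in either ASCII or UTF-16LE form, so a hit with no code sequence deserves less confidence than one that includes `$hexlify`, `$sdecode` or `$xor_data`; and the two rules differ only in those code sequences, so the same constructed x64 buffer fires win_anchor_w1 while win_anchor_w0 stays below threshold. The `filesize_max` argument mirrors the `filesize < 778240` guard of the auto-generated rule, which is the practical reason that rule should be run against unpacked files or memory dumps rather than large installers.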