win.carbanak

Carbanak

aka: Anunak

Actor(s): Anunak


There is no description at this point.

References
2020-07-31 · PRODAFT Threat Intelligence · Yusuf Arslan Polat
@online{polat:20200731:opblueraven:9e58e0c, author = {Yusuf Arslan Polat}, title = {{OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion}}, date = {2020-07-31}, organization = {PRODAFT Threat Intelligence}, url = {https://threatintel.blog/OPBlueRaven-Part1/}, language = {English}, urldate = {2020-08-05} } OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion
Carbanak REvil
2020-03-23 · Kaspersky Labs · Félix Aime, Yury Namestnikov
@online{aime:20200323:fin7:66bea6f, author = {Félix Aime and Yury Namestnikov}, title = {{Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest}}, date = {2020-03-23}, organization = {Kaspersky Labs}, url = {https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest}, language = {English}, urldate = {2020-04-07} } Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest
Carbanak
2020-02-13 · Qianxin · Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 · Secureworks · SecureWorks
@online{secureworks:2020:gold:97e5784, author = {SecureWorks}, title = {{GOLD NIAGARA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-niagara}, language = {English}, urldate = {2020-05-23} } GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet Anunak
2019-04-24 · FireEye · James T. Bennett, Michael Bailey
@online{bennett:20190424:carbanak:2376f75, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Three: Behind the CARBANAK Backdoor}}, date = {2019-04-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html}, language = {English}, urldate = {2019-12-20} } CARBANAK Week Part Three: Behind the CARBANAK Backdoor
Carbanak
2019-04-22 · FireEye · Michael Bailey, James T. Bennett
@online{bailey:20190422:carbanak:c94c9f1, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part One: A Rare Occurrence}}, date = {2019-04-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html}, language = {English}, urldate = {2019-12-20} } CARBANAK Week Part One: A Rare Occurrence
Carbanak
2018-10-01 · FireEye · Regina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot
2017-06-12 · FireEye · Barry Vengerik, James T. Bennett
@online{vengerik:20170612:behind:14b4edc, author = {Barry Vengerik and James T. Bennett}, title = {{Behind the CARBANAK Backdoor}}, date = {2017-06-12}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html}, language = {English}, urldate = {2019-12-20} } Behind the CARBANAK Backdoor
Carbanak DRIFTPIN
2015-02 · Kaspersky SAS · GReAT
@online{great:201502:carbanak:1b262fc, author = {GReAT}, title = {{Carbanak APT: The Great Bank Robbery}}, date = {2015-02}, organization = {Kaspersky SAS}, url = {https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe}, language = {English}, urldate = {2020-05-18} } Carbanak APT: The Great Bank Robbery
Carbanak Anunak
Yara Rules
[TLP:WHITE] win_carbanak_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_carbanak_auto {
    /* Purpose: flag Carbanak (aka Anunak, see malpedia_reference below) by
     * matching x86 machine-code byte sequences that yara-signator selected
     * from memory dumps and unpacked samples (see DISCLAIMER).
     * Fires only when at least 7 of the 10 $sequence_* patterns are present
     * AND the scanned object is smaller than 425984 bytes (416 KiB); see the
     * condition at the bottom. Because the patterns come from unpacked code,
     * the rule is most useful against dumped/unpacked images rather than
     * packed on-disk droppers.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string is one short instruction sequence; the comment
        // block under it gives the per-instruction disassembly.
        //   n     = number of instructions in the sequence
        //   score = yara-signator's ranking value for the sequence (tool-internal;
        //           consult the tool's documentation before interpreting it)
        // Bytes written as "??" are wildcards. They appear on e8/e9 opcodes,
        // whose disassembly column is left blank — presumably call/jmp rel32
        // whose 4-byte relative target differs between builds, so it is masked
        // rather than hard-coded (TODO confirm against the tool's "callsandjumps"
        // setting in tool_config).
        $sequence_0 = { 385d08 7410 68e8030000 e8???????? 59 }
            // n = 5, score = 200
            //   385d08               | cmp                 byte ptr [ebp + 8], bl
            //   7410                 | je                  0x12
            //   68e8030000           | push                0x3e8
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_1 = { 8b4704 83e6fc 48 c7470808000000 }
            // n = 4, score = 200
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   83e6fc               | and                 esi, 0xfffffffc
            //   48                   | dec                 eax
            //   c7470808000000       | mov                 dword ptr [edi + 8], 8

        $sequence_2 = { 1ac0 fec0 5d c20c00 55 8bec 83ec68 }
            // n = 7, score = 200
            //   1ac0                 | sbb                 al, al
            //   fec0                 | inc                 al
            //   5d                   | pop                 ebp
            //   c20c00               | ret                 0xc
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec68               | sub                 esp, 0x68

        $sequence_3 = { 46 3b75f8 7c8b eb1a 8b4d08 6bf62c 6aff }
            // n = 7, score = 200
            //   46                   | inc                 esi
            //   3b75f8               | cmp                 esi, dword ptr [ebp - 8]
            //   7c8b                 | jl                  0xffffff8d
            //   eb1a                 | jmp                 0x1c
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   6bf62c               | imul                esi, esi, 0x2c
            //   6aff                 | push                -1

        $sequence_4 = { 68336cd907 6a00 e8???????? 59 59 ffd0 c3 }
            // n = 7, score = 200
            //   68336cd907           | push                0x7d96c33
            //   6a00                 | push                0
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   ffd0                 | call                eax
            //   c3                   | ret                 

        $sequence_5 = { 89be84020000 e8???????? 8d8640020000 50 e8???????? 8d8660020000 }
            // n = 6, score = 200
            //   89be84020000         | mov                 dword ptr [esi + 0x284], edi
            //   e8????????           |                     
            //   8d8640020000         | lea                 eax, [esi + 0x240]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8660020000         | lea                 eax, [esi + 0x260]

        $sequence_6 = { 56 e8???????? eb12 8d4645 50 }
            // n = 5, score = 200
            //   56                   | push                esi
            //   e8????????           |                     
            //   eb12                 | jmp                 0x14
            //   8d4645               | lea                 eax, [esi + 0x45]
            //   50                   | push                eax

        $sequence_7 = { e9???????? 55 8bec 81eccc000000 53 }
            // n = 5, score = 200
            //   e9????????           |                     
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81eccc000000         | sub                 esp, 0xcc
            //   53                   | push                ebx

        $sequence_8 = { 8b5624 ebb9 8b450c ebb7 55 8bec }
            // n = 6, score = 200
            //   8b5624               | mov                 edx, dword ptr [esi + 0x24]
            //   ebb9                 | jmp                 0xffffffbb
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   ebb7                 | jmp                 0xffffffb9
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_9 = { 8bec 8b4d0c 56 8b4104 8b7508 48 57 }
            // n = 7, score = 200
            //   8bec                 | mov                 ebp, esp
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   56                   | push                esi
            //   8b4104               | mov                 eax, dword ptr [ecx + 4]
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   48                   | dec                 eax
            //   57                   | push                edi

    condition:
        // "7 of them" = at least 7 of the 10 sequences above, so up to 3
        // sequences may be absent (e.g. a rebuilt or shifted fragment) without
        // losing the match. The filesize cap (425984 bytes = 416 KiB) means any
        // object at or above that size never matches, regardless of strings;
        // apply the rule to unpacked files or memory dumps, consistent with how
        // the sequences were derived (see DISCLAIMER), and assign a confidence
        // level that reflects the single-sample basis noted there.
        7 of them and filesize < 425984
}