win.carbanak

Carbanak

aka: Anunak

Actor(s): Anunak


There is no description at this point.

References
2020-09-01 — threatintel.blog — Yusuf Arslan Polat
@online{polat:20200901:opblueraven:ca6fb44, author = {Yusuf Arslan Polat}, title = {{OpBlueRaven: Unveiling Fin7/Carbanak - Part II : BadUSB Attacks}}, date = {2020-09-01}, organization = {threatintel.blog}, url = {https://threatintel.blog/OPBlueRaven-Part2/}, language = {English}, urldate = {2020-09-15} } OpBlueRaven: Unveiling Fin7/Carbanak - Part II : BadUSB Attacks
Bella Carbanak Anunak
2020-07-31 — PRODAFT Threat Intelligence — Yusuf Arslan Polat
@online{polat:20200731:opblueraven:9e58e0c, author = {Yusuf Arslan Polat}, title = {{OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion}}, date = {2020-07-31}, organization = {PRODAFT Threat Intelligence}, url = {https://threatintel.blog/OPBlueRaven-Part1/}, language = {English}, urldate = {2020-08-05} } OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion
Carbanak REvil Anunak
2020-03-23 — Kaspersky Labs — Félix Aime, Yury Namestnikov
@online{aime:20200323:fin7:66bea6f, author = {Félix Aime and Yury Namestnikov}, title = {{Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest}}, date = {2020-03-23}, organization = {Kaspersky Labs}, url = {https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest}, language = {English}, urldate = {2020-04-07} } Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest
Carbanak
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 — Secureworks — SecureWorks
@online{secureworks:2020:gold:97e5784, author = {SecureWorks}, title = {{GOLD NIAGARA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-niagara}, language = {English}, urldate = {2020-05-23} } GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet Anunak
2019-04-24 — FireEye — James T. Bennett, Michael Bailey
@online{bennett:20190424:carbanak:2376f75, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Three: Behind the CARBANAK Backdoor}}, date = {2019-04-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html}, language = {English}, urldate = {2019-12-20} } CARBANAK Week Part Three: Behind the CARBANAK Backdoor
Carbanak
2019-04-22 — FireEye — Michael Bailey, James T. Bennett
@online{bailey:20190422:carbanak:c94c9f1, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part One: A Rare Occurrence}}, date = {2019-04-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html}, language = {English}, urldate = {2019-12-20} } CARBANAK Week Part One: A Rare Occurrence
Carbanak
2018-10-01 — FireEye — Regina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot
2017-06-12 — FireEye — Barry Vengerik, James T. Bennett
@online{vengerik:20170612:behind:14b4edc, author = {Barry Vengerik and James T. Bennett}, title = {{Behind the CARBANAK Backdoor}}, date = {2017-06-12}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html}, language = {English}, urldate = {2019-12-20} } Behind the CARBANAK Backdoor
Carbanak DRIFTPIN
2015-02 — Kaspersky SAS — GReAT
@online{great:201502:carbanak:1b262fc, author = {GReAT}, title = {{Carbanak APT: The Great Bank Robbery}}, date = {2015-02}, organization = {Kaspersky SAS}, url = {https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe}, language = {English}, urldate = {2020-05-18} } Carbanak APT: The Great Bank Robbery
Carbanak Anunak
Yara Rules
[TLP:WHITE] win_carbanak_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_carbanak_auto {

    // Provenance metadata written by the generator. malpedia_hash and
    // malpedia_version presumably identify the Malpedia dataset snapshot the
    // rule was derived from — not confirmed from this listing.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * Each $sequence_N is a short run of 32-bit x86 instruction bytes lifted
     * from the disassembly of one sample. In the per-sequence annotations,
     * "n" is the number of instructions in the sequence (matches the listed
     * instruction count); "score" is a generator ranking whose scale is not
     * documented here.
     * The "??" wildcards cover the 4-byte operands of e8 (call rel32) and
     * 68 (push imm32) instructions, whose values vary between builds and load
     * addresses, so only the opcode byte is matched for those instructions.
     * Several sequences contain generic compiler idioms — 55 8bec (push ebp;
     * mov ebp, esp), c3 (ret), 5f 5e (pop edi; pop esi) — that also occur in
     * unrelated code, so no single sequence is a reliable indicator on its
     * own; the 7-of-10 threshold in the condition is what gives the rule its
     * specificity. Sequences 1 and 9 share a "push constant; push small int;
     * call; pop; pop; call eax" shape, which looks like a resolver returning
     * a function pointer that is then invoked — an inference from the
     * disassembly, not confirmed here.
     */


    strings:
        $sequence_0 = { 3913 7415 8b4104 52 52 ff33 ff30 }
            // n = 7, score = 200
            //   3913                 | cmp                 dword ptr [ebx], edx
            //   7415                 | je                  0x17
            //   8b4104               | mov                 eax, dword ptr [ecx + 4]
            //   52                   | push                edx
            //   52                   | push                edx
            //   ff33                 | push                dword ptr [ebx]
            //   ff30                 | push                dword ptr [eax]

        $sequence_1 = { 57 68a68b0700 6a06 e8???????? 59 59 ffd0 }
            // n = 7, score = 200
            //   57                   | push                edi
            //   68a68b0700           | push                0x78ba6
            //   6a06                 | push                6
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   ffd0                 | call                eax

        $sequence_2 = { 7415 ff7518 8d4610 50 8d4620 50 6a00 }
            // n = 7, score = 200
            //   7415                 | je                  0x17
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   8d4610               | lea                 eax, [esi + 0x10]
            //   50                   | push                eax
            //   8d4620               | lea                 eax, [esi + 0x20]
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_3 = { 8802 42 49 75f7 8bc7 5f 5e }
            // n = 7, score = 200
            //   8802                 | mov                 byte ptr [edx], al
            //   42                   | inc                 edx
            //   49                   | dec                 ecx
            //   75f7                 | jne                 0xfffffff9
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_4 = { 83610400 8bc1 c3 55 8bec 8d4510 50 }
            // n = 7, score = 200
            //   83610400             | and                 dword ptr [ecx + 4], 0
            //   8bc1                 | mov                 eax, ecx
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8d4510               | lea                 eax, [ebp + 0x10]
            //   50                   | push                eax

        $sequence_5 = { 51 52 68???????? e8???????? 83c424 837e2000 }
            // n = 6, score = 200
            //   51                   | push                ecx
            //   52                   | push                edx
            //   68????????           |                     
            //   e8????????           |                     
            //   83c424               | add                 esp, 0x24
            //   837e2000             | cmp                 dword ptr [esi + 0x20], 0

        $sequence_6 = { 8bf8 6880000000 57 e8???????? 56 ff750c }
            // n = 6, score = 200
            //   8bf8                 | mov                 edi, eax
            //   6880000000           | push                0x80
            //   57                   | push                edi
            //   e8????????           |                     
            //   56                   | push                esi
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_7 = { c3 55 8bec 51 51 8d45ff 56 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   8d45ff               | lea                 eax, [ebp - 1]
            //   56                   | push                esi

        $sequence_8 = { 4e 79f6 c60200 5e c9 c3 55 }
            // n = 7, score = 200
            //   4e                   | dec                 esi
            //   79f6                 | jns                 0xfffffff8
            //   c60200               | mov                 byte ptr [edx], 0
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_9 = { ff750c 6814bbf609 6a02 e8???????? 59 59 ffd0 }
            // n = 7, score = 200
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   6814bbf609           | push                0x9f6bb14
            //   6a02                 | push                2
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   ffd0                 | call                eax

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 425984 bytes (416 KiB); the size cap
        // bounds scan cost and excludes larger objects, so unpacked or
        // padded variants above that size would not match.
        // NOTE(review): how "filesize" evaluates when scanning process memory
        // rather than a file should be confirmed for the YARA version in use.
        7 of them and filesize < 425984
}