win.carbanak

Carbanak

aka: Anunak, Sekur RAT

Actor(s): FIN7


MyCERT states that Carbanak is a remote backdoor designed for espionage, data exfiltration and remote control.

The attacker deploys the malware via spear-phishing emails that lure the user into opening and running a malicious attachment, which infects the machine. The main objective of the campaign is to remotely control the infected machine and from there gain control of internal money-processing services such as Automated Teller Machines (ATMs) and financial accounts. The following are the malware's capabilities:

References
2024-07-02 | Sekoia | Quentin Bourgue
Exposing FakeBat loader: distribution methods and adversary infrastructure
Tags: BlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer NetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar

2023-12-13 | cocomelonc | cocomelonc
Malware in the wild book
Tags: AsyncRAT Babuk BlackCat BlackLotus Carbanak HelloKitty Paradise Stealc WinDealer

2022-12-22 | PRODAFT | PRODAFT
Fin7 Unveiled: A deep dive into notorious cybercrime gang
Tags: Carbanak

2022-07-30 | cocomelonc
Malware AV evasion - part 8. Encode payload via Z85
Tags: Agent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector

2022-07-18 | Palo Alto Networks Unit 42 | Unit 42
Mule Libra
Tags: Carbanak Cobalt

2022-05-09 | cocomelonc | cocomelonc
Malware development: persistence - part 4. Windows services. Simple C++ example.
Tags: Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu

2022-04-27 | ANSSI | ANSSI
LE GROUPE CYBERCRIMINEL FIN7 (The FIN7 cybercriminal group)
Tags: Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot

2022-04-22 | Mandiant | Mandiant
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Tags: POWERTRASH Carbanak DICELOADER STONEBOAT

2022-04-04 | Mandiant | Brendan McKeague, Bryce Abdo, Ioana Teaca, Zander Work
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Tags: Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite

2021-09-06 | cocomelonc | cocomelonc
AV engines evasion for C++ simple malware: part 2
Tags: Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze

2021-08-30 | CrowdStrike | Eric Loui, Josh Reynolds
CARBON SPIDER Embraces Big Game Hunting, Part 1
Tags: Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil

2021-06-02 | The Record | Catalin Cimpanu
Two Carbanak hackers sentenced to eight years in prison in Kazakhstan
Tags: Carbanak

2021-02-26 | CrowdStrike | Eric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
Tags: DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil

2020-12-22 | TRUESEC | Mattias Wåhlén
Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Tags: Carbanak Cobalt Strike Ryuk

2020-09-01 | PRODAFT Threat Intelligence | PRODAFT
OpBlueRaven: Unveiling Fin7/Carbanak - Part II : BadUSB Attacks
Tags: Bella Carbanak FIN7

2020-07-31 | PRODAFT Threat Intelligence | PRODAFT
OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion
Tags: Carbanak REvil FIN7

2020-03-23 | Kaspersky Labs | Félix Aime, Yury Namestnikov
Fin7 APT: how billion dollar crime ring remains active after leaders' arrest
Tags: Carbanak

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
APT Report 2019
Tags: Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020-01-01 | Secureworks | SecureWorks
GOLD NIAGARA
Tags: Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7

2019-04-24 | FireEye | James T. Bennett, Michael Bailey
CARBANAK Week Part Three: Behind the CARBANAK Backdoor
Tags: Carbanak

2019-04-22 | FireEye | James T. Bennett, Michael Bailey
CARBANAK Week Part One: A Rare Occurrence
Tags: Carbanak

2018-10-01 | FireEye | Katie Nickels, Regina Elwell
ATT&CKing FIN7
Tags: Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot

2017-06-12 | FireEye | Barry Vengerik, James T. Bennett
Behind the CARBANAK Backdoor
Tags: Carbanak DRIFTPIN

2015-02-01 | Kaspersky SAS | GReAT
Carbanak APT: The Great Bank Robbery
Tags: Carbanak FIN7
Yara Rules
[TLP:WHITE] win_carbanak_auto (20241030 | Detects win.carbanak.)
rule win_carbanak_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.carbanak."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 3d2c5c0700 750a e8???????? e9???????? }
            // n = 5, score = 500
            //   e9????????           |                     
            //   3d2c5c0700           | cmp                 eax, 0x75c2c
            //   750a                 | jne                 0xc
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_1 = { 85c0 7509 e8???????? b001 }
            // n = 4, score = 500
            //   85c0                 | test                eax, eax
            //   7509                 | jne                 0xb
            //   e8????????           |                     
            //   b001                 | mov                 al, 1

        $sequence_2 = { 7c0d e8???????? 84c0 7504 33c0 }
            // n = 5, score = 500
            //   7c0d                 | jl                  0xf
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax

        $sequence_3 = { 7907 32c0 e9???????? 7507 b001 }
            // n = 5, score = 500
            //   7907                 | jns                 9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     
            //   7507                 | jne                 9
            //   b001                 | mov                 al, 1

        $sequence_4 = { ba31af8402 8d6b09 8bcd e8???????? 33d2 33c9 }
            // n = 6, score = 300
            //   ba31af8402           | mov                 edx, 0x284af31
            //   8d6b09               | lea                 ebp, [ebx + 9]
            //   8bcd                 | mov                 ecx, ebp
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx

        $sequence_5 = { 450f44fc e8???????? 488b8d20010000 ffd0 488d4c2460 }
            // n = 5, score = 300 (x64 code)
            //   450f44fc             | cmove               r15d, r12d
            //   e8????????           |                     
            //   488b8d20010000       | mov                 rcx, qword ptr [rbp + 0x120]
            //   ffd0                 | call                rax
            //   488d4c2460           | lea                 rcx, [rsp + 0x60]

        $sequence_6 = { 4183c9ff 4d8bc7 488bc8 458d7921 418bd7 e8???????? }
            // n = 6, score = 300 (x64 code)
            //   4183c9ff             | or                  r9d, 0xffffffff
            //   4d8bc7               | mov                 r8, r15
            //   488bc8               | mov                 rcx, rax
            //   458d7921             | lea                 r15d, [r9 + 0x21]
            //   418bd7               | mov                 edx, r15d
            //   e8????????           |                     

        $sequence_7 = { 8b8614020000 8b4d10 83c40c 40 69c084000000 890c30 }
            // n = 6, score = 200
            //   8b8614020000         | mov                 eax, dword ptr [esi + 0x214]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   83c40c               | add                 esp, 0xc
            //   40                   | inc                 eax
            //   69c084000000         | imul                eax, eax, 0x84
            //   890c30               | mov                 dword ptr [eax + esi], ecx

        $sequence_8 = { e8???????? 8b00 8b7004 eb0b c6043e00 46 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b7004               | mov                 esi, dword ptr [eax + 4]
            //   eb0b                 | jmp                 0xd
            //   c6043e00             | mov                 byte ptr [esi + edi], 0
            //   46                   | inc                 esi

        $sequence_9 = { 8d8d2cfeffff e8???????? ff35???????? 8d45fc 50 e8???????? }
            // n = 6, score = 200
            //   8d8d2cfeffff         | lea                 ecx, [ebp - 0x1d4]
            //   e8????????           |                     
            //   ff35????????         |                     
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_10 = { 56 8b7510 8bc6 83e001 83e602 57 }
            // n = 6, score = 200
            //   56                   | push                esi
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   8bc6                 | mov                 eax, esi
            //   83e001               | and                 eax, 1
            //   83e602               | and                 esi, 2
            //   57                   | push                edi

    condition:
        7 of them and filesize < 658432
}