win.cutwail

Cutwail

Actor(s): NARWHAL SPIDER


There is no description at this point.

References
2020-03-15 — The Shadowserver Foundation — Shadowserver Foundation
@online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } Has The Sun Set On The Necurs Botnet?
Andromeda Cutwail Kelihos Necurs Pushdo
2020-03-04 — CrowdStrike — CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-01-17 — Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2020 — Secureworks — SecureWorks
@online{secureworks:2020:gold:65f4550, author = {SecureWorks}, title = {{GOLD ESSEX}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-essex}, language = {English}, urldate = {2020-05-27} } GOLD ESSEX
Cutwail Pony Pushdo NARWHAL SPIDER
2019-09-09 — McAfee — Thomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-01-10} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
Yara Rules
[TLP:WHITE] win_cutwail_auto (20200529 | autogenerated rule brought to you by yara-signator)
/*
 * Malpedia-distributed detection rule for the Cutwail family (win.cutwail).
 * The byte sequences were generated by yara-signator from the disassembly of
 * memory dumps and unpacked files (see the DISCLAIMER below); a packed
 * on-disk sample may therefore not expose these sequences until it is
 * unpacked or dumped from memory.
 * Each $sequence_N string is a run of x86 instruction bytes. A "??" is a
 * wildcard matching any byte; it sits on operands that are not fixed
 * (call/jump targets), which is why those rows in the disassembly listing
 * below each string are left blank.
 */
rule win_cutwail_auto {

    // Metadata only: YARA does not evaluate these fields in the condition.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        // Feature classes used for generation; exact semantics per the
        // yara-signator project linked in the DISCLAIMER — confirm there.
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail"
        malpedia_rule_date = "20200529"
        // NOTE(review): presumably the Malpedia dataset revision the rule was
        // built from — verify against Malpedia's documentation.
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Sixteen hex strings ($sequence_0 .. $sequence_15). Under each one,
    // "n" is the number of instructions in the sequence (it equals the number
    // of listed rows) and "score" is yara-signator's selection score for that
    // sequence (scoring semantics per the tool).
    strings:
        $sequence_0 = { 894510 eb9a 837d1400 7408 }
            // n = 4, score = 100
            //   894510               | mov                 dword ptr [ebp + 0x10], eax
            //   eb9a                 | jmp                 0xffffff9c
            //   837d1400             | cmp                 dword ptr [ebp + 0x14], 0
            //   7408                 | je                  0xa

        $sequence_1 = { 7429 834e20ff 33c0 833f05 0f94c0 }
            // n = 5, score = 100
            //   7429                 | je                  0x2b
            //   834e20ff             | or                  dword ptr [esi + 0x20], 0xffffffff
            //   33c0                 | xor                 eax, eax
            //   833f05               | cmp                 dword ptr [edi], 5
            //   0f94c0               | sete                al

        $sequence_2 = { 8b8decfdffff 51 e8???????? eb0d 6a01 ff15???????? e9???????? }
            // n = 7, score = 100
            //   8b8decfdffff         | mov                 ecx, dword ptr [ebp - 0x214]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   eb0d                 | jmp                 0xf
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   e9????????           |                     

        $sequence_3 = { 83e004 8d440801 6a00 50 e8???????? 8b4e1c 8b5620 }
            // n = 7, score = 100
            //   83e004               | and                 eax, 4
            //   8d440801             | lea                 eax, [eax + ecx + 1]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4e1c               | mov                 ecx, dword ptr [esi + 0x1c]
            //   8b5620               | mov                 edx, dword ptr [esi + 0x20]

        $sequence_4 = { 8b5d18 3bdf 7434 e8???????? 680000a000 6a42 }
            // n = 6, score = 100
            //   8b5d18               | mov                 ebx, dword ptr [ebp + 0x18]
            //   3bdf                 | cmp                 ebx, edi
            //   7434                 | je                  0x36
            //   e8????????           |                     
            //   680000a000           | push                0xa00000
            //   6a42                 | push                0x42

        $sequence_5 = { 83c40c 8945fc 8b07 50 }
            // n = 4, score = 100
            //   83c40c               | add                 esp, 0xc
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   50                   | push                eax

        $sequence_6 = { eb30 0fbe7c3d60 8b4570 57 }
            // n = 4, score = 100
            //   eb30                 | jmp                 0x32
            //   0fbe7c3d60           | movsx               edi, byte ptr [ebp + edi + 0x60]
            //   8b4570               | mov                 eax, dword ptr [ebp + 0x70]
            //   57                   | push                edi

        $sequence_7 = { 8b4d14 ff75fc 8901 8d450c 50 56 e8???????? }
            // n = 7, score = 100
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8d450c               | lea                 eax, [ebp + 0xc]
            //   50                   | push                eax
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_8 = { 39855cfeffff 7633 8b8d5cfeffff 898d68feffff e8???????? }
            // n = 5, score = 100
            //   39855cfeffff         | cmp                 dword ptr [ebp - 0x1a4], eax
            //   7633                 | jbe                 0x35
            //   8b8d5cfeffff         | mov                 ecx, dword ptr [ebp - 0x1a4]
            //   898d68feffff         | mov                 dword ptr [ebp - 0x198], ecx
            //   e8????????           |                     

        $sequence_9 = { 6a50 e8???????? 59 894718 }
            // n = 4, score = 100
            //   6a50                 | push                0x50
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   894718               | mov                 dword ptr [edi + 0x18], eax

        $sequence_10 = { 51 8b5508 52 e8???????? 8945f8 837d1800 7419 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   837d1800             | cmp                 dword ptr [ebp + 0x18], 0
            //   7419                 | je                  0x1b

        $sequence_11 = { 8b9554feffff 895104 8b8550feffff c7400800c02004 6a00 }
            // n = 5, score = 100
            //   8b9554feffff         | mov                 edx, dword ptr [ebp - 0x1ac]
            //   895104               | mov                 dword ptr [ecx + 4], edx
            //   8b8550feffff         | mov                 eax, dword ptr [ebp - 0x1b0]
            //   c7400800c02004       | mov                 dword ptr [eax + 8], 0x420c000
            //   6a00                 | push                0

        $sequence_12 = { 837d0800 745e 837d0c00 7458 c745f800000000 eb09 }
            // n = 6, score = 100
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   745e                 | je                  0x60
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   7458                 | je                  0x5a
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   eb09                 | jmp                 0xb

        $sequence_13 = { 833900 0f84ba000000 c745f000000000 817df096000000 }
            // n = 4, score = 100
            //   833900               | cmp                 dword ptr [ecx], 0
            //   0f84ba000000         | je                  0xc0
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   817df096000000       | cmp                 dword ptr [ebp - 0x10], 0x96

        $sequence_14 = { 8b0c8500f62004 51 e8???????? 83c410 }
            // n = 4, score = 100
            //   8b0c8500f62004       | mov                 ecx, dword ptr [eax*4 + 0x420f600]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_15 = { e8???????? 85c0 59 59 753f 56 8d4db2 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   753f                 | jne                 0x41
            //   56                   | push                esi
            //   8d4db2               | lea                 ecx, [ebp - 0x4e]

    // Fires when at least 7 of the 16 $sequence_* strings are found and the
    // scanned object is smaller than 262144 bytes (256 KiB). The size bound
    // applies to whatever is being scanned (file or dumped region), so very
    // large memory images will not match regardless of string hits.
    condition:
        7 of them and filesize < 262144
}