win.cutwail

Cutwail

Actor(s): NARWHAL SPIDER


There is no description at this point.

References
2022-02-08 — DARKNET DIARIES — DARKNET DIARIES
@online{diaries:20220208:ep:9f11b1b, author = {DARKNET DIARIES}, title = {{EP 110: Spam Botnets}}, date = {2022-02-08}, organization = {DARKNET DIARIES}, url = {https://darknetdiaries.com/episode/110/}, language = {English}, urldate = {2022-02-14} } EP 110: Spam Botnets
Cutwail Rustock
2021-03-11 — IBM — Dave McMillen, Limor Kessem
@online{mcmillen:20210311:dridex:1140b01, author = {Dave McMillen and Limor Kessem}, title = {{Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts}}, date = {2021-03-11}, organization = {IBM}, url = {https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/}, language = {English}, urldate = {2021-03-12} } Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts
Cutwail Dridex
2021-02-23 — CrowdStrike — CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-06 — Mimecast — Matthew Gardiner
@online{gardiner:20210106:how:b9e3a36, author = {Matthew Gardiner}, title = {{How to Slam a Door on the Cutwail Botnet: Enforce DMARC}}, date = {2021-01-06}, organization = {Mimecast}, url = {https://www.mimecast.com/blog/how-to-slam-a-door-on-the-cutwail-botnet-enforce-dmarc/}, language = {English}, urldate = {2021-01-27} } How to Slam a Door on the Cutwail Botnet: Enforce DMARC
Cutwail
2020-09-07 — Github (pan-unit42) — Brad Duncan
@online{duncan:20200907:collection:09ab7be, author = {Brad Duncan}, title = {{Collection of recent Dridex IOCs}}, date = {2020-09-07}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt}, language = {English}, urldate = {2020-09-15} } Collection of recent Dridex IOCs
Cutwail Dridex
2020-07-17 — CERT-FR — CERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-03-15 — The Shadowserver Foundation — Shadowserver Foundation
@online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } Has The Sun Set On The Necurs Botnet?
Andromeda Cutwail Kelihos Necurs Pushdo
2020-03-04 — CrowdStrike — CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-01-17 — Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2020 — Secureworks — SecureWorks
@online{secureworks:2020:gold:65f4550, author = {SecureWorks}, title = {{GOLD ESSEX}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-essex}, language = {English}, urldate = {2020-05-27} } GOLD ESSEX
Cutwail Pony Pushdo NARWHAL SPIDER
2019-09-09 — McAfee — Thomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-08-30} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
2010 — Mandiant — Ero Carrera, Peter Silberman
@techreport{carrera:2010:state:687e608, author = {Ero Carrera and Peter Silberman}, title = {{State of Malware: Family Ties}}, date = {2010}, institution = {Mandiant}, url = {https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf}, language = {English}, urldate = {2022-01-28} } State of Malware: Family Ties
Bredolab Conficker Cutwail KoobFace Oderoor Poison Ivy Rustock Sinowal Szribi Zeus
Yara Rules
[TLP:WHITE] win_cutwail_auto (20230715 | Detects win.cutwail.)
/*
 * Auto-generated detection rule for the Cutwail family (Malpedia id win.cutwail).
 * The byte sequences below were selected by yara-signator from the disassembly
 * of Malpedia samples; the generator, its configuration and the Malpedia
 * snapshot the rule was built from are recorded in the meta section.
 */
rule win_cutwail_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // generation date of this rule; note it differs from the
        // malpedia_rule_date / malpedia_version snapshot dates below
        date = "2023-07-11"
        version = "1"
        description = "Detects win.cutwail."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // generator feature set used when selecting sequences
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of x86 instruction bytes taken from the sample.
        // "??" bytes are wildcards for operands that vary between builds (such as
        // call/jump targets and absolute addresses); their disassembly column is
        // left blank. "n" is the number of instructions in the sequence; "score"
        // is the generator's ranking value and is not referenced by the condition.
        $sequence_0 = { 56 c6455d00 ff15???????? 85c0 89452c }
            // n = 5, score = 100
            //   56                   | push                esi
            //   c6455d00             | mov                 byte ptr [ebp + 0x5d], 0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   89452c               | mov                 dword ptr [ebp + 0x2c], eax

        $sequence_1 = { 0fb74e0a 6bc03c 03c1 0fb74e0c }
            // n = 4, score = 100
            //   0fb74e0a             | movzx               ecx, word ptr [esi + 0xa]
            //   6bc03c               | imul                eax, eax, 0x3c
            //   03c1                 | add                 eax, ecx
            //   0fb74e0c             | movzx               ecx, word ptr [esi + 0xc]

        $sequence_2 = { 6a01 e8???????? 8d8d44f8ffff 83c414 57 }
            // n = 5, score = 100
            //   6a01                 | push                1
            //   e8????????           |                     
            //   8d8d44f8ffff         | lea                 ecx, [ebp - 0x7bc]
            //   83c414               | add                 esp, 0x14
            //   57                   | push                edi

        $sequence_3 = { 57 6a1c e8???????? 8b0d???????? }
            // n = 4, score = 100
            //   57                   | push                edi
            //   6a1c                 | push                0x1c
            //   e8????????           |                     
            //   8b0d????????         |                     

        $sequence_4 = { 8b85e8fdffff 8b0c8500f62004 51 e8???????? 83c410 }
            // n = 5, score = 100
            //   8b85e8fdffff         | mov                 eax, dword ptr [ebp - 0x218]
            //   8b0c8500f62004       | mov                 ecx, dword ptr [eax*4 + 0x420f600]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_5 = { 8b8d44feffff 8b9548feffff 895104 8b8544feffff c7400800c02004 6a00 6a00 }
            // n = 7, score = 100
            //   8b8d44feffff         | mov                 ecx, dword ptr [ebp - 0x1bc]
            //   8b9548feffff         | mov                 edx, dword ptr [ebp - 0x1b8]
            //   895104               | mov                 dword ptr [ecx + 4], edx
            //   8b8544feffff         | mov                 eax, dword ptr [ebp - 0x1bc]
            //   c7400800c02004       | mov                 dword ptr [eax + 8], 0x420c000
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_6 = { 753f 8d45fc 50 8d45e4 }
            // n = 4, score = 100
            //   753f                 | jne                 0x41
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   8d45e4               | lea                 eax, [ebp - 0x1c]

        $sequence_7 = { 8b01 3938 57 57 }
            // n = 4, score = 100
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   3938                 | cmp                 dword ptr [eax], edi
            //   57                   | push                edi
            //   57                   | push                edi

        $sequence_8 = { 7e0b ff15???????? 8b4d18 8901 837df800 }
            // n = 5, score = 100
            //   7e0b                 | jle                 0xd
            //   ff15????????         |                     
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   837df800             | cmp                 dword ptr [ebp - 8], 0

        $sequence_9 = { c785e0fdffff00000000 c785dcfdffff00000000 8d95dcfdffff 52 }
            // n = 4, score = 100
            //   c785e0fdffff00000000     | mov    dword ptr [ebp - 0x220], 0
            //   c785dcfdffff00000000     | mov    dword ptr [ebp - 0x224], 0
            //   8d95dcfdffff         | lea                 edx, [ebp - 0x224]
            //   52                   | push                edx

        $sequence_10 = { 83c404 8985e4fdffff 6a07 e8???????? 83c404 8985e8fdffff }
            // n = 6, score = 100
            //   83c404               | add                 esp, 4
            //   8985e4fdffff         | mov                 dword ptr [ebp - 0x21c], eax
            //   6a07                 | push                7
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8985e8fdffff         | mov                 dword ptr [ebp - 0x218], eax

        $sequence_11 = { 8b4d10 2b4df8 894d10 ebc3 6a00 }
            // n = 5, score = 100
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   2b4df8               | sub                 ecx, dword ptr [ebp - 8]
            //   894d10               | mov                 dword ptr [ebp + 0x10], ecx
            //   ebc3                 | jmp                 0xffffffc5
            //   6a00                 | push                0

        $sequence_12 = { 3bcb 74f4 8b01 3bc3 74ee }
            // n = 5, score = 100
            //   3bcb                 | cmp                 ecx, ebx
            //   74f4                 | je                  0xfffffff6
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   3bc3                 | cmp                 eax, ebx
            //   74ee                 | je                  0xfffffff0

        $sequence_13 = { 56 57 0f86ad000000 6874030000 }
            // n = 4, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   0f86ad000000         | jbe                 0xb3
            //   6874030000           | push                0x374

        $sequence_14 = { 8b856cfeffff 8b0c851cf62004 51 e8???????? 83c404 898554feffff }
            // n = 6, score = 100
            //   8b856cfeffff         | mov                 eax, dword ptr [ebp - 0x194]
            //   8b0c851cf62004       | mov                 ecx, dword ptr [eax*4 + 0x420f61c]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   898554feffff         | mov                 dword ptr [ebp - 0x1ac], eax

        $sequence_15 = { c7400800c02004 6a00 6a00 8b8d44feffff 51 68???????? 6a00 }
            // n = 7, score = 100
            //   c7400800c02004       | mov                 dword ptr [eax + 8], 0x420c000
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8b8d44feffff         | mov                 ecx, dword ptr [ebp - 0x1bc]
            //   51                   | push                ecx
            //   68????????           |                     
            //   6a00                 | push                0

    condition:
        // Match when at least 7 of the 16 sequences are present and the scanned
        // object is smaller than 262144 bytes (256 KiB). The size cap means that
        // objects of 256 KiB or more never match, however many sequences they
        // contain; check that it suits your scan targets (e.g. large memory
        // regions or padded files) before relying on the rule there.
        7 of them and filesize < 262144
}