SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cutwail (Back to overview)

Cutwail

Actor(s): NARWHAL SPIDER


There is no description at this point.

References
2020-09-07Github (pan-unit42)Brad Duncan
@online{duncan:20200907:collection:09ab7be, author = {Brad Duncan}, title = {{Collection of recent Dridex IOCs}}, date = {2020-09-07}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt}, language = {English}, urldate = {2020-09-15} } Collection of recent Dridex IOCs
Cutwail Dridex
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-03-15The Shadowserver FoundationShadowserver Foundation
@online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } Has The Sun Set On The Necurs Botnet?
Andromeda Cutwail Kelihos Necurs Pushdo
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-01-17Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65f4550, author = {SecureWorks}, title = {{GOLD ESSEX}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-essex}, language = {English}, urldate = {2020-05-27} } GOLD ESSEX
Cutwail Pony Pushdo NARWHAL SPIDER
2019-09-09McAfeeThomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-08-30} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
Yara Rules
[TLP:WHITE] win_cutwail_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_cutwail_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f80c 0f8427010000 837f1400 0f851d010000 83f806 }
            // n = 5, score = 100
            //   83f80c               | cmp                 eax, 0xc
            //   0f8427010000         | je                  0x12d
            //   837f1400             | cmp                 dword ptr [edi + 0x14], 0
            //   0f851d010000         | jne                 0x123
            //   83f806               | cmp                 eax, 6

        $sequence_1 = { 57 50 ff75fc e8???????? 85c0 753b }
            // n = 6, score = 100
            //   57                   | push                edi
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   753b                 | jne                 0x3d

        $sequence_2 = { 8b4608 3bc3 c6466001 7444 8338ff }
            // n = 5, score = 100
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   3bc3                 | cmp                 eax, ebx
            //   c6466001             | mov                 byte ptr [esi + 0x60], 1
            //   7444                 | je                  0x46
            //   8338ff               | cmp                 dword ptr [eax], -1

        $sequence_3 = { 7513 6a6b 8d8d30faffff e8???????? 83c004 8945e8 }
            // n = 6, score = 100
            //   7513                 | jne                 0x15
            //   6a6b                 | push                0x6b
            //   8d8d30faffff         | lea                 ecx, [ebp - 0x5d0]
            //   e8????????           |                     
            //   83c004               | add                 eax, 4
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

        $sequence_4 = { 897c0804 8b4604 8b0e 6bc00c ff750c }
            // n = 5, score = 100
            //   897c0804             | mov                 dword ptr [eax + ecx + 4], edi
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   6bc00c               | imul                eax, eax, 0xc
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_5 = { 57 57 57 ff757c e8???????? }
            // n = 5, score = 100
            //   57                   | push                edi
            //   57                   | push                edi
            //   57                   | push                edi
            //   ff757c               | push                dword ptr [ebp + 0x7c]
            //   e8????????           |                     

        $sequence_6 = { 33db 395d0c 56 8bf1 7508 83c8ff e9???????? }
            // n = 7, score = 100
            //   33db                 | xor                 ebx, ebx
            //   395d0c               | cmp                 dword ptr [ebp + 0xc], ebx
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   7508                 | jne                 0xa
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           |                     

        $sequence_7 = { 83c004 ff35???????? 50 e8???????? a1???????? }
            // n = 5, score = 100
            //   83c004               | add                 eax, 4
            //   ff35????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   a1????????           |                     

    condition:
        7 of them and filesize < 262144
}
Download all Yara Rules