SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cutwail (Back to overview)

Cutwail

Actor(s): NARWHAL SPIDER

There is no description at this point.

References
2020-09-07Github (pan-unit42)Brad Duncan
@online{duncan:20200907:collection:09ab7be, author = {Brad Duncan}, title = {{Collection of recent Dridex IOCs}}, date = {2020-09-07}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt}, language = {English}, urldate = {2020-09-15} } Collection of recent Dridex IOCs
Cutwail Dridex
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-03-15The Shadowserver FoundationShadowserver Foundation
@online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } Has The Sun Set On The Necurs Botnet?
Andromeda Cutwail Kelihos Necurs Pushdo
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-01-17Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65f4550, author = {SecureWorks}, title = {{GOLD ESSEX}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-essex}, language = {English}, urldate = {2020-05-27} } GOLD ESSEX
Cutwail Pony Pushdo NARWHAL SPIDER
2019-09-09McAfeeThomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-08-30} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
Yara Rules
[TLP:WHITE] win_cutwail_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_cutwail_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85c0 7403 c60000 53 6800040000 bb???????? }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   c60000               | mov                 byte ptr [eax], 0
            //   53                   | push                ebx
            //   6800040000           | push                0x400
            //   bb????????           |                     

        $sequence_1 = { ff30 e8???????? e8???????? 8b06 ff30 }
            // n = 5, score = 100
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   ff30                 | push                dword ptr [eax]

        $sequence_2 = { 83bdf0fdffff46 0f8d23010000 6800020000 6a00 }
            // n = 4, score = 100
            //   83bdf0fdffff46       | cmp                 dword ptr [ebp - 0x210], 0x46
            //   0f8d23010000         | jge                 0x129
            //   6800020000           | push                0x200
            //   6a00                 | push                0

        $sequence_3 = { 8b7d10 3bfb 746b 8b4508 33c9 6a04 }
            // n = 6, score = 100
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   3bfb                 | cmp                 edi, ebx
            //   746b                 | je                  0x6d
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   33c9                 | xor                 ecx, ecx
            //   6a04                 | push                4

        $sequence_4 = { f775f4 8955d8 e8???????? 33d2 f775e4 8955dc }
            // n = 6, score = 100
            //   f775f4               | div                 dword ptr [ebp - 0xc]
            //   8955d8               | mov                 dword ptr [ebp - 0x28], edx
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   f775e4               | div                 dword ptr [ebp - 0x1c]
            //   8955dc               | mov                 dword ptr [ebp - 0x24], edx

        $sequence_5 = { 0f84b3030000 48 0f846af9ffff 48 0f84c5faffff }
            // n = 5, score = 100
            //   0f84b3030000         | je                  0x3b9
            //   48                   | dec                 eax
            //   0f846af9ffff         | je                  0xfffff970
            //   48                   | dec                 eax
            //   0f84c5faffff         | je                  0xfffffacb

        $sequence_6 = { 2b45f8 894510 eb9a 837d1400 7408 8b4d14 }
            // n = 6, score = 100
            //   2b45f8               | sub                 eax, dword ptr [ebp - 8]
            //   894510               | mov                 dword ptr [ebp + 0x10], eax
            //   eb9a                 | jmp                 0xffffff9c
            //   837d1400             | cmp                 dword ptr [ebp + 0x14], 0
            //   7408                 | je                  0xa
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]

        $sequence_7 = { 56 57 8b7c240c 8b07 8b4804 33f6 2bce }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c240c             | mov                 edi, dword ptr [esp + 0xc]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   33f6                 | xor                 esi, esi
            //   2bce                 | sub                 ecx, esi

        $sequence_8 = { 8b442410 85c0 740f 894629 894e10 c7461801000000 eb07 }
            // n = 7, score = 100
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   85c0                 | test                eax, eax
            //   740f                 | je                  0x11
            //   894629               | mov                 dword ptr [esi + 0x29], eax
            //   894e10               | mov                 dword ptr [esi + 0x10], ecx
            //   c7461801000000       | mov                 dword ptr [esi + 0x18], 1
            //   eb07                 | jmp                 9

        $sequence_9 = { eb0d 6a01 ff15???????? e9???????? }
            // n = 4, score = 100
            //   eb0d                 | jmp                 0xf
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   e9????????           |                     

        $sequence_10 = { ff15???????? 8b4dfc c7410400000000 6830750000 ff15???????? }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   c7410400000000       | mov                 dword ptr [ecx + 4], 0
            //   6830750000           | push                0x7530
            //   ff15????????         |                     

        $sequence_11 = { 8b8d64feffff 038d4cfeffff 8b9544feffff 8b048d30f62004 }
            // n = 4, score = 100
            //   8b8d64feffff         | mov                 ecx, dword ptr [ebp - 0x19c]
            //   038d4cfeffff         | add                 ecx, dword ptr [ebp - 0x1b4]
            //   8b9544feffff         | mov                 edx, dword ptr [ebp - 0x1bc]
            //   8b048d30f62004       | mov                 eax, dword ptr [ecx*4 + 0x420f630]

        $sequence_12 = { 7905 48 83c8fe 40 752a }
            // n = 5, score = 100
            //   7905                 | jns                 7
            //   48                   | dec                 eax
            //   83c8fe               | or                  eax, 0xfffffffe
            //   40                   | inc                 eax
            //   752a                 | jne                 0x2c

        $sequence_13 = { 83fa01 0f859d010000 8b856cfeffff 8b0c851cf62004 51 e8???????? }
            // n = 6, score = 100
            //   83fa01               | cmp                 edx, 1
            //   0f859d010000         | jne                 0x1a3
            //   8b856cfeffff         | mov                 eax, dword ptr [ebp - 0x194]
            //   8b0c851cf62004       | mov                 ecx, dword ptr [eax*4 + 0x420f61c]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_14 = { 8a8a7c310004 8808 ebc1 8b5508 03550c c60200 c745fc01000000 }
            // n = 7, score = 100
            //   8a8a7c310004         | mov                 cl, byte ptr [edx + 0x400317c]
            //   8808                 | mov                 byte ptr [eax], cl
            //   ebc1                 | jmp                 0xffffffc3
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   03550c               | add                 edx, dword ptr [ebp + 0xc]
            //   c60200               | mov                 byte ptr [edx], 0
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1

        $sequence_15 = { 817df096000000 0f87a6000000 c745ec00000000 8d55ec }
            // n = 4, score = 100
            //   817df096000000       | cmp                 dword ptr [ebp - 0x10], 0x96
            //   0f87a6000000         | ja                  0xac
            //   c745ec00000000       | mov                 dword ptr [ebp - 0x14], 0
            //   8d55ec               | lea                 edx, [ebp - 0x14]

    condition:
        7 of them and filesize < 262144
}
Download all Yara Rules