SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cutwail (Back to overview)

Cutwail

Actor(s): NARWHAL SPIDER

There is no description at this point.

References
2021-03-11IBMDave McMillen, Limor Kessem
@online{mcmillen:20210311:dridex:1140b01, author = {Dave McMillen and Limor Kessem}, title = {{Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts}}, date = {2021-03-11}, organization = {IBM}, url = {https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/}, language = {English}, urldate = {2021-03-12} } Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts
Cutwail Dridex
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-06MimecastMatthew Gardiner
@online{gardiner:20210106:how:b9e3a36, author = {Matthew Gardiner}, title = {{How to Slam a Door on the Cutwail Botnet: Enforce DMARC}}, date = {2021-01-06}, organization = {Mimecast}, url = {https://www.mimecast.com/blog/how-to-slam-a-door-on-the-cutwail-botnet-enforce-dmarc/}, language = {English}, urldate = {2021-01-27} } How to Slam a Door on the Cutwail Botnet: Enforce DMARC
Cutwail
2020-09-07Github (pan-unit42)Brad Duncan
@online{duncan:20200907:collection:09ab7be, author = {Brad Duncan}, title = {{Collection of recent Dridex IOCs}}, date = {2020-09-07}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt}, language = {English}, urldate = {2020-09-15} } Collection of recent Dridex IOCs
Cutwail Dridex
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-03-15The Shadowserver FoundationShadowserver Foundation
@online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } Has The Sun Set On The Necurs Botnet?
Andromeda Cutwail Kelihos Necurs Pushdo
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-01-17Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65f4550, author = {SecureWorks}, title = {{GOLD ESSEX}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-essex}, language = {English}, urldate = {2020-05-27} } GOLD ESSEX
Cutwail Pony Pushdo NARWHAL SPIDER
2019-09-09McAfeeThomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-08-30} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
2010MandiantEro Carrera, Peter Silberman
@techreport{carrera:2010:state:687e608, author = {Ero Carrera and Peter Silberman}, title = {{State of Malware: Family Ties}}, date = {2010}, institution = {Mandiant}, url = {https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf}, language = {English}, urldate = {2021-05-11} } State of Malware: Family Ties
Bredolab Conficker Cutwail KoobFace Kraken Poison Ivy Rustock Sinowal Szribi Zeus
Yara Rules
[TLP:WHITE] win_cutwail_auto (20210616 | Detects win.cutwail.)
rule win_cutwail_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.cutwail."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b9554feffff 52 e8???????? 83c408 6a0c e8???????? 83c404 }
            // n = 7, score = 100
            //   8b9554feffff         | mov                 edx, dword ptr [ebp - 0x1ac]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   6a0c                 | push                0xc
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_1 = { 837dac14 732e 6a04 8d5e04 }
            // n = 4, score = 100
            //   837dac14             | cmp                 dword ptr [ebp - 0x54], 0x14
            //   732e                 | jae                 0x30
            //   6a04                 | push                4
            //   8d5e04               | lea                 ebx, dword ptr [esi + 4]

        $sequence_2 = { 53 57 e8???????? 8345f804 8bc6 }
            // n = 5, score = 100
            //   53                   | push                ebx
            //   57                   | push                edi
            //   e8????????           |                     
            //   8345f804             | add                 dword ptr [ebp - 8], 4
            //   8bc6                 | mov                 eax, esi

        $sequence_3 = { 8b06 8d4dec 51 8b4e04 }
            // n = 4, score = 100
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8d4dec               | lea                 ecx, dword ptr [ebp - 0x14]
            //   51                   | push                ecx
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]

        $sequence_4 = { 0560ea0000 39855cfeffff 7633 8b8d5cfeffff }
            // n = 4, score = 100
            //   0560ea0000           | add                 eax, 0xea60
            //   39855cfeffff         | cmp                 dword ptr [ebp - 0x1a4], eax
            //   7633                 | jbe                 0x35
            //   8b8d5cfeffff         | mov                 ecx, dword ptr [ebp - 0x1a4]

        $sequence_5 = { 83c404 898554feffff 83bd54feffff00 747b }
            // n = 4, score = 100
            //   83c404               | add                 esp, 4
            //   898554feffff         | mov                 dword ptr [ebp - 0x1ac], eax
            //   83bd54feffff00       | cmp                 dword ptr [ebp - 0x1ac], 0
            //   747b                 | je                  0x7d

        $sequence_6 = { 8b45f0 83c001 8945f0 8b4dfc 83790800 7416 8b55fc }
            // n = 7, score = 100
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   83c001               | add                 eax, 1
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   83790800             | cmp                 dword ptr [ecx + 8], 0
            //   7416                 | je                  0x18
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        $sequence_7 = { e8???????? 83c004 50 a1???????? }
            // n = 4, score = 100
            //   e8????????           |                     
            //   83c004               | add                 eax, 4
            //   50                   | push                eax
            //   a1????????           |                     

        $sequence_8 = { c68563feffff01 0fb69563feffff 83fa01 0f859d010000 8b856cfeffff 8b0c851cf62004 51 }
            // n = 7, score = 100
            //   c68563feffff01       | mov                 byte ptr [ebp - 0x19d], 1
            //   0fb69563feffff       | movzx               edx, byte ptr [ebp - 0x19d]
            //   83fa01               | cmp                 edx, 1
            //   0f859d010000         | jne                 0x1a3
            //   8b856cfeffff         | mov                 eax, dword ptr [ebp - 0x194]
            //   8b0c851cf62004       | mov                 ecx, dword ptr [eax*4 + 0x420f61c]
            //   51                   | push                ecx

        $sequence_9 = { 8906 8b4520 8938 e9???????? }
            // n = 4, score = 100
            //   8906                 | mov                 dword ptr [esi], eax
            //   8b4520               | mov                 eax, dword ptr [ebp + 0x20]
            //   8938                 | mov                 dword ptr [eax], edi
            //   e9????????           |                     

        $sequence_10 = { 03c8 83c418 83c706 3bf1 0f8252ffffff }
            // n = 5, score = 100
            //   03c8                 | add                 ecx, eax
            //   83c418               | add                 esp, 0x18
            //   83c706               | add                 edi, 6
            //   3bf1                 | cmp                 esi, ecx
            //   0f8252ffffff         | jb                  0xffffff58

        $sequence_11 = { 837d1000 7d04 32c0 eb57 c745fc00000000 837d1000 7437 }
            // n = 7, score = 100
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7d04                 | jge                 6
            //   32c0                 | xor                 al, al
            //   eb57                 | jmp                 0x59
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7437                 | je                  0x39

        $sequence_12 = { eb46 8b8568feffff 0560ea0000 39855cfeffff }
            // n = 4, score = 100
            //   eb46                 | jmp                 0x48
            //   8b8568feffff         | mov                 eax, dword ptr [ebp - 0x198]
            //   0560ea0000           | add                 eax, 0xea60
            //   39855cfeffff         | cmp                 dword ptr [ebp - 0x1a4], eax

        $sequence_13 = { e8???????? 83c410 ff45f0 8945fc }
            // n = 4, score = 100
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   ff45f0               | inc                 dword ptr [ebp - 0x10]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_14 = { 33c0 e9???????? 53 bba5000000 }
            // n = 4, score = 100
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   53                   | push                ebx
            //   bba5000000           | mov                 ebx, 0xa5

        $sequence_15 = { ff15???????? 8985d8fdffff 8b95e4fdffff 52 8d85f8fdffff 50 8b8decfdffff }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8985d8fdffff         | mov                 dword ptr [ebp - 0x228], eax
            //   8b95e4fdffff         | mov                 edx, dword ptr [ebp - 0x21c]
            //   52                   | push                edx
            //   8d85f8fdffff         | lea                 eax, dword ptr [ebp - 0x208]
            //   50                   | push                eax
            //   8b8decfdffff         | mov                 ecx, dword ptr [ebp - 0x214]

    condition:
        7 of them and filesize < 262144
}
Download all Yara Rules