SYMBOLCOMMON_NAMEaka. SYNONYMS
win.necurs (Back to overview)

Necurs

aka: nucurs

Actor(s): MONTY SPIDER

VTCollection    

There is no description at this point.

References
2021-12-01NCC GroupMichael Sandee, Nikolaos Pantazopoulos
Tracking a P2P network related to TA505
FlawedGrace Necurs
2021-01-01SecureworksSecureWorks
Threat Profile: GOLD RIVERVIEW
Necurs GOLD RIVERVIEW
2020-07-17CERT-FRCERT-FR
The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-05-21Intel 471Intel 471
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-15The Shadowserver FoundationShadowserver Foundation
Has The Sun Set On The Necurs Botnet?
Andromeda Cutwail Kelihos Necurs Pushdo
2020-03-10BitSightValter Santos
Joint Effort with Microsoft to Disrupt Massive Criminal Botnet Necurs
Necurs
2020-03-10MicrosoftTom Burt
New action to disrupt world’s largest online criminal network
Necurs
2020-03-04CrowdStrikeCrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-01-01SecureworksSecureWorks
GOLD RIVERVIEW
Necurs
2018-08-15CofenseDarrel Rendell, Jason Meurer
Necurs Targeting Banks with PUB File that Drops FlawedAmmyy
Necurs
2018-07-01BluelivBlueliv
Necurs Malware Overview
Necurs
2018-06-28Trend MicroTrendmicro
The New Face of Necurs: Noteworthy Changes to Necurs’ Behaviors
Necurs
2018-05-04AvastAdolf Středa, Jan Širmer
Botception with Necurs: Botnet distributes script with bot capabilities
Necurs
2018-04-26Trend MicroMiguel Ang
Necurs Evolves to Evade Spam Detection via Internet Shortcut File
Necurs QuantLoader
2018-01-12ProofpointProofpoint Staff
Holiday lull? Not so much
Dridex Emotet GlobeImposter ISFB Necurs PandaBanker UrlZone NARWHAL SPIDER
2017-10-06CERT.PLJarosław Jedynak, Maciej Kotowicz
Peering into spam botnets
Emotet Kelihos Necurs SendSafe Tofsee
2017-05-31TrustwaveHomer Pacag
Necurs Recurs
Necurs
2017-03-20Cisco TalosEarl Carter, Edmund Brumaghin, Jaeson Schultz, Sean Baird
Necurs Diversifies Its Portfolio
Necurs
2017-02-24BitSightSofia Luis
Necurs Proxy Module With DDOS Features
Necurs
2016-09-02CERT.PLAdam Krasuski
Necurs – hybrid spam botnet
Necurs
2015-02-20Johannes Bader's BlogJohannes Bader
The DGAs of Necurs
Necurs
Yara Rules
[TLP:WHITE] win_necurs_auto (20260504 | Detects win.necurs.)
rule win_necurs_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.necurs."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8935???????? 890d???????? 8bc1 5e }
            // n = 4, score = 1300
            //   8935????????         |                     
            //   890d????????         |                     
            //   8bc1                 | mov                 eax, ecx
            //   5e                   | pop                 esi

        $sequence_1 = { a1???????? 13f2 a3???????? 8935???????? }
            // n = 4, score = 1300
            //   a1????????           |                     
            //   13f2                 | adc                 esi, edx
            //   a3????????           |                     
            //   8935????????         |                     

        $sequence_2 = { 8bf2 ba06e0a636 f7e2 03c8 }
            // n = 4, score = 1300
            //   8bf2                 | mov                 esi, edx
            //   ba06e0a636           | mov                 edx, 0x36a6e006
            //   f7e2                 | mul                 edx
            //   03c8                 | add                 ecx, eax

        $sequence_3 = { f7f6 8bc2 034508 5e 5d }
            // n = 5, score = 1300
            //   f7f6                 | div                 esi
            //   8bc2                 | mov                 eax, edx
            //   034508               | add                 eax, dword ptr [ebp + 8]
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

        $sequence_4 = { 8bc8 a1???????? 56 8bf2 ba06e0a636 }
            // n = 5, score = 1300
            //   8bc8                 | mov                 ecx, eax
            //   a1????????           |                     
            //   56                   | push                esi
            //   8bf2                 | mov                 esi, edx
            //   ba06e0a636           | mov                 edx, 0x36a6e006

        $sequence_5 = { 33c0 eb12 e8???????? 2b7508 33d2 46 }
            // n = 6, score = 1300
            //   33c0                 | xor                 eax, eax
            //   eb12                 | jmp                 0x14
            //   e8????????           |                     
            //   2b7508               | sub                 esi, dword ptr [ebp + 8]
            //   33d2                 | xor                 edx, edx
            //   46                   | inc                 esi

        $sequence_6 = { 03c8 a1???????? 13f2 33d2 }
            // n = 4, score = 1300
            //   03c8                 | add                 ecx, eax
            //   a1????????           |                     
            //   13f2                 | adc                 esi, edx
            //   33d2                 | xor                 edx, edx

        $sequence_7 = { 8d85ecfbffff 57 50 e8???????? 83c410 }
            // n = 5, score = 1100
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_8 = { 33d7 33c1 52 50 }
            // n = 4, score = 900
            //   33d7                 | xor                 edx, edi
            //   33c1                 | xor                 eax, ecx
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_9 = { ffd6 8bf8 59 59 85ff 74df }
            // n = 6, score = 800
            //   ffd6                 | call                esi
            //   8bf8                 | mov                 edi, eax
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85ff                 | test                edi, edi
            //   74df                 | je                  0xffffffe1

        $sequence_10 = { 33c0 33d2 5e 5f }
            // n = 4, score = 800
            //   33c0                 | xor                 eax, eax
            //   33d2                 | xor                 edx, edx
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        $sequence_11 = { 8bd7 e9???????? 83caff 8bc2 e9???????? }
            // n = 5, score = 800
            //   8bd7                 | mov                 edx, edi
            //   e9????????           |                     
            //   83caff               | or                  edx, 0xffffffff
            //   8bc2                 | mov                 eax, edx
            //   e9????????           |                     

        $sequence_12 = { 99 6848640300 68da279b71 33d7 }
            // n = 4, score = 800
            //   99                   | cdq                 
            //   6848640300           | push                0x36448
            //   68da279b71           | push                0x719b27da
            //   33d7                 | xor                 edx, edi

        $sequence_13 = { 8bc1 0bc7 7409 8bc1 8bd7 }
            // n = 5, score = 800
            //   8bc1                 | mov                 eax, ecx
            //   0bc7                 | or                  eax, edi
            //   7409                 | je                  0xb
            //   8bc1                 | mov                 eax, ecx
            //   8bd7                 | mov                 edx, edi

        $sequence_14 = { 6a7d 50 ffd6 59 59 85c0 74ce }
            // n = 7, score = 800
            //   6a7d                 | push                0x7d
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   74ce                 | je                  0xffffffd0

    condition:
        7 of them and filesize < 475136
}
Download all Yara Rules