SYMBOLCOMMON_NAMEaka. SYNONYMS
win.necurs (Back to overview)

Necurs

aka: nucurs

Actor(s): MONTY SPIDER


There is no description at this point.

References
2021-12-01NCC GroupNikolaos Pantazopoulos, Michael Sandee
@online{pantazopoulos:20211201:tracking:b67c8f7, author = {Nikolaos Pantazopoulos and Michael Sandee}, title = {{Tracking a P2P network related to TA505}}, date = {2021-12-01}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/}, language = {English}, urldate = {2021-12-01} } Tracking a P2P network related to TA505
FlawedGrace Necurs
2021SecureworksSecureWorks
@online{secureworks:2021:threat:6493b56, author = {SecureWorks}, title = {{Threat Profile: GOLD RIVERVIEW}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-riverview}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD RIVERVIEW
Necurs GOLD RIVERVIEW
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://intel471.com/blog/a-brief-history-of-ta505}, language = {English}, urldate = {2022-02-14} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-15The Shadowserver FoundationShadowserver Foundation
@online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } Has The Sun Set On The Necurs Botnet?
Andromeda Cutwail Kelihos Necurs Pushdo
2020-03-10MicrosoftTom Burt
@online{burt:20200310:new:251948a, author = {Tom Burt}, title = {{New action to disrupt world’s largest online criminal network}}, date = {2020-03-10}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/}, language = {English}, urldate = {2020-03-11} } New action to disrupt world’s largest online criminal network
Necurs
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020SecureworksSecureWorks
@online{secureworks:2020:gold:76e58fb, author = {SecureWorks}, title = {{GOLD RIVERVIEW}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-riverview}, language = {English}, urldate = {2020-05-23} } GOLD RIVERVIEW
Necurs
2018-08-15CofenseJason Meurer, Darrel Rendell
@online{meurer:20180815:necurs:cfffc46, author = {Jason Meurer and Darrel Rendell}, title = {{Necurs Targeting Banks with PUB File that Drops FlawedAmmyy}}, date = {2018-08-15}, organization = {Cofense}, url = {https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/}, language = {English}, urldate = {2020-01-08} } Necurs Targeting Banks with PUB File that Drops FlawedAmmyy
Necurs
2018-07BluelivBlueliv
@techreport{blueliv:201807:necurs:652cee2, author = {Blueliv}, title = {{Necurs Malware Overview}}, date = {2018-07}, institution = {Blueliv}, url = {https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf}, language = {English}, urldate = {2019-12-10} } Necurs Malware Overview
Necurs
2018-06-28Trend MicroTrendmicro
@online{trendmicro:20180628:new:f03edd7, author = {Trendmicro}, title = {{The New Face of Necurs: Noteworthy Changes to Necurs’ Behaviors}}, date = {2018-06-28}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors}, language = {English}, urldate = {2020-01-07} } The New Face of Necurs: Noteworthy Changes to Necurs’ Behaviors
Necurs
2018-05-04AvastAdolf Středa, Jan Širmer
@online{steda:20180504:botception:3a422fe, author = {Adolf Středa and Jan Širmer}, title = {{Botception with Necurs: Botnet distributes script with bot capabilities}}, date = {2018-05-04}, organization = {Avast}, url = {https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs}, language = {English}, urldate = {2019-11-29} } Botception with Necurs: Botnet distributes script with bot capabilities
Necurs
2018-04-26Trend MicroMiguel Ang
@online{ang:20180426:necurs:83d08fc, author = {Miguel Ang}, title = {{Necurs Evolves to Evade Spam Detection via Internet Shortcut File}}, date = {2018-04-26}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/}, language = {English}, urldate = {2020-01-10} } Necurs Evolves to Evade Spam Detection via Internet Shortcut File
Necurs QuantLoader
2018-01-12ProofpointProofpoint Staff
@online{staff:20180112:holiday:b4225b8, author = {Proofpoint Staff}, title = {{Holiday lull? Not so much}}, date = {2018-01-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much}, language = {English}, urldate = {2021-05-31} } Holiday lull? Not so much
Dridex Emotet GlobeImposter ISFB Necurs PandaBanker UrlZone NARWHAL SPIDER
2017-10-06CERT.PLMaciej Kotowicz, Jarosław Jedynak
@techreport{kotowicz:20171006:peering:668c82e, author = {Maciej Kotowicz and Jarosław Jedynak}, title = {{Peering into spam botnets}}, date = {2017-10-06}, institution = {CERT.PL}, url = {https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf}, language = {English}, urldate = {2020-04-06} } Peering into spam botnets
Emotet Kelihos Necurs SendSafe Tofsee
2017-05-31TrustwaveHomer Pacag
@online{pacag:20170531:necurs:07ea4cc, author = {Homer Pacag}, title = {{Necurs Recurs}}, date = {2017-05-31}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/}, language = {English}, urldate = {2019-12-19} } Necurs Recurs
Necurs
2017-03-20Cisco TalosSean Baird, Edmund Brumaghin, Earl Carter, Jaeson Schultz
@online{baird:20170320:necurs:ee5da07, author = {Sean Baird and Edmund Brumaghin and Earl Carter and Jaeson Schultz}, title = {{Necurs Diversifies Its Portfolio}}, date = {2017-03-20}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/03/necurs-diversifies.html}, language = {English}, urldate = {2020-01-07} } Necurs Diversifies Its Portfolio
Necurs
2017-02-24BitSightSofia Luis
@online{luis:20170224:necurs:629636f, author = {Sofia Luis}, title = {{Necurs Proxy Module With DDOS Features}}, date = {2017-02-24}, organization = {BitSight}, url = {https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features}, language = {English}, urldate = {2019-12-06} } Necurs Proxy Module With DDOS Features
Necurs
2016-09-02CERT.PLAdam Krasuski
@online{krasuski:20160902:necurs:d01f298, author = {Adam Krasuski}, title = {{Necurs – hybrid spam botnet}}, date = {2016-09-02}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/}, language = {English}, urldate = {2019-11-20} } Necurs – hybrid spam botnet
Necurs
Yara Rules
[TLP:WHITE] win_necurs_auto (20230125 | Detects win.necurs.)
rule win_necurs_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.necurs."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 397508 7604 33c0 eb12 }
            // n = 4, score = 1300
            //   397508               | cmp                 dword ptr [ebp + 8], esi
            //   7604                 | jbe                 6
            //   33c0                 | xor                 eax, eax
            //   eb12                 | jmp                 0x14

        $sequence_1 = { 13f2 a3???????? 8935???????? 890d???????? }
            // n = 4, score = 1300
            //   13f2                 | adc                 esi, edx
            //   a3????????           |                     
            //   8935????????         |                     
            //   890d????????         |                     

        $sequence_2 = { 890d???????? 8bc1 5e c3 55 8bec }
            // n = 6, score = 1300
            //   890d????????         |                     
            //   8bc1                 | mov                 eax, ecx
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_3 = { 0f31 8bc8 a1???????? 56 }
            // n = 4, score = 1300
            //   0f31                 | rdtsc               
            //   8bc8                 | mov                 ecx, eax
            //   a1????????           |                     
            //   56                   | push                esi

        $sequence_4 = { 33c0 eb12 e8???????? 2b7508 }
            // n = 4, score = 1300
            //   33c0                 | xor                 eax, eax
            //   eb12                 | jmp                 0x14
            //   e8????????           |                     
            //   2b7508               | sub                 esi, dword ptr [ebp + 8]

        $sequence_5 = { 33d2 030d???????? a3???????? a1???????? }
            // n = 4, score = 1300
            //   33d2                 | xor                 edx, edx
            //   030d????????         |                     
            //   a3????????           |                     
            //   a1????????           |                     

        $sequence_6 = { 56 8bf2 ba06e0a636 f7e2 }
            // n = 4, score = 1300
            //   56                   | push                esi
            //   8bf2                 | mov                 esi, edx
            //   ba06e0a636           | mov                 edx, 0x36a6e006
            //   f7e2                 | mul                 edx

        $sequence_7 = { 33d2 46 f7f6 8bc2 034508 5e }
            // n = 6, score = 1300
            //   33d2                 | xor                 edx, edx
            //   46                   | inc                 esi
            //   f7f6                 | div                 esi
            //   8bc2                 | mov                 eax, edx
            //   034508               | add                 eax, dword ptr [ebp + 8]
            //   5e                   | pop                 esi

        $sequence_8 = { 8d85ecfbffff 57 50 e8???????? 83c410 }
            // n = 5, score = 1100
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_9 = { 33d7 33c1 52 50 }
            // n = 4, score = 900
            //   33d7                 | xor                 edx, edi
            //   33c1                 | xor                 eax, ecx
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_10 = { 6a7d 50 ffd6 59 }
            // n = 4, score = 800
            //   6a7d                 | push                0x7d
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   59                   | pop                 ecx

        $sequence_11 = { 57 57 8d8574ffffff 50 }
            // n = 4, score = 800
            //   57                   | push                edi
            //   57                   | push                edi
            //   8d8574ffffff         | lea                 eax, [ebp - 0x8c]
            //   50                   | push                eax

        $sequence_12 = { a1???????? 33d2 f7f1 ff05???????? }
            // n = 4, score = 800
            //   a1????????           |                     
            //   33d2                 | xor                 edx, edx
            //   f7f1                 | div                 ecx
            //   ff05????????         |                     

        $sequence_13 = { 50 ffd6 8bf8 59 59 85ff 74df }
            // n = 7, score = 800
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8bf8                 | mov                 edi, eax
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85ff                 | test                edi, edi
            //   74df                 | je                  0xffffffe1

        $sequence_14 = { 6848640300 68da279b71 33d7 33c1 }
            // n = 4, score = 800
            //   6848640300           | push                0x36448
            //   68da279b71           | push                0x719b27da
            //   33d7                 | xor                 edx, edi
            //   33c1                 | xor                 eax, ecx

        $sequence_15 = { 5e 5f c9 c3 8b35???????? }
            // n = 5, score = 800
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   c9                   | leave               
            //   c3                   | ret                 
            //   8b35????????         |                     

    condition:
        7 of them and filesize < 475136
}
Download all Yara Rules