win.necurs (Back to overview)

Necurs

aka: nucurs

There is no description at this point.

References
2018-08-15 ⋅ Cofense ⋅ Jason Meurer, Darrel Rendell
@online{meurer:20180815:necurs:cfffc46, author = {Jason Meurer and Darrel Rendell}, title = {{Necurs Targeting Banks with PUB File that Drops FlawedAmmyy}}, date = {2018-08-15}, organization = {Cofense}, url = {https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/}, language = {English}, urldate = {2020-01-08} } Necurs Targeting Banks with PUB File that Drops FlawedAmmyy
Necurs
2018-07 ⋅ Blueliv ⋅ Blueliv
@techreport{blueliv:201807:necurs:652cee2, author = {Blueliv}, title = {{Necurs Malware Overview}}, date = {2018-07}, institution = {Blueliv}, url = {https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf}, language = {English}, urldate = {2019-12-10} } Necurs Malware Overview
Necurs
2018-06-28 ⋅ Trend Micro ⋅ Trendmicro
@online{trendmicro:20180628:new:f03edd7, author = {Trendmicro}, title = {{The New Face of Necurs: Noteworthy Changes to Necurs’ Behaviors}}, date = {2018-06-28}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors}, language = {English}, urldate = {2020-01-07} } The New Face of Necurs: Noteworthy Changes to Necurs’ Behaviors
Necurs
2018-05-04 ⋅ Avast ⋅ Adolf Středa, Jan Širmer
@online{steda:20180504:botception:3a422fe, author = {Adolf Středa and Jan Širmer}, title = {{Botception with Necurs: Botnet distributes script with bot capabilities}}, date = {2018-05-04}, organization = {Avast}, url = {https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs}, language = {English}, urldate = {2019-11-29} } Botception with Necurs: Botnet distributes script with bot capabilities
Necurs
2018-04-26 ⋅ Trend Micro ⋅ Miguel Ang
@online{ang:20180426:necurs:83d08fc, author = {Miguel Ang}, title = {{Necurs Evolves to Evade Spam Detection via Internet Shortcut File}}, date = {2018-04-26}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/}, language = {English}, urldate = {2020-01-10} } Necurs Evolves to Evade Spam Detection via Internet Shortcut File
Necurs QuantLoader
2017-05-31 ⋅ Trustwave ⋅ Homer Pacag
@online{pacag:20170531:necurs:07ea4cc, author = {Homer Pacag}, title = {{Necurs Recurs}}, date = {2017-05-31}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/}, language = {English}, urldate = {2019-12-19} } Necurs Recurs
Necurs
2017-03-20 ⋅ Cisco Talos ⋅ Sean Baird, Edmund Brumaghin, Earl Carter, Jaeson Schultz
@online{baird:20170320:necurs:ee5da07, author = {Sean Baird and Edmund Brumaghin and Earl Carter and Jaeson Schultz}, title = {{Necurs Diversifies Its Portfolio}}, date = {2017-03-20}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/03/necurs-diversifies.html}, language = {English}, urldate = {2020-01-07} } Necurs Diversifies Its Portfolio
Necurs
2017-02-24 ⋅ BitSight ⋅ Sofia Luis
@online{luis:20170224:necurs:629636f, author = {Sofia Luis}, title = {{Necurs Proxy Module With DDOS Features}}, date = {2017-02-24}, organization = {BitSight}, url = {https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features}, language = {English}, urldate = {2019-12-06} } Necurs Proxy Module With DDOS Features
Necurs
2016-09-02 ⋅ CERT.PL ⋅ Adam Krasuski
@online{krasuski:20160902:necurs:d01f298, author = {Adam Krasuski}, title = {{Necurs – hybrid spam botnet}}, date = {2016-09-02}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/}, language = {English}, urldate = {2019-11-20} } Necurs – hybrid spam botnet
Necurs
Yara Rules
[TLP:WHITE] win_necurs_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_necurs_auto {
    // Autogenerated Malpedia detection rule for win.necurs (Necurs). The 16 hex
    // sequences below were selected by yara-signator from the disassembly of
    // memory dumps / unpacked files (see DISCLAIMER), so the rule is meant to be
    // applied to unpacked code or memory images rather than to packed files on
    // disk. It fires when any 7 of the 16 sequences are present (see `condition`).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): `date` (2019-11-26) and `malpedia_version` (20190204) differ;
        // presumably rule-generation date vs. Malpedia data snapshot -- confirm.
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each sequence is a run of 32-bit x86 instruction bytes. The annotation
        // `n = N, score = S` gives N = number of instructions in the sequence
        // (it matches the listed disassembly) and S = yara-signator's selection
        // score; the score's scale is not documented on this page.
        //
        // `????????` masks a 4-byte operand that depends on the image's load
        // address or on where the sequence sits in the binary -- e.g. the rel32
        // target of `e8` (call) / `e9` (jmp), the moffs32 of `a1` / `a3`
        // (mov eax, [addr] / mov [addr], eax), and the disp32 of `ff15`
        // (call [addr]), `8935` / `890d` (mov [addr], esi / mov [addr], ecx) and
        // `030d` (add ecx, [addr]). The disassembly column is left blank for
        // those instructions because the operand is unresolved.

        // 0x36a6e006 feeds a 32-bit `mul`; together with the adc/xor edx/div
        // pattern in $sequence_2, $sequence_5 and $sequence_7 this looks like one
        // arithmetic helper (hash or PRNG?) -- inferred from the opcodes only,
        // unconfirmed.
        $sequence_0 = { 56 8bf2 ba06e0a636 f7e2 03c8 a1???????? }
            // n = 6, score = 1100
            //   56                   | push                esi
            //   8bf2                 | mov                 esi, edx
            //   ba06e0a636           | mov                 edx, 0x36a6e006
            //   f7e2                 | mul                 edx
            //   03c8                 | add                 ecx, eax
            //   a1????????           |                     

        $sequence_1 = { 397508 7604 33c0 eb12 e8???????? 2b7508 33d2 }
            // n = 7, score = 1100
            //   397508               | cmp                 dword ptr [ebp + 8], esi
            //   7604                 | jbe                 6
            //   33c0                 | xor                 eax, eax
            //   eb12                 | jmp                 0x14
            //   e8????????           |                     
            //   2b7508               | sub                 esi, dword ptr [ebp + 8]
            //   33d2                 | xor                 edx, edx

        // Three of five instructions are masked here; the effective fixed content
        // is `13f2 33d2` plus opcode bytes, so this sequence contributes little
        // specificity on its own.
        $sequence_2 = { 13f2 33d2 030d???????? a3???????? a1???????? }
            // n = 5, score = 1100
            //   13f2                 | adc                 esi, edx
            //   33d2                 | xor                 edx, edx
            //   030d????????         |                     
            //   a3????????           |                     
            //   a1????????           |                     

        $sequence_3 = { a3???????? 8935???????? 890d???????? 8bc1 5e }
            // n = 5, score = 1100
            //   a3????????           |                     
            //   8935????????         |                     
            //   890d????????         |                     
            //   8bc1                 | mov                 eax, ecx
            //   5e                   | pop                 esi

        $sequence_4 = { 8bc8 a1???????? 56 8bf2 }
            // n = 4, score = 1100
            //   8bc8                 | mov                 ecx, eax
            //   a1????????           |                     
            //   56                   | push                esi
            //   8bf2                 | mov                 esi, edx

        // `div esi` then `mov eax, edx` keeps the remainder -- a modulo step,
        // consistent with the arithmetic-helper reading above (unconfirmed).
        $sequence_5 = { f7f6 8bc2 034508 5e 5d c3 }
            // n = 6, score = 1100
            //   f7f6                 | div                 esi
            //   8bc2                 | mov                 eax, edx
            //   034508               | add                 eax, dword ptr [ebp + 8]
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_6 = { a3???????? a1???????? 13f2 a3???????? 8935???????? }
            // n = 5, score = 1100
            //   a3????????           |                     
            //   a1????????           |                     
            //   13f2                 | adc                 esi, edx
            //   a3????????           |                     
            //   8935????????         |                     

        $sequence_7 = { 03c8 a1???????? 13f2 33d2 }
            // n = 4, score = 1100
            //   03c8                 | add                 ecx, eax
            //   a1????????           |                     
            //   13f2                 | adc                 esi, edx
            //   33d2                 | xor                 edx, edx

        // Stack-buffer setup ([ebp - 0x414]) around a cdecl call that cleans up
        // 16 bytes of arguments (`add esp, 0x10`).
        $sequence_8 = { 8d85ecfbffff 57 50 e8???????? 83c410 }
            // n = 5, score = 1000
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        // `ff15` is an indirect call through an import/function pointer table
        // (target masked), guarded by a cmp/je on esi.
        $sequence_9 = { 3bf0 7408 56 ff15???????? 59 }
            // n = 5, score = 900
            //   3bf0                 | cmp                 esi, eax
            //   7408                 | je                  0xa
            //   56                   | push                esi
            //   ff15????????         |                     
            //   59                   | pop                 ecx

        // Shares `33d7 33c1` with $sequence_15; the two 32-bit constants pushed
        // there (0x36448, 0x719b27da) are XOR-combined with edi/ecx before a call
        // -- reads like constant-keyed obfuscation, but this is inferred, not
        // confirmed.
        $sequence_10 = { 33d7 33c1 52 50 e8???????? }
            // n = 5, score = 800
            //   33d7                 | xor                 edx, edi
            //   33c1                 | xor                 eax, ecx
            //   52                   | push                edx
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_11 = { 50 ffd6 8bf8 59 59 }
            // n = 5, score = 700
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8bf8                 | mov                 edi, eax
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        // Generic 4-byte function epilogue (clear edx, restore esi/edi, leave);
        // this idiom is common in unrelated code, so it relies on the 7-of-16
        // threshold for specificity.
        $sequence_12 = { 33d2 5e 5f c9 }
            // n = 4, score = 700
            //   33d2                 | xor                 edx, edx
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   c9                   | leave               

        // Generic call-cleanup + loop-back idiom (two pops, test eax, backwards
        // je); likewise low specificity on its own.
        $sequence_13 = { 59 59 85c0 74ce }
            // n = 4, score = 700
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   74ce                 | je                  0xffffffd0

        $sequence_14 = { 8bc1 0bc7 7409 8bc1 8bd7 e9???????? }
            // n = 6, score = 700
            //   8bc1                 | mov                 eax, ecx
            //   0bc7                 | or                  eax, edi
            //   7409                 | je                  0xb
            //   8bc1                 | mov                 eax, ecx
            //   8bd7                 | mov                 edx, edi
            //   e9????????           |                     

        $sequence_15 = { 99 6848640300 68da279b71 33d7 33c1 }
            // n = 5, score = 700
            //   99                   | cdq                 
            //   6848640300           | push                0x36448
            //   68da279b71           | push                0x719b27da
            //   33d7                 | xor                 edx, edi
            //   33c1                 | xor                 eax, ecx

    condition:
        // Any 7 of the 16 sequences must match. Several sequences are short or
        // heavily masked (see notes above), so the threshold -- not any single
        // string -- carries the rule's precision. Raise it if the rule produces
        // false positives in your environment, at the cost of recall against
        // variants that share fewer sequences.
        7 of them
}