SYMBOLCOMMON_NAMEaka. SYNONYMS
win.necurs (Back to overview)

Necurs

aka: nucurs

Actor(s): MONTY SPIDER


There is no description at this point.

References
2021-12-01NCC GroupNikolaos Pantazopoulos, Michael Sandee
@online{pantazopoulos:20211201:tracking:b67c8f7, author = {Nikolaos Pantazopoulos and Michael Sandee}, title = {{Tracking a P2P network related to TA505}}, date = {2021-12-01}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/}, language = {English}, urldate = {2021-12-01} } Tracking a P2P network related to TA505
FlawedGrace Necurs
2021SecureworksSecureWorks
@online{secureworks:2021:threat:6493b56, author = {SecureWorks}, title = {{Threat Profile: GOLD RIVERVIEW}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-riverview}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD RIVERVIEW
Necurs GOLD RIVERVIEW
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://intel471.com/blog/a-brief-history-of-ta505}, language = {English}, urldate = {2022-02-14} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-15The Shadowserver FoundationShadowserver Foundation
@online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } Has The Sun Set On The Necurs Botnet?
Andromeda Cutwail Kelihos Necurs Pushdo
2020-03-10MicrosoftTom Burt
@online{burt:20200310:new:251948a, author = {Tom Burt}, title = {{New action to disrupt world’s largest online criminal network}}, date = {2020-03-10}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/}, language = {English}, urldate = {2020-03-11} } New action to disrupt world’s largest online criminal network
Necurs
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020SecureworksSecureWorks
@online{secureworks:2020:gold:76e58fb, author = {SecureWorks}, title = {{GOLD RIVERVIEW}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-riverview}, language = {English}, urldate = {2020-05-23} } GOLD RIVERVIEW
Necurs
2018-08-15CofenseJason Meurer, Darrel Rendell
@online{meurer:20180815:necurs:cfffc46, author = {Jason Meurer and Darrel Rendell}, title = {{Necurs Targeting Banks with PUB File that Drops FlawedAmmyy}}, date = {2018-08-15}, organization = {Cofense}, url = {https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/}, language = {English}, urldate = {2020-01-08} } Necurs Targeting Banks with PUB File that Drops FlawedAmmyy
Necurs
2018-07BluelivBlueliv
@techreport{blueliv:201807:necurs:652cee2, author = {Blueliv}, title = {{Necurs Malware Overview}}, date = {2018-07}, institution = {Blueliv}, url = {https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf}, language = {English}, urldate = {2019-12-10} } Necurs Malware Overview
Necurs
2018-06-28Trend MicroTrendmicro
@online{trendmicro:20180628:new:f03edd7, author = {Trendmicro}, title = {{The New Face of Necurs: Noteworthy Changes to Necurs’ Behaviors}}, date = {2018-06-28}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors}, language = {English}, urldate = {2020-01-07} } The New Face of Necurs: Noteworthy Changes to Necurs’ Behaviors
Necurs
2018-05-04AvastAdolf Středa, Jan Širmer
@online{steda:20180504:botception:3a422fe, author = {Adolf Středa and Jan Širmer}, title = {{Botception with Necurs: Botnet distributes script with bot capabilities}}, date = {2018-05-04}, organization = {Avast}, url = {https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs}, language = {English}, urldate = {2019-11-29} } Botception with Necurs: Botnet distributes script with bot capabilities
Necurs
2018-04-26Trend MicroMiguel Ang
@online{ang:20180426:necurs:83d08fc, author = {Miguel Ang}, title = {{Necurs Evolves to Evade Spam Detection via Internet Shortcut File}}, date = {2018-04-26}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/}, language = {English}, urldate = {2020-01-10} } Necurs Evolves to Evade Spam Detection via Internet Shortcut File
Necurs QuantLoader
2018-01-12ProofpointProofpoint Staff
@online{staff:20180112:holiday:b4225b8, author = {Proofpoint Staff}, title = {{Holiday lull? Not so much}}, date = {2018-01-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much}, language = {English}, urldate = {2021-05-31} } Holiday lull? Not so much
Dridex Emotet GlobeImposter ISFB Necurs PandaBanker UrlZone NARWHAL SPIDER
2017-10-06CERT.PLMaciej Kotowicz, Jarosław Jedynak
@techreport{kotowicz:20171006:peering:668c82e, author = {Maciej Kotowicz and Jarosław Jedynak}, title = {{Peering into spam botnets}}, date = {2017-10-06}, institution = {CERT.PL}, url = {https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf}, language = {English}, urldate = {2020-04-06} } Peering into spam botnets
Emotet Kelihos Necurs SendSafe Tofsee
2017-05-31TrustwaveHomer Pacag
@online{pacag:20170531:necurs:07ea4cc, author = {Homer Pacag}, title = {{Necurs Recurs}}, date = {2017-05-31}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/}, language = {English}, urldate = {2019-12-19} } Necurs Recurs
Necurs
2017-03-20Cisco TalosSean Baird, Edmund Brumaghin, Earl Carter, Jaeson Schultz
@online{baird:20170320:necurs:ee5da07, author = {Sean Baird and Edmund Brumaghin and Earl Carter and Jaeson Schultz}, title = {{Necurs Diversifies Its Portfolio}}, date = {2017-03-20}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/03/necurs-diversifies.html}, language = {English}, urldate = {2020-01-07} } Necurs Diversifies Its Portfolio
Necurs
2017-02-24BitSightSofia Luis
@online{luis:20170224:necurs:629636f, author = {Sofia Luis}, title = {{Necurs Proxy Module With DDOS Features}}, date = {2017-02-24}, organization = {BitSight}, url = {https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features}, language = {English}, urldate = {2019-12-06} } Necurs Proxy Module With DDOS Features
Necurs
2016-09-02CERT.PLAdam Krasuski
@online{krasuski:20160902:necurs:d01f298, author = {Adam Krasuski}, title = {{Necurs – hybrid spam botnet}}, date = {2016-09-02}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/}, language = {English}, urldate = {2019-11-20} } Necurs – hybrid spam botnet
Necurs
2015-02-20Johannes Bader's BlogJohannes Bader
@online{bader:20150220:dgas:b2e059a, author = {Johannes Bader}, title = {{The DGAs of Necurs}}, date = {2015-02-20}, organization = {Johannes Bader's Blog}, url = {https://bin.re/blog/the-dgas-of-necurs/}, language = {English}, urldate = {2023-04-27} } The DGAs of Necurs
Necurs
Yara Rules
[TLP:WHITE] win_necurs_auto (20230715 | Detects win.necurs.)
rule win_necurs_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.necurs."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 46 f7f6 8bc2 034508 5e 5d c3 }
            // n = 7, score = 1300
            //   46                   | inc                 esi
            //   f7f6                 | div                 esi
            //   8bc2                 | mov                 eax, edx
            //   034508               | add                 eax, dword ptr [ebp + 8]
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_1 = { 0f31 8bc8 a1???????? 56 8bf2 ba06e0a636 f7e2 }
            // n = 7, score = 1300
            //   0f31                 | rdtsc               
            //   8bc8                 | mov                 ecx, eax
            //   a1????????           |                     
            //   56                   | push                esi
            //   8bf2                 | mov                 esi, edx
            //   ba06e0a636           | mov                 edx, 0x36a6e006
            //   f7e2                 | mul                 edx

        $sequence_2 = { eb12 e8???????? 2b7508 33d2 46 f7f6 8bc2 }
            // n = 7, score = 1300
            //   eb12                 | jmp                 0x14
            //   e8????????           |                     
            //   2b7508               | sub                 esi, dword ptr [ebp + 8]
            //   33d2                 | xor                 edx, edx
            //   46                   | inc                 esi
            //   f7f6                 | div                 esi
            //   8bc2                 | mov                 eax, edx

        $sequence_3 = { ba06e0a636 f7e2 03c8 a1???????? }
            // n = 4, score = 1300
            //   ba06e0a636           | mov                 edx, 0x36a6e006
            //   f7e2                 | mul                 edx
            //   03c8                 | add                 ecx, eax
            //   a1????????           |                     

        $sequence_4 = { 13f2 33d2 030d???????? a3???????? a1???????? 13f2 }
            // n = 6, score = 1300
            //   13f2                 | adc                 esi, edx
            //   33d2                 | xor                 edx, edx
            //   030d????????         |                     
            //   a3????????           |                     
            //   a1????????           |                     
            //   13f2                 | adc                 esi, edx

        $sequence_5 = { 397508 7604 33c0 eb12 e8???????? }
            // n = 5, score = 1300
            //   397508               | cmp                 dword ptr [ebp + 8], esi
            //   7604                 | jbe                 6
            //   33c0                 | xor                 eax, eax
            //   eb12                 | jmp                 0x14
            //   e8????????           |                     

        $sequence_6 = { 13f2 a3???????? 8935???????? 890d???????? 8bc1 5e c3 }
            // n = 7, score = 1300
            //   13f2                 | adc                 esi, edx
            //   a3????????           |                     
            //   8935????????         |                     
            //   890d????????         |                     
            //   8bc1                 | mov                 eax, ecx
            //   5e                   | pop                 esi
            //   c3                   | ret                 

        $sequence_7 = { 03c8 a1???????? 13f2 33d2 }
            // n = 4, score = 1300
            //   03c8                 | add                 ecx, eax
            //   a1????????           |                     
            //   13f2                 | adc                 esi, edx
            //   33d2                 | xor                 edx, edx

        $sequence_8 = { 8d85ecfbffff 57 50 e8???????? 83c410 }
            // n = 5, score = 1100
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_9 = { 33d7 33c1 52 50 e8???????? }
            // n = 5, score = 900
            //   33d7                 | xor                 edx, edi
            //   33c1                 | xor                 eax, ecx
            //   52                   | push                edx
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_10 = { 8bc1 0bc7 7409 8bc1 8bd7 e9???????? }
            // n = 6, score = 800
            //   8bc1                 | mov                 eax, ecx
            //   0bc7                 | or                  eax, edi
            //   7409                 | je                  0xb
            //   8bc1                 | mov                 eax, ecx
            //   8bd7                 | mov                 edx, edi
            //   e9????????           |                     

        $sequence_11 = { 33c0 33d2 5e 5f c9 }
            // n = 5, score = 800
            //   33c0                 | xor                 eax, eax
            //   33d2                 | xor                 edx, edx
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   c9                   | leave               

        $sequence_12 = { 8bd7 e9???????? 83caff 8bc2 }
            // n = 4, score = 800
            //   8bd7                 | mov                 edx, edi
            //   e9????????           |                     
            //   83caff               | or                  edx, 0xffffffff
            //   8bc2                 | mov                 eax, edx

        $sequence_13 = { 50 ffd6 8bf8 59 59 }
            // n = 5, score = 800
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8bf8                 | mov                 edi, eax
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_14 = { 53 ff15???????? 59 33c0 5e }
            // n = 5, score = 800
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   59                   | pop                 ecx
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi

        $sequence_15 = { 57 57 57 8d8574ffffff 50 }
            // n = 5, score = 800
            //   57                   | push                edi
            //   57                   | push                edi
            //   57                   | push                edi
            //   8d8574ffffff         | lea                 eax, [ebp - 0x8c]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 475136
}
Download all Yara Rules