NetTraveler (Malware Family)

NetTraveler

aka: TravNet

Actor(s): NetTraveler

VTCollection

There is no description at this point.

References

2020-11-27 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV
Dissecting APT21 samples using a step-by-step approach
NetTraveler

2017-08-25 ⋅ Kaspersky Labs ⋅ Costin Raiu, Juan Andrés Guerrero-Saade
Walking in your Enemy's Shadow: When Fourth-Party Collection becomes Attribution Hell
NetTraveler RCS WannaCryptor Dancing Salome

2016-07-07 ⋅ Proofpoint ⋅ Axel F
NetTraveler APT Targets Russian, European Interests
NetTraveler APT21

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser MedusaHTTP Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

Yara Rules

[TLP:WHITE] win_nettraveler_auto (20251219 \| Detects win.nettraveler.) rule win_nettraveler_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-01-05" version = "1" description = "Detects win.nettraveler." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_rule_date = "20260105" malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" malpedia_version = "20251219" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { ffd0 50 68???????? ff7510 ff15???????? ff7510 e8???????? } // n = 7, score = 100 // ffd0 \| call eax // 50 \| push eax // 68???????? \| // ff7510 \| push dword ptr [ebp + 0x10] // ff15???????? \| // ff7510 \| push dword ptr [ebp + 0x10] // e8???????? \| $sequence_1 = { 5e 5d 83c440 c3 56 e8???????? e8???????? } // n = 7, score = 100 // 5e \| pop esi // 5d \| pop ebp // 83c440 \| add esp, 0x40 // c3 \| ret // 56 \| push esi // e8???????? \| // e8???????? \| $sequence_2 = { 0bd1 0355b4 8dbc17aac7b6e9 8bd0 8bcf } // n = 5, score = 100 // 0bd1 \| or edx, ecx // 0355b4 \| add edx, dword ptr [ebp - 0x4c] // 8dbc17aac7b6e9 \| lea edi, [edi + edx - 0x16493856] // 8bd0 \| mov edx, eax // 8bcf \| mov ecx, edi $sequence_3 = { aa 8bca 33c0 8dbdddefffff 80a5dcf3ffff00 f3ab } // n = 6, score = 100 // aa \| stosb byte ptr es:[edi], al // 8bca \| mov ecx, edx // 33c0 \| xor eax, eax // 8dbdddefffff \| lea edi, [ebp - 0x1023] // 80a5dcf3ffff00 \| and byte ptr [ebp - 0xc24], 0 // f3ab \| rep stosd dword ptr es:[edi], eax $sequence_4 = { ff37 56 ff15???????? 53 ff37 56 ff15???????? } // n = 7, score = 100 // ff37 \| push dword ptr [edi] // 56 \| push esi // ff15???????? \| // 53 \| push ebx // ff37 \| push dword ptr [edi] // 56 \| push esi // ff15???????? \| $sequence_5 = { ffd6 bd???????? 8d442418 55 68???????? 50 ffd7 } // n = 7, score = 100 // ffd6 \| call esi // bd???????? \| // 8d442418 \| lea eax, [esp + 0x18] // 55 \| push ebp // 68???????? \| // 50 \| push eax // ffd7 \| call edi $sequence_6 = { 53 6a03 53 53 ff75c0 ff75b8 ff7510 } // n = 7, score = 100 // 53 \| push ebx // 6a03 \| push 3 // 53 \| push ebx // 53 \| push ebx // ff75c0 \| push dword ptr [ebp - 0x40] // ff75b8 \| push dword ptr [ebp - 0x48] // ff7510 \| push dword ptr [ebp + 0x10] $sequence_7 = { ff7508 ffd6 53 8d8590f6ffff 53 50 } // n = 6, score = 100 // ff7508 \| push dword ptr [ebp + 8] // ffd6 \| call esi // 53 \| push ebx // 8d8590f6ffff \| lea eax, [ebp - 0x970] // 53 \| push ebx // 50 \| push eax $sequence_8 = { 8db4850cffffff 8b4508 33d2 0fb6803c910010 8bf8 } // n = 5, score = 100 // 8db4850cffffff \| lea esi, [ebp + eax4 - 0xf4] // 8b4508 \| mov eax, dword ptr [ebp + 8] // 33d2 \| xor edx, edx // 0fb6803c910010 \| movzx eax, byte ptr [eax + 0x1000913c] // 8bf8 \| mov edi, eax $sequence_9 = { ff75fc ff15???????? 85c0 7417 8d85f4fdffff 56 } // n = 6, score = 100 // ff75fc \| push dword ptr [ebp - 4] // ff15???????? \| // 85c0 \| test eax, eax // 7417 \| je 0x19 // 8d85f4fdffff \| lea eax, [ebp - 0x20c] // 56 \| push esi condition: 7 of them and filesize < 106496 }
[TLP:WHITE] win_nettraveler_w0 (20170521 \| Identifiers for NetTraveler DLL) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule win_nettraveler_w0 { meta: description = "Identifiers for NetTraveler DLL" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //network strings $n1 = "?action=updated&hostid=" $n2 = "travlerbackinfo" $n3 = "?action=getcmd&hostid=" $n4 = "%s?action=gotcmd&hostid=" $n5 = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=" //debugging strings $d1 = "\x00Method1 Fail!!!!!\x00" $d2 = "\x00Method3 Fail!!!!!\x00" $d3 = "\x00method currect:\x00" $d4 = /\x00\x00[\w\-]+ is Running!\x00\x00/ $d5 = "\x00OtherTwo\x00" condition: any of them }
[TLP:WHITE] win_nettraveler_w1 (20170521 \| Identifiers for netpass variant) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. / rule win_nettraveler_w1 { meta: description = "Identifiers for netpass variant" author = "Katie Kleemola" last_updated = "2014-05-29" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $exif1 = "Device Protect ApplicatioN" wide $exif2 = "beep.sys" wide //embedded exe name $exif3 = "BEEP Driver" wide //embedded exe description $string1 = "\x00NetPass Update\x00" $string2 = "\x00%s:DOWNLOAD\x00" $string3 = "\x00%s:UPDATE\x00" $string4 = "\x00%s:uNINSTALL\x00" condition: all of ($exif) or any of ($string*) }
[TLP:WHITE] win_nettraveler_w2 (20170521 \| Export names for dll component) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_nettraveler_w2 { meta: description = "Export names for dll component" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //dll component exports $d1 = "?InjectDll@@YAHPAUHWND__@@K@Z" $d2 = "?UnmapDll@@YAHXZ" $d3 = "?g_bSubclassed@@3HA" condition: any of them }

Download all Yara Rules

[TLP:WHITE] win_nettraveler_auto (20251219 \| Detects win.nettraveler.) rule win_nettraveler_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-01-05" version = "1" description = "Detects win.nettraveler." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_rule_date = "20260105" malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" malpedia_version = "20251219" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { ffd0 50 68???????? ff7510 ff15???????? ff7510 e8???????? } // n = 7, score = 100 // ffd0 \| call eax // 50 \| push eax // 68???????? \| // ff7510 \| push dword ptr [ebp + 0x10] // ff15???????? \| // ff7510 \| push dword ptr [ebp + 0x10] // e8???????? \| $sequence_1 = { 5e 5d 83c440 c3 56 e8???????? e8???????? } // n = 7, score = 100 // 5e \| pop esi // 5d \| pop ebp // 83c440 \| add esp, 0x40 // c3 \| ret // 56 \| push esi // e8???????? \| // e8???????? \| $sequence_2 = { 0bd1 0355b4 8dbc17aac7b6e9 8bd0 8bcf } // n = 5, score = 100 // 0bd1 \| or edx, ecx // 0355b4 \| add edx, dword ptr [ebp - 0x4c] // 8dbc17aac7b6e9 \| lea edi, [edi + edx - 0x16493856] // 8bd0 \| mov edx, eax // 8bcf \| mov ecx, edi $sequence_3 = { aa 8bca 33c0 8dbdddefffff 80a5dcf3ffff00 f3ab } // n = 6, score = 100 // aa \| stosb byte ptr es:[edi], al // 8bca \| mov ecx, edx // 33c0 \| xor eax, eax // 8dbdddefffff \| lea edi, [ebp - 0x1023] // 80a5dcf3ffff00 \| and byte ptr [ebp - 0xc24], 0 // f3ab \| rep stosd dword ptr es:[edi], eax $sequence_4 = { ff37 56 ff15???????? 53 ff37 56 ff15???????? } // n = 7, score = 100 // ff37 \| push dword ptr [edi] // 56 \| push esi // ff15???????? \| // 53 \| push ebx // ff37 \| push dword ptr [edi] // 56 \| push esi // ff15???????? \| $sequence_5 = { ffd6 bd???????? 8d442418 55 68???????? 50 ffd7 } // n = 7, score = 100 // ffd6 \| call esi // bd???????? \| // 8d442418 \| lea eax, [esp + 0x18] // 55 \| push ebp // 68???????? \| // 50 \| push eax // ffd7 \| call edi $sequence_6 = { 53 6a03 53 53 ff75c0 ff75b8 ff7510 } // n = 7, score = 100 // 53 \| push ebx // 6a03 \| push 3 // 53 \| push ebx // 53 \| push ebx // ff75c0 \| push dword ptr [ebp - 0x40] // ff75b8 \| push dword ptr [ebp - 0x48] // ff7510 \| push dword ptr [ebp + 0x10] $sequence_7 = { ff7508 ffd6 53 8d8590f6ffff 53 50 } // n = 6, score = 100 // ff7508 \| push dword ptr [ebp + 8] // ffd6 \| call esi // 53 \| push ebx // 8d8590f6ffff \| lea eax, [ebp - 0x970] // 53 \| push ebx // 50 \| push eax $sequence_8 = { 8db4850cffffff 8b4508 33d2 0fb6803c910010 8bf8 } // n = 5, score = 100 // 8db4850cffffff \| lea esi, [ebp + eax4 - 0xf4] // 8b4508 \| mov eax, dword ptr [ebp + 8] // 33d2 \| xor edx, edx // 0fb6803c910010 \| movzx eax, byte ptr [eax + 0x1000913c] // 8bf8 \| mov edi, eax $sequence_9 = { ff75fc ff15???????? 85c0 7417 8d85f4fdffff 56 } // n = 6, score = 100 // ff75fc \| push dword ptr [ebp - 4] // ff15???????? \| // 85c0 \| test eax, eax // 7417 \| je 0x19 // 8d85f4fdffff \| lea eax, [ebp - 0x20c] // 56 \| push esi condition: 7 of them and filesize < 106496 }
[TLP:WHITE] win_nettraveler_w0 (20170521 \| Identifiers for NetTraveler DLL) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule win_nettraveler_w0 { meta: description = "Identifiers for NetTraveler DLL" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //network strings $n1 = "?action=updated&hostid=" $n2 = "travlerbackinfo" $n3 = "?action=getcmd&hostid=" $n4 = "%s?action=gotcmd&hostid=" $n5 = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=" //debugging strings $d1 = "\x00Method1 Fail!!!!!\x00" $d2 = "\x00Method3 Fail!!!!!\x00" $d3 = "\x00method currect:\x00" $d4 = /\x00\x00[\w\-]+ is Running!\x00\x00/ $d5 = "\x00OtherTwo\x00" condition: any of them }
[TLP:WHITE] win_nettraveler_w1 (20170521 \| Identifiers for netpass variant) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. / rule win_nettraveler_w1 { meta: description = "Identifiers for netpass variant" author = "Katie Kleemola" last_updated = "2014-05-29" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $exif1 = "Device Protect ApplicatioN" wide $exif2 = "beep.sys" wide //embedded exe name $exif3 = "BEEP Driver" wide //embedded exe description $string1 = "\x00NetPass Update\x00" $string2 = "\x00%s:DOWNLOAD\x00" $string3 = "\x00%s:UPDATE\x00" $string4 = "\x00%s:uNINSTALL\x00" condition: all of ($exif) or any of ($string*) }
[TLP:WHITE] win_nettraveler_w2 (20170521 \| Export names for dll component) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_nettraveler_w2 { meta: description = "Export names for dll component" author = "Katie Kleemola" last_updated = "2014-05-20" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" malpedia_version = "20170521" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: //dll component exports $d1 = "?InjectDll@@YAHPAUHWND__@@K@Z" $d2 = "?UnmapDll@@YAHXZ" $d3 = "?g_bSubclassed@@3HA" condition: any of them }

NetTraveler Propose Change

References

Yara Rules

NetTraveler