win.pushdo

Pushdo


Pushdo is usually classified as a "downloader" trojan, meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families, but Pushdo is more sophisticated than most; that sophistication lies in the Pushdo control server rather than in the trojan itself.

References
2021-02-23 — CrowdStrike — CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-03-15 — The Shadowserver Foundation — Shadowserver Foundation
Has The Sun Set On The Necurs Botnet?
Andromeda Cutwail Kelihos Necurs Pushdo
2020-01-01 — Secureworks — SecureWorks
GOLD ESSEX
Cutwail Pony Pushdo NARWHAL SPIDER
2017-04-03 — Malware Traffic Analysis — Brad Duncan
DHL Invoice Malspam/Photo Malspam
Pushdo
2016-02-01 — Blueliv — Raashid Bhat
Tracking the footprints of PushDo Trojan
Pushdo
2009-05-22 — Trend Micro — Alice Decker, David Sancho, Loucif Kharouni, Max Goncharov, Robert McArdle
Pushdo / Cutwail Botnet
Pushdo
2007-12-16 — Secureworks — Joe Stewart
Pushdo - Analysis of a Modern Malware Distribution System
Pushdo
Yara Rules
[TLP:WHITE] win_pushdo_auto (20260504 | Detects win.pushdo.)
rule win_pushdo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.pushdo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* How to read the strings section
     * Each $sequence_N is a hex pattern covering one short run of x86
     * instructions; the comment lines under it list each instruction's bytes
     * and disassembly. "n" is the instruction count (it equals the number of
     * listed lines). "score" is the generator's ranking value for the pattern
     * and is only meaningful relative to the other sequences -- its exact
     * definition comes from yara-signator, not from this rule. "??" bytes are
     * wildcards placed where the generator blanked an operand (those lines
     * show no disassembly); presumably these are call/jump targets and data
     * references (see signator_config), which vary between builds.
     * The patterns are 32-bit x86 (ebp-relative frames, pushal/popal), so
     * 64-bit code would not be covered by this rule.
     */

    strings:
        $sequence_0 = { 50 ff15???????? 33d2 b9ffff0000 }
            // n = 4, score = 1300
            //   50                   | push                eax
            //   ff15????????         |                     
            //   33d2                 | xor                 edx, edx
            //   b9ffff0000           | mov                 ecx, 0xffff

        $sequence_1 = { f7f9 33c9 ba88020000 f7e2 0f90c1 f7d9 }
            // n = 6, score = 1300
            //   f7f9                 | idiv                ecx
            //   33c9                 | xor                 ecx, ecx
            //   ba88020000           | mov                 edx, 0x288
            //   f7e2                 | mul                 edx
            //   0f90c1               | seto                cl
            //   f7d9                 | neg                 ecx

        $sequence_2 = { 60 8b45fc b10b d3c0 61 }
            // n = 5, score = 1200
            //   60                   | pushal              
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   b10b                 | mov                 cl, 0xb
            //   d3c0                 | rol                 eax, cl
            //   61                   | popal               

        $sequence_3 = { 0fbe8c05f0feffff 8b45f4 0fbe8405f0feffff 03c8 81e1ff000000 }
            // n = 5, score = 800
            //   0fbe8c05f0feffff     | movsx               ecx, byte ptr [ebp + eax - 0x110]
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   0fbe8405f0feffff     | movsx               eax, byte ptr [ebp + eax - 0x110]
            //   03c8                 | add                 ecx, eax
            //   81e1ff000000         | and                 ecx, 0xff

        $sequence_4 = { 03c8 81e1ff000000 0fbe8c0df0feffff 33d1 8b450c 0345fc }
            // n = 6, score = 800
            //   03c8                 | add                 ecx, eax
            //   81e1ff000000         | and                 ecx, 0xff
            //   0fbe8c0df0feffff     | movsx               ecx, byte ptr [ebp + ecx - 0x110]
            //   33d1                 | xor                 edx, ecx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0345fc               | add                 eax, dword ptr [ebp - 4]

        $sequence_5 = { 8b45fc 33d2 f77518 8b4514 }
            // n = 4, score = 800
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   33d2                 | xor                 edx, edx
            //   f77518               | div                 dword ptr [ebp + 0x18]
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]

        $sequence_6 = { 8b95e8feffff 8b45fc 8a8c05f0feffff 888c15f0feffff 8b55fc }
            // n = 5, score = 800
            //   8b95e8feffff         | mov                 edx, dword ptr [ebp - 0x118]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8a8c05f0feffff       | mov                 cl, byte ptr [ebp + eax - 0x110]
            //   888c15f0feffff       | mov                 byte ptr [ebp + edx - 0x110], cl
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        $sequence_7 = { f77518 8b4514 0fbe1410 03ca 81e1ff000000 898de8feffff }
            // n = 6, score = 800
            //   f77518               | div                 dword ptr [ebp + 0x18]
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   0fbe1410             | movsx               edx, byte ptr [eax + edx]
            //   03ca                 | add                 ecx, edx
            //   81e1ff000000         | and                 ecx, 0xff
            //   898de8feffff         | mov                 dword ptr [ebp - 0x118], ecx

        $sequence_8 = { be???????? 56 ff75fc c745f820000000 }
            // n = 4, score = 600
            //   be????????           |                     
            //   56                   | push                esi
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   c745f820000000       | mov                 dword ptr [ebp - 8], 0x20

        $sequence_9 = { 59 6a04 8945f8 8d45f8 }
            // n = 4, score = 600
            //   59                   | pop                 ecx
            //   6a04                 | push                4
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_10 = { 83ec24 33c0 8945e0 394508 0f84c1010000 }
            // n = 5, score = 600
            //   83ec24               | sub                 esp, 0x24
            //   33c0                 | xor                 eax, eax
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   394508               | cmp                 dword ptr [ebp + 8], eax
            //   0f84c1010000         | je                  0x1c7

        $sequence_11 = { 33c0 85ff 743a 53 8b5d0c 85db }
            // n = 6, score = 600
            //   33c0                 | xor                 eax, eax
            //   85ff                 | test                edi, edi
            //   743a                 | je                  0x3c
            //   53                   | push                ebx
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   85db                 | test                ebx, ebx

        $sequence_12 = { 8b4608 8945e0 8b4614 8945ec 8b460c 8945e4 }
            // n = 6, score = 600
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_13 = { 52 8d8588fbffff 50 e8???????? }
            // n = 4, score = 500
            //   52                   | push                edx
            //   8d8588fbffff         | lea                 eax, [ebp - 0x478]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_14 = { eb67 eb93 6a00 6a04 8d4de0 }
            // n = 5, score = 200
            //   eb67                 | jmp                 0x69
            //   eb93                 | jmp                 0xffffff95
            //   6a00                 | push                0
            //   6a04                 | push                4
            //   8d4de0               | lea                 ecx, [ebp - 0x20]

        $sequence_15 = { 894de8 8b5514 0355e4 895514 8b4518 2b45e4 894518 }
            // n = 7, score = 200
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   0355e4               | add                 edx, dword ptr [ebp - 0x1c]
            //   895514               | mov                 dword ptr [ebp + 0x14], edx
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   2b45e4               | sub                 eax, dword ptr [ebp - 0x1c]
            //   894518               | mov                 dword ptr [ebp + 0x18], eax

        $sequence_16 = { 0fbe08 85c9 0f84ba010000 8b5508 8955fc }
            // n = 5, score = 200
            //   0fbe08               | movsx               ecx, byte ptr [eax]
            //   85c9                 | test                ecx, ecx
            //   0f84ba010000         | je                  0x1c0
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        $sequence_17 = { 50 8b0d???????? 51 8b15???????? 52 8b854cfeffff 50 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   8b0d????????         |                     
            //   51                   | push                ecx
            //   8b15????????         |                     
            //   52                   | push                edx
            //   8b854cfeffff         | mov                 eax, dword ptr [ebp - 0x1b4]
            //   50                   | push                eax

        $sequence_18 = { 7e2d 0fbe4d08 83f930 7c09 0fbe5508 83fa39 }
            // n = 6, score = 200
            //   7e2d                 | jle                 0x2f
            //   0fbe4d08             | movsx               ecx, byte ptr [ebp + 8]
            //   83f930               | cmp                 ecx, 0x30
            //   7c09                 | jl                  0xb
            //   0fbe5508             | movsx               edx, byte ptr [ebp + 8]
            //   83fa39               | cmp                 edx, 0x39

        $sequence_19 = { ff15???????? 898524feffff 83bd24feffff00 7552 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   898524feffff         | mov                 dword ptr [ebp - 0x1dc], eax
            //   83bd24feffff00       | cmp                 dword ptr [ebp - 0x1dc], 0
            //   7552                 | jne                 0x54

        $sequence_20 = { 50 e8???????? 8945b8 68???????? 8b4db8 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   68????????           |                     
            //   8b4db8               | mov                 ecx, dword ptr [ebp - 0x48]

    condition:
        // Fires when at least 7 of the 21 sequences above are present and the
        // scanned object is under 160 KiB (163840 bytes). The patterns were
        // derived from memory dumps / unpacked files (see DISCLAIMER), so a
        // packed on-disk sample may not expose them; scan unpacked payloads or
        // memory. Note that YARA documents `filesize` as undefined when
        // scanning a running process, which can keep this condition from
        // matching in memory scans -- verify on your scanner before relying on
        // it there.
        7 of them and filesize < 163840
}