SYMBOLCOMMON_NAMEaka. SYNONYMS
win.vawtrak (Back to overview)

Vawtrak

aka: Catch, grabnew, NeverQuest

Actor(s): Lunar Spider

URLhaus    

There is no description at this point.

References
2023-03-19Ilan Duhin
@online{duhin:20230319:vawtrak:1cccd8c, author = {Ilan Duhin}, title = {{Vawtrak Analysis}}, date = {2023-03-19}, url = {https://medium.com/@Ilandu/vawtrak-malware-824818c1837}, language = {English}, urldate = {2023-03-20} } Vawtrak Analysis
Vawtrak
2022-08-18IBMCharlotte Hammond, Ole Villadsen
@online{hammond:20220818:from:501e8ac, author = {Charlotte Hammond and Ole Villadsen}, title = {{From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers}}, date = {2022-08-18}, organization = {IBM}, url = {https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest}, language = {English}, urldate = {2022-08-28} } From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers
BumbleBee Karius Ramnit TrickBot Vawtrak
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2020-08-09F5 LabsRemi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2019-02-15CrowdStrikeBrendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak LUNAR SPIDER WIZARD SPIDER
2018-08-09Fox-ITAlfred Klason
@online{klason:20180809:bokbot:499f316, author = {Alfred Klason}, title = {{Bokbot: The (re)birth of a banker}}, date = {2018-08-09}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/}, language = {English}, urldate = {2019-12-20} } Bokbot: The (re)birth of a banker
IcedID Vawtrak
2017-01-22The Hacker NewsMohit Kumar
@online{kumar:20170122:russian:a19c81e, author = {Mohit Kumar}, title = {{Russian Hacker behind 'NeverQuest' Malware, Wanted by FBI, Is Arrested in Spain}}, date = {2017-01-22}, organization = {The Hacker News}, url = {http://thehackernews.com/2017/01/neverquest-fbi-hacker.html}, language = {English}, urldate = {2019-12-18} } Russian Hacker behind 'NeverQuest' Malware, Wanted by FBI, Is Arrested in Spain
Vawtrak
2016-09BluelivBlueliv
@techreport{blueliv:201609:chasing:1c02f62, author = {Blueliv}, title = {{Chasing Cybercrime: Network insights into Vawtrak v2}}, date = {2016-09}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf}, language = {English}, urldate = {2020-01-07} } Chasing Cybercrime: Network insights into Vawtrak v2
Vawtrak
2016-07-12Fidelis CybersecurityThreat Research Team
@online{team:20160712:me:d8f4707, author = {Threat Research Team}, title = {{Me and Mr. Robot: Tracking the Actor Behind the MAN1 Crypter}}, date = {2016-07-12}, organization = {Fidelis Cybersecurity}, url = {https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/}, language = {English}, urldate = {2021-07-29} } Me and Mr. Robot: Tracking the Actor Behind the MAN1 Crypter
Hancitor Vawtrak
2016-04-21ThreatpostTom Spring
@online{spring:20160421:pos:008ddcb, author = {Tom Spring}, title = {{PoS Attacks Net Crooks 20 Million Stolen Bank Cards}}, date = {2016-04-21}, organization = {Threatpost}, url = {https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/}, language = {English}, urldate = {2020-01-10} } PoS Attacks Net Crooks 20 Million Stolen Bank Cards
Vawtrak
2014-12-19PhishLabsDon Jackson
@online{jackson:20141219:unrelenting:f3f3ccf, author = {Don Jackson}, title = {{The unrelenting evolution of Vawtrak}}, date = {2014-12-19}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak}, language = {English}, urldate = {2019-11-04} } The unrelenting evolution of Vawtrak
Vawtrak
2014-12-17SecureworksBrett Stone-Gross, Pallav Khandhar
@online{stonegross:20141217:dyre:8486e19, author = {Brett Stone-Gross and Pallav Khandhar}, title = {{Dyre Banking Trojan}}, date = {2014-12-17}, organization = {Secureworks}, url = {https://www.secureworks.com/research/dyre-banking-trojan}, language = {English}, urldate = {2021-05-28} } Dyre Banking Trojan
Dyre Vawtrak WIZARD SPIDER
Yara Rules
[TLP:WHITE] win_vawtrak_auto (20230715 | Detects win.vawtrak.)
rule win_vawtrak_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.vawtrak."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a01 ff35???????? 6a04 6a01 }
            // n = 4, score = 2700
            //   6a01                 | push                1
            //   ff35????????         |                     
            //   6a04                 | push                4
            //   6a01                 | push                1

        $sequence_1 = { 6a04 6a01 50 ff15???????? 85c0 }
            // n = 5, score = 2700
            //   6a04                 | push                4
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_2 = { 6a00 6a00 e8???????? 50 ff15???????? }
            // n = 5, score = 2600
            //   6a00                 | push                1
            //   6a00                 | push                4
            //   e8????????           |                     
            //   50                   | push                1
            //   ff15????????         |                     

        $sequence_3 = { 40 8901 81e900100000 75f6 }
            // n = 4, score = 2400
            //   40                   | push                1
            //   8901                 | push                eax
            //   81e900100000         | push                4
            //   75f6                 | push                1

        $sequence_4 = { ba00ff0000 8bc1 23c2 3bc2 }
            // n = 4, score = 2400
            //   ba00ff0000           | push                0
            //   8bc1                 | push                eax
            //   23c2                 | push                eax
            //   3bc2                 | push                0

        $sequence_5 = { c3 56 be???????? 33c0 }
            // n = 4, score = 2400
            //   c3                   | push                eax
            //   56                   | test                eax, eax
            //   be????????           |                     
            //   33c0                 | push                4

        $sequence_6 = { 56 ff15???????? eb01 47 }
            // n = 4, score = 2400
            //   56                   | push                eax
            //   ff15????????         |                     
            //   eb01                 | push                4
            //   47                   | push                1

        $sequence_7 = { 85c0 7516 c705????????02000000 c705????????03000000 eb14 c705????????01000000 }
            // n = 6, score = 2200
            //   85c0                 | ret                 
            //   7516                 | push                esi
            //   c705????????02000000     |     
            //   c705????????03000000     |     
            //   eb14                 | xor                 eax, eax
            //   c705????????01000000     |     

        $sequence_8 = { 7515 2105???????? c705????????04000000 e9???????? }
            // n = 4, score = 2200
            //   7515                 | sub                 ecx, 0x1000
            //   2105????????         |                     
            //   c705????????04000000     |     
            //   e9????????           |                     

        $sequence_9 = { a802 7407 e8???????? eb09 a804 7405 }
            // n = 6, score = 2200
            //   a802                 | push                0
            //   7407                 | push                eax
            //   e8????????           |                     
            //   eb09                 | push                esi
            //   a804                 | jmp                 3
            //   7405                 | inc                 edi

        $sequence_10 = { ff15???????? a3???????? 85c0 74e7 }
            // n = 4, score = 2100
            //   ff15????????         |                     
            //   a3????????           |                     
            //   85c0                 | test                eax, eax
            //   74e7                 | je                  0xffffffe9

        $sequence_11 = { 7528 68???????? ff15???????? 85c0 7504 33c0 }
            // n = 6, score = 2100
            //   7528                 | jne                 0x2a
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax

        $sequence_12 = { 6a08 68???????? 56 ffd7 85c0 }
            // n = 5, score = 2100
            //   6a08                 | push                8
            //   68????????           |                     
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax

        $sequence_13 = { 59 57 8bf0 ff15???????? 8bc6 }
            // n = 5, score = 2000
            //   59                   | pop                 ecx
            //   57                   | push                edi
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   8bc6                 | mov                 eax, esi

        $sequence_14 = { e8???????? 33d2 b9ff3f0000 f7f1 }
            // n = 4, score = 2000
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   b9ff3f0000           | mov                 ecx, 0x3fff
            //   f7f1                 | div                 ecx

        $sequence_15 = { 8bc6 8703 3bc6 74f8 }
            // n = 4, score = 1900
            //   8bc6                 | mov                 eax, esi
            //   8703                 | xchg                dword ptr [ebx], eax
            //   3bc6                 | cmp                 eax, esi
            //   74f8                 | je                  0xfffffffa

        $sequence_16 = { 56 6a04 53 57 }
            // n = 4, score = 1800
            //   56                   | push                esi
            //   6a04                 | push                4
            //   53                   | push                ebx
            //   57                   | push                edi

        $sequence_17 = { 80ea61 eb0a 8d42bf 3c0f }
            // n = 4, score = 1700
            //   80ea61               | jne                 0x19
            //   eb0a                 | test                eax, eax
            //   8d42bf               | jne                 0x1a
            //   3c0f                 | jmp                 0x1a

        $sequence_18 = { c1e910 e9???????? 8ac1 c1e904 c0e004 }
            // n = 5, score = 1200
            //   c1e910               | shr                 ecx, 0x10
            //   e9????????           |                     
            //   8ac1                 | mov                 al, cl
            //   c1e904               | shr                 ecx, 4
            //   c0e004               | shl                 al, 4

        $sequence_19 = { 8ac8 240f 80e1f0 80c110 32c8 }
            // n = 5, score = 900
            //   8ac8                 | mov                 cl, al
            //   240f                 | and                 al, 0xf
            //   80e1f0               | and                 cl, 0xf0
            //   80c110               | add                 cl, 0x10
            //   32c8                 | xor                 cl, al

        $sequence_20 = { 3c41 7c11 3c46 7f0d }
            // n = 4, score = 800
            //   3c41                 | cmp                 al, 0x41
            //   7c11                 | jl                  0x13
            //   3c46                 | cmp                 al, 0x46
            //   7f0d                 | jg                  0xf

        $sequence_21 = { 2bca 3bcf 7c2e 03fa 4883c602 03ea 03ff }
            // n = 7, score = 700
            //   2bca                 | dec                 eax
            //   3bcf                 | mov                 edi, ecx
            //   7c2e                 | mov                 ecx, 0x10
            //   03fa                 | dec                 eax
            //   4883c602             | mov                 esi, eax
            //   03ea                 | dec                 eax
            //   03ff                 | mov                 ebx, eax

        $sequence_22 = { 488905???????? 4885c0 74dd 488bd3 }
            // n = 4, score = 700
            //   488905????????       |                     
            //   4885c0               | sub                 ecx, edx
            //   74dd                 | cmp                 ecx, edi
            //   488bd3               | jl                  0x32

        $sequence_23 = { 4883ec30 488bf9 e8???????? b910000000 488bf0 e8???????? 488bd8 }
            // n = 7, score = 700
            //   4883ec30             | mov                 ecx, esi
            //   488bf9               | dec                 esp
            //   e8????????           |                     
            //   b910000000           | mov                 eax, edi
            //   488bf0               | dec                 eax
            //   e8????????           |                     
            //   488bd8               | sub                 esp, 0x30

        $sequence_24 = { 4885c0 74e3 448bce 4c8bc7 }
            // n = 4, score = 700
            //   4885c0               | dec                 eax
            //   74e3                 | test                eax, eax
            //   448bce               | je                  0xffffffe5
            //   4c8bc7               | inc                 esp

    condition:
        7 of them and filesize < 1027072
}
Download all Yara Rules