SYMBOLCOMMON_NAMEaka. SYNONYMS
win.vawtrak (Back to overview)

Vawtrak

aka: Catch, grabnew, NeverQuest

Actor(s): Lunar Spider

URLhaus    

There is no description at this point.

References
2020-08-09F5 LabsRemi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2019-02-15CrowdStrikeBrendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak LUNAR SPIDER WIZARD SPIDER
2018-08-09Fox-ITAlfred Klason
@online{klason:20180809:bokbot:499f316, author = {Alfred Klason}, title = {{Bokbot: The (re)birth of a banker}}, date = {2018-08-09}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/}, language = {English}, urldate = {2019-12-20} } Bokbot: The (re)birth of a banker
IcedID Vawtrak
2017-01-22The Hacker NewsMohit Kumar
@online{kumar:20170122:russian:a19c81e, author = {Mohit Kumar}, title = {{Russian Hacker behind 'NeverQuest' Malware, Wanted by FBI, Is Arrested in Spain}}, date = {2017-01-22}, organization = {The Hacker News}, url = {http://thehackernews.com/2017/01/neverquest-fbi-hacker.html}, language = {English}, urldate = {2019-12-18} } Russian Hacker behind 'NeverQuest' Malware, Wanted by FBI, Is Arrested in Spain
Vawtrak
2016-09BluelivBlueliv
@techreport{blueliv:201609:chasing:1c02f62, author = {Blueliv}, title = {{Chasing Cybercrime: Network insights into Vawtrak v2}}, date = {2016-09}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf}, language = {English}, urldate = {2020-01-07} } Chasing Cybercrime: Network insights into Vawtrak v2
Vawtrak
2016-07-12Fidelis CybersecurityThreat Research Team
@online{team:20160712:me:d8f4707, author = {Threat Research Team}, title = {{Me and Mr. Robot: Tracking the Actor Behind the MAN1 Crypter}}, date = {2016-07-12}, organization = {Fidelis Cybersecurity}, url = {https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/}, language = {English}, urldate = {2021-07-29} } Me and Mr. Robot: Tracking the Actor Behind the MAN1 Crypter
Hancitor Vawtrak
2016-04-21ThreatpostTom Spring
@online{spring:20160421:pos:008ddcb, author = {Tom Spring}, title = {{PoS Attacks Net Crooks 20 Million Stolen Bank Cards}}, date = {2016-04-21}, organization = {Threatpost}, url = {https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/}, language = {English}, urldate = {2020-01-10} } PoS Attacks Net Crooks 20 Million Stolen Bank Cards
Vawtrak
2014-12-19PhishLabsDon Jackson
@online{jackson:20141219:unrelenting:f3f3ccf, author = {Don Jackson}, title = {{The unrelenting evolution of Vawtrak}}, date = {2014-12-19}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak}, language = {English}, urldate = {2019-11-04} } The unrelenting evolution of Vawtrak
Vawtrak
2014-12-17SecureworksBrett Stone-Gross, Pallav Khandhar
@online{stonegross:20141217:dyre:8486e19, author = {Brett Stone-Gross and Pallav Khandhar}, title = {{Dyre Banking Trojan}}, date = {2014-12-17}, organization = {Secureworks}, url = {https://www.secureworks.com/research/dyre-banking-trojan}, language = {English}, urldate = {2021-05-28} } Dyre Banking Trojan
Dyre Vawtrak WIZARD SPIDER
Yara Rules
[TLP:WHITE] win_vawtrak_auto (20210616 | Detects win.vawtrak.)
rule win_vawtrak_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.vawtrak."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a01 ff35???????? 6a04 6a01 }
            // n = 4, score = 2600
            //   6a01                 | push                1
            //   ff35????????         |                     
            //   6a04                 | push                4
            //   6a01                 | push                1

        $sequence_1 = { 6a04 6a01 50 ff15???????? 85c0 }
            // n = 5, score = 2600
            //   6a04                 | push                4
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_2 = { 50 6a00 6a00 e8???????? 50 ff15???????? }
            // n = 6, score = 2600
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   e8????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_3 = { ff15???????? 85c0 740a 50 ff15???????? 33c0 40 }
            // n = 7, score = 2400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0xc
            //   50                   | push                eax
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax

        $sequence_4 = { ff15???????? 6800000001 6aff 68???????? }
            // n = 4, score = 2400
            //   ff15????????         |                     
            //   6800000001           | push                0x1000000
            //   6aff                 | push                -1
            //   68????????           |                     

        $sequence_5 = { ff15???????? eb01 47 81ff00280000 }
            // n = 4, score = 2400
            //   ff15????????         |                     
            //   eb01                 | jmp                 3
            //   47                   | inc                 edi
            //   81ff00280000         | cmp                 edi, 0x2800

        $sequence_6 = { ff15???????? f7d8 1bc0 f7d8 eb02 33c0 8be5 }
            // n = 7, score = 2400
            //   ff15????????         |                     
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   f7d8                 | neg                 eax
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   8be5                 | mov                 esp, ebp

        $sequence_7 = { ffd7 33f6 46 eb02 }
            // n = 4, score = 2400
            //   ffd7                 | call                edi
            //   33f6                 | xor                 esi, esi
            //   46                   | inc                 esi
            //   eb02                 | jmp                 4

        $sequence_8 = { ba00ff0000 8bc1 23c2 3bc2 }
            // n = 4, score = 2400
            //   ba00ff0000           | push                4
            //   8bc1                 | push                1
            //   23c2                 | push                eax
            //   3bc2                 | test                eax, eax

        $sequence_9 = { a802 7407 e8???????? eb09 }
            // n = 4, score = 2200
            //   a802                 | push                4
            //   7407                 | push                1
            //   e8????????           |                     
            //   eb09                 | push                eax

        $sequence_10 = { a804 7405 e8???????? 803d????????00 }
            // n = 4, score = 2200
            //   a804                 | mov                 eax, ecx
            //   7405                 | and                 eax, edx
            //   e8????????           |                     
            //   803d????????00       |                     

        $sequence_11 = { b8ff0f0000 6623e8 b800400000 660be8 }
            // n = 4, score = 2200
            //   b8ff0f0000           | mov                 ecx, 0x80000000
            //   6623e8               | inc                 eax
            //   b800400000           | mov                 dword ptr [ecx], eax
            //   660be8               | sub                 ecx, 0x1000

        $sequence_12 = { ff15???????? a3???????? 85c0 74e7 }
            // n = 4, score = 2000
            //   ff15????????         |                     
            //   a3????????           |                     
            //   85c0                 | push                4
            //   74e7                 | push                1

        $sequence_13 = { 7528 68???????? ff15???????? 85c0 7504 33c0 }
            // n = 6, score = 2000
            //   7528                 | push                1
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | push                eax
            //   7504                 | test                eax, eax
            //   33c0                 | push                0

        $sequence_14 = { 6a08 68???????? 56 ffd7 85c0 }
            // n = 5, score = 2000
            //   6a08                 | jne                 0xa
            //   68????????           |                     
            //   56                   | jne                 0x2a
            //   ffd7                 | test                eax, eax
            //   85c0                 | jne                 8

        $sequence_15 = { 59 57 8bf0 ff15???????? 8bc6 }
            // n = 5, score = 1900
            //   59                   | xor                 eax, eax
            //   57                   | push                eax
            //   8bf0                 | test                eax, eax
            //   ff15????????         |                     
            //   8bc6                 | je                  0xffffffeb

        $sequence_16 = { 8bc6 8703 3bc6 74f8 }
            // n = 4, score = 1900
            //   8bc6                 | mov                 eax, esi
            //   8703                 | xchg                dword ptr [ebx], eax
            //   3bc6                 | cmp                 eax, esi
            //   74f8                 | je                  0xfffffffa

        $sequence_17 = { e8???????? 33d2 b9ff3f0000 f7f1 }
            // n = 4, score = 1900
            //   e8????????           |                     
            //   33d2                 | jne                 0x2a
            //   b9ff3f0000           | test                eax, eax
            //   f7f1                 | jne                 0xa

        $sequence_18 = { 3c0f 7705 80ea61 eb0a 8d42bf }
            // n = 5, score = 1700
            //   3c0f                 | mov                 esi, eax
            //   7705                 | mov                 eax, esi
            //   80ea61               | push                esi
            //   eb0a                 | push                4
            //   8d42bf               | push                ebx

        $sequence_19 = { e9???????? 8ac1 c1e904 c0e004 }
            // n = 4, score = 1200
            //   e9????????           |                     
            //   8ac1                 | mov                 al, cl
            //   c1e904               | shr                 ecx, 4
            //   c0e004               | shl                 al, 4

        $sequence_20 = { 8ac8 240f 80e1f0 80c110 32c8 }
            // n = 5, score = 900
            //   8ac8                 | mov                 cl, al
            //   240f                 | and                 al, 0xf
            //   80e1f0               | and                 cl, 0xf0
            //   80c110               | add                 cl, 0x10
            //   32c8                 | xor                 cl, al

        $sequence_21 = { 3c41 7c11 3c46 7f0d }
            // n = 4, score = 800
            //   3c41                 | cmp                 al, 0x41
            //   7c11                 | jl                  0x13
            //   3c46                 | cmp                 al, 0x46
            //   7f0d                 | jg                  0xf

        $sequence_22 = { 488d5520 4533c9 4533c0 ff15???????? 85c0 }
            // n = 5, score = 700
            //   488d5520             | push                edi
            //   4533c9               | dec                 eax
            //   4533c0               | lea                 ebp, dword ptr [eax - 0x4a8]
            //   ff15????????         |                     
            //   85c0                 | dec                 eax

        $sequence_23 = { 4883ec20 488bd9 488bca 488bea }
            // n = 4, score = 700
            //   4883ec20             | sub                 esp, 0x580
            //   488bd9               | dec                 eax
            //   488bca               | lea                 eax, dword ptr [esp + 0x60]
            //   488bea               | dec                 eax

        $sequence_24 = { 458d4104 48897c2428 c74424200c001000 ff15???????? 488903 }
            // n = 5, score = 700
            //   458d4104             | inc                 ebp
            //   48897c2428           | lea                 eax, dword ptr [ecx + 4]
            //   c74424200c001000     | dec                 eax
            //   ff15????????         |                     
            //   488903               | mov                 dword ptr [esp + 0x28], edi

        $sequence_25 = { 4157 488da858fbffff 4881ec80050000 488d442460 }
            // n = 4, score = 700
            //   4157                 | mov                 dword ptr [esp + 0x20], 0x10000c
            //   488da858fbffff       | dec                 eax
            //   4881ec80050000       | mov                 dword ptr [ebx], eax
            //   488d442460           | inc                 ecx

    condition:
        7 of them and filesize < 1027072
}
Download all Yara Rules