win.vawtrak

Vawtrak

aka: Catch, grabnew, NeverQuest

Actor(s): Lunar Spider


There is no description at this point.

References
2019-02-15 · CrowdStrike · Brendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak Lunar Spider WIZARD SPIDER
2018-08-09 · Fox-IT · Alfred Klason
@online{klason:20180809:bokbot:499f316, author = {Alfred Klason}, title = {{Bokbot: The (re)birth of a banker}}, date = {2018-08-09}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/}, language = {English}, urldate = {2019-12-20} } Bokbot: The (re)birth of a banker
IcedID Vawtrak
2017-01-22 · The Hacker News · Mohit Kumar
@online{kumar:20170122:russian:a19c81e, author = {Mohit Kumar}, title = {{Russian Hacker behind 'NeverQuest' Malware, Wanted by FBI, Is Arrested in Spain}}, date = {2017-01-22}, organization = {The Hacker News}, url = {http://thehackernews.com/2017/01/neverquest-fbi-hacker.html}, language = {English}, urldate = {2019-12-18} } Russian Hacker behind 'NeverQuest' Malware, Wanted by FBI, Is Arrested in Spain
Vawtrak
2016-09 · Blueliv · Blueliv
@techreport{blueliv:201609:chasing:1c02f62, author = {Blueliv}, title = {{Chasing Cybercrime: Network insights into Vawtrak v2}}, date = {2016-09}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf}, language = {English}, urldate = {2020-01-07} } Chasing Cybercrime: Network insights into Vawtrak v2
Vawtrak
2016-04-21 · Threatpost · Tom Spring
@online{spring:20160421:pos:008ddcb, author = {Tom Spring}, title = {{PoS Attacks Net Crooks 20 Million Stolen Bank Cards}}, date = {2016-04-21}, organization = {Threatpost}, url = {https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/}, language = {English}, urldate = {2020-01-10} } PoS Attacks Net Crooks 20 Million Stolen Bank Cards
Vawtrak
2014-12-19 · PhishLabs · Don Jackson
@online{jackson:20141219:unrelenting:f3f3ccf, author = {Don Jackson}, title = {{The unrelenting evolution of Vawtrak}}, date = {2014-12-19}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak}, language = {English}, urldate = {2019-11-04} } The unrelenting evolution of Vawtrak
Vawtrak
Yara Rules
[TLP:WHITE] win_vawtrak_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_vawtrak_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (comments only; the byte patterns and condition are untouched)
     * - Sequences 0-29 are plain 32-bit x86 code. Sequences 31-33 start with
     *   0x45/0x48/0x49/0x4c bytes followed by ModRM-encoded operations; read as
     *   32-bit those bytes would be inc/dec prefixes and 0x63 would be ARPL, an
     *   instruction compilers do not emit in user code, so the most plausible
     *   reading is x64 code with REX prefixes (0x63 = MOVSXD in 64-bit mode).
     *   The per-instruction listings the generator attached to sequences 30-33
     *   were produced in 32-bit mode and were misaligned against the hex; they
     *   have been re-decoded below so the mnemonics match the bytes. Sequence 30
     *   has no REX byte, so its mode is inferred only from its grouping with 31-33.
     * - "n" is the instruction count of the sequence. "score" is the generator's
     *   annotation; its exact meaning is not stated here, so treat it as a
     *   relative weight, not a hit count. Sequences 30-33 carry the lowest scores.
     * - The condition needs 7 of the 34 sequences, so a 32-bit object can match
     *   on sequences 0-29 alone; the x64 sequences are never required.
     * - The filesize bound applies to the object YARA is given (a dumped region
     *   or unpacked file, per the disclaimer above), not to the packed on-disk
     *   sample. Unpacked/dumped input is the intended use; on packed files the
     *   sequences are generally not visible and the rule is expected to miss.
     */


    strings:
        $sequence_0 = { 6a01 ff35???????? 6a04 6a01 50 }
            // n = 5, score = 2600
            //   6a01                 | push                1
            //   ff35????????         |                     
            //   6a04                 | push                4
            //   6a01                 | push                1
            //   50                   | push                eax

        $sequence_1 = { 50 6a00 6a00 e8???????? 50 ff15???????? }
            // n = 6, score = 2600
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   e8????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_2 = { 6a02 59 e8???????? 85c0 75f4 40 }
            // n = 6, score = 2400
            //   6a02                 | push                2
            //   59                   | pop                 ecx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   75f4                 | jne                 0xfffffff6
            //   40                   | inc                 eax

        $sequence_3 = { ff15???????? f7d8 1bc0 f7d8 eb02 33c0 8be5 }
            // n = 7, score = 2400
            //   ff15????????         |                     
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   f7d8                 | neg                 eax
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   8be5                 | mov                 esp, ebp

        $sequence_4 = { ba00ff0000 8bc1 23c2 3bc2 }
            // n = 4, score = 2400
            //   ba00ff0000           | mov                 edx, 0xff00
            //   8bc1                 | mov                 eax, ecx
            //   23c2                 | and                 eax, edx
            //   3bc2                 | cmp                 eax, edx

        $sequence_5 = { 40 8706 83f801 74f6 e8???????? }
            // n = 5, score = 2400
            //   40                   | inc                 eax
            //   8706                 | xchg                dword ptr [esi], eax
            //   83f801               | cmp                 eax, 1
            //   74f6                 | je                  0xfffffff8
            //   e8????????           |                     

        $sequence_6 = { b900000080 40 8901 81e900100000 75f6 c20400 55 }
            // n = 7, score = 2400
            //   b900000080           | mov                 ecx, 0x80000000
            //   40                   | inc                 eax
            //   8901                 | mov                 dword ptr [ecx], eax
            //   81e900100000         | sub                 ecx, 0x1000
            //   75f6                 | jne                 0xfffffff8
            //   c20400               | ret                 4
            //   55                   | push                ebp

        $sequence_7 = { 33c9 870b 5f 8bc6 5e 5b }
            // n = 6, score = 2400
            //   33c9                 | xor                 ecx, ecx
            //   870b                 | xchg                dword ptr [ebx], ecx
            //   5f                   | pop                 edi
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_8 = { a804 7405 e8???????? 803d????????00 7405 e8???????? }
            // n = 6, score = 2200
            //   a804                 | test                al, 4
            //   7405                 | je                  7
            //   e8????????           |                     
            //   803d????????00       |                     
            //   7405                 | je                  7
            //   e8????????           |                     

        $sequence_9 = { 85c0 7515 2105???????? c705????????04000000 }
            // n = 4, score = 2200
            //   85c0                 | test                eax, eax
            //   7515                 | jne                 0x17
            //   2105????????         |                     
            //   c705????????04000000     |     

        $sequence_10 = { 0fb6c9 81c900ff0000 e8???????? 85c0 }
            // n = 4, score = 2200
            //   0fb6c9               | movzx               ecx, cl
            //   81c900ff0000         | or                  ecx, 0xff00
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_11 = { 750f 33c9 e8???????? 85c0 7404 }
            // n = 5, score = 2200
            //   750f                 | jne                 0x11
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7404                 | je                  6

        $sequence_12 = { 85c0 7516 c705????????02000000 c705????????03000000 eb14 }
            // n = 5, score = 2200
            //   85c0                 | test                eax, eax
            //   7516                 | jne                 0x18
            //   c705????????02000000     |     
            //   c705????????03000000     |     
            //   eb14                 | jmp                 0x16

        $sequence_13 = { a802 7407 e8???????? eb09 a804 7405 e8???????? }
            // n = 7, score = 2200
            //   a802                 | test                al, 2
            //   7407                 | je                  9
            //   e8????????           |                     
            //   eb09                 | jmp                 0xb
            //   a804                 | test                al, 4
            //   7405                 | je                  7
            //   e8????????           |                     

        $sequence_14 = { 803d????????00 7405 e8???????? e8???????? e8???????? e8???????? e8???????? }
            // n = 7, score = 2200
            //   803d????????00       |                     
            //   7405                 | je                  7
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_15 = { 6a08 68???????? 56 ffd7 85c0 }
            // n = 5, score = 2000
            //   6a08                 | push                8
            //   68????????           |                     
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax

        $sequence_16 = { 85c0 7528 68???????? ff15???????? 85c0 7504 33c0 }
            // n = 7, score = 2000
            //   85c0                 | test                eax, eax
            //   7528                 | jne                 0x2a
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax

        $sequence_17 = { 68???????? 50 ff15???????? a3???????? 85c0 74e7 }
            // n = 6, score = 2000
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   a3????????           |                     
            //   85c0                 | test                eax, eax
            //   74e7                 | je                  0xffffffe9

        $sequence_18 = { 8bc6 8703 3bc6 74f8 }
            // n = 4, score = 1900
            //   8bc6                 | mov                 eax, esi
            //   8703                 | xchg                dword ptr [ebx], eax
            //   3bc6                 | cmp                 eax, esi
            //   74f8                 | je                  0xfffffffa

        $sequence_19 = { 59 57 8bf0 ff15???????? 8bc6 }
            // n = 5, score = 1900
            //   59                   | pop                 ecx
            //   57                   | push                edi
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   8bc6                 | mov                 eax, esi

        $sequence_20 = { e8???????? 33d2 b9ff3f0000 f7f1 }
            // n = 4, score = 1900
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   b9ff3f0000           | mov                 ecx, 0x3fff
            //   f7f1                 | div                 ecx

        $sequence_21 = { 56 6a04 53 57 }
            // n = 4, score = 1700
            //   56                   | push                esi
            //   6a04                 | push                4
            //   53                   | push                ebx
            //   57                   | push                edi

        $sequence_22 = { 8d429f 3c0f 7705 80ea61 }
            // n = 4, score = 1700
            //   8d429f               | lea                 eax, [edx - 0x61]
            //   3c0f                 | cmp                 al, 0xf
            //   7705                 | ja                  7
            //   80ea61               | sub                 dl, 0x61

        $sequence_23 = { eb04 8b01 8907 e8???????? }
            // n = 4, score = 1700
            //   eb04                 | jmp                 6
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   8907                 | mov                 dword ptr [edi], eax
            //   e8????????           |                     

        $sequence_24 = { 7705 80ea61 eb0a 8d42bf }
            // n = 4, score = 1700
            //   7705                 | ja                  7
            //   80ea61               | sub                 dl, 0x61
            //   eb0a                 | jmp                 0xc
            //   8d42bf               | lea                 eax, [edx - 0x41]

        $sequence_25 = { e9???????? 8ac1 c1e904 c0e004 }
            // n = 4, score = 1200
            //   e9????????           |                     
            //   8ac1                 | mov                 al, cl
            //   c1e904               | shr                 ecx, 4
            //   c0e004               | shl                 al, 4

        $sequence_26 = { ff15???????? 85c0 7904 33c0 eb1e }
            // n = 5, score = 1200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7904                 | jns                 6
            //   33c0                 | xor                 eax, eax
            //   eb1e                 | jmp                 0x20

        $sequence_27 = { 8ac8 240f 80e1f0 80c110 }
            // n = 4, score = 900
            //   8ac8                 | mov                 cl, al
            //   240f                 | and                 al, 0xf
            //   80e1f0               | and                 cl, 0xf0
            //   80c110               | add                 cl, 0x10

        $sequence_28 = { f7d8 1bc0 83e002 83c003 }
            // n = 4, score = 800
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   83e002               | and                 eax, 2
            //   83c003               | add                 eax, 3

        $sequence_29 = { 3c41 7c11 3c46 7f0d }
            // n = 4, score = 800
            //   3c41                 | cmp                 al, 0x41
            //   7c11                 | jl                  0x13
            //   3c46                 | cmp                 al, 0x46
            //   7f0d                 | jg                  0xf

        // Sequences 30-33: listings re-decoded (see REVIEW NOTES); these are the
        // low-score group and, except for 30, carry REX prefixes (x64).
        $sequence_30 = { b806000000 eb16 8b4c2440 b804000000 }
            // n = 4, score = 700
            //   b806000000           | mov                 eax, 6
            //   eb16                 | jmp                 0x18
            //   8b4c2440             | mov                 ecx, dword ptr [rsp + 0x40]   (x64 read; [esp + 0x40] in 32-bit mode)
            //   b804000000           | mov                 eax, 4

        $sequence_31 = { 4883c602 03ea 03ff 03db 4883fe1e }
            // n = 5, score = 700
            //   4883c602             | add                 rsi, 2
            //   03ea                 | add                 ebp, edx
            //   03ff                 | add                 edi, edi
            //   03db                 | add                 ebx, ebx
            //   4883fe1e             | cmp                 rsi, 0x1e

        $sequence_32 = { 49832000 498bd8 4c8948f0 498bf9 4533c0 }
            // n = 5, score = 700
            //   49832000             | and                 qword ptr [r8], 0
            //   498bd8               | mov                 rbx, r8
            //   4c8948f0             | mov                 qword ptr [rax - 0x10], r9
            //   498bf9               | mov                 rdi, r9
            //   4533c0               | xor                 r8d, r8d

        $sequence_33 = { c3 4863c7 4863cd 482bc8 }
            // n = 4, score = 700
            //   c3                   | ret
            //   4863c7               | movsxd              rax, edi
            //   4863cd               | movsxd              rcx, ebp
            //   482bc8               | sub                 rcx, rax

    // Any 7 of the 34 sequences, and an object below ~1 MiB (1027072 bytes).
    // No MZ/PE header check is imposed, so the rule also applies to raw memory
    // dumps, which is the input the generator worked from.
    condition:
        7 of them and filesize < 1027072
}