win.vawtrak (Back to overview)

Vawtrak

aka: Catch, grabnew, NeverQuest

Actor(s): Lunar Spider

URLhaus    

There is no description at this point.

References
2019-02-15 ⋅ CrowdStrikeBrendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak Lunar Spider WIZARD SPIDER
2018-08-09 ⋅ Fox-ITAlfred Klason
@online{klason:20180809:bokbot:499f316, author = {Alfred Klason}, title = {{Bokbot: The (re)birth of a banker}}, date = {2018-08-09}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/}, language = {English}, urldate = {2019-12-20} } Bokbot: The (re)birth of a banker
IcedID Vawtrak
2017-01-22 ⋅ The Hacker NewsMohit Kumar
@online{kumar:20170122:russian:a19c81e, author = {Mohit Kumar}, title = {{Russian Hacker behind 'NeverQuest' Malware, Wanted by FBI, Is Arrested in Spain}}, date = {2017-01-22}, organization = {The Hacker News}, url = {http://thehackernews.com/2017/01/neverquest-fbi-hacker.html}, language = {English}, urldate = {2019-12-18} } Russian Hacker behind 'NeverQuest' Malware, Wanted by FBI, Is Arrested in Spain
Vawtrak
2016-09 ⋅ BluelivBlueliv
@techreport{blueliv:201609:chasing:1c02f62, author = {Blueliv}, title = {{Chasing Cybercrime: Network insights into Vawtrak v2}}, date = {2016-09}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf}, language = {English}, urldate = {2020-01-07} } Chasing Cybercrime: Network insights into Vawtrak v2
Vawtrak
2016-04-21 ⋅ ThreatpostTom Spring
@online{spring:20160421:pos:008ddcb, author = {Tom Spring}, title = {{PoS Attacks Net Crooks 20 Million Stolen Bank Cards}}, date = {2016-04-21}, organization = {Threatpost}, url = {https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/}, language = {English}, urldate = {2020-01-10} } PoS Attacks Net Crooks 20 Million Stolen Bank Cards
Vawtrak
2014-12-19 ⋅ PhishLabsDon Jackson
@online{jackson:20141219:unrelenting:f3f3ccf, author = {Don Jackson}, title = {{The unrelenting evolution of Vawtrak}}, date = {2014-12-19}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak}, language = {English}, urldate = {2019-11-04} } The unrelenting evolution of Vawtrak
Vawtrak
Yara Rules
[TLP:WHITE] win_vawtrak_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_vawtrak_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 6a04 6a01 50 ff15???????? 85c0 }
            // n = 5, score = 1400
            //   6a04                 | push                4
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_1 = { ff35???????? 6a04 6a01 50 }
            // n = 4, score = 1400
            //   ff35????????         |                     
            //   6a04                 | push                4
            //   6a01                 | push                1
            //   50                   | push                eax

        $sequence_2 = { ff35???????? 6a04 6a01 50 ff15???????? }
            // n = 5, score = 1400
            //   ff35????????         |                     
            //   6a04                 | push                4
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_3 = { 6a01 ff35???????? 6a04 6a01 50 ff15???????? 85c0 }
            // n = 7, score = 1400
            //   6a01                 | push                1
            //   ff35????????         |                     
            //   6a04                 | push                4
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_4 = { 6a01 ff35???????? 6a04 6a01 50 }
            // n = 5, score = 1400
            //   6a01                 | push                1
            //   ff35????????         |                     
            //   6a04                 | push                4
            //   6a01                 | push                1
            //   50                   | push                eax

        $sequence_5 = { 6a01 ff35???????? 6a04 6a01 }
            // n = 4, score = 1400
            //   6a01                 | push                1
            //   ff35????????         |                     
            //   6a04                 | push                4
            //   6a01                 | push                1

        $sequence_6 = { 50 6a00 6a00 e8???????? 50 ff15???????? }
            // n = 6, score = 1400
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   e8????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_7 = { 6a01 ff35???????? 6a04 6a01 50 ff15???????? }
            // n = 6, score = 1400
            //   6a01                 | push                1
            //   ff35????????         |                     
            //   6a04                 | push                4
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_8 = { ff35???????? 6a04 6a01 50 ff15???????? 85c0 }
            // n = 6, score = 1400
            //   ff35????????         |                     
            //   6a04                 | push                4
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_9 = { 8706 83f801 74f6 e8???????? }
            // n = 4, score = 1300
            //   8706                 | xchg                dword ptr [esi], eax
            //   83f801               | cmp                 eax, 1
            //   74f6                 | je                  0xfffffff8
            //   e8????????           |                     

    condition:
        7 of them
}
Download all Yara Rules