WinNT/Vawtrak

Postby EX! » Fri Aug 30, 2013 8:59 pm

PWS.Papras.CM or Ursnif

hxxp://sieargentina.com/pdf_trk_1Z78050W0348566377.zip

https://www.virustotal.com/en/file/9e43 ... 377902730/
.....
EX!
 
Posts: 35
Joined: Wed Jun 29, 2011 8:24 pm
Reputation point: 11

Re: PWS.Papras.CM - Ursnif

Postby Horgh » Sat Aug 31, 2013 1:52 pm

EX! wrote:PWS.Papras.CM or Ursnif

hxxp://sieargentina.com/pdf_trk_1Z78050W0348566377.zip

https://www.virustotal.com/en/file/9e43 ... 377902730/
.....


Backdoor:Win32/Vawtrak.A
http://www.microsoft.com/security/porta ... ak.A#tab=2

Unrelated to Papras / Ursnif.
Horgh
 
Posts: 37
Joined: Fri Dec 07, 2012 9:48 am
Location: France
Reputation point: 40

Re: Win32/Vawtrak

Postby kloent » Mon Sep 02, 2013 8:07 am

It's a banking malware; the authors' internal name is "EQ" ("EQFramework", "X32 EQ PID", "T:\Develop\EQ2\bin\tmp\client_32.pdb").
Extracted x32 and x64 inject modules (DLLs) attached. The x32 module contains the code of the Pony password stealer.
kloent
 
Posts: 10
Joined: Sat Nov 10, 2012 9:00 am
Reputation point: 5

Re: Win32/Vawtrak

Postby forty-six » Tue Oct 22, 2013 3:39 am

Neutrino & Popads/Magnitude dropping this
forty-six
 
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm
Reputation point: 30

Re: Win32/Vawtrak

Postby SomeUnusedName » Tue Oct 22, 2013 2:31 pm

kloent wrote:It's a banking malware


I didn't see anything banking related though. Looks like Pony password stealing + formgrabbing + VNC/SOCKS backconnect or something.
SomeUnusedName
 
Posts: 46
Joined: Fri Oct 07, 2011 1:17 pm
Reputation point: 8

Re: Win32/Vawtrak

Postby forty-six » Tue Oct 22, 2013 5:54 pm

Look again.
forty-six
 
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm
Reputation point: 30

Re: Win32/Vawtrak

Postby SomeUnusedName » Wed Oct 23, 2013 11:55 am

Care to enlighten me? I've checked the client_32 file and all I see is password stealing. What do you see that I don't?
SomeUnusedName
 
Posts: 46
Joined: Fri Oct 07, 2011 1:17 pm
Reputation point: 8

Neverquest Banking Trojan

Postby teddybear » Tue Nov 26, 2013 8:33 pm

http://www.securelist.com/en/analysis/2 ... new_threat

Has anybody heard of this banking malware before? I don't know any aliases for that.
Of all the hashes listed in the article, I've found only the following on VT:

https://www.virustotal.com/en/file/0b27 ... /analysis/
https://www.virustotal.com/en/file/70d5 ... /analysis/
https://www.virustotal.com/en/file/06b8 ... /analysis/

They are detected by the AVs with the following names:
    Tepfer (forum search: Kelihos?)
    Sinowal (Torpig)
    Reveton?

I'm really confused... :? Any help appreciated.
teddybear
 
Posts: 16
Joined: Tue Sep 24, 2013 11:06 am
Reputation point: 2


Re: Neverquest Banking Trojan

Postby SomeUnusedName » Wed Nov 27, 2013 9:46 am

That's Vawtrak. Securelist may want to start reading kernelmode because it's been known here for a while.

Edit: Link to the Vawtrak thread here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2935
SomeUnusedName
 
Posts: 46
Joined: Fri Oct 07, 2011 1:17 pm
Reputation point: 8
