WinNT/Vawtrak

EX!
Posts: 35
Joined: Wed Jun 29, 2011 8:24 pm

WinNT/Vawtrak

Post by EX! » Fri Aug 30, 2013 8:59 pm

PWS.Papras.CM or Ursnif

hxxp://sieargentina.com/pdf_trk_1Z78050W0348566377.zip
https://www.virustotal.com/en/file/9e43 ... 377902730/
.....

Horgh
Posts: 37
Joined: Fri Dec 07, 2012 9:48 am
Location: France

Re: PWS.Papras.CM - Ursnif

Post by Horgh » Sat Aug 31, 2013 1:52 pm

EX! wrote: PWS.Papras.CM or Ursnif

hxxp://sieargentina.com/pdf_trk_1Z78050W0348566377.zip
https://www.virustotal.com/en/file/9e43 ... 377902730/
.....
Backdoor:Win32/Vawtrak.A
http://www.microsoft.com/security/porta ... ak.A#tab=2

Unrelated to Papras / Ursnif.

kloent
Posts: 10
Joined: Sat Nov 10, 2012 9:00 am

Re: Win32/Vawtrak

Post by kloent » Mon Sep 02, 2013 8:07 am

It's a banking malware; the authors' internal name is "EQ" ("EQFramework", "X32 EQ PID", "T:\Develop\EQ2\bin\tmp\client_32.pdb").
Extracted x32 and x64 inject modules (DLLs) attached. The x32 module contains the code of the Pony password stealer.
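The PDB path and internal-name strings quoted in this post are the kind of artefact an analyst pivots on across samples. As an added example (not code from this thread), here is a small Python scanner that parses CodeView "RSDS" debug records out of a byte buffer, derives the symbol-server style PDB identifier, and flags the indicators named above; the sample buffer and its GUID are constructed for the demo and are not real Vawtrak values.

```python
import re
import struct
import uuid

# Indicators quoted in kloent's post above: the PDB path and the internal names.
VAWTRAK_PDB_PATHS = {rb"T:\Develop\EQ2\bin\tmp\client_32.pdb"}
VAWTRAK_STRINGS = (b"EQFramework", b"X32 EQ PID")


def parse_rsds_records(data: bytes):
    """Locate CodeView 'RSDS' records (sig, GUID, age, NUL-terminated PDB path)."""
    records = []
    for m in re.finditer(rb"RSDS", data):
        off = m.start()
        end = data.find(b"\x00", off + 24)
        if off + 24 > len(data) or end == -1:
            continue  # truncated record: skip rather than mis-parse
        guid = uuid.UUID(bytes_le=data[off + 4:off + 20])
        (age,) = struct.unpack_from("<I", data, off + 20)
        records.append({
            "offset": off,
            "pdb_guid": str(guid).upper(),
            "age": age,
            "pdb_path": data[off + 24:end].decode("latin-1"),
            # Symbol-server style id (GUID hex + age), handy for pivoting across samples.
            "pdb_id": f"{guid.hex.upper()}{age:X}",
        })
    return records


def classify(data: bytes):
    """Return the reasons this buffer matches the Vawtrak indicators from the post."""
    hits = []
    for rec in parse_rsds_records(data):
        if rec["pdb_path"].encode("latin-1") in VAWTRAK_PDB_PATHS:
            hits.append(f"pdb path {rec['pdb_path']} at offset 0x{rec['offset']:x}")
    hits += [f"string {s.decode()}" for s in VAWTRAK_STRINGS if s in data]
    return hits


# Constructed sample buffer: an RSDS record with an arbitrary GUID (not a real
# Vawtrak GUID) followed by the PDB path and one internal-name string from the post.
SAMPLE = (
    b"\x00" * 16 + b"RSDS"
    + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
    + struct.pack("<I", 3)
    + rb"T:\Develop\EQ2\bin\tmp\client_32.pdb" + b"\x00"
    + b"... X32 EQ PID ..."
)
```

Running `classify(SAMPLE)` returns two hits, one for the PDB path and one for the "X32 EQ PID" string; run it over a real dump or unpacked module instead of the constructed buffer.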

forty-six
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm

Re: Win32/Vawtrak

Post by forty-six » Tue Oct 22, 2013 3:39 am

Neutrino & Popads/magnitude dropping this

SomeUnusedName
Posts: 46
Joined: Fri Oct 07, 2011 1:17 pm

Re: Win32/Vawtrak

Post by SomeUnusedName » Tue Oct 22, 2013 2:31 pm

kloent wrote: It's a banking malware
I didn't see anything banking related though. Looks like Pony password stealing + formgrabbing + VNC/SOCKS backconnect or something.

forty-six
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm

Re: Win32/Vawtrak

Post by forty-six » Tue Oct 22, 2013 5:54 pm

Look again.

SomeUnusedName
Posts: 46
Joined: Fri Oct 07, 2011 1:17 pm

Re: Win32/Vawtrak

Post by SomeUnusedName » Wed Oct 23, 2013 11:55 am

Care to enlighten me? I've checked the client_32 file and all I see is password stealing. What do you see that I don't?

teddybear
Posts: 16
Joined: Tue Sep 24, 2013 11:06 am

Neverquest Banking Trojan

Post by teddybear » Tue Nov 26, 2013 8:33 pm

http://www.securelist.com/en/analysis/2 ... new_threat

Has anybody heard of this banking malware before? I don't know any aliases for that.
Of all the hashes listed in the article, I've found only the following on VT:

https://www.virustotal.com/en/file/0b27 ... /analysis/
https://www.virustotal.com/en/file/70d5 ... /analysis/
https://www.virustotal.com/en/file/06b8 ... /analysis/

They are detected by the AVs with the following names:
  • Tepfer (forum search: Kelihos?)
  • Sinowal (Torpig)
  • Reveton?
I'm really confused... :? Any help appreciated.


SomeUnusedName
Posts: 46
Joined: Fri Oct 07, 2011 1:17 pm

Re: Neverquest Banking Trojan

Post by SomeUnusedName » Wed Nov 27, 2013 9:46 am

That's Vawtrak. Securelist may want to start reading kernelmode because it's been known here for a while.

Edit: Link to the Vawtrak thread here: http://www.kernelmode.info/forum/viewto ... =16&t=2935
