{
	"id": "cbb8092c-bfc0-45a8-865e-9cbabd9621e6",
	"created_at": "2026-04-06T00:11:03.547224Z",
	"updated_at": "2026-04-10T03:20:50.871604Z",
	"deleted_at": null,
	"sha1_hash": "61bca38fc8d12da7c80d9b75f50dc0a8dac5ecc0",
	"title": "“VawTrak” Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3093818,
	"plain_text": "“VawTrak” Malware\r\nBy Ilan Duhin\r\nPublished: 2023-03-19 · Archived: 2026-04-05 15:39:08 UTC\r\nResearched by: Ilan Duhin\r\nExecutive Summary:\r\n“Vawtrak” is a banking Trojan: malware that attempts to steal credentials from banks.\r\nThe Banker gains access to bank accounts via custom key logging, making use of a wide range of login credentials, such as passwords stored in browsers, FTP client private keys, or information stored within remote desktop settings.\r\nTo communicate, the Banker utilizes a SOCKS connection and exfiltrates information such as screenshots and video captures.\r\nTechnical Analysis:\r\nUnpacking Process:\r\nFrom analyzing the malware in IDA, I see a suspicious API call, CreateToolhelp32Snapshot, which retrieves the running processes. I assume the malware uses it to take a snapshot of them until it finds a legitimate process into which to inject its malicious code.\r\nusing CreateToolhelp32Snapshot\r\nIn addition, I checked online sandboxes such as Any.run & Hybrid Analysis for additional information about the injection and found that it tries to inject into the explorer.exe process.\r\nhttps://medium.com/@Ilandu/vawtrak-malware-824818c1837\r\nPage 1 of 8\r\nProcess Tree from Any.run\r\nBased on these conclusions, I chose to put my breakpoint (BP) on WriteProcessMemory, because the malware tries to inject its code into another process, so this call is the ideal one to catch it.\r\nAfter placing a breakpoint on WriteProcessMemory in order to catch the injection, and checking the functionality of the API call in MSDN, the parameter from which to dump the MZ header is clearly shown.\r\nThe parameter required to dump the packed information is the third parameter, according to MSDN. The parameter is “lpBuffer”: a pointer to the buffer that contains the data to be written into the address space of the specified process, or in other words, it holds our unpacked file data.\r\nMemory Map permissions\r\nThe dumped memory file:\r\nAfter cleaning the junk code:\r\nThe malware immediately writes itself into the autorun paths, in order to have a foothold on the host upon startup or restart.\r\nAfter running, “Vawtrak” creates a child process with the same name as the original running process. 30 seconds into the run, the original malware process terminates itself, removes itself from the original running path and copies itself into APPDATA\\LOCAL\\TEMP, in order to elevate privileges (since write permissions exist at this path).\r\nAfter establishing itself, the malware, through the injected process, drops additional PE files, which contain a DLL and an executable.\r\nI extracted the DLL with pe-sieve after dumping the dropped files into a folder to get more information. IDA also confirms that it is a DLL file.\r\nThe DLL creates a snapshot and a list of all currently running processes (as mentioned earlier); this is usually done by reconnaissance malware in order to target specific artifacts within the host.\r\nWhen reconnaissance is complete, the malware derives its C2 server from a hard-coded seed contained in the malware file. It performs certificate validation in order to check whether the server is still available; if not, the malware sleeps for a random amount of time.\r\nIn addition to certificate validation, the Banker checks whether any reconnaissance information has been retrieved. If not, the malware does not initiate communication.\r\nEncrypted data exchange starts with the C2 server:\r\nDNS query to C2 server\r\nFollowing all these steps, “VawTrak” will attempt to spread through the network utilizing SMB, a legitimate Windows file-sharing protocol.\r\nAfter completing all activities within the host and attempting to perform lateral movement, the malware wipes itself off the host and terminates its process.\r\nAttempts lateral movement to other computers via the SMB protocol.\r\nLooking for RDP sessions:\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest \\UseLogonCredential / — WDigest authentication for the HTTP protocol, which stores user credentials in plaintext.\r\n· By default the key is not present in the registry.\r\nSource: https://medium.com/@Ilandu/vawtrak-malware-824818c1837",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@Ilandu/vawtrak-malware-824818c1837"
	],
	"report_names": [
		"vawtrak-malware-824818c1837"
	],
	"threat_actors": [],
	"ts_created_at": 1775434263,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61bca38fc8d12da7c80d9b75f50dc0a8dac5ecc0.pdf",
		"text": "https://archive.orkl.eu/61bca38fc8d12da7c80d9b75f50dc0a8dac5ecc0.txt",
		"img": "https://archive.orkl.eu/61bca38fc8d12da7c80d9b75f50dc0a8dac5ecc0.jpg"
	}
}